The Israeli Privacy Protection Authority issues a Position Paper on Databases containing Names and E
On November 28, 2018, the Israeli Privacy Protection Authority (the “Authority”) published its position paper regarding the application of the Privacy Protection Law to computerized lists containing names of individuals alongside their e-mail addresses.
The background to the Authority’s statement is Section 7 (2) of the Protection of Privacy Law (the “Law”), which excludes from the definition of “database” those databases that solely contain “means of communication….”. The relevance is that if something is characterized as a “database” then the provisions of the Law, and the accompanying privacy obligations, will apply to it.
According to the Authority’s position, an email address may constitute “information” that is more than merely a “means of communication”, and in some cases, may even contain sensitive information. For example, a person’s email address can imply a person’s education or occupation (e.g. @Lawyers), personal status (can be deduced from a shared email account of a couple), opinions or beliefs (e.g. Rabbi.Joe@ or Socialist@).
In addition, in the Authority’s view, an e-mail address is used today for identification in social services and online services and may serve as a “key” for identifying a person and linking to his details and preferences.
The Authority notes that even in the theoretical case where a computerized list of email addresses does not disclose such aforesaid personal information and therefore contains merely a “means of communication”, it is still necessary to check whether such database complies with rest of the exceptions relevant to a “database” under the Law: (a) that this database does not contain any information which could be considered to harm a person’s privacy, and (b) that the database owner does not have an additional database.
Comments and Recommendations
The practical effect of the Authority’s statement is to expand meaningfully the definition of “Information” and to extend the application of the obligations under the privacy protection laws to lists of email addresses. These databases are very common, and were assumed in many cases not to require registration or to have the Law’s obligations apply to them.
It is important to note that the Authority pointed out that the European Union includes email addresses as part of “personal data”. This continues the trend of the Authority to cite approvingly and follow the precedents in the European Union in the area of privacy.
In light of this position paper of the Authority, we recommend our clients to examine whether they have lists of e-mail addresses that have not yet been classified as “databases” under the Law and whether any steps are required in relation to these lists (including registration of databases and reviewing the manner in which such personal information is collected, stored and used) in order to meet the requirements of the Law, particularly in order to comply with the Protection of Privacy Regulations (Data Security) which entered into force in May, 2018.