Privacy and Data Protection for Start-Up Companies*


Adv. Liat Galily-Perel**

Every start-up company has at least one important key asset. It can be unique knowledge, quality manpower, a patented (exclusive) technological product, a database, a successful reputation (brand), or anything else that gives the company a competitive advantage in the market.

In the age of information flow and sharing, a database often becomes the primary asset of a company. The value of information, and of data about the people in a database, known as "data owners", has increased in recent years. For example, when Facebook acquired rights in the WhatsApp messaging application for no less than $16 billion, it did not acquire patents, employees or unique knowledge. Rather, it acquired a database consisting of the 450 million users using WhatsApp at the time. The database included not only the name and telephone number of all users, but also the personal/social characterization of each of the users. This data was the main asset sold in the transaction. Information, as it turns out, is worth a lot of money nowadays.

Almost every start-up company collects information and data about customers and users of its product or service. Why? Because it is easy: people are willing to provide sensitive or personal information to companies without much thought. It is cheap: no expensive technology system is needed to gather information (information can be gathered via a page linked to a company's website or app). And it has monetary and commercial value. However, it is important to be cautious and collect only information permitted by law and in the manner permitted.

In that case, what information can be collected? Is consent of the data owners required? What can be done with the information? Under what circumstances is it mandatory by law to register the database with the Ministry of Justice? What data protection security measures must be taken to legally possess and manage a database? This article intends to answer these questions.

Privacy seems to be a rare commodity these days. Wherever we go, we are required to disclose personal information in order to receive one service or another. It is therefore important that those collecting information about others do so with the necessary care. It should be noted that the law permits the collection, possession and management of databases. However, it is important to do so in accordance with the requirements stated in the law.

The Israeli Privacy Protection Law defines the term "database" as "a collection of information data, held by magnetic or optical means and intended for computerized processing." The law provides exceptions: it does not apply to information collected for personal use, or to a database that includes only a name, address and way of contact (such as phone number but not email). The idea is simple - if information is collected in a way that enables the identification of a person (whether alone or combined with other databases, including those existing in the public domain), the requirements of the law and the Protection of Privacy (Data Protection) Regulations must be complied with and the privacy of the data subjects must be maintained.

In most cases, there is a legal or regulatory obligation to obtain the consent of the data owner providing the information to the very collection of the information. This includes specifying to the data owner whether he has a legal obligation to provide the information or whether it is provided of his own free will; the purpose of collecting the information; who has access to it; and for what purpose it is collected. It is also mandatory to collect, hold and manage only the information required for the purpose of collecting the information. In addition, it is imperative to allow the data owner the option to review the information, correct it or delete it from the database, all in a friendly, simple and convenient manner.


Databases must be registered with the Ministry of Justice in the following cases: the total number of data owners in the database is more than 10,000 people; the database contains sensitive information (such as information regarding economic status, health issues, identification number, etc.); the information was not provided by the data owners themselves, on their behalf or with their consent; the database belongs to a public body; or, the database is used for direct mail services (spam). In addition, anyone who holds more than five databases requiring registration must submit an annual report to the Registrar of Privacy. The said report must include detailed information about the databases held by the company and information about the data protection officer in the company.

The Privacy Protection (Data Protection) Regulations stipulate four levels of data protection. The levels range from a basic level of data protection, suitable for an entity possessing a single database or a number of small databases, to a high level of data protection, suitable for large entities, large databases and entities holding sensitive information, among other things. Said entities are required to maintain a high level of data protection, including advanced operations and security products, timely submission of periodic reports and appointing a Privacy Protection Officer and a Data Protection Officer in the organization.

It is noteworthy that the requirements stated in the Privacy Protection Law and the Privacy Protection (Data Protection) Regulations do not apply merely to the owner of the database. In fact, anyone who has any ongoing access to information in the database may be required to comply with the requirements of the law. This includes external service providers to the company, lawyers, accountants, suppliers and more.

Anyone who does not act in accordance with the requirements of the law will risk a claim for statutory compensation, without proof of damages, of up to NIS 50,000, as a fine by the Israel Privacy Protection Authority and possibly even imprisonment. On top of that is the risk of losing important information, damaging the company's reputation and the inability to work with business partners and suppliers that require this as a business condition.

Therefore, if you are a start-up company that collects information about your customers, it is crucial that you receive legal advice regarding the obligations applied to you by law. We all have the right to privacy. Let's take care of each other and maintain the privacy of others, for the benefit of us all, as a society.

*The content of this article is based on Israeli law and is intended for Israeli start-up companies. Additional legal rules may apply. This article should not be construed as legal advice of any kind.

**This article was written by Advocate and Public Notary Liat Galily-Perel, a founding partner at Perel Law Office (www.israel-ip.com), member of The Israel Chamber of Information Technology and lecturer in various academic institutes in Israel.