webinar Summary: digital consent

The legal framework in Israel in the field of data protection relies mainly on the principle of consent as the basis for processing personal data. This model, unique to Israeli law, poses a difficult challenge in the current digital age, in which the volume and frequency of data processing are increasing, the processing processes become more complex, and sometimes it is difficult for the average person to fully understand their implications.

Following the publication of a statement of opinion by the Privacy Protection Authority (PPA), which sharpens its position regarding the legal interpretation of the consent requirement according to the law, the Israel Technology Policy Institute held a webinar on May 11, 2025. The webinar dealt with the main challenges posed by the current legal situation and discussed possible solutions that will enable privacy to be maintained while adapting to the evolving digital reality.

Below are the main points of what was said in the webinar.

You can access the full webinar recording (about an hour) at this link (in Hebrew).

The Israel Institute for Technology Policy’s comments on the PPA’s statement are available here (in Hebrew).

Opening: Adv.  Amit Ashkenazi, Expert in legal and technology policy, former head of the legal department at the National Cyber ​​Directorate

The webinar follows the publication of the PPA’s statement on informed consent. We will discuss “informed consent” from three privacy angles: social science research, the impact of the statement on organizations’ legal practices, and legal interpretation that addresses the challenges in this field.

Dr. Dima Epstein, Senior Lecturer, Department of Communication and School of Public Policy, Hebrew University

Dr. Epstein presented a view of consent and privacy outside the legal field, from a social science perspective, focusing on people’s actual behavior and research insights.

Background: A series of studies indicate that people click on the “I Agree” button to terms of use and privacy policies without delving into what they are saying, and if they do, they have a partial understanding of the content (based on studies presented at the webinar).

The main question: What can today’s research offer for regulatory thinking about informed consent?

Thinking about privacy as a multidimensional idea:

1. Horizontal (social) privacy: Refers to the privacy relationship between an individual and his social environment (friends, sharing information within a group).

• Vertical Privacy: Refers to the privacy relationship between the individual and institutions (government, business entities, large platforms).

There is a tension between the horizontal and vertical orientations, with implications for policy discourse. On the one hand, horizontal privacy is more accessible to the public and is the dominant frame of thinking among them. On the other hand, policymakers and human rights activists emphasize vertical privacy. Sometimes, this tension is exploited to construct power, as emerges from a study of hearings in the US Congress and the European Parliament. After the Cambridge Analytica affair, legislators focused on vertical privacy, while Facebook (Mark Zuckerberg) emphasized horizontal aspects, as is also emphasized in the privacy management options on the platform. The tension is critical when seeking informed consent to the vertical relationships of privacy.

Additional Implications for Privacy Policy

1. Digital or privacy-specific literacy – Higher literacy partly explains the willingness to protect privacy. Research has shown that privacy-conscious people tend to learn more about the subject, but this literacy only predicted horizontal, not vertical, protective behaviors.
   1. Results of privacy “fatigue” – A more complex research model has shown that the more people know about privacy, the less they believe in their ability to protect their privacy, and the less they invest in protecting it (especially in the vertical context).
   1. It is important to consider how people think about privacy, and how the power building in the relationship between the data subjects and the controlling shareholders should be considered. Alternative ideas examined include: a graphical presentation of terms, the construction of consent documents, and the transfer of decision-making authority to more trusted professional third parties.

In conclusion, Dr. Epstein believes that transferring responsibility for privacy protection to the individual is not an applied expectation and is unfair in the realization of big data and increased connectivity.

To view Dr. Epstein’s presentation here.

Adv. Dan Or-Hof – Owner of Or-Hof Law Firms, Founder and CEO of Clearpath LTD.and Founding Partner at Stand Alliance

Adv. Or-Hof examined the PPA’s statement through the lens of practice and the market.

Assumptions regarding regulation:

1. Impact – How the written arrangement affects organizations’ ability to implement it.

• Regulatory certainty – Regulatory uncertainty impairs the market’s ability to conduct itself properly.
• Timing – whether the arrangement is appropriate for the specific timing.
• Attitude to the law – how the regulatory interpretation corresponds with the existing law and regulations.

Criticism of the PPA’s statement:

• A statement regarding the role of regulation – In the wake of the Regulatory Principles Law, the economic and social impacts and cost of compliance with the regulation must be considered, especially for small and medium-sized businesses. The statement adds stringent requirements that make it challenging to use consent when it is doubtful whether the requirements will lead to greater awareness and when the requirements impose costs. It appears that the PPA did not make such an assessment prior to the publication of the draft statement.
• Uncertainty
  •  Duty to inform – The disclosure makes the duty to notify in section 11 a “minimal” obligation. It uses valve terms such as “in certain cases” that leave the PPA with a great deal of discretion and little guidance and structure for organizations.
  • Implicit consent (“implied”) – The statement “demotes” an implicit consent that is explicitly present in the law, and creates a “presumption of guilt”, according to which an organization that relies on it will have to make more effort to prove its legitimacy. This position also does not take into account the economic implications of the requirement for explicit consent, which may be a much more expensive and unfeasible process.
  • Withdrawal of consent – the conditions for this are not clearly defined, and even in this context, the costs involved and the reliance on the consent given are not considered.
  • “Free will” – The PPA wishes to include this term in all transactions that require consent. “Free will” is a vague and philosophical term. The fact that it appeared in labor court rulings in the context of employee consent does not justify its impact on the market as a whole. It is unclear what this means in practice or the implementation costs.
  • “Dark Tactics” – The PPA states that dark tactics may not be used to obtain consent. This is a loaded term that requires deep discourse, and using it without providing real baggage and guidance for proper behavior (such as a detailed document of the European EDPB) undermines certainty.
• Timing and Attitude to the Law – the Timing of the Statement is problematic because companies are preparing for the complex Amendment 13, and this is in a difficult economic period. The legislature was required to define consent three times – when the law was enacted in 1981, when the term “informed consent” was added to the definition in 2007, and most recently in the framework of the discussions on Amendment 13, which substantially changed the definitions in the law. The legislature did not add free will to the definition, did not create a stratification that guides the value of implied consent, and did not create a right to withdraw from consent.

Alternative Proposal:

Instead of hardening the use of consent, the PPA could have developed an alternative basis for data processing. The PPA has a tradition of activism in introducing principles into the law. It is possible to build a thesis based on Section 18 of the Law (Protections), which allows the use of personal data in good faith for the purpose of protecting legitimate interests or a legitimate personal interest. This can include clear needs such as cyber protection, fraud prevention, lawsuit defense, ongoing communication with a customer,  and the provision of the service. Such needs are reasonable expectations of people and do not require individual and tedious disclosure. The PPA can guide the market as to which uses are considered legitimate within the framework of these protections, which will create certainty instead of the uncertainty created by the statement.

To view Adv. Or-Hof’s presentation here.

 

Adv. Rivki Dvash – Senior Fellow, Israel Technology Policy Institute (FPF)

Adv. Dvash proposed a model for legal interpretation that would enable the principles of data protection to be upheld in a more practical way, while taking into account reality. She emphasized the importance of empirical research and market costs in policymaking.

Characteristics of Israeli Law – Israeli law combines classic privacy protection with data protection. This is a unique legal situation in the world, and the connection between the two creates complexity. In addition, the existing arrangements in Israeli law regarding data protection are very lacking. Amendment 13 does increase enforcement, but it does not sufficiently expand the substantive arrangements, so the difficulty in implementing the provisions of the law will deepen. Things become more complicated in light of the advanced technology compared to the 1981 law. Therefore, creative interpretation is needed in order to create certainty in the absence of appropriate legislation.

In analyzing the law’s provisions, section 3 (consent) should be read together with section 18 (protections) .If the PPA introduces Section 3 into the Data Protection Branch, it is also obligated to address Section 18. Instead of a sweeping requirement for problematic explicit consent, defining when it is required to represent actual control and understanding is necessary.

Guiding questions for examining the need for consent:

1. Does data processing = violation of privacy (not all data processing violates classical privacy)

2. Is the processing of the data an “ancillary purpose”
3. Is it legitimate to violate privacy (there is protection under section 18)
4. Is there no other reasonable alternative (section 20(a))
5. Is the harm proportionate (section 20(b))
6. Suggestion for setting tests to tip the scales to require consent (not a closed list) – the identity of the subject of the information, the data subject’s reasonable expectation of the uses of the data, and is there a real alternative for the data subject if he objects to the processing of the information to which consent is requested (what does lack of consent mean).

In summary, there is a need to outline “what can be done” and not just “what can’t.” We must rely on the law’s anchors and learn from the GDPR that it has different processing bases beyond consent. The concern is that the lack of clarity today will lead to a proliferation of legal proceedings at the public’s expense.

To view Adv. Dvash’s presentation here.

Summary by the moderator (Adv. Amit Ashkenazi) and the speakers:

Adv. Ashkenazi concluded that the discussion raises the tension between the abstract principles and the practical application. While Amendment 13 expands enforcement tools, it is unclear what financial sanction is relevant to violating the PPA’s statement. In addition, the statement deals with informed consent without coherently addressing other obligations that apply to database owners, such as disclosure obligations, limitation of purpose, and existing guidelines of the PPA. For Officials in Organizations (such as DPOs), it is challenging to navigate the uncertainty, especially regarding “free will” and the need to prove it in the future. Despite the importance of privacy, there is a need for clear and practical rules.

The speakers reiterated that consent is a problematic mechanism. The legal requirement for consent must be designed in a way that is aware of the difficulties of consent, and leverages the obligations that apply to the entity that processes the information (the company/organization) in order to reduce the risks to privacy. This can be done through an orderly directive by the  PPA that will establish the use of information for legitimate purposes within the framework of the law’s protections (Article 18), rather than tightening the problematic consent mechanism. This will provide the certainty that the market needs.