The Americas: Argentina | Brazil | Mexico
East Asia, South Asia and Pacific: Australia | China | India | Japan | South Korea | Taiwan
Europe and Central Asia: European Union | England | France | Iceland | Italy | Norway | Portugal | Russia | Spain | Turkey
Middle East and Africa: Iran | Israel | South Africa | United Arab Emirates
The Israeli government has used electronic means to fight the COVID-19 pandemic since March 2020. These include both voluntary and non-voluntary digital tracing to stop the chain of infection.
From March to May 2020 the government utilized the robust surveillance technologies of the Israel Security Agency (ISA) to trace patients and those with whom they came into contact. The ISA authorization has been scrutinized by the Supreme Court, which held that its scope and duration must be regulated by law. Following the Court’s ruling the government prepared draft legislation. In response to public criticism and concerns expressed by the ISA Chief, however, the government announced on June 8, 2020, that it would not utilize the ISA abilities to trace COVID-19 patients and would not promote the legislation at this time.
The Ministry of Health offers a voluntary app, HaMagen, which is currently installed on the devices of only a small percentage of the population. The Ministry is working on improving the accuracy of the app and on increasing the number of users.
The use of tracing devices raises challenges to the right to privacy and to patients’ rights, which are protected under Israel’s basic laws, statutes, and regulations. Although not specifically required by law, the ability to utilize “privacy by design” was held by the Tel Aviv District Court to be a way to limit the harm to privacy associated with digital surveillance.
Israel appears to have had relative success in curtailing the spread of the novel coronavirus pandemic. The country has a population of over nine million. As of May 22, 2020, 531,124 tests for COVID-19 had been conducted; 16,690 patients had been diagnosed with COVID-19; 13,915 had recovered; and 279 had died. Due to the low infection rate, the government has been gradually easing social distancing requirements and the economy continues to open under conditions posted on the Ministry of Health (MOH) website.
Cell phones are widely used in Israel. As of 2020, the number of mobile phone internet users in Israel reached about 6.5 million. As discussed below, the number of Israelis uploading a voluntary app for COVID-19 tracing reflects the willingness of a significant, though insufficient, portion of the population to share personal data in relation to the pandemic. Improvement of the app’s features is expected to increase the number of users.
II. Legal Framework
A. Privacy and Data Protection
1. Constitutional and Legislative Guarantees
Basic Law: Human Dignity and Liberty recognizes that “[a]ll persons have the right to privacy and to intimacy . . . [and that] there shall be no violation of the confidentiality of conversation, or of the writings or records of a person.” The constitutional right to privacy, however, is qualified by a “limitation clause” in section 8 of the Basic Law, which requires that any law that limits the rights set out in the Basic Law, including the protected right to privacy, must “[comport with the] values of the State of Israel, [be] enacted for a proper purpose, and to an extent no greater than is required.”
Personal and medical privacy are protected by a number of statutory laws and regulations, including the Privacy Protection Law, 5741-1981 (PPL); the Secret Monitoring Law, 5739-1979 (SML); and the Patient’s Rights Law, 5756-1996 (PRL), as well as by court rulings.
2. Consent for Disclosure
The PPL prohibits the violation of a person’s privacy without his or her consent. The PPL considers the “breach of the duty of confidentiality provided by law regarding a person’s private affairs” as a violation of privacy.
Subject to specified exceptions, a duty of confidentiality is imposed on medical care providers and institutions regarding patients’ medical information that has been obtained in the course of treatment.
Disclosure of a patient’s private information is authorized under the following conditions:
(1) The patient consented to the delivery of the medical information;
(2) The caregiver or the medical institution is required by law to provide the medical information;
(3) The delivery of medical information is to another caregiver for the purpose of treating the patient;
(4) Medical information has not been disclosed to the patient under section 18(c) [applicable when the caregiver has determined that the information could cause serious harm to the patient’s physical or mental health or endanger patient’s life] and the Ethics Committee approved its delivery to another;
(5) The Ethics Committee, after giving the patient the opportunity to make his or her arguments, determined that the provision of medical information about him or her was essential for the protection of the health of others or the public and that the need for its delivery was superior to the interest in its non-delivery;
(6) The delivery of medical information is to the treating medical institution or employee of that medical institution for the purpose of processing, filing, or reporting the information [as required] by law;
(7) The delivery of the medical information is intended for publication in a scientific journal, for research or teaching purposes in accordance with instructions prescribed by the Minister [of Health, provided that no identifying details of the patient were disclosed.
3. Handling of Sensitive Information
The storage and sharing of sensitive data in databanks, including data on an individual’s personality, health, financial status, opinions, or beliefs, is regulated under the PPL and the Privacy Protection (Data Security) (ISA) Regulations, 5777-2017 (PPDS). The PPDS requirements for data protection by databank controllers and processors apply to both the public and private sectors. Sensitive information related to health requires either mid- or high-level security protection when preserved in a databank.
B. Data Retention and Location Tracking
1. Data Retention of Health Records
The PPDS requires mid-level security for databases that are owned by a public body or that are principally intended “to collect data for delivery to another entity,” and that generally includes sensitive information, such as medical, genetic, or biometric information. Databases that would otherwise require mid-level security but include information on more than 100,000 people or are accessible by more than 100 persons, would generally require high-level security.
Databank owners may not connect databank systems to the internet or to any other public system without installing proper protection against unauthorized penetration of the system or against software capable of causing damage to hardware or other software. Moreover, the transfer of information from a databank on a public system or the internet must utilize common encryption methods. The identity of the user and his or her grant of permission to use the databank will be verified. Access to databanks at mid- and high-levels of security must be provided through a means that is subject to the exclusive control of the access permit holder.
3. Storing and Sharing of Location Data
A decision rendered by Tel Aviv District Court Judge Agmon-Gonen on July 1, 2019, addressed the danger to privacy that may result from utilizing cross identification enabled by access to big data. The case involved the unauthorized disclosure of personal location data resulting from a requirement that caregivers of Israel Defense Force (IDF) disabled veterans report their work by mobile signature at the beginning and end of their shifts. 
Agmon-Gonen determined that the violation of privacy to the caregivers resulting from the requirement did not exceed what was required under the circumstances. It did result, however, in a violation of the right to privacy of the disabled veterans because the care provided might include taking or staying with the disabled veterans outside of their home¾for example, when the disabled veteran needed a short psychiatric hospital stay. The use of location data, she held, might “reveal data, such as health information, found in the core of the right to privacy [and] expose location data [which] constituted unlawful harm to the privacy of the disabled [veterans].”
She further concluded that the technology of “privacy by design” could enable caregiver reporting without harming the right to privacy. A tender for selecting a company that would monitor the IDF’s employment of veterans’ caregivers, therefore, should have required that bidding companies would use mobile signature software incorporating principles of “privacy by design” to limit the infringement of the veterans’ right of privacy. For example, a cellular signature could be required at the start and end of the caregiver shift, when the caregiver is with the disabled veterans for the whole shift, without keeping location data. As this has not been done, Judge Agmon-Gonen concluded that
[i]t was impossible to say that the least harmful means was chosen. Therefore, it should be determined, and also anchored in the tender with the monitoring company, that a cellular signature be made so that it does not reveal the location of the disabled, and be designed so that their privacy is not harmed beyond what is required.
III. Electronic Measures to Fight COVID-19 Spread
In an effort to stop the spread of the virus the MOH has offered a voluntary app called HaMagen to trace COVID-19 patients and those with whom they have been in contact. HaMagen is currently installed on the devices of 1.5 million Israelis, constituting only a small percentage of the population.
In addition, the government has authorized the Israel Security Agency (ISA), which normally handles threats to national security, to conduct surveillance on Israeli citizens and residents in order to stop the spread of the virus. A legislative framework defining the ISA’s surveillance scope and duration is currently being considered by the Knesset (Israel’s parliament) following a decision rendered by the Supreme Court on April 26, 2020, requiring anchoring the ISA authorization in legislation rather than in government decisions.
A. Electronic Surveillance by Israel Security Agency
1. Legal Basis
On March 17, 2020, the Israeli government issued the Emergency Regulations (Authorization of the Israel Security Service to Assist the National Effort to Reduce the Spread of the Novel Coronavirus), 5780-2020. The Emergency Regulations were in effect for a period of 14 days and then replaced by Government Decision No. 4916, on March 24, 2020, and by Government Decision No. 4950, on March 31, 2020, extending surveillance authorities to April 30, 2020. The government expressed interest in further extending the ISA’s authorization, especially when social distancing and other restrictions were being lifted.
Government Decision No. 4950 was issued pursuant to section 7(b)(6) of the ISA Law, 5762-2002, which authorizes the ISA to engage in activities other than those enumerated by the Law, as determined by the government, with the approval of the Knesset (Israel’s parliament) Committee on the ISA, to be necessary to protect and promote essential national security interests.
2. Scope of Surveillance
In accordance with Government Decision No. 4950, the ISA was authorized
(a) . . . to receive, collect and process technological information to assist the Ministry of Health in conducting an examination regarding the period of 14 days prior to a patient’s diagnosis, for identifying location data and movement paths of a patient and for identification of persons who came into contact with him, to identify the source of the patient’s virus infection and who might be infected by him . . . .
(b) [and to] . . . transmit necessary information details to the Ministry of Health . . . so that the Ministry of Health can give guidance to patients, people who have come into close contact with them and the general public.
The decision defines “technological information” as
[t]elecommunication data of . . . identification, location and communication, excluding content of conversations within the meaning of the wiretapping law, 5739-1979, as approved by the Knesset Service [ISA] Committee.
It defines “necessary information” details as follows:
(1) For a patient: Location data and traffic routes in the period of 14 days before the day of diagnosis.
(2) For persons who have come into contact with a patient: a full name, identity card number, telephone number, date of birth, date, time and location of last exposure to the patient, . . . to the extent possible and necessary.
3. Legitimacy of ISA Authorization to Conduct Surveillance on Patients and Contacts
The validity of the ISA’s authority to conduct surveillance in the context of the pandemic was reviewed by the Supreme Court. In a unanimous decision rendered on April 26, 2020, the Court held that the ISA authorization could not be based on government decisions. Instead, that authorization had to be anchored in legislation.
On May 5, 2020, the Knesset Intelligence Subcommittee approved a three-week extension of the government’s use of ISA surveillance assistance to fight the COVID-19 pandemic. The extension was granted to enable advancement of the legislative process.
In response to public criticism, on June 8, 2020, the government decided to stop utilizing ISA surveillance for COVID-19 tracing and put on hold legislative efforts for securing its statutory authorization. According to Israeli media, draft legislation providing such authorization in this regard would be authorized by the Ministerial Legislative Committee, but not be submitted for Knesset approval at this time. Expressing his “discomfort” in the ISA usage of its electronic technologies for purposes of monitoring patients, ISA Chief Nadav Argman has reportedly stated that, “if the [pandemic] outbreak was renewed, the law could be quickly enacted, and the ‘ISA would be prepared.’ ” He offered ISA assistance in the improvement of a voluntary app.
B. HaMagen Voluntary COVID-19 Tracing App
As compared with the robust technological surveillance abilities of the ISA, the HaMagen app provides more limited and a less accurate level of monitoring patients and their contacts. The HaMagen may be uploaded on a voluntary basis. It was launched by the MOH in March 2020 with the objective of stopping the chain of COVID-19 infection.
1. HaMagen System Characteristics
The HaMagen app cross-checks the GPS history of any subscriber against historical geographic data of patients identified by the MOH. The app is available in five languages: Hebrew, Arabic, English, Russian, and Amharic.
The app is free to download from the App Store and Google Play. It notifies subscribers if they “crossed paths with a COVID-19 patient,” provides the exact time and location of the contact, and allows them to “review, and confirm or reject the notification.” Upon confirmation, the user will be asked go into isolation and report to the MOH. If the message in the notification is incorrect, the user “can reject it and carry on as normal.”
Files shared by HaMagen are generated in the MOH’s epidemiological system, and contain
. . . only verified information that was received from laboratories and epidemiological investigations and is monitored by the Ministry of Health. Prior to sending, the file is digitally signed with the Ministry of Health’s digital signature. Upon receiving the file, the digital signature is examined by the application, to verify that the file was received from the Ministry of Health in an orderly manner, in order to prevent the breach of malware into the application.
- · The Ministry of Health puts great emphasis on the information’s confidentiality and privacy. Accordingly, any information shared with the Ministry of Health will go through an encrypted channel and stored in the Ministry’s servers in accordance with all procedures and protocols on information security and protection of privacy applicable to the Israeli healthcare system, and in accordance with the law.
- · The Ministry of Health runs routine maintenance checks of the measures ensuring information security and protection of privacy and updates them as needed.
2. Rate of Use and Accuracy
According to the Ministry of Health, the HaMagen app is currently installed on the devices of 1.5 million Israelis, constituting only a small percentage of the population. Based on GPS location data, the app has been criticized as insufficiently accurate, “certainly not at the required two meters [approx. 6.56 feet]. The app knows if people were around each other, but not beyond that. Nor is it able to identify the location of people within buildings.”
The MOH is reportedly working on adding Bluetooth technology to the app, which will enable identification within buildings and improve accuracy. One commentator opined that
To be effective at curbing the epidemic when removing restrictions, the app needs to be installed with a much larger number of devices - including, as far as possible, in the Arab and ultra-Orthodox sectors. For example, according to a study in Oxford, in order for the Bluetooth-based contact detection app to stop the epidemic, about 60% of the population needs to install the app.
…The need to improve the accuracy of the protective app and dramatically increase its users’ reach is important for two reasons: to stop the pandemic’s spread in the coming months of the quarantine’s opening; and to make the ISA’s intrusive and controversial means of surveillance unnecessary.
According to an op-ed by two Israeli experts in game theory and behavioral economics,
the inaccuracy of the HaMagen app alongside the use of mobile tracing tools whose sources of information are unknown to the public has resulted in the sending of numerous false alerts and inconsistent messages between the systems, causing many people to lose confidence in the app as a way to fight the corona epidemic.
They argued that to counter resistance to their use, surveillance apps should incorporate carriers’ risk assessment features while preserving the privacy of users. Risk assessment features, they opined, would be welcomed by the public as such features would save users’ time and convey the users’ commitment to fighting the virus.
Prepared by Ruth Levush
Senior Foreign Law Specialist
 See “HaMagen Voluntary COVID-19 Tracing App,” Part III(B), below.
 Basic Law: Human Dignity and Liberty § 7(d), Sefer Hahukim [SH] No. 1391, 5752 (Mar. 25, 1992), this and all citations below as amended, https://perma.cc/CTP5-RQMD (unofficial English translation). Israel does not have a written constitution contained in one document. Based on the 1951 Harari Knesset (Israel’s Parliament) Resolution, Israel’s Basic Laws were intended to form chapters in its future constitution. The Constitution, Knesset, https://perma.cc/N5X7-KQVY. Basic Law: Human Dignity and Liberty and Basic Law: Freedom of Occupation, SH No. 1454 p. 90 (Mar. 10, 1994), https://perma.cc/EVN6-8NRA (unofficial English translation), however, contain provisions that have been interpreted by the Supreme Court as providing the Court with the authority to repeal statutory legislation that conflicts with the Laws’ provisions.
 Basic Law: Human Dignity and Liberty § 8.
 PPL, SH 5741 No. 1011 p. 128.
 SML, SH No. 938 p. 118.
 PRL, SH 5756 No. 1591 p. 327.
 PPL §§ 1 & 2(7) (all translations by author).
 PRL § 20(b).
 Id. § 20(a)(1), (2) & (5).
 PPL ch. B; PPDS, Kovetz Hatakanot [Kt] [Subsidiary Legislation] 5777 No. 7809 p. 1022, https://perma.cc/6UH6-KD6B. For a summary of the regulations see Ruth Levush, Israel: Online Privacy Protection Regulations Adopted, Global Legal Monitor (June 14, 2017), https://perma.cc/QCU8-TJS3.
 See discussion of the PPDS in Part II(B), below.
 PPDS, App. 2.
 Id.§ 14.
 Id. para. 16.6A.
 Id. para. 16.6B.
 Id. para 16.8.
 HC 2109/20 Ben Meir v. Prime Minister, Israeli Judicial Authority, https://perma.cc/P999-T2X7. For analysis of the decision see Ruth Levush, Israel Security Agency’s Involvement in COVID-19 Tracing Scrutinized, In Custodia Legis (Law Library of Congress, May 7, 2020), https://perma.cc/R9QW-W38P.
 Emergency Regulations (Authorization of the General Security Service to Assist the National Effort to Reduce the Spread of the Novel Coronavirus), 5780-2020, KT 5780 No. 8393 p. 782, https://perma.cc/UJ92-HGSK.
 Decision No. 4950 § 2.
 Id. § 3.
 The Intelligence Subcommittee Has Approved a 3-week Extension to the Use of the ISA’s Tool to Combat Corona – In Order to Facilitate Legislative Process, Foreign Affairs and Defense Committee (May 5, 2020), https://perma.cc/KV62-TTAA (in Hebrew).
 Cohen, supra note 26.
 Id. para. 9.
 Cohen, supra note 26.
Last Updated: 12/30/2020