Class Action (Tel Aviv) 47153-05-20 Aviv Kupershmidt v. Israel Electric Company Ltd. - part 5

In the event that the court conditions the approval of the arrangement on conditions that will not be acceptable to either party, and one of the parties chooses to cancel the arrangement, at its sole and absolute discretion, after written notice to the other party, within 4 business days from the date of the decision that includes the aforesaid conditions.

If in connection with 35 or more of the class members that are the subject of this arrangement, notice is given to the court that they do not wish to be included in the group, and the court permits them to leave the group, the IEC will be entitled (but not obligated) to notify the cancellation of the arrangement within 14 business days from the date on which the notice was received by the 35 group members not to be included in the group.  In this case, this arrangement, with all its terms and clauses and the undertaking stated therein, will be void and void.

If a party to the arrangement exercises its right to cancel the arrangement, as well as in any other case in which the settlement is not approved in whole and in its entirety by the court, the settlement arrangement with its appendices and the drafts that were exchanged in the framework thereof, will be null and void and legally invalid, inadmissible and prohibited from being presented in its entirety, including but not limited to the application and/or in any other legal proceeding, and the provisions thereof shall not be used by the parties either as evidence or otherwise.  Whether in a legal proceeding or in any other proceeding, it shall not be attributed to the duty or favor of any of the parties, and neither party shall have any claim, claim or right against the other in respect thereof.

In addition, it was clarified, for the avoidance of doubt, that under the control of the aforesaid, the parties will return to conducting the legal proceedings without this arrangement having any impact or impact on their management.

Request for Exemption from Appointment of an Inspector

23. The parties are of the opinion that there is no need to appoint an examiner to examine the settlement. This is because the settlement is proper, fair and reasonable, and takes into account the interest of the class members in weighing the chances of obtaining the application for approval; Examining the reasonableness of the settlement does not require special expertise other than that of the court; This balancing act is at the discretion of the court and not of an examiner.  The agreements in the settlement were reached after long and intensive negotiations; The attorneys' fees will be paid in milestones until the full implementation of the settlement agreement is completed; After the completion of the IEC's undertaking to the members of the class under the Settlement, the IEC will submit to the court a notice, backed by a lawful affidavit, regarding the completion of the implementation of the Settlement Agreement in all its components.
24. It was argued that in these circumstances, in order to approve the settlement, the parties agree that it is of particular importance to ensure the effectiveness of the mechanism for approving a settlement by the court. The appointment of an examiner, where it is not required, may be cumbersome and unnecessarily prolong the hearing of applications for approval of appropriate settlement arrangements.

Application for exemption from payment of the second part of the court fee

25. The court was asked to exempt the parties from paying the second part of the court fee in accordance with Regulation 7A of the Court Regulations (Fees) 5767-2007, taking into account that the request for approval of a settlement is filed at an early stage of the hearing, after only two pre-trial proceedings were conducted, after the parties heeded the court's proposals to talk, thus resulting in a significant saving of precious judicial time.
26. According to the parties, the acceptance of the request for exemption from payment of the second part of the fee will encourage other parties to reach such settlement arrangements in the future, which will save valuable judicial time and lead to procedural and substantial efficiency. A review of the case law shows that where the parties reach an agreement at an early stage of the proceeding, the courts find it necessary to grant the requested exemption from the second part of the fee.  The parties referred as an example toC. 52064-02-20 Shoham v. Cellcom [Nevo] (January 12, 2022); Civil Appeal (Tel Aviv) 53010-11-19 Abitbol v. Japanica [Nevo] (June 30, 2021); C.T. (M) 1974-06-21 Gabbay v. Palo Retail [Nevo] (June 1, 2022).
27. The affidavits of the parties' counsel and the affidavits of the parties were attached as Appendix D to the application in accordance with the provisions of section 18(b) of the Class Actions Law and Regulation 12(b) of the Class Actions Regulations.

The conduct of the proceeding after the submission of the application for approval of the settlement

28. The professional bodies in the Ministry of Justice and the Privacy Protection Authority (hereinafter: "the professional bodies") sought to express their position regarding the settlement in accordance with the provision of section 18(d) of the Class Actions Law.
29. With respect to the parties' agreement in clause 5.5. With regard to the settlement regarding the appointment of an "information security officer" and the details of his areas of responsibility, it was argued that clause 5.5 of the settlement should be amended so that instead of an "information security officer" a "privacy protection officer" would be appointed and his job description would be updated.  According to the professional sources, according  to the provisions of Section 17B of the Protection of Privacy Law, the IEC is obligated in any case to appoint an information security officer, since it constitutes a "public body" as  defined in Section 23 of the Protection of Privacy Law in sectors in which essential public services are provided.  Therefore, insofar as the "Information Security Officer" is in fact the information security officer that the IEC is obligated to appoint in any case under  section 17B(a) of the Protection of Privacy Law, and his appointment is not an action taken by the IEC in the framework of the settlement, but rather the fulfillment of its duty under the law.
30. It was also claimed that on August 5, 2024, the Knesset approved the Protection of Privacy Law (Amendment No. 13), 5784-2024 (hereinafter: "Amendment No. 13 to the Protection of Privacy Law"), which will come into effect on August 14, 2025.  One of the main arrangements enacted in Amendment No. 13 to the Protection of Privacy Law imposes an obligation on a large number of entities in the economy to appoint a privacy protection officer in section 17b1. This obligation shall apply, inter alia, to any public body as defined in section 23 of this Law, and to any entity that is in the sense of holding a database of a public body.  The amendment also enumerates the duties of the Commissioner in section 17b2; the knowledge and skills required of him in section 17b3; his duty to report directly to the director general of the entity in which he fulfills his position or to a person who is directly subordinate to the director general in section 17b2(c); the duty to provide the commissioner with the conditions and resources necessary for the proper performance of his duties, and to ensure his proper involvement in any matter relating to  the privacy protection laws in section 17b2(b), as well as other provisions.  Therefore, it was argued that in accordance with the provision  of section 17b1(a)(1), the IEC, as a controlling shareholder of a database that is a public body as defined in section 23 of the Protection of Privacy Law, will be obligated to appoint a privacy protection officer, as of the date of the entry into force of Amendment No. 13 to the Protection of Privacy Law.
31. The professional bodies in the state noted the distinction between the role of the Privacy Protection Officer and the Information Security Officer in accordance with the law. It was explained that while the role of an information security officer in an organization is to ensure compliance with relevant standards and procedures relating to information security, and to employ a range of measures related to the prevention of unauthorized use of information, the role of a privacy protection officer is broader, and relates to the design and formulation of work processes and procedures in the organization related to the collection, management, processing and use of personal information, supervision and control, training and assimilation.

The common translation of the term Data Protection Officer (DPO) derived from the European Data Protection Regulation, the GDPR, is "Privacy Protection Officer" and not "Information Security Officer".  Accordingly, the duties of the  Data Protection Officer under the GDPR are those of the Privacy Protection Officer and not of the Information Security Officer, including advising on the implementation of the obligations imposed by the GDPR and other EU or relevant country laws on the protection of personal information; monitoring the organization's compliance with the regulation on the protection of personal information; assigning responsibilities to the relevant officers; raising awareness and training of employees; advising and supervising the process of formulating a privacy impact assessment in the organization; and cooperating with The Regulatory Authority.

32. Therefore, it was argued that when the IEC states in the settlement that it will appoint a Data Protection Officer (DPO) in accordance with the principles of the GDPR regulation, this means that it must appoint a privacy protection officer and not an information security officer, and that his job description must match the duties of a privacy protection officer.
33. The professional sources further explained that upon the entry into force of Amendment No. 13 to the Protection of Privacy Law, and in accordance with the provision of Section 17B1(a) that will apply to it, the IEC will in any case be obligated to appoint a Privacy Protection Officer, to whom all the provisions set out in Amendment No. 13 in relation to the Commissioner will apply, including the statutory functions listed in Section 17B2, and the additional conditions set out in Section 17B3. Therefore, it was proposed to relate in the framework of the settlement to the statutory roles specified in Amendment No. 13, such as those of the Commissioner of Privacy Protection at the IEC. In addition, it was suggested by the professional bodies that the knowledge and skills required of the Privacy Protection Commissioner should also be addressed in the settlement arrangement, in accordance with the provisions set out in Amendment No. 13 on these issues.
34. The professional sources suggested that in addition to publishing information regarding privacy and cyber protection as stated in clause 5.7 of the Settlement Agreement, the IEC will inform its customers of the change in the privacy policy on its website in other effective ways, such as a suitable banner for its website, sending a message to customers who subscribe to the messaging service, a notice on the monthly account statement, and the like.
35. In addition, with regard to the manner in which the banner is discovered on the IEC's website, the purpose of which is to inform users about the use of cookies, it was clarified that it must be clear and accessible, must include at least basic information about the use of cookies and refer the user to a more detailed cookie policy.
36. The professional sources further argued that to the extent that data about the IEC's customers was transferred to Facebook without their consent, which amounts to a violation of section 2(9) of the Protection of  Privacy Law.  In addition, in the statement of claim and the motion to certify the class action, monetary relief (compensation) was also requested for the class members, but in the settlement agreement there is no compensation for the class members, but rather a future settlement was agreed.  The professional officials held a discussion with the IEC to clarify the question of the type of information that was transferred and whether it amounts to identifiable information, but no definitive conclusion was reached on the matter.  In addition, it was clarified that in this case, there was no supervision process by the Privacy Protection Authority, in which it was also possible to find out what information was transferred to Facebook.
37. Insofar as the data transferred constitutes information as defined in the Protection of Privacy Law or knowledge of a person's private affairs, the position of the professional bodies is that the settlement in its current form does not accurately reflect the damage caused to the class members and therefore there is no reason to apply a court action to the class members in the current format of the settlement agreement. The professional sources referred in this matter to  CA 6919/14 Brut v. Pelephone Communications Ltd. [Nevo] (April 18, 2016), where the Supreme Court accepted the position of the Attorney General and ruled that there would be no court action in the matter of the settlement discussed there, in the matter of a cause for which the class members did not receive compensation in the settlement; and referred toLCA 4129-14 Dor Chemicals v. Gilman,  Section 9 [Nevo] (April 2, 2015).
38. In addition, according to the position of the professional bodies, the outline that is more appropriate to the agreements reached by the parties is an outline of withdrawal in accordance with the provisions of section 16 of the Law, since the agreements between the parties are only in relation to the Respondent's conduct in the future.  In addition, it was argued that the fee component and the remuneration component should be examined in accordance with the provisions of the law and the judgment in CA 8114/14 Market Streamlining Products Ltd. v. Sonol Israel Ltd. [Nevo] (August 5, 2015) (hereinafter: the "Market" case).
39. According to the position of the professional bodies, the parties' request to exempt the applicants and the IEC from paying the second part of the court fee should be rejected. It was argued that in this proceeding, the parties were satisfied with a general argument that the motion to approve a settlement was filed at an early stage of the hearing, after only two pre-trial proceedings were conducted, after the parties heeded the court's suggestions to talk, and thus resulted in a significant saving of precious judicial time.  However, this argument does not meet the required threshold of presenting special and exceptional reasons that justify granting such a request, when the rule set forth in the Regulations is that the respondent must bear the payment of the second part of the fee in the circumstances of the filing of a settlement in a class action, which is often formulated at a preliminary stage of the proceeding, in a manner that obviates the need to conduct a proceeding, and this is not sufficient to justify the granting of a fee exemption.
40. The applicants submitted a reference to the position of the professional bodies and argued that this is a proper settlement that includes many amendments to the conduct of the IEC. The IEC has prepared a new privacy policy, updated its website, and adapted it to the applicants' requirements.  In addition, the IEC undertook to conduct audits and update users on the importance of maintaining privacy and information security.  In addition, in order not to settle only for the standard set by the Israeli legislature, the IEC agreed, following the applicants' demands, to appoint an officer called an information security officer who would act in accordance with the "spirit" of the European Privacy Regulation.  This was an agreement that the parties reached back in 2023, while the settlement was submitted for court approval in January 2024.
41. The Applicants clarified that insofar as the IEC is obligated to appoint a Privacy Protection Officer, the arrangement does not, of course, contain any reservation, statement or agreement not to appoint him or to relieve him of his obligations under Israeli law.
42. Moreover, the applicants believe that there is a benefit in appointing an information security officer in accordance with the spirit of the European GDPR regulation .  The Commissioner of Privacy Protection in the Law is an organization related to the regulation of databases in Chapter B of the Protection of Privacy Law.  The Applicants are of the opinion that when the IEC allows a third party to collect information from its website using third-party tools, additional supervision is necessary to ensure that the third party does not violate the users' privacy.  It is of declarative importance that entities in Israel act voluntarily in the spirit of European regulation, a regulation that seeks to protect consumers' personal information in a relatively stringent manner, and the very request of the professional bodies to change the roles of the information security officer will reduce the liabilities that apply to the information security officer in the framework of the settlement.

In addition, it was claimed that the amendment to the law had not yet come into effect, and that if representatives of the professional bodies in the state had responded in time, it would have been a prelude of more than a year and a half to the appointment of an official as agreed in the settlement arrangement.  It was also argued that there is a reason for the defect in the fact that the representative of the professional bodies delayed submitting the position until September, when it appears that he was aware of the amendment that was about to be passed in August, and when most of his reference relates to the matter of the amendment.  It was further argued that the appointment of the DPO is one of many matters in the settlement arrangement, and that the entry into force of the amendment to the law does not diminish the benefit that grows to the group, and that the provisions of the settlement do not detract from the IEC's obligation under the law.

43. Regarding the claim of the need to update customers regarding a change in the privacy policy in other ways as well, the Applicants believe that this is not necessary. This was because it was agreed between the parties that a change in the privacy policy would be brought to the public's attention with an update to the user of the IEC website.  The IEC website is the appropriate place to provide the update and not to send messages to customers or on the monthly bill.  In addition, it was mentioned that in accordance with the settlement arrangement, starting in 2025, an opt-in mechanism will begin to operate  , which is the main way to obtain informed consent.
44. With regard to the professional parties' argument that there is a difficulty that the settlement will create a court action against the class members, it was argued that in the existing circumstances there is no difficulty in this, since there is a dispute between the Applicants and the IEC regarding the existence of damages as well. The Applicants carried out the risk assessment of the continuation of the proceeding in terms of the damages to the public against the benefit that would accrue to the public in the implementation of the settlement arrangement, and they are of the opinion that this is a correct and beneficial arrangement for the public in the circumstances of the concrete matter vis-à-vis the IEC.  This risk management also addressed IEC's claims, in particular, and taking into account that the information transferred is in dispute between the parties, and its claims that it is not sensitive information at all, such as: financial-banking information, medical information, etc.
45. In addition, it was argued that the fact that the state authorities did not act against the IEC, despite the fact that the proceedings here are open and known to them, is an indication that the damage is not damage in amounts that will cause people to file an individual lawsuit and conduct a proceeding, with all the risks involved.
46. It was further argued that the Applicants have a real difficulty in relating to the factual claims of the counsel for the professional bodies in the State who received information ex parte. As emerges from clause 28 of the position according to which a dialogue was held with the IEC to clarify the question of the type of information that was transferred did not produce a result justifying the change in the agreement.
47. In addition, it was mentioned that the application for approval deals with the right to privacy, which is indeed a very important right, but in accordance with the Protection of Privacy Law, the statute of limitations for a claim under this law is two years.
48. In addition, it was claimed that many months had passed since the publication of the settlement in the press, and only the professional bodies had received their attention. None of the group members submitted any reservations to the settlement.
49. The Applicants also argued that the recommended remuneration and fees are on the low side, and that there is no reason to interfere with the remuneration and the fees of their attorneys. It was argued that the compromise in the circumstances of the case is not suitable for a proceeding of compensated withdrawal, and that even in compensated withdrawals, appropriate sums are awarded that are higher than the recommended amount.  This is especially so taking into account the strenuous work done by the applicants and their counsel, the risk taken, the benefit to the public, the public importance, the expertise required in handling the approval application process, and more.
50. The IEC submitted its response to the comments of the professional bodies and argued that the argument that the appointment of an information security officer (DPO) in the settlement arrangement is insufficient and that he should be replaced by the appointment of a "privacy protection officer" in accordance with section 17b of the Privacy Protection Law.  It was claimed that the IEC undertook to appoint a DPO, when at the time of drafting the settlement, Amendment 13 had not yet been published, and therefore the terminology in the settlement was taken from the GDPR regulation  , which includes strict international standards not only in information security but also in protecting customers' privacy.

Contrary to what was claimed in the position of the professional bodies, the intention was not to appoint an information security officer under section 17B of the law, which in any case already exists at the IEC.  The appointment of the DPO is not intended to replace the information security officer, but rather to add an additional layer of protection and protection of customers' privacy.  The Respondent clarified that the IEC undertook in the arrangement to appoint a DPO, whose functions include supervising the implementation of the provisions of the Protection of Privacy Law, ensuring the conduct of periodic risk surveys, ongoing control of the information systems, and subjecting the information processing processes to the provisions of the law.  It was argued that in fact, the IEC implements in advance the requirements  of section 17B(1)-(3) after the amendment to the Protection of Privacy Law, and thus precedes its entry into force.

51. In addition, the respondent argued that the appointment of the DPO in the framework of the arrangement is not merely the fulfillment of a legal requirement, but rather constitutes a proactive step on the part of the IEC. The arrangement was formulated out of a genuine commitment to protecting the privacy of the company's customers, even though  the Privacy Protection Law in its current form does not require it.  The commitment to monitoring compliance with the provisions of the law, as well as updating the privacy policy and improving transparency through opt-in mechanisms  , reflect strict standards that exceed the requirements of the law.
52. Regarding the claim of the professional bodies regarding the need to expand the means of informing IEC customers of the changes in the privacy policy, and to improve the clarity and accessibility of the banner on the website, the IEC argued that the proposed arrangement provides a broad and comprehensive response, which provides a full response to the claims raised. The new privacy policy will be published in a clear, accessible and transparent manner on the Company's website.  The policy includes opt-in mechanisms  that give customers explicit control over cookies and browsing data collection.  In addition, an informative banner will be added on the website informing users of their rights and the options available to them.
53. It was also argued that there is no lack of clarity regarding the transfer of information to third parties. It was argued that the information collected on the IEC's website does not meet the definition of "identifiable information" in accordance with the Protection of Privacy Law, and that the settlement provides an appropriate response to the claims raised in the application for approval.  The information mentioned in the application for approval, and as provided to the State during the investigation, includes only technical data: a computer identifier (ID) that is not personal and is not unique to a particular person; the title of the action taken on the site (e.g., "viewing content"); The date and time of the action on the website.  This data does not allow direct identification of the user and does not include personally identifiable details such as name, address, payment details, medical condition, or similar data.  Therefore, these data do not meet the definition of "information" as defined in the law and do not establish grounds for violation of privacy.
54. According to the Respondent, the Settlement provides a balanced and efficient solution, which ensures compliance with advanced standards and provides a response to the use of personal information in a transparent and responsible manner. In accordance with the arrangement, the IEC is carrying out significant updates and improvements, including updating the privacy policy, implementing opt-in mechanisms,  conducting information security checks, and improving transparency regarding the use of information, including sending information information to all of the company's customers regarding privacy and cyber protection.  These steps bring material benefit to the members of the group and the general public, and reflect a commitment to adhering to high standards of privacy and information security.  The respondent referred as an example to CA 8037/06 Barzilai v. Prinir (Hadas 1987) Ltd., 67(1) 410, 515 (2014) and argued that the courts recognized systemic benefit as an appropriate alternative to direct monetary compensation, when it leads to extensive improvement and for the public good.
55. According to the Respondent, the application of a court action in an arrangement is necessary and logical and is a condition for ending disputes and creating legal certainty. There is no room to define the arrangement as a withdrawal since it does not amount to a waiver of the claim, but rather includes material and binding changes for the benefit of the group members and the public.  Withdrawal will not guarantee the IEC's continued commitment to these changes and may harm the systemic benefit intended for the Group.
56. With regard to the state's argument that the settlement does not provide direct financial compensation to the class members, the respondent clarified that the settlement provides a real benefit to the class members through significant improvements in the IEC's privacy and information security policy. The courts have recognized that a systemic benefit derived from a settlement can be an appropriate substitute for direct monetary compensation, especially when it comes to class actions whose purpose is not only to provide personal compensation, but also to correct systemic wrongs, promote public policy, and strengthen deterrence against future violations.  In addition, it was argued that direct financial compensation to the members of the class is not necessarily the most effective response in this case.  A cost-benefit examination shows that allocating resources for symbolic financial compensation to each member of the group will lead to a marginal result for the group members, while investing resources in improving privacy practices and information security, as done in the arrangement, creates a much greater overall benefit.
57. The Respondent further argued that the arrangement, including the remuneration and legal fees component, is consistent with the provisions of the law and case law and properly balances the benefit that was transferred to the class members and the consideration to the attorneys and the applicants. In accordance with the case  law in the Markit case, when examining the fees and remuneration, emphasis should be placed on the scope of the contribution that the class action proceeding provided to the group and to the general public, while maintaining the principle of proper incentive.  It was argued that in this case, the proceeding led to a significant change in the IEC's policy, with a long-term impact on protecting customers' privacy and improving its services.  Accordingly, the Applicants' fees and remuneration were determined in a manner that balances the need to incentivize proper class actions and maintaining a fair proportion in relation to the benefit obtained.
58. With regard to the application for exemption from the second part of the fee, it was argued that this case is one of those "exceptional" cases that justify granting an exemption from paying the second part of the fee, since the parties saved precious judicial time and conducted most of the proceeding outside the walls of court. It was argued that in similar cases in which a number of pre-trial hearings were held, the courts ruled that it was appropriate to be exempt from paying the second part of the fee.

Approval of the Settlement

59. Section 19 of the Class Actions Law states:

"(a) The court will not approve a settlement unless it finds that the settlement is proper, fair and reasonable in view of the interests of the class members, and if the motion to approve the settlement was filed before the class action was approved, there are prima facie substantive questions of fact or law that are common to all the class members and that the termination of the proceeding by a settlement is the most efficient and fair way to resolve the dispute in the circumstances of the case."