The Israeli Law Information and Technology Authority (ILITA) imposed an administrative fine on AIG insurance company for illegally using a customer's personal information infringing his right to privacy

As part of ILITA's enforcement powers under the Protection of Privacy Law, an administrative fine was imposed on the insurance company AIG.

The fine was imposed for the use of personal information violating the complainant's right to privacy without his consent. AIG company used the information for a purpose different from the purpose for which the information was given to it. The company put the complainant's personal information in a database used for marketing offers from the company without requesting his consent, and without alerting him that it intends to do so.

Thus, AIG violated the provisions of Article 1, Section 2(9) and Article 11 of the Protection of Privacy Law.

During the inspection, the Databases Registrar inspectors found that the complainant contracted with AIG to activate a travel insurance for a trip abroad for a fixed period of time. During the phone conversation with the company representative the complainant gave his personal information, as requested for the insurance activation, which included, inter alia, phone number, ID card number, credit card number, date of travel and destination, health condition and more.

The complainant was not asked to give his consent to have AIG give him various marketing offers or make different uses in the information provided, which are not required for the insurance requested. However, in a later time AIG contacted the complainant in order to offer him a mortgage insurance.

AIG admitted that the contact with the complainant was made based on information received from the travel insurance activation. AIG's argument was that the personal information provided to it by the complainant was "voluntary" and that is the basis of the required consent to make other uses in it. This argument was rejected by the Databases Registrar.

The Databases Registrar determined that the complainant gave his details to AIG in order to receive a particular service - travel insurance. Since the law requires purpose limitation so that the only permitted uses in the information are for the purpose for which the information was received. If AIG wanted to make other uses in the personal information, it had to inform that person of that explicitly, and obtain his separate consent for this use.

The period of the contact with the company was fixed and defined by the complainant (the period of his stay abroad). During the phone conversation he was asked by the company's representative if he would like to receive auto insurance offers and he refused. The company has not informed the complainant that it wants to use his information for its marketing purposes, and has not obtained his consent for that.


Adv. Rivki Dvash, Head of the Registration and Supervision Department: "The personal information of people is their asset only. Companies seeking to obtain this information and use it, must inform the owner of the information if he is required to provide the information by law, for what purpose is the information requested, who will it be transferred to and for what purpose. We at ILITA are working to enforce this duty on all data controllers".