Re-introducing the Re-identification Offence Bill: The dumbest privacy idea this year?

The Privacy Act Discussion Paper, the latest stage in the comprehensive review of Australia’s Privacy  Act, proposes the re-introduction of the Re-identification Offence Bill,[1] a strange piece of legislation that disappeared with little attention.

According to the Discussion Paper, the Bill could be a useful tool to support the broader changes proposed to anonymisation. But is the re-introduction of the Re-Identification Offence Bill the dumbest privacy idea in Australia this year?

Background

In 2016, the Privacy Amendment (Re-identification Offence) Bill was released. It was proposed in direct response to researchers Vanessa Teague, Chris Culnane and Benjamin Rubinstein, all respected researchers and academics from Melbourne University, announcing that they had been able to re-identify a large MPBIS data released by the federal Department of Health, made available on the basis that it was de-identified.

The government itself confirmed that their identification of a vulnerability in the Department of Health’s Medicare and Pharmaceutical Benefits Scheme dataset was the trigger for the legislation saying that it brought to the Government’s attention the existence of a gap in privacy legislation regarding the re-identification of de-identified data. Once aware of this gap, the Government acted immediately to strengthen protections for personal information against re-identification by introducing these offences.[1]

The same researchers also later showed that data released by the Victorian government on the public transport system could be re-identified using just two data points.[2]

What was in the Privacy Amendment (Re-identification Offence) Bill?

The purpose of the Privacy Amendment (Re-identification Offence) Bill, introduced to Parliament in 2016, was to deter the re-identification of publicly-released data sets and support the government’s Public Data Policy Statement, which recommended that non-sensitive government data be made ‘open by default’.[3]

The Bill proposed to introduce criminal and civil penalties into the Act for re‑identification of de‑identified information released by Commonwealth agencies.[4] The general re-identification offence was supported by other provisions. [5] For example, the Bill sought to prohibit the onwards disclosure of re‑identified information, and included requirements to notify the responsible agency of re‑identification and to comply with directions of that agency (or be subject to penalties) [6].

The Bill also contained exemptions to ensure APP entities would not be criminally accountable for re‑identification in certain circumstances (for example, where working as a contracted service provider for a government agency).[7]  However, there is no general exemption for researchers, as had been foreshadowed by the then Attorney General, and only a general right to apply for a ministerial exemption.[8]

In the absence of a broader exemption, researchers working with publicly released data would effectively be forced to apply for a ministerial exemption, or run the risk of civil or criminal offences. This would particularly be the case if the de-identified personal information had only been encrypted or masked in a way that could be decrypted or revealed in the course of ordinary research activities.   This not withstanding the stated intention of the legislation to regulate only the malicious re-identification of data.

It is also worth noting that no criterion are attached to the exercise of the Ministerial power, other than whether or not the Minister is satisfied it is in the public interest to exercise the power.

The Privacy Commissioner’s functions and powers were to be increased. The Commissioner could conduct an assessment of agencies de-identification methods to determine how effective they were to prevent re-identification. The Commissioner also could investigate actions into the re-identification of de‑identified personal information, make determinations in relation to the investigations, and require an entity to comply with such determinations.[9]

What happened to the Bill?

Following its release, the Bill was referred to the Senate Standing Committee on Legal and Constitutional Affairs for review.  In February 2017, the Committee released its report on the Re-identification Offence Bill.[10] That report recommended that the Bill be passed, stating that it provided a necessary and proportionate response to gaps in privacy coverage, and balanced this with the need to promote open data.[11]

The dissenting report of the Australian Labor Party and Australian Greens took the opposite view.[12]

The Bill lapsed in 2019.[13]

Since the introduction of the Bill in Australia, a re-identification offence has been introduced in the United Kingdom, as part of the data protection legislation. [14] In the UK, it is now a criminal offense to re-identify individuals from anonymized data — either with intent or through recklessness. The maximum penalty for this is an unlimited fine.

To date there have been no prosecutions.

Privacy Act Discussion Paper

The Privacy Act Discussion Paper proposes the re-introduction of the Re-identification Offence Bill.[15]

According to the Discussion Paper, the Re-identification Offence, with appropriate amendments to support the Review’s reforms and address concerns raised by the Senate Committee, could be a useful tool to support the broader change to anonymisation. While anonymisation would mitigate privacy risk before information is publicly released, this offence could address concerns about malicious re-identification of information that has already been publicly released.

The Discussion Paper does not make it clear where those concerns came from or what other actions have been considered as part of any regulatory response to the concerns.

Some of the issues

It is not clear what the level of risk is that this Bill is trying to address.

Other than the MBPIS case, the basis for the concern is unclear. There have been no other reported cases in Australia of re-identification of de-identified data bases. And the MBPIS case did not involve small businesses or even rogue data thieves – it was a situation involving a well-known, reputable university researchers operating under the usual restrictions around research and ethics.

Professor Teague, one of the original researchers whose work led to the introduction of the legislation in 2016 said the proposed re-introduction of the bill is concerning and would do nothing to improve data security in Australia.[16]

“Jailing data scientists for re-identifying incompetently released data is as helpful for preventing data breaches as banning geiger counters downwind of Chernobyl is for preventing nuclear accidents,” Professor Teague told InnovationAus.  “The incompetently released inadequately de-identified data will still be out there, you just won’t hear about it from Australian scientists because we’ll be in jail. They still haven’t notified the people whose easily-identifiable Medicare and PBS data was published online in 2016.”[17]

Another interesting aspect of the Bill is that it will be apply to small businesses, otherwise excluded from operation of the Privacy Act.  It is proposed that the legislation will apply to organisations, small businesses and individuals (proposed section 16CA). The Explanatory Memorandum (EM) explains that the broader scope of the bill is necessary ‘due to the need for a general deterrent to the re‑identification of de‑identified personal information.’

The Discussion Paper makes it clear that, as a general principle, it does not believe that the risk offered by small businesses justified extending the regulatory burden of compliance with the Privacy Act to that part of the Australian business environment.  However, re-identification is seen to be serious enough to warrant the extension.  It is not clear that the basis for that extension has been made.

Another of concern about the bill was that, if passed, it would operate retrospectively and prohibit intentional conduct by an entity that occurred from 29 September 2016.   It is not clear whether this would continue in the new Bill.

In the second reading speech, the then Attorney General confirmed that, in addition to criminalising re-identification, the Australian Government would work with the Department of the Prime Minister and Cabinet to put in place a process to govern the release of new anonymised datasets on data.gov.au.[18]  This would be a positive step supporting efforts to ensure the protection of the personal data of Australians. However, the only reference we could see in the open data toolkit available via the data.gov.au site was a non-working link to the OAIC’s guide to de-dentification.[19]

The Discussion Paper examines the question of anonymisation vs de-identification and puts forward some suggestions that would help clarify what is intended and required before personal information loses the protection of the Privacy Act by anonymisation/de-identification. However, in the five (5) years since criminalising re-identification of data was proposed, there is little evidence of the Department of Prime Minister and Cabinet or other government agency working with agencies, data brokers and the research community to develop frameworks or methodologies for the safe sharing of de-identified data.

And of course the Australian Privacy Act has little relevance to foreign entities not carrying on business here.  Perhaps an incentive to set up off-shore cyber security and privacy research undertakings?

Conclusion

Without a clearer justification or explanation of the particular risk landscape, there seems to be little basis for the criminalisation of re-identification of personal data.  Any such legislation, if passed, is most likely to impact legitimate Australian based researchers concerned to ensure they do not inadvertently breach the law.   Rather than encourage the sharing of data to support a robust innovation economy, this legislation will discourage research and innovation by Australian based cyber security and privacy researchers.

And finally, does anyone truly believe that the Australian Privacy Commissioner has the capability or capacity to take on the regulation of de-identifying or re-identifying public data sets without significant additional resources.

The re-emergence of the re-Identification bill,  a dis-proportionate response to an undefined problem, designed to indiscriminately penalise even public interest research, has to be one of the dumbest ideas in Australian privacy this year.

Footnotes

[1]Discussion Paper, 26.

[1] Senate Standing Committee for the Scrutiny of Bills, Tenth Report of 2016, 30 November 2016, p. 671.

[2] https://www.innovationaus.com/govt-has-another-go-at-criminalising-data-re-identification/

[3] Senate Legal and Constitutional Affairs Legislation Committee, Parliament of Australia, Privacy (Re-Identification) Offence Bill 2016 (Report, February 2017) 1.3 (‘Re-identification Offence Bill Report’); Department of the Prime Minister and Cabinet, Australian Government Public Data Policy Statement (Web Page, 7 December 2015).

[4] An entity that contravenes the above provisions may be subject to a criminal penalty of up to two years imprisonment or 120 penalty units, or a civil penalty of 600 penalty units.

[5] Privacy Amendment (Re-Identification Offence) Bill 2016 (Cth) cls 16E–16F.

[6] Ibid cl 16F.

[7] Ibid cls 16D(2) –(5).

[8] https://www.itnews.com.au/news/govt-will-make-it-a-crime-to-re-identify-anonymised-data-438415

[9] Ibid, proposed subsection 40(2A).

[10] Re-identification Offence Bill Report (n 96).

[11] Ibid 2.48, 2.51.

[12] Senate Legal and Constitutional Affairs Legislation Committee, Parliament of Australia, Privacy (Re‑Identification) Offence Bill 2016 (Dissenting Report of the Australian Labor Party and the Australian Greens, February 2017) [1.1]–[1.2].

[13] Parliament of Australia, Bills and Legislation: Privacy Amendment (Re-identification Offence) Bill 2016 (Web Page, 2016).

[14] See Data Protection Act 2018 (UK)  s 171.

[15]Discussion Paper, 26.

[16] https://www.innovationaus.com/govt-has-another-go-at-criminalising-data-re-identification/

[17] Ibid.

[18] https://parlinfo.aph.gov.au/parlInfo/genpdf/chamber/hansards/78dd1315-9808-45a9-843e-a630dbcac8e5/0113/hansard_frag.pdf;fileType=application%2Fpdf

[19] ‘Releasing unpublished data’ https://toolkit.data.gov.au/Publishing_your_data.html