This appeared last week:
Labor, Greens oppose move to criminalise data re-identification
Government move to criminalise data re-identification in trouble
Passage through parliament looks uncertain for a government bill that would criminalise the re-identification of public sector datasets released under open data policies.
The Senate Legal and Constitutional Affairs Legislation Committee tonight tabled its report on the government’s Privacy Amendment (Re-identification Offence) Bill 2016. Although the committee’s majority recommends that the bill be passed, a dissenting report by its Labor and Greens members calls for parliament to reject the proposed legislation.
Attorney-General George Brandis in September last year announced that the government would introduce legislation to criminalise re-identification. The motivation behind the sudden announcement became clear when a group of Melbourne University researchers revealed that data made public by the Department of Health had been improperly de-identified.
The department was forced to pull offline datasets it had released based on the Pharmaceutical Benefits and Medicare Benefits schemes (PBS/MBS). The government’s bill would retrospectively criminalise re-identification to the date of Brandis’ initial announcement.
The government’s bill prompted concern from cyber security experts and digital rights advocates that it could hamper legitimate security research.
The researchers who discovered the flaws in the health department’s de-identification process — Vanessa Teague, Chris Culnane and Benjamin Rubinstein — argued in a submission to the Senate inquiry that the “threat of criminal penalties” — up to two years’ prison — “could inhibit open investigation, which could mean that fewer Australian security researchers find problems and notify the government”.
As a result, “Criminals and foreign spy agencies will be more likely to find them first,” the researchers argued.
The government has sought to assuage concerns, including provisions in the bill to exempt some research from its scope. However, in many cases it will be up to the responsible minister to set out what individual organisations or classes of organisations will be exempt from the ban on re-identification, and what conditions will be imposed on them.
In addition, the bill reverses the burden of proof, putting the onus on researchers to prove that the re-identification of a dataset is covered by one of the exemptions.
……
Lots more here:
There is also some coverage here:
Govt could lose its battle to criminalise data re-identification
Labor, Greens say proposed laws are "disproportionate" response.
The federal government's attempts to criminalise those who point out badly de-identified government datasets could fall short after Labor and Greens MPs united against the effort.
In October last year a data breach at the Department of Health prompted the government to introduce a bill which would see individuals and businesses who re-identify open public sector data face up to two years jail and hefty fines.
The Privacy Amendment (Re-identification Offence) Bill 2016 would also make it a criminal offence to publicly point out that supposedly de-identified data can be reversed.
The bill exempts government agencies and their service providers.
The government claimed the legislation would act as a deterrent against attempts to re-identify anonymised personal information, especially given "methods that were sufficient to de-identify data in the past may become susceptible to re-identification in the future".
The bill caused outrage in the research community, which claimed that legitimate research and public-interest revelations about badly de-identified datasets would be blocked.
More here:
To me, what seemed a gross, hasty over-reaction has now been researched, thought through and, very sensibly, is being forced to be abandoned.
My view – a good thing too!
David.
I was stunned and speechless to read that "The bill exempts government agencies and their service providers." So it's AOK for Gov't and their service providers BUT not OK for anyone else!!! How hypocritical is that? Can anyone explain and justify the rationale, please?
It shows a lack of understanding. Anyone who wants the data re-identified for dubious purposes is hardly going to be worried by a law. Much better to require people to notify them that the data can be re-identified and let people try and do it, as surely we want to know that it is anonymous?? It's like passing a law that you are not permitted to break the law.