Data re-identification criminalisation law should be passed: Senate committee

A Senate committee has recommended that legislation criminalising the re-identification of de-identified datasets that are collected and published by the Commonwealth should be passed through Parliament despite concerns about the scope of the law, its reversal of the burden of proof, exemptions under it, and the retrospective nature of it.

Under the laws introduced to the Senate in October, intentionally re-identifying a de-identified dataset will become punishable by up to two years' imprisonment, with the laws to be retrospectively applied from September 29, 2016.

Tabled in Parliament on Tuesday night, the Senate Legal and Constitutional Affairs Legislation Committee's report outlined several key issues with the Bill: The release of de-identified information; the criminalisation of re-identifying data; the scope of the offences; the scope of the minister's exemption powers; the retrospective application of the laws; and the reversed burden of proof from the prosecution to the defendant.

According to the Senate committee, however, these concerns are all overridden by "the gap that was recently identified in privacy legislation".

"The committee is of the view that the Bill provides a necessary and proportionate response," it said.

In regards to the retrospective application of the Bill, the committee defended it by saying "the minister's announcement was in the current term of Parliament, was very specific, and indicated clearly that the legislation was to apply from the date of the announcement. There is sufficient particularity in the announcement to alert would-be offenders of the nature of the offence."

On the Bill's scope, and whether it will prevent research into information security, cryptology, and data analysis, the committee said it has been "reassured" that the AGD will exempt such researchers from prosecution under the Bill.

Senators from both the Labor and Greens parties dissented with the committee's recommendations, saying that the Bill should not be passed because it is "disproportionate" to the aforementioned gap in privacy legislation, and also does not achieve its objectives.

"The Bill adopts a punitive approach towards information security researchers and research conducted in the public interest. In contrast, government agencies that publish poorly de-identified information do not face criminal offences and are not held responsible," Labor and Greens senators argued.

"It penalises public interest research and discourages open investigation and discussion of potential issues relating to information security. The disproportionate response is also evidenced through the retrospective application of the Bill, as well as the reversal of the burden of proof."

The Attorney-General's Department (AGD) had previously responded to each of the key issues raised in submissions.

In relation to the release of de-identified information, AGD said that having access to open data carried benefits outweighing the risk of the data being re-identified; defended the criminalisation by calling this an "appropriate mechanism to deter entities from doing considerable harm"; said researchers would be excluded from the Bill for "unintentional re-identification that occurs as a by-product of other public interest research using a government dataset"; and explained that the discretionary power will "provide an appropriate balance between protecting the privacy of individuals and allowing for legitimate research to continue", and added that it will consult publicly to determine what classes of entities should be exempt.

On the issue of retrospectivity, AGD simply said that a strong incentive was needed to deter entities from re-identifying information while the Bill was progressing through Parliament -- but did not respond to a claim by the Parliamentary Joint Committee on Human Rights stating that this contravenes Article 15 of the International Covenant on Civil and Political Rights, which states that "No one shall be held guilty of any criminal offence on account of any act or omission which did not constitute a criminal offence, under national or international law, at the time when it was committed."

The AGD also said the reversal of the burden of proof is "reasonable and appropriate" in this case as it would be simple for entities to demonstrate that their actions fall into one of the exemptions, despite its inconsistency with the legal presumption of innocence.

AGD had previously admitted that the legislation was proposed as a response to an improperly de-identified dataset released by the Department of Health that was able to be partially re-identified by researchers at Melbourne University.

In December, New South Wales Acting Privacy Commissioner Elizabeth Coombs warned AGD that if the data re-identification laws are enacted, it risks "killing the data canary".

"The concerns expressed to my office are that the draft legislation is too blunt an instrument to secure the advantages of responsible release of datasets while protecting citizens and government against mal-intended re-identification," Coombs said.

Electronic Frontiers Australia (EFA) also labelled the legislation as being misguided, and suggested that Parliament instead introduce a privacy tort, create data minimisation rules for the public service and the Australian Privacy Act, and pass data breach notification laws.

"The law reveals a concerning lack of understanding of the complexities and challenges intrinsic in data de-identification, and the haste with which it was drafted suggests a knee-jerk response to recent events, rather than a considered, evidence-based approach," EFA said in its submission.

"The proposed Bill creates no incentives for Australian government agencies or other organisations to increase their data security, or to adopt data austerity measures. Conversely, the proposed Bill creates (as intended) a strong disincentive for researchers to announce a real or potential vulnerability of re-identification.

"Both of the above will be to the detriment of the privacy of Australians."