AGD warned proposed data re-identification laws could kill the data research canary

Industry and government agencies have warned the Attorney-General's Department that the proposed data re-identification laws are too blunt to work.
Written by Chris Duckett, Contributor

New South Wales Acting Privacy Commissioner Elizabeth Coombs has warned the federal Attorney-General's Department (AGD) that if proposed laws criminalising the re-identification of de-identified data are enacted, it risks "killing the data canary".

In a submission to the Senate Standing Committee on Legal and Constitutional Affairs, Coombs said Australia's privacy laws are lagging, and that a piecemeal approach should not be taken.

"The concerns expressed to my office are that the draft legislation is too blunt an instrument to secure the advantages of responsible release of datasets while protecting citizens and government against mal-intended re-identification," Coombs wrote.

Under the laws introduced to the Senate in October, intentionally re-identifying a de-identified dataset will become punishable by up to two years' imprisonment, and the laws will be retroactively applied from September 29, 2016.

The proposed laws also move the onus of proof from the prosecution to the defendant, such that the defendant must prove that one of the exemptions in the legislation that allow re-identification work -- such as being contracted by the Commonwealth for such work, or employed by a university or other state government body -- apply to them.

In its submission, AGD admitted that the legislation was proposed as a response to an improperly de-identified dataset released by the Department of Health that was able to be partially re-identified by researchers at Melbourne University.

"The defendant entity or agency bears the evidential burden for each of these exceptions, which reverses the criminal law principle that the prosecution must prove every element of the offence," AGD said in its submission.

Coombs pointed out that not all actors are nefarious, and warned that the laws could suppress notification of when data is poorly de-identified.

"Provisions are needed to oblige the releasing entities to undertake their responsibility for releasing non-identifiable datasets, and to have in place processes to monitor and recall data sets," the acting privacy commissioner said.

"Balanced responsibilities will better achieve the deterrent effect envisaged, and additionally assist prosecutors and regulators to more effectively respond both to release of supposedly de-identified data and any subsequent re-identification."

Electronic Frontiers Australia (EFA) labelled the legislation as misguided, and said in its submission that the laws have been designed to deal with a symptom, rather than the cause.

"The law reveals a concerning lack of understanding of the complexities and challenges intrinsic in data de-identification, and the haste with which it was drafted suggests a knee-jerk response to recent events, rather than a considered, evidence-based approach," EFA said.

As the legislation stands, EFA said it would not deter malicious actors, especially given these acts would likely breach other existing criminal laws, which makes the proposed laws redundant.

"The proposed Bill creates no incentives for Australian government agencies or other organisations to increase their data security, or to adopt data austerity measures," EFA said. "Conversely, the proposed Bill creates (as intended) a strong disincentive for researchers to announce a real or potential vulnerability of re-identification.

"Both of the above will be to the detriment of the privacy of Australians."

EFA said the legislation should not be passed in any form, and instead Parliament should introduce a privacy tort, create data minimisation rules for the public service and the Australian Privacy Act, and pass data breach notification laws.

The Australian Privacy Foundation (APF) agreed that the proposed laws would not deter malicious actors, and would instead suppress researchers announcing their findings, thanks to a "shoot the messenger" approach.

"The concern and haste seems to be less about the risks of re-identification, which have long been known, and more about the sudden embarrassing publicity that predictably revealed 'the de-identification emperor has no clothes'," APF said.

"We consider that people who find vulnerabilities in de-identified data including possible re-identification should be able to communicate this publicly and not just to the government agency in question (which may have no incentive to reveal publicly that its methods are flawed or that its assurances of safety to data subjects are no longer reliable).

"The general public should be made aware of the vulnerabilities of de-identification technologies at the earliest possible time so they can can take prompt measures to protect their own data security and privacy. The reflexive secrecy of many federal agencies today is not conducive to public data safety."

The Australian Bankers Association said it could envisage a situation where large companies are caught up in the proposed laws, and said it would take time for its members to ensure that their systems and processes become compliant.

"The ABA and its members consider that the proposed regime set up by the Bill creates significant uncertainty for businesses which might otherwise use public sector data for legitimate commercial applications that create broad-ranging benefits," it said. "These new risks may mean that businesses choose not to use public sector de-identified data at all, reducing the benefits that could be realised from its use.

"The imposition of criminal offences across the broad spectrum of private sector organisations arising from this single instance where it is not evident that serious or any harm resulted for the individuals concerned, and without detailed analysis and consideration of the potential impacts on and implications for legitimate security and data analysis activities, should be considered carefully."

The Law Council of Australia recommended the reverse onus of proof provisions be removed, and a proper framework for data sharing across government agencies be established.

"In general, a reversal of the burden of proof is justified only where it can be argued that the defence might be said to be peculiarly within the knowledge of the defendant and/or where a particular matter would be extremely difficult or expensive for the prosecution to prove whereas it could be readily and cheaply provided by the accused.

"The Law Council considers that the matters to be established would not be extremely difficult or expensive for the prosecution to prove, as it would have access to relevant contracts, agreements, and determinations."

In an earlier submission, Australian Information and Privacy Commissioner Timothy Pilgrim said the introduction of new offences is unlikely to prevent the privacy risks of publishing de-identified data, and government agencies needed to lift their game.

"Agencies must have the capability to manage the personal information that they hold in accordance with the Privacy Act, and in accordance with the broader community's contemporary expectations," Pilgrim said. "This is particularly relevant where Australian government agencies may be considering whether and how to release valuable datasets which contain, or are derived from, personal information."

The information commissioner pointed out that online information is international, and a law in Australia cannot be applied to those not in the country.

Earlier this week, AGD announced a review of the mandatory telecommunications data retention legislation to explore whether retained data could be used for civil proceedings.

The department has only allowed 15 working days over the Christmas and summer break for those interested to respond to its review.

Editorial standards