Senate introduces legislation criminalising re-identification of anonymised data

Australian Attorney-General George Brandis has introduced into the Senate the legislation criminalising the re-identification of de-identified datasets that are collected and published by the Commonwealth.

"The publication of government datasets, including de-identified data, enables the government, policymakers, researchers, and other interested persons to take full advantage of the opportunities that new technology creates to improve research and policy outcomes," the explanatory memorandum [PDF] to the Privacy Act amendment says.

"However, with advances in technology, methods that were sufficient to de-identify data in the past may become susceptible to re-identification in the future. The Bill is intended to act as a deterrent against attempts to re-identify de-identified personal information in government datasets and introduces criminal and civil penalties for the prohibited conduct."

The Privacy Amendment (Re-identification Offence) Bill 2016 [PDF] will be retrospectively applied from September 29, criminalising the re-identification of de-identified personal information under s16D and the disclosure of re-identified personal information under s16E, punishable by up to two years' imprisonment or 120 penalty units, or a civil penalty of up to 600 penalty units.

An additional civil penalty will require an entity that has re-identified personal information to notify the agency concerned "as soon as practicable after becoming aware that the information is no longer de-identified", as well as enforcing compliance with the agency's subsequent directions for handling the information.

Agencies must also inform the Information Commissioner, who has been vested with investigative powers under s36A and can apply to the Federal Court or Federal Circuit Court to impose civil penalties in circumstances where the criminal penalties cannot be imposed.

Sections 16D and 16E both contain a number of exceptions, however.

"The Bill does not apply to agencies, Commonwealth contracted service providers, and entities that enter into agreements with agencies if re-identification: Was done in connection with the agency's functions or activities, or was required or authorised to be done by or under Australian law; was done for the purposes of meeting (directly or indirectly) an obligation under a Commonwealth contract; or was done for the purposes of an agreement with the agency," the explanatory memorandum says.

"These exclusions will ensure these entities are not captured by the Bill's offences when engaging in ordinary functions and activities such as decryption activities to test information security."

Under s16G, the minister may also decide that a particular entity is exempt for the purposes of public interest. Specifically mentioned are cases of research involving cryptology, information security, and data analysis, or "any other purpose that the minister considers appropriate".

According to the government, the retrospective application of this law is "reasonable and necessary" due to the importance of the human right to privacy enshrined under Article 17 of the International Covenant on Civil and Political Rights (ICCPR).

"This action is necessary because releases of private information can have significant consequences for individuals beyond their privacy and reputation, which cannot be easily remedied," the explanatory memorandum says.

"This warrants swift and decisive action by the government to prohibit such conduct. Further, the retrospective commencement of the offences creates a strong disincentive for entities to engage in such conduct while the Parliament considers the Bill."

Brandis flagged last month that the government would be introducing such legislation to amend the Privacy Act for the purposes of protecting anonymised datasets, saying the "privacy of citizens is of paramount importance" to the government.

"There is a strict and standard government procedure to de-identify all government data that is published. Data that is released is anonymised so that the individuals who are the subject of that data cannot be identified," Brandis said in September.

"However, with advances of technology, methods that were sufficient to de-identify data in the past may become susceptible to re-identification in the future.

"The amendment to the Privacy Act will create a new criminal offence of re-identifying de-identified government data. It will also be an offence to counsel, procure, facilitate, or encourage anyone to do this, and to publish or communicate any re-identified dataset.

"The legislative change ... will provide that these offences will take effect from today's announcement."

Despite Brandis' professed commitment to Australian citizens' privacy, the government has yet to amend the same piece of legislation in order to implement a mandatory data-breach notification scheme for its data-retention legislation.

The Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015, passed by the Australian government in March, came into effect last October and will see customers' call records, location information, IP addresses, billing information, and other data stored for two years by telecommunications carriers, accessible without a warrant by law-enforcement agencies.

The Joint Parliamentary Committee on Intelligence and Security recommended in February 2015 that Australia have data-breach notification laws in place before the end of 2015, prior to the implementation phase of the data-retention laws.

It is slated to be heard during the 2016 spring sittings [PDF] of Parliament, but was not on this week's legislative agenda.