Govt could lose its battle to criminalise data re-identification

The federal government's attempts to criminalise those who point out badly de-identified government datasets could fall short after Labor and Greens MPs united against the effort. 

In October last year a data breach at the Department of Health prompted the government to introduce a bill which would see individuals and businesses who re-identify open public sector data face up to two years jail and hefty fines.

The Privacy Amendment (Re-identification Offence) Bill 2016 would also make it a criminal offence to publicly point out that supposedly de-identified data can be reversed.

The bill exempts government agencies and their service providers.

The government claimed the legislation would act as a deterrent against attempts to re-identify anonymised personal information, especially given "methods that were sufficient to de-identify data in the past may become susceptible to re-identification in the future".

The bill caused outrage in the research community, which claimed that legitimate research and public-interest revelations about badly de-identified datasets would be blocked.

Privacy advocates have also decried the push, with Privacy Commissioner Timothy Pilgrim arguing the government should instead focus its efforts on making sure it is protecting people's privacy through properly de-identified open datasets.

The bill was referred to the senate legal and constitutional affairs committee for scrutiny late last year.

The committee tabled its report to parliament today [pdf], with the government contingency of the group knocking back all criticisms and recommending the bill be passed.

In a dissenting report, however, Labor and Greens committee members argued the bill was a "disproportionate response" to the problem.

They argued it was the responsibility of government agencies to ensure any data they released to the public had been properly stripped of identifying markers.

"The bill adopts a punitive approach towards information security researchers and research conducted in the public interest. In contrast, government agencies that publish poorly de-identified information do not face criminal offences and are not held responsible," the Labor and Greens MPs wrote.

"Additionally, no consideration has been given as to whether an individual who re-identifies their own information, or their dependent's or client's information, should also be subject to the bill.

"The bill discourages research conducted in the public interest as well as open discussion of issues which may have been identified."

The dissenting MPs recommended the bill not be passed. The government will be unable to get the bill through the Senate and passed into law without the support of Labor and/or the Greens.