Will proposed offences in the Data Protection Bill make criminals of us all? Stewart Duffy investigates
- De-identified data may subsequently be re-identified, often through context.
- Clause 162, Data Protection Bill makes re-identification a criminal offence.
- Defences may centre on the ‘purpose’ of the re-identification or the ‘reasonable beliefs’ of the accused.
De-identification of personal data is an important and widely used strategy deployed to mitigate the risk of unauthorised disclosure or access. The techniques that are deployed are varied. They do not necessarily render the data ‘anonymous’ as defined by the General Data Protection Regulation (GDPR). That is often not their intention. Deliberate, and sometimes technically sophisticated, efforts to subvert those security measures are a legitimate cause for concern. There can be little principled objection to outlawing such steps by individuals who have no legitimate reason to possess the de-identified data, less still ‘re-identify’ it.
The criminalisation of ‘re-identification’ proposed in cl 162 of the Data Protection Bill is not an entirely novel innovation. Such a measure has been under active consideration in Australia for some time. The Australian proposal was
