Cyber security researchers will be considered guilty until they prove their innocence under proposed changes to The Privacy Act 1998 put forward by the Attorney-General’s department.
The Privacy Amendment (Re-identification Offence) Bill 2016 amends The Privacy Act 1998 to introduce provisions which prohibit conduct related to the intentional re-identification of de-identified personal information published or released by, or on behalf of, Commonwealth agencies in a generally available publication, and intentional disclosure of re-identified information.
“The Bill will provide stronger safeguards for individual privacy while supporting the Australian Government’s commitment to open data and the release of de-identified public sector datasets,” the Attorney-General’s department said in its submission to the Parliamentary committee currently reviewing the proposed legislation.
However, under the proposed changes, defendants would be forced to prove their innocence, as opposed to the prosecution having to prove their guilt beyond a reasonable doubt.
"The defendant entity or agency bears the evidential burden for each of these exceptions, which reverses the criminal law principle that the prosecution must prove every element of the offence," the Attorney-General's Department said in its submission to the Senate Legal and Constitutional Affairs Committee.
If passed into law, the proposed changes would be retrospectively applied from 29 September 2016, and individuals who fail to prove their innocence in a case brought against them could face two years' imprisonment.
"Requiring the prosecution to prove that the above exceptions do not apply would effectively require proof of a negative, namely that there were no applicable contracts, functions, activities, Australian laws, or agreements which authorised the defendant entity or agency to engage in the conduct in question," the Department said.
"This would be extremely difficult and expensive for the prosecution to prove beyond reasonable doubt.
"By contrast, this information would be readily and cheaply available from the defendant agency or entity, which would have peculiar knowledge of applicable contracts, functions, activities, Australian laws, or agreements that could be used to justify their conduct," the Department said.
When the Privacy Amendment (Re-identification Offence) Bill 2016 was originally introduced to parliament on 12 October, it included language which would make it a criminal offence to re-identify data sets that have been stripped of identifying markers for open publication by government agencies – even if re-identification occurs by accident.
However, a day later, the Office of the Attorney-General released a statement in which it said the government would provide an exemption to the amendment for those who alert the government to potential vulnerabilities in datasets, such as information security researchers.
In a separate submission to the Senate Legal and Constitutional Affairs Committee, the Australian Privacy and Information Commissioner, Timothy Pilgrim, said that while he recognised the Bill’s potential to be a privacy-enhancing tool by providing a deterrent against the intentional re-identification of certain datasets, the introduction of new criminal offences and civil penalties alone would be unlikely to eliminate the associated privacy risks.
“Rather, additional measures will be required for the policy objective to be supported,” he said.
Pilgrim added that agencies would need to implement practices, procedures, and systems to ensure they comply with the Privacy Act 1998.
“That includes taking reasonable steps to ensure personal information is not disclosed through open publication.”
“The open publication of de-identified datasets may always present some level of risk. Effective de-identification requires a careful consideration of all relevant contextual factors, to help ensure that the risk of re-identification, as well as other threats to privacy are minimised.
“I believe that the existing privacy capability of APS [Australian Public Service] agencies to manage privacy risks may need to be strengthened. Agencies must have the capability to manage the personal information that they hold in accordance with the Privacy Act, and in accordance with the broader community’s contemporary expectations,” he said.