Proposed amendments to the United Kingdom’s Data Protection Bill would help protect security researchers working with anonymized data.
Introduced by Lord Ashton of Hyde, Parliamentary Under-Secretary of State at the Department for Culture, Media and Sport, the draft changes (PDF) address Clause 162 of the third generation of data protection law that has entered the UK Parliament thus far.
This particular article makes it “an offence for a person [to] knowingly or recklessly to re-identify information that is de-identified personal data without the consent of the controller responsible for de-identifying the personal data.” In other words, a security researcher could potentially face criminal charges for proving that anonymized information can be manipulated in such a way that the subjects to which the data pertains can once again be attributed.
The Data Protection Bill as currently written (PDF) does outline certain “defenses” under which a person could justify their decision to re-identify. Those items include obtaining the consent of either the data subject or controller as well as proving that re-identification served the public interest.
Lord Ashton of Hyde’s changes add on to those possible exceptions with the introduction of “effectiveness testing conditions.” To meet those qualifications, a person would need to have acted with a view of testing the effectiveness of the de-identification measures in the aim of serving the public interest and not causing harm. That person would also need to have notified either the Commissioner or the controller(s) responsible for de-identifying the data about their re-identification within a period of less than 72 hours if possible.
A screenshot of one of some of Lord Ashton of Hyde’s proposed changes to the Data Protection Bill.
Privacy researcher Lukasz Olejnik feels that the changes are a step in the right direction. As he told The Register:
“GDPR is intended as a pro-consumer data privacy regulations. It was surprising that UK’s Data Protection Bill proposals’ contained clauses that potentially could later become misused to target security and privacy researchers…. [The proposed changes] contain some reasonable compromises. Although such research is still regulated, researchers acting in the public interest will have less to worry if they disclose vulnerabilities to Information Commissioner’s Office.”
The Data Protection Bill is separate from the EU GDPR. Yet as the Information Commissioner’s Office notes, the Bill helps specify how the Regulation applies to individual states like the United Kingdom. The ICO therefore feels “[i]t is therefore important the GDPR and the Bill are read side by side.”