Australia - Criminal and civil penalties introduced for re-identification of de-identified information The Privacy Amendment (Re-Identification Offence) Bill 2016 (Cth) (Bill) was introduced into the Senate on 19 October 2016. If passed, the Bill will amend the Privacy Act 1988 (Cth) (Privacy Act) to prohibit conduct that intentionally re-identifies de-identified personal information datasets published by the Australian Government, or that discloses re-identified personal information. This new law will apply retrospectively to prohibited conduct that occurs from 29 September 2016 onward. The new law would introduce the following penalties for re-identification of de-identified personal information: • a criminal penalty of up to two years imprisonment, or a fine of AU $21,600; and • a civil penalty of up to AU $108,000 for individuals or AU $540,000 for bodies corporate. For the disclosure of re-identified personal information, a civil penalty of up to AU $36,000 for individuals (AU $180,000 for bodies corporate) will apply. The Bill supports the intended release by the Australian Government of de-identified datasets to benefit policymakers and researches, and includes exceptions for security research involving government datasets, with the relevant Minister to have discretion as to which organisations are exempt, and any conditions to be imposed. The new law would also require individuals and organisations to notify the responsible agency if deidentified personal information is re-identified. The relevant agency in turn would be required to inform the Australian Information Commissioner (Commissioner), allowing the agency to engage with the Commissioner in order to investigate the matter. The Explanatory Memorandum states that a key purpose of the Bill is to deter re-identification in light of technological advances that render previous methods of deidentifying data potentially ineffective. Within 24 hours of the Australian Government's announcement on the Bill, the Department of Health (Department) revealed a discovery by a group of University of Melbourne academics that it was possible to re-identify de-identified medical service provider numbers published on the Department's open data portal. The Bill is expected to pass Parliament with little opposition. The Bill and other parliamentary instruments are available here. The media release from the Office of the Attorney-General dated 28 September 2016 is available here. For more information, please contact Anne-Marie Allgrove, Toby Patten, Matthew Dempsey or Grace Loukides.
- Checklist Checklist: Complying with cookie requirements under the ePrivacy Directive and the GDPR (EU) Recently updated
- Checklist Checklist: Managing a dawn raid
- How-to guide How-to guide: Understanding key data protection definitions (EU)