Cybersecurity researchers will be considered guilty until they prove their innocence under proposed changes to The Privacy Act 1998 put forward by the Attorney-General’s department.
The Privacy Amendment (Re-identification Offence) Bill 2016 amends The Privacy Act 1998 to introduce provisions which prohibit conduct related to the intentional re-identification of de-identified personal information published or released by, or on behalf of, Commonwealth agencies in a generally available publication, and intentional disclosure of re-identified information.
“The Bill will provide stronger safeguards for individual privacy while supporting the Australian Government’s commitment to open data and the release of de-identified public sector datasets,” the Attorney-General’s department said in its submission to the Parliamentary committee currently reviewing the proposed legislation.
However, under the proposed changes, defendants would be forced to prove their innocence, as opposed to the prosecution having to prove their guilt beyond a reasonable doubt.
"The defendant entity or agency bears the evidential burden for each of these exceptions, which reverses the criminal law principle that the prosecution must prove every element of the offence," the Attorney-General's Department said in its submission to the Senate Legal and Constitutional Affairs Committee.
If passed into law, the proposed changes would be retrospectively applied from Sept. 29, 2016, and individuals who fail to prove their innocence in a case brought against them could face two years' imprisonment.
"Requiring the prosecution to prove that the above exceptions do not apply would effectively require proof of a negative, namely that there were no applicable contracts, functions, activities, Australian laws, or agreements which authorised the defendant entity or agency to engage in the conduct in question," the Department said.
George Brandis - Australian Attorney General (picture courtesy of Neil Duncan & Deutsche Messe via Flickr)
"This would be extremely difficult and expensive for the prosecution to prove beyond reasonable doubt.
"By contrast, this information would be readily and cheaply available from the defendant agency or entity, which would have peculiar knowledge of applicable contracts, functions, activities, Australian laws, or agreements that could be used to justify their conduct," the Department said.
When The Privacy Amendment (Re-identification Offence) Bill 2016 was originally introduced to parliament on 12 October, it included language which would make it a criminal offence to re-identify data sets that have been stripped of identifying markers for open publication by government agencies – even if re-identification occurs by accident.
However, a day later, the Office of the Attorney-General released a statement in which it said the government would provide an exemption to the amendment for those who alert the government of potential vulnerabilities in datasets, such as information security researchers.