Peter Macdiarmid/Getty Images for Somerset House
show image

Oscar Williams

News editor

Data Protection Bill amended to prevent criminalisation of security research

The government has caved into calls for an amendment to the Data Protection Bill after privacy researchers warned that the legislation would criminalise their work.

Researchers seeking to expose weak data anonymisation said that a ban on re-identification would prevent them from carrying out legitimate research.

The bill introduces unlimited fines for people who “intentionally or recklessly re-identify individuals from anonymised or pseudonymised data”. But the revised version exempts researchers conducting “effectiveness testing”.

Under the law, researchers would have to notify the Information Commissioner’s Office if they had successfully re-identified data intended to be anonymous. The researchers would have three days to submit their notification, which would have to show they were working in the public interest.

Lukasz Olejnik, a security researcher and one of the most outspoken critics of the original bill, described the amendment as a reasonable compromise.

“GDPR is meant to be a strong data privacy regulation. So naturally nobody should expect it to be potentially misused against legitimate researchers acting in the public interest,” he told NS Tech. “[It] is a reasonable compromise, even though privacy research ends up being regulated in the United Kingdom.”

Olejnik also welcomed the opportunity for greater collaboration between researchers and the ICO: “It highlights the important role of Data Protection Authorities under GDPR. In this sense, I rate UK’s GDPR variant as a role model for other European GDPR implementations.”

He added: “What will be important is how ICO will actually handle this communication, which could typically be of rather technical nature.”

The government’s decision to incorporate the EU’s General Data Protection Regulation into the Data Protection Bill was welcomed by many in the tech industry last year.

But the legislation has faced intense scrutiny in the House of Lords. Writing for NS Tech today, Jenny Jones, a Green Party member of the house, accused the government of using the legislation to water down migrants’ rights.

She wrote: “The truth is that this is another bogeyman excuse being used by the government to grant wholesale infringements on people’s privacy rights.”