During the course of this inquiry a number of key issues concerning
the Privacy Amendment (Re-identification Offence) Bill 2016 (the bill) were
raised with the committee. These issues include:
releasing de-identified information;
criminalising the re-identification of data;
scope of the offences, including the entities captured by the
scope of the Minister's discretionary power to exempt;
retrospectivity of the bill; and
reversed burden of proof.
This chapter will outline the above issues raised by submitters,
and provide the committee's views and recommendations on the bill.
Releasing de-identified information
Submitters generally expressed their support for the bill's
objective of providing greater protection to an individual's privacy. However, some
submitters raised concerns that the bill would not necessarily achieve its policy
goals. One submitter questioned whether personal de-identified information
should be made public as the risk of re‑identification may be too great.
A number of submitters also highlighted that it may not be possible to truly de-identify
information in light of continuing advances in technology:
With more and more aspects of individual's lives involving
some aspect of online interaction, and the increasing sophistication of
data-mining technologies, the likelihood that even carefully de-identified data
sets can be re-identified is also increasing.
It is therefore likely that not even the most expertly
de-identified data sets will remain un-re-identifiable indefinitely.
The government has outlined its view that the benefits of open
data outweigh the risks of re-identification. This view was shared by the Productivity
Commission in its draft report Data Availability and Use. This report
stated that the risks of re‑identification of data and harm to an
individual were real and should not be trivialised, however noted that many of
these risks could be managed with the right policies and processes.
The report also noted that increasing data use does not necessarily put
individuals at a greater risk of harm.
It concluded that Australia stands out among other developed countries where
information, particularly in the area of health, is poorly used and suggested
that fundamental change was needed with the introduction of new legal and
These frameworks would work towards four key elements:
giving individuals more control over data held about them;
encouraging and enabling broad access to government datasets;
increasing the usefulness of publicly funded identifiable data
among trusted users; and
creating a culture where non-personal and non-confidential data
is released as a default.
The Office of the Australian Information Commissioner (OAIC)
agreed that a careful balance is needed between open data and privacy
protections and warned that the bill, in and of itself, would be unlikely to
eliminate the privacy risks associated with the publication of de-identified
OAIC outlined the need to consider whether the risk of re-identification is
sufficiently low for the data to be published openly, or whether other
safeguards should be applied, such as making the data available only to trusted
users with contractual or technological safeguards in place.
Criminalising re-identification of data
Some submitters raised concerns that to criminalise conduct
relating to re‑identification was not proportionate to other offences
within the Privacy Act, which generally attracts civil penalties.
The Law Council of Australia (LCA) noted that the introduction of criminal
sanctions was 'potentially disruptive and unworkable'.
The Attorney-General's Department (AGD) outlined that the Privacy
Act already contains a number of criminal offences in the credit reporting
context, as well as for failure to attend a conference when directed by the Australian
However, it has been noted that these offences 'are arguably exceptional' to
the Privacy Act, with the Australian Law Reform Commission having previously
recommended that the credit reporting offences be repealed and replaced with
The AGD explained the rationale for the criminal penalties within
the bill in the following way:
...de-identification of data is not without risk as it is not
possible to provide an absolute guarantee that de-identified information could
never be re‑identified. The Government needs to balance this risk against
the public benefit that the release of de-identified data presents.
Accordingly, the Bill provides for re-identification offences at sections 16D
and 16E as they are an appropriate mechanism to deter entities from doing
considerable harm by re-identifying and/or disclosing re-identified personal
Other submitters expressed a view that it is inequitable to criminalise
conduct relating to the re-identification of data but not to criminalise
conduct relating to poorly or improperly de-identified data. It was argued that
the harm would be caused by the publication of the poorly de-identified dataset
by the responsible agency and not by the entity that notices that the dataset
has been poorly de-identified.
The AGD explained that agencies are already subject to the
Australian Privacy Principles (APPs) under the Privacy Act and failure to
implement robust de‑identification processes may risk breaching the APPs.
In broad terms, the APPs are a set of principles concerning the handling, use
and management of personal information and these apply to Australian government
agencies, private health service providers, the private sector and not-for
profit organisations with an annual turnover of more than $3 million and some
small businesses. Under APP 1.2, agencies are required to implement practices,
procedures and systems to ensure that they comply with the Privacy Act, which
includes taking reasonable steps to ensure that personal information is not
disclosed through open publication.
To assist agencies to properly manage and de-identify data
increasing numbers of Commonwealth resources are being made available. This
includes guidance developed by the OAIC,
the Australian Bureau of Statistics,
and the Department of the Prime Minister and Cabinet.
Additionally, the OAIC is in the process of updating its de‑identification
guidance materials and advises that it expects these resources to be released
for consultation by early 2017.
As a way of strengthening the ability of Commonwealth agencies to
manage privacy risks the OAIC suggested the development of a Privacy Code
across the Australian public sector.
The OAIC explained that a Privacy Code could set out how one or more of the
APPs are to be applied and impose additional requirements to those contained in
the APPs, thereby supporting agencies towards best de‑identification
Scope of offences and civil penalties
Submitters were broadly concerned with two aspects relating to
the scope of the offences and civil penalties proposed in the bill: the entities
that would be captured by the new provisions; and that the provisions were
drafted too broadly.
It is noted that the bill has a wider reach than the Privacy Act
as, in addition to applying to Australian government agencies and private
sector organisations, it also applies to small businesses
and individuals acting in their private capacity. The bill has exclusions which
apply to agencies in connection with the performance of their functions and
activities, contracted service providers for the purpose of meeting an
obligation under a Commonwealth contract, and entities for the purpose of an
agreement with the agency.
A number of submitters were particularly worried that researchers
would be captured by the bill and that this would have the effect of discouraging
investigation and research into information security.
One submission suggested that the effect of criminalising re-identification of
data would be to:
...inhibit open investigation, which could mean that fewer
Australian security researchers find problems and notify the government.
Criminals and foreign spy agencies will be more likely to find them first.
The Explanatory Memorandum (EM) explains that proposed subsection
16CA(2) makes clear that an entity that is employed by, or engaged to provide a
service to, a State or Territory authority is exempt from the operation of the
The OAIC explains that:
... the majority of acts, practices, and/or organisations which
are currently exempt from the application of the Privacy Act will also be exempt
from the scope of the Bill. Acts or practices currently exempt from the Privacy
Act include acts done by media organisations in the course of journalism;
political acts and practices; and, as most Commonwealth legislation (including
the Privacy Act) does not bind the States and Territories, the activities of
state and territory bodies (including their employees) are also exempt. I note
that the majority of universities in Australia are State and Territory bodies.
However, some submitters remain concerned that the bill may
continue to bind State and Territory authorities which could capture
universities and researchers employed by universities.
The Attorney-General has reiterated that State and Territory authorities, which
includes universities, are not subject to the Privacy Act and therefore also
not subject to the offences and penalties of the bill:
I note that the provisions in the Bill do not apply to
universities or any other authorities established under State and Territory
authorities (see subsection 6C(1) of the Privacy Act, which states that an
organisation for the purposes of the Privacy Act does not include a State or
Territory authority): Under subsection 16CA(2) of the Bill this exemption also
applies to acts done in the course of employment or service by individuals
employed by, or engaged to provided services to, those exempt universities...
Two submitters expressed a view that researchers should not need
to be affiliated with a university or institution to fall outside of the scope
of the bill and claimed that their work in the area of cyber security would be
stifled due to the provisions of the bill.
The Attorney-General explained that the offences created under
the proposed sections of the bill would be unlikely to interfere with the
ability to conduct research which is in the public interest.
The AGD outlined that for those researchers who were not based in universities,
the exclusions in proposed subsections 16D(3)-(4), 16E(4)-(5), and 16F(6)-(7)
Additionally, provision is made for the Attorney-General to determine that an
entity is an exempt entity.
The Attorney‑General's determination power to exempt an entity will be
discussed later in this chapter.
The LCA suggested that it is unclear whether the exemption
provisions would apply to sub-contractors:
It is not clear whether this exemption is intended to apply
to sub-contractors of the entity which is the main contracted service provider.
The Explanatory Memorandum states the intention of the exemption is to allow
entities to engage in functions and activities such as information security
tests. It would not be uncommon for such tests to be carried out by sub‑contractors.
The AGD clarified that sub-contractors will be included in the
exclusion that applies to contracted service providers as sub-contractors are
included in the definition of 'contracted service provider' at section 6 of the
Nature of offences and civil
Some submitters were concerned that the offences were drafted too
broadly. One submitter suggested that rather than considering whether
re-identification was intentional, the offences should consider whether there
was any intent to use the data to do harm.
Another submitter claimed that the 'intention' requirement within these
offences is not clear.
The Australian Bankers' Association provided the following example of where it
is not clear whether the intention requirement within the bill would be
...a de-identified Government data set is used, and at some
stage in the analytics process is combined with another data set, for
commercial purposes including better consumer choice, and this leads to re‑identification
of the information.
While the AGD has not addressed this particular example, the AGD
has clarified in its submission that:
Unintentional re-identification that occurs as a by-product
of other public interest research using a government dataset, for example
through data matching, would not constitute an offence under section 16D. While
the offence for disclosure in section 16E applies to information which is
intentionally or unintentionally re-identified, the offence itself is confined
to the intentional disclosure of re-identified information to a person or
entity other than the responsible agency when the entity is aware the
information is re-identified. Merely disclosing that a de-identified dataset
published by government could be re-identified, or speculating about the
possibility of re-identification, would therefore not constitute an offence
under section 16E. Similarly, inadvertent disclosure of re-identified
information where the entity is not aware that the information is re‑identified
would also not constitute an offence.
A number of submitters noted that the Privacy Act only operates
in Australia and therefore de-identification or disclosure which occurs outside
of Australia would not be captured by the bill. For example, the OAIC noted
that information now traverses national borders and regulatory jurisdictions
and warned agencies to be mindful when releasing de-identified information as
entities outside Australia may not be subject to the jurisdiction of the
Breadth of the Minister's discretionary power to exempt
Proposed section 16G provides that the Minister may determine
that an entity, or class of entities, is an exempt entity for the purposes of
one or more of the offence provisions in relation to cryptology, information
security, data analysis, or 'any other purpose that the Minister considers
appropriate', and if the Minister is satisfied that it is in the public
interest to do so. While the determination is a legislative instrument, it is
not subject to disallowance pursuant to section 42 of the Legislation Act
The Scrutiny of Bills Committee noted that the Minister's
discretionary power to exempt an entity from proposed sections 16D, 16E or 16F
is based on a single criterion: that the Minister is satisfied that it is in
the public interest for the power to be exercised.
The Scrutiny of Bills Committee indicated that this may suggest that the
offence and civil penalty provisions are drawn too broadly.
In response to the concerns raised by the Scrutiny of Bills
Committee, the Attorney-General advised that he considered the offence and
penalty provisions of the bill appropriate and sufficiently defined. The
Attorney-General explained that the exemption provision:
...is intended to provide an appropriate balance between
protecting the privacy of individuals and allowing for legitimate research to
continue...It is my expectation that the predominant reason for an exemption
determination under section 16G will be in relation to the specific research
purposes involving cryptology, information security and data analysis which is
in the public interest. However, the ability to grant exemptions for 'any other
purpose' ensures there is appropriate flexibility in the event that other
legitimate reasons to grant exemptions arise in the future which are not
In view of the narrow scope of the proposed offences noted
above, I do not expect there will be a large number of entities who will need
exemptions for research in the public interest which requires the intentional
re‑identification of de-identified personal information published by a
In response to this assertion, the Scrutiny of Bills Committee
reiterated its view that 'it is appropriate that Parliament define the
boundaries of criminal wrong‑doing rather than leaving these boundaries
to depend (in part) on executive decision-making'.
While the Scrutiny of Bills Committee maintained its concerns, it noted the
importance of the information provided by the Attorney-General as a point of
access to understanding the law, and requested that key information be included
in the EM.
Some submitters expressed concern about the Attorney-General's
discretionary power to exempt certain entities.
The Australian Bankers' Association sought clarity on whether the Minister
might exempt commercial organisations, such as banks, which it argues are also
engaging in valuable research in areas of de‑identification techniques,
cryptology and information security.
The AGD provided further clarity about the process it would be
undertaking to determine classes of exempt entities for the purpose of proposed
...the department expects that the primary focus of any
determination will be on exempting classes of entities, rather than specific
individuals (although it would still be possible to exempt individual entities
if required). The department intends to conduct public consultation to
identify relevant classes of entities who may require exemptions prior to the
Attorney-General making any determination. The department will also consider
implementing a regular, annual consultation process for exemption instruments
to ensure there is greater certainty and a clear process for entities which may
It was also raised that the Minister's determinations would not
be subject to the rules of disallowance.
One submitter argued that preventing disallowance of potentially unfair
decisions by the executive in relation to exemptions could lead to an erosion
of the checks and balances that would normally be available.
The EM explains why the rules of disallowance do not apply to the
Minister's determinations. This includes providing commercial certainty to
entities that would likely be undertaking projects or research activities which
would involve a commercial benefit of some kind and would require a commitment
of resources to undertake from the outset, as well as the time critical nature
of some projects or research activities.
Additionally, the requirement for the Minister to consult with the Commissioner
prior to making any determination was considered to provide a degree of
scrutiny and transparency.
The Scrutiny of Bills Committee considered that the rationale
provided in the EM in relation to the Minister's determination not being
subject to the rules of disallowance was sufficient, and made no further
comment in relation to this issue.
A number of submitters raised concerns relating to the
retrospective application of the bill.
If the bill is passed, the proposed new offences
would operate from 29 September 2016, being the date of the Attorney-General's
media release advising of the government's intention to introduce a criminal offence
of re‑identifying de‑identified government data.
It is noted that while proposed section 16F applies to conduct from 29
September which re-identifies personal information, the obligation to notify
the responsible agency does not apply until after royal assent.
The LCA outlined its opposition to laws that apply
retrospectively. In particular, it noted that retrospective measures generally
offend rule of law principles, namely, that 'the law must be readily known and
available, and certain and clear'.
It cited a number of High Court decisions which cautioned against retrospective
legislation and emphasised the principle that the criminal law needs to be
known by those who are subject to it.
The retrospective application of the bill was also raised by the
Senate Standing Committee for the Scrutiny of Bills. The Scrutiny of Bills
Committee noted that it has consistently commented on making 'legislation by
press' and that its concerns are particularly acute in relation to provisions
which create new offences.
In response to the Scrutiny of Bills Committee's concerns the
Attorney‑General acknowledged that while retrospective offences challenge
a key element of the rule of law, the retrospective application of this bill
was made clear when the amendments were announced. The Attorney-General
explained that given the significant consequences for individuals if personal
information was released, the government considered it important to provide a
strong disincentive to entities who may have considered re-identification or
disclosure of personal de-identified data while the Parliament considered the
The Scrutiny of Bills Committee acknowledged the importance of protecting
privacy and reputation however, noting that:
...this is not, in itself, sufficient to override this general
principle [that laws should only operate prospectively]. The importance of laws
operating only prospectively is particularly acute in relation to the criminal
law, where conduct should only be criminalised from the date the law making the
conduct criminal commences. This supports long-recognised criminal law
principles that there can be no crime or punishment without law.
The Parliamentary Joint Committee on Human Rights outlined its
concerns relating to the incompatibility of these retrospective offences with
article 15 of the International Covenant on Civil and Political Rights
(ICCPR). The Human Rights Committee noted that 'as an absolute right that
cannot be limited, there can be no justifiable limitation on the prohibition on
retrospective criminal laws so as to accord with human rights law'.
It requested advice from the Attorney-General as to whether consideration has
been given to amending proposed paragraphs 16D(1)(c) and 16E(1)(c) so that
these sections operate from the date of Royal Assent. To date, the
Attorney-General has not responded to the Human Rights Committee's report.
Several submitters referred to the ability of government to
back-date laws to a press release date as setting a dangerous precedent.
While another submitter explained that after its first announcement, a
spokesman for the Attorney-General's office informed the media that there would
be provision made for legitimate research to continue. The submitter noted that
they had interpreted this to mean that 'all' legitimate research would
be allowed as opposed to 'some' legitimate research may be exempt.
The submitter stated that researchers may be left in the situation of being
unable to tell the government what they had discovered during the time that
they thought the investigation was legal.
The AGD explained that:
The Guide to Framing Commonwealth Offences, Infringement
Notices and Enforcement Powers provides that offences may be made
retrospective where there is 'a strong need to address a gap in existing
offences, and moral culpability of those involved means there is no substantive
injustice in retrospectivity.' The government considers that these narrowly
prescribed offences meet these requirements.
The AGD went on to explain that the recently identified
vulnerability in the Department of Health's dataset showed that there were gaps
in privacy legislation and that the government acted immediately to strengthen
protections for personal information against re-identification.
It noted that the bill provides a strong disincentive to entities who may have
been tempted to attempt re‑identification of any published datasets while
the parliament considers the bill. Additionally, the AGD explained that the
government acted to ensure that the retrospective application is only for a
short period of time.
Reverse burden of proof
Proposed subsections 16D(2)-(5), 16E(3)-(6) and 16F(5)-(8) of the
bill provide a number of exemptions to the offences and civil penalties
relating to re‑identification and disclosure of de‑identified
personal information, and the requirement to inform the responsible agency of
the de-identified information. In particular, these provisions reverse the
burden of proof by requiring the entity to prove that the re‑identification
or disclosure of the de-identified information was consistent with one of the
the entity is an agency and the act was done in connection with
the performance of the agency's functions or activities, or the agency was
required or authorised to do the act under Australian law or court order;
the entity was a contracted service provider for a Commonwealth
contract to provide services for a responsible agency and the act was done for
the purposes of meeting (directly or indirectly) an obligation under the
the entity entered into an agreement with the responsible agency
to perform functions or activities on behalf of the agency, and the act was
done in accordance with the agreement; or
the entity is an exempt entity for the purpose of a determination
in force under section 16G and the act was done for a purpose specified in the
determination and in compliance with any conditions specified in the
The statement of compatibility contained in the EM noted that
reversing the burden of proof is generally not consistent with the presumption
of innocence under article 14(2) of the ICCPR, however it considered that in
this case it was reasonable and appropriate for the burden of proof to be
The EM states that government does not anticipate that it will be difficult for
an entity to demonstrate that its actions falls within one of the exemptions,
that it is expected that the prosecution will not proceed where it is clear
that the entity will rely on an applicable defence during the proceedings, and
that it reflects the seriousness of the prohibited conduct.
The Parliamentary Joint Committee on Human Rights considered the
information provided within the EM and concluded the reversed burden of proof
contained within the bill was compatible with the presumption of innocence
contained in article 14 of the ICCPR on the basis that the burden was
evidentiary in nature, rather than legal.
The Human Rights Committee expressed the view that 'the measures are likely to
be a proportionate limitation on the presumption of innocence'.
The Scrutiny of Bills Committee also considered the information
contained within the EM and sought further justification from the Attorney‑General
and requested that the principles set out in the Guide to Framing
Commonwealth Offences, Infringement Notices and Enforcement Powers (the
Guide) be addressed.
In response to concerns raised by the Scrutiny of Bills Committee the
Attorney-General explained that relevant matters would be peculiarly within the
knowledge of the defendant and it would be significantly more difficult and
costly for the prosecution to prove that the exclusion did not apply.
However, the Scrutiny of Bills Committee noted that page 50 of
the Guide states that the fact that it is difficult for the prosecution to
prove a particular matter has not traditionally been considered a sound justification
for placing a burden of proof on the defendant.
Despite the additional information provided by the Attorney-General, the
Scrutiny of Bills Committee remained of the view that the reversal of the
evidentiary burden of proof may not be framed in accordance with the relevant
principles set out in the Guide:
...it is not apparent to the committee that it would be
particularly onerous for the prosecution to prove the existence of an agreement
or contract with the Commonwealth, given there does not seem to be any
impediment on the Commonwealth supplying evidence of that agreement or contract
to the prosecution. It is also not apparent, on the information provided to the
committee, that such matters would be peculiarly within the knowledge of
The Scrutiny of Bills Committee noted the importance of the
information provided by the Attorney-General as a point of access to
understanding the law, and requested that the information be included in the EM.
The committee notes the concerns that have been expressed about
aspects of this bill by submitters, including the introduction of criminal
offences, the reversed burden of proof and the retrospective application of the
bill. However, given the gap that was recently identified in privacy
legislation, the committee is of the view that the bill provides a necessary
and proportionate response. In arriving at this conclusion the committee has
given careful consideration to the need to balance the benefits that open data
can provide with the need to strengthen the protections to the privacy of
Australians while also continuing to encourage research in the areas of
information security. The committee considers that the bill achieves this
The committee acknowledges the Scrutiny of Bills Committee’s
comments on retrospective legislation—and the information provided by the
Attorney-General and published in that committee’s Tenth Report of
2016—and is generally reluctant to endorse laws that operate retrospectively.
However, in this instance the committee notes that the Minister’s announcement
was in the current term of parliament, was very specific, and indicated clearly
that the legislation was to apply from the date of the announcement. There is
sufficient particularity in the announcement to alert would-be offenders of the
nature of the offence.
The committee also notes concerns expressed by the research
community but has formed the view that researchers employed by States and
Territories (which includes most universities) will not fall within the scope
of the Privacy Act. Additionally, the bill has exclusions for agencies in
connection with their functions and activities or authorised by law, for
contracted service providers for the purpose of meeting an obligation under a
Commonwealth contract and for entities in accordance with an agreement between
the entity and the responsible agency. Moreover, the committee is reassured by
the consultation process the AGD will put in place to ensure that researchers not
connected to universities will have an opportunity to be considered within a
class of entities subject to the Minister’s exemption determination powers.
2.51 The committee recommends that the bill be passed.
Hon Ian Macdonald
Navigation: Previous Page | Contents | Next Page