Data, disclosure and de-identification – Will proposed offences in the Data Protection Bill make criminals of us all?
De-identification of personal data is an important and widely used strategy deployed to mitigate the risk of unauthorised disclosure or access.
The techniques that are deployed are varied. They do not necessarily render the data ‘anonymous’ as defined by the General Data Protection Regulation (GDPR). That is often not their intention. Deliberate, and sometimes technically sophisticated, efforts to subvert those security measures are a legitimate cause for concern. There can be little principled objection to outlawing such steps by individuals who have no legitimate reason to possess the de-identified data, less still ‘re-identify’ it.
The criminalisation of ‘re-identification’ proposed in cl 162 of the Data Protection Bill is not an entirely novel innovation. Such a measure has been under active consideration in Australia for some time. The Australian proposal was limited to information which was made publicly available by a public authority and criminal liability was limited to entities rather than individuals. The proposal was heavily criticised, not least because the available defences were ‘reverse onus’ provisions (or at least they were regarded as ‘reverse onus’ by eminent legal authorities in Australia).
The proposed offence
In this article I use regulatory proceedings as a context in which to consider the scope of the proposed offence and available defences. In such proceedings it is common for witness statements and documentary evidence to be redacted to remove identifiers of complainants, witnesses and others.
Those steps are not intended to withhold the identities of those individuals from the other party or parties. They serve to protect documents in transit and to reflect the anonymisation of non-parties during the course of first instance hearings. The personal data is therefore ‘de-identified’.
I note that where first instance decisions are appealed to the High Court the ‘de-identification’ is often abandoned, with key players being ‘re-identified’. However, such ‘re-identification’ happens at a more mundane level during the course of such investigations. ‘De-identified’ material sent between the parties may be ‘re-identified’ by information in the subject line or text of a covering email. It may be contextually ‘re-identified’ when the document is filed with other material which provides additional information permitting
This article explores where those instances of ‘re-identification’, which are not obviously inappropriate and which occur as part of the legitimate conduct of the prosecutor/defence team, are caught by the proposed criminal offence of ‘re-identification’ contained in clause 162 of the Data Protection Bill.
The proposed offence of re-identification is defined by reference to the process of de-identification of personal data, in the following way:
- It is an offence for a person knowingly or recklessly to re-identify information that is de-identified personal data without the consent of the controller responsible for de-identifying the personal data.
- For the purposes of this section:
- personal data is ‘de-identified’ if it has been processed in such a manner that it can no longer be attributed, without more, to a specific data subject;
- a person ‘re-identifies’ information if the person takes steps which result in the information no longer being de-identified within the meaning of paragraph (a).
It will be noted that effectively implemented redaction is sufficient to meet the definition of ‘de-identification’.
The absence of the controller’s consent is an element of the o ence. The consent in question is that of the controller ‘responsible for de-identifying’. As it is not the consent of the data subject it is not clear whether consent in this section bears the meaning of consent in the GDPR.
A legitimate recipient of de-identified information in the context of a regulatory investigation will already be aware of the identities of the individuals involved. However, that existing knowledge is not relevant to consideration as to whether the document is ‘de-identified personal data’ for the purposes of the offence (because of the qualifying words ‘without more’).
Furthermore, the communication may be from someone other than the controller responsible for de-identifying the data and the recipient may have no information as to the de-identifier’s consent or identity.
Thus, it appears that the mere act of filing the ‘de-identified’ data in the relevant case file may ‘re-identify’ it and presumptively constitute an offence, placing the onus on the accused to establish a defence. In those circumstances, it is necessary to consider the scope of the available defences and whether they serve as a suitable counterbalance to a very broadly drawn offence.
As with the proposed approach in Australia, the defences provided in cl 162 are reverse onus provisions. A frequent justification for reverse onus defences is that they relate to matters which are peculiarly within the knowledge of the defendant (see Lord Hope’s second consideration in R v DPP (ex p Kebilene)  2 AC 326). A further justification is that important matters have to be proved by the prosecution beyond reasonable doubt before any liability can attach to the accused (Lord Hope’s first consideration in Kebilene). It might be thought that that threshold is not met by the drafting of cl 162.
The proposed defences fall into two broad categories.
An exculpatory purpose
The first group of defences is set out in Cl 162(3) as follows:
(3) It is a defence for a person charged with an offence under subsection (1) to prove that the re-identification: (a) was necessary for the purposes of preventing or detecting crime, (b) was required or authorised by an enactment, by a rule of law or by the order of a court, or (c) in the particular circumstances, was justified as being in the public interest.
I leave aside consideration of sub-para (a) on the basis that it will not be broadly available in the context considered here.
The question as to whether the sort of re-identification referred to above is required or authorised by enactment or by rule of law is perhaps a more challenging question. I know of no enactment or rule of law which specifically authorises ‘re-identification’ in the context described. Perhaps the principle of open justice might be regarded as a rule of law requiring re-identification in the context of High Court appeals. That is a subject for another day.
The requirement to rely on a justification that the re-identification is ‘in the public interest’ brings with it a considerable degree of uncertainty. It will be rare that the actus reus of ‘re-identification’ could be regarded as positively being in the public interest, as distinct from it simply not being contrary to the public interest. It will not be sufficient that the re-identification was undertaken as part of the legitimate conduct of the defence case.
Reasonable belief defences
Reasonable belief defences are also available and fall into two broad categories:
- reasonable beliefs about the data
- reasonable beliefs in respect of the consent of the controller. I emphasise that an honest or genuine belief will not suffice.
The data subject
As currently drafted it would be a defence for the accused to prove that they acted in the reasonable belief that they were the data subject; or had the consent of the data subject; or that they would have had such consent if the data subject had known about the re-identification and ‘the circumstances of it’.
The qualification ‘and the circumstances of it’ suggests that the consent in question here is informed consent of the sort specified in the GDPR. Thus, in reality, the requirement would be for the defendant to prove they reasonably believed they had the informed consent of the data subject. By virtue of the GDPR, consent requires an affirmative act. At the very least it would be challenging for someone who had no direct knowledge of the data subject to prove a reasonable belief in such actual informed consent and no less difficult to prove a reasonable belief that the specific data subject would have consented. It is important to bear in mind that a single document, contextually filed, may result in re-identification of multiple data subjects. The defendant would be required to establish their reasonable belief in respect of each and every one.
A reasonable belief in the consent of the controller, or that the controller would have consented if they had known about the re-indentification and ‘the circumstances of it’, will also serve as a defence. Again, this must be consent to the re-identification and, it seems, the belief must be in the existence of informed consent. It must be remembered that the controller in question must be ‘the controller responsible for the de-identification’. It is not a defence to have a genuinely mistaken belief in respect of the identity of that controller. The identity will not always be apparent from the communications received.
Those provisions are problematic as, in many cases, redacted documents will refer to numerous data subjects. In some instances, their involvement may be remote and collateral. They may be unaware of the nature of the process in which it is being undertaken. That possibility is recognised in the GDPR by means of the exemptions to the notification requirements contained in Article 14. As noted above, obvious questions arise in relation to what would be required in order to prove consent in this context.
The Data Protection Bill is currently working its way through Parliament.
Three members of the House of Lords have opposed the adoption of cl 162 while others have proposed amendments. The offence is very widely drawn and risks criminalising unobjectionable conduct. It places too great a burden on the defendant. It is contained in a Bill which must complete its passage through Parliament swiftly and there is a danger that it will not receive sufficient consideration.
This article was first published by the New Law Journal on 19 January 2018 and is reproduced with kind permission.
This briefing is for guidance purposes only. RadcliffesLeBrasseur LLP accepts no responsibility or liability whatsoever for any action taken or not taken in relation to this note and recommends that appropriate legal advice be taken having regard to a client's own particular circumstances.