New clause will allow researchers to test integrity of anonymized datasets without fear of reprisal
The UK government has put forward amendments the country’s Data Protection Bill that will exempt security researchers from laws preventing the de-anonymization of personal data.
Introduced on September 13, 2017, the Data Protection Bill aims to give UK residents more control over their data and support businesses in a post-Brexit Britain.
However, the new legislation caused a stir in the security community after it became apparent that white hat hackers could be criminalized for testing the integrity of anonymized datasets.
Clause 162 of the Data Protection Bill stipulates: “It is an offence for a person knowingly or recklessly to re-identify information that is de-identified personal data.”
The clause didn’t sit well with researchers, who drew attention to the fact that they may indeed be tasked with attempting to find flaws in an enterprise’s data anonymization methods.
The proposed amendment to the Data Protection Bill would permit researchers to conduct what the government calls “effectiveness testing” exercises, although white hats must inform the Information Commissioner’s Office (ICO) when their efforts to de-anonymize personal data prove successful.