New GDPR Laws Could Hinder Data Breach Investigators

The United Kingdom’s Data Protection legislation, which aims to protect British internet users’ privacy, has come at a time when the European Union’s General Data Protection Regulation (GDPR) is about to take effect.

The GDPR is intended to synchronize data privacy laws and provide better protection and rights to people in Europe. The new data protection bill falls under GDPR, which seeks to harmonize such laws. Although the primary objective of the proposed legislation is to protect the privacy of British internet users, it may render unlawful the work of experts who uncover mishandling of personal data.

This bill will contain a clause that criminalizes intentional or reckless re-identification of individuals from pseudonymized or anonymous data. According to this proposal, persons who violate the clause risk a maximum penalty of an unlimited fine.

Individuals whose privacy has been violated find the exercise of cross-referencing information with other obtainable data to identify themselves (de-anonymizing) very challenging.

In 2006, for instance, anonymized data provided by AOL exposed criminal activity when it was de-anonymized by cross-referencing it with phonebook listings. Netflix was among the culprits and was sued by a person whose sexual preference was disclosed by anonymized data. The investigations that underscore such illegalities are critical and need to be defended. However, the government’s proposed bill may end up criminalizing such efforts while doing little to prevent the release and distribution of poorly anonymized data.

The European General Data Protection Regulation is anticipated to become effective in May 2018 and will alter how public and private entities manage information of customers and other persons. It will likely strengthen data protection laws across Europe.

Given the proposed bill in Britain described above, security researchers acting in good faith could be inhibited. This will have a negative impact on open investigation, which could deny the government critical information needed to uncover data abuse or criminal activity.

The UK bill should consider exempting journalists, whistleblowers, and security researchers so that their work revealing mishandling of personal data is not criminalized.