The collapse of confidence in anonymization (sometimes also known as de-identification) as a robust approach for preserving the privacy of personal data has incited an outpouring of new approaches that aim to fill the resulting trifecta of technical, organizational, and regulatory privacy gaps left in its wake. In the latter category, and in large part due to the growth of Big Data–driven biomedical research, falls a growing chorus of calls for criminal and penal offences to sanction wrongful re-identification of “anonymized” data. This chorus cuts across the fault lines of polarized privacy law scholarship that at times seems to advocate privacy protection at the expense of Big Data research or vice versa. Focusing on Big Data in the context of biomedicine, this article surveys the approaches that criminal or penal law might take toward wrongful re-identification of health data. It contextualizes the strategies within their respective legal regimes as well as in relation to emerging privacy debates focusing on personal data use and data linkage and assesses the relative merit of criminalization. We conclude that this approach suffers from several flaws and that alternative social and legal strategies to deter wrongful re-identification may be preferable.
Australian Government Productivity Commission. 2016. Data availability and use: Productivity commission draft report. Canberra: Commonwealth of Australia.
Australian Government. 2016. Linkable de-identified 10% sample of Medicare Benefits Schedule (MBS) and Pharmaceutical Benefits Schedule (PBS). https://data.gov.au/dataset/a8e3c0bc-44ac-4e9a-8b3c-b779438ddb10. Accessed February 4, 2017, but no longer available. An archived version can be found at https://web.archive.org/web/20170204164647/ https://data.gov.au/dataset/a8e3c0bc-44ac-4e9a-8b3c-b779438ddb10. Accessed 23 August 2017.
Barocas, S., and H. Nissenbaum. 2014. Big data’s end run around anonymity and consent. In Privacy, big data, and the public good, edited by J. Lane, V. Stodden, S. Bender, and H. Nissenbaum, 44–75. Cambridge: Cambridge University Press. CrossRef
Barth-Jones, D. 2012. The “re-identification” of Governor William Weld’s medical information: A critical re-examination of health data identification risks, then and now. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2076397. Accessed August 23, 2017.
Black Book Market Research. 2017. Healthcare’s digital divide widens, black book consumer survey. https://blackbookmarketresearch.newswire.com/news/healthcares-digital-divide-widens-black-book-consumer-survey-18432252. Accessed August 23, 2017.
Brandis, G. 2016. Amendment to the Privacy Act to further protect de-identified data. https://www.attorneygeneral.gov.au/Mediareleases/Pages/2016/ThirdQuarter/Amendment-to-the-Privacy-Act-to-further-protect-de-identified-data.aspx. Accessed August 23, 2017.
Cate, F.H., and V. Mayer-Schönberger. 2013. Notice and consent in a world of Big Data. International Data Privacy Law 3(2): 67–73. CrossRef
Commission d’accès à l’information du Québec. 2016. Rétablir l’équilibre: Rapport quinquennal 2016. Quebec City: Government of Quebec.
Contreras, J.L. 2016. Genetic property. Georgetown Law Journal. 105(1): 1–54.
Council of Canadian Academies. 2015. Accessing health and health-related data in Canada: The expert panel on timely access to health and social data for health research and health system innovation. Ottawa: Council of Canadian Academies.
Culnane, C., B. Rubinstein, and V. Teague. 2016a. Understanding the maths is crucial for protecting privacy. https://pursuit.unimelb.edu.au/articles/understanding-the-maths-is-crucial-for-protecting-privacy. Accessed August 23, 2017.
———. 2016b. Can the government really protect your privacy when it “de-identifies” public data? Sydney Morning Herald, December 5.
De Hert, P., and G. Boulet. 2016. The co-existence of administrative and criminal law approaches to data protection wrongs. In Enforcing privacy: Regulatory, legal and technological approaches, edited by D. Wright, and P. De Hert, volume 25 in the Law, governance, and technology series, 357–394. Springer.
El Emam, K., and L. Arbuckle. 2014. De-identification: A critical debate. Future of Privacy Forum, July 24. https://fpf.org/2014/07/24/de-identification-a-critical-debate/. Accessed August 23, 2017.
Fisher, D. 2017. California law makes ransomware use illegal. Onthewire, January 4. https://www.onthewire.io/california-law-makes-ransomware-use-illegal. Accessed August 23, 2017.
Gellman, R. 2011. The deidentification dilemma: A legislative and contractual proposal. Fordham Intellectual Property, Media and Entertainment Law Journal. 21(1): 32–61.
Gorce, G., and F. Pillet. 2014. Rapport d’information fait au nom de la commission des lois constitutionnelles, de législation, du suffrage universel, du Règlement et d’administration générale sur l’open data et la protection de la vie privée. Number 469. Ordinary session of 2013–2014. April 16.
Hengesbaugh, B., M. Stoker, D. Krone. 2011. Ten steps every organization should take to address global data security breach notification requirements. The Privacy Advisor. 11(7): 1–6.
Hennigan, W.J., and B. Bennett. 2016. Criminal hackers now target hospitals, police stations and schools. Los Angeles Times, April 8.
IBM. 2016. Ransomware: How consumers and businesses value their data. https://www-01.ibm.com/marketing/iwm/dre/signup?source=mrs-form-10908. Accessed August 23, 2017.
Keen, A. 2016. E-stonia: The country using tech to rebrand itself as the anti-Russia. The Guardian, April 21.
Kuner, C. 2013. Transborder data flows and data privacy law. Oxford: Oxford University Press. CrossRef
Laurie, G., L. Stevens, K.H. Jones, and C. Dobbs. 2014. A review of evidence relating to harm resulting from uses of health and biomedical data. Nuffield Council on Bioethics.
Lowrance, W.W. 2002. Learning from experience: Privacy and the secondary use of data in health research. London: Nuffield Trust.
McGee, M.K. 2015. Prison term in HIPAA violation case. infoRisk Today, February 20. http://www.inforisktoday.com/prison-term-in-hipaa-violation-case-a-7938. Accessed August 23, 2017.
McLean, A. 2016. NSW Data Analytics Centre privacy guidelines under fire from private sector. ZDNet. November 17.
Middleton, K. 2016. Millions of Australians caught in health records breach. The Saturday Paper, October 8.
Narayanan, A., J. Huey, and E.W. Felten. 2015. A precautionary approach to Big Data privacy. http://randomwalker.info/publications/precautionary.pdf. Accessed August 23, 2017.
Nass, S.J., L.A. Levit, L.O. Gostin, and Institute of Medicine of the National Academies. 2009. Beyond the HIPAA privacy rule: Enhancing privacy, improving health through research. Washington, DC: National Academies Press. CrossRef
National Data Guardian for Health and Care. 2016. Review of data security, consent and opt-outs. https://www.gov.uk/government/publications/review-of-data-security-consent-and-opt-outs. Accessed August 23, 2017.
New Zealand Data Futures Forum. 2014. Harnessing the economic and social power of data. https://www.nzdatafutures.org.nz/sites/default/files/NZDFF_Key_recommendations.pdf. Accessed August 23, 2017.
Nissenbaum, H. 2016. Must privacy give way to use regulation? March 15 presentation as part of the Cybersecurity Speaker Series at Brown University.
Office of the Privacy Commissioner of Canada. 2016. Consent and privacy: a discussion paper exploring potential enhancements to consent under the Personal Information Protection and Electronic Documents Act. https://www.priv.gc.ca/en/opc-actions-and-decisions/research/explore-privacy-research/2016/consent_201605
Ohm, P. 2010. Broken promises of privacy. UCLA Law Review 57: 1701.
Organisation for Economic Co-operation and Development (OECD). 2013. The OECD privacy framework. http://oecd.org/sti/ieconomy/oecd_privacy_framework.pdf. Accessed August 23, 2017.
out-law.com. 2014. Google closes briefcase on Italian job: Execs “not liable” for privacy breach. The Register, February 6.
Parliament of the Commonwealth of Australia, Senate. 2016. Privacy Amendment (Re-identification Act) Bill 2016: Explanatory Memorandum.
Pilgrim, T. 2016. De-identification: The de-vil is in the de-tail. The Mandarin, November 3.
Prainsack B. 2015. Why we should stop talking about data sharing. DNA Digest. http://dnadigest.org/why-we-should-stop-talking-about-data-sharing. Accessed August 23, 2017.
President’s Council of Advisors on Science and Technology. 2014. Big Data and privacy: A technical perspective. https://www.whitehouse.gov/sites/default/files/microsites/ostp/PCAST/pcast_big_data_and_privacy_-_may_2014.pdf. Accessed January 19, 2017, but no longer available. An archived version can be found at https://web.archive.org/web/20170119222000if_/https://www.whitehouse.gov/sites/default/files/microsites/ostp/PCAST/pcast_big_data_and_privacy_-_may_2014.pdf. Accessed August 23, 2017.
Robertson, J. 2013. Who’s buying your medical records? Bloomberg News, June 5. www.bloomberg.com/infographics/2013-06-05/whos-buying-your-medical-records.html. Accessed August 23, 2017.
Ruby, C.C., J.G. Chan, and N.R. Hasan. 2012. Sentencing. 8th ed. Markham: LexisNexis Canada.
Schneier, B. 2013. Why the NSA’s defense of mass data collection makes no sense. The Atlantic, October 21.
———. 2015. Data and goliath. W.W. Norton & Company.
———. 2016. Data is a toxic asset, so why not throw it out? CNN, March 1. http://edition.cnn.com/2016/03/01/opinions/data-is-a-toxic-asset-opinion-schneier/index.html. Accessed August 23, 2017.
Sorbie, A. 2016. Conference report: Liminal spaces symposium at the IAB 2016: What does it mean to regulate in the public interest? SCRIPTed. 13: 374–81. CrossRef
Spooner, R., and N. Towell. 2016. Fears that patients’ personal medical information has been leaked in Medicare data breach. Canberra Times, September 29.
Sweeney, L. 2000. Uniqueness of simple demographics in the U.S. population. Laboratory for Int’l Data Privacy’s Working Paper LIDAP-WP4.
———. 2015. Only you, your doctor, and many others may know. http://techscience.org/a/2015092903. Accessed August 23, 2017.
Tene, O., and J. Polonetsky. 2013. Big Data for all: Privacy and user control in the age of analytics. Northwest Journal of Technology & Intellectual Property. 11(5): 239–273.
Thomas R., and T. Walport. 2008. Data sharing review report. July 11. http://webarchive.nationalarchives.gov.uk/+/http:/www.justice.gov.uk/docs/data-sharing-review.pdf. Accessed August 23, 2017.
Tonry, M. 2009. The mostly unintended effects of mandatory penalties: Two centuries of consistent findings. Crime & Justice. 38(1): 65–114. CrossRef
Towell, N. 2016. 96,000 public servants in new data breach. Canberra Times, October 5.
U.K. Department for Digital, Culture, Media and Sport. 2017. A new data protection bill: our planned reforms: statement of intent. 7 August. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/635900/2017-08-07_DP_Bill_-_Statement_of_Intent.pdf. Accessed 23 August 2017.
Yakowitz, J. 2011. Tragedy of the data commons. Harvard Journal of Law & Technology 25(1): 1–67.
———. 2015. Is de-identification dead again? Harvard Info/Law Blog, April 28. https://blogs.harvard.edu/infolaw/2015/04/28/is-de-identification-dead-again. Accessed August 23, 2017.
- Criminal Prohibition of Wrongful Re‑identification: Legal Solution or Minefield for Big Data?
Edward S. Dove
Bartha M. Knoppers
- Springer Netherlands
Neu im Fachgebiet AINS
Meistgelesene Bücher aus dem Fachgebiet AINS
Mail Icon II