back to article Re-identifying folks from anonymised data will be a crime in the UK

The British government is planning to impose criminal sanctions on people who intentionally re-identify individuals from data that should have protected their identities. The plans will be set out in the Blighty's Data Protection Bill – due to be introduced to Parliament next month – and could see an unlimited fine levied on …

  1. Falanx

    Let's see HMRC lead by example to the required standard, shall we?

  2. Anonymous Coward
    Anonymous Coward

    Oh good

    So encrypted traffic which is essentially anonymised data is safe? Are they cancelling out their own snoopers charter?

    Or are we heading for a standard "ah well, no, in that circumstance...terrorism...drugs...the children!"

    1. Doctor Syntax Silver badge

      Re: Oh good

      "Are they cancelling out their own snoopers charter?"

      Well, the document says Our vision is to make the UK the safest place to live and do business online. With the increasing volumes of personal data there is an increasing need to protect it. so they'll have to, won't they? Won't they?

    2. CrazyOldCatMan Silver badge

      Re: Oh good

      encrypted traffic which is essentially anonymised data is safe

      Encryption != anonymisation..

      (I understand that you were trying to make a point about the snoopers charter - however, it's much more helpful to make a point that's supported on a solid foundation and not an error.)

      1. Anonymous Coward
        Anonymous Coward

        Re: Oh good

        @CrazyOldCatMan

        I see where you're coming from. However...

        It is essentially anonymised if more than one person uses the associated internet connection and/or encrypted service.

        You can't specifically attribute an encrypted data stream to a specific person without decrypting the data.

        Just because X person is paying for a VPN service doesn't mean they are the sole consumer of it.

        Case in point, Daddy might pay for VPN services to protect his family and route all traffic over it using OpenWRT. Guests might visit and use his wifi.

        Coincidence != Causality.

        The only way to know for sure (if the VPN service is outside appropriate jurisdictions) who is doing what is to decrypt (and therefore deanonymise) the traffic.

  3. Jediben

    Looking forward to consent Ping-Pong, where oblivious users will grant permission via installing an app and accepting terms to harvest data, then reading about it in the newsfeed of said app, withdrawing consent and then immediately granting it again when they open the app once more...

    1. israel_hands

      RE "permission ping-pong"

      It shouldn't work out like that. Under GDPR if you don't choose to grant permission then they can't use that as a reason to refuse you access to the service, except where such permission is absolutely required to provide the service.

      So, Amazon can refuse to deliver a parcel to you if you refuse to share your address, because without knowing your address there's no way for them to deliver to your house, but Google can't refuse to let you use their search if you refuse to allow them to harvest your data.

      Interesting times ahead, depending on how this all shakes out, but it has the potential to properly bugger up entities which make their money solely out of harvesting user data. In my opinion, that's no bad thing, and the new regulations appear to have been well-written enough that they don't leave any obvious loopholes like the whole "implied consent accept our cookies" bullshit that plagued the last iteration.

      1. Doctor Syntax Silver badge

        "So, Amazon can refuse to deliver a parcel to you if you refuse to share your address, because without knowing your address there's no way for them to deliver to your house"

        Actually they could deliver a parcel to an Amazon locker without knowing your home address so they couldn't actually refuse to do business on that account.

        1. israel_hands

          You're entirely correct, but you're also agreeing with me. Note that I specifically stated they could not deliver to your home address without knowing it.

          GDPR states that if it isn't neccesary (and your locker example is a good illustration of that) then they can't refuse to take your order without that information.

          There may be an issue where billing address is required for card validation but if you were paying with a voucher then that wouldn't be relevant.

      2. CrazyOldCatMan Silver badge

        but it has the potential to properly bugger up entities which make their money solely out of harvesting user data

        Please, please - I really, really hope it does this. But it does need for everyone to at least understand the basics of GDPR (or at least the UK version) and to make sure that they hammer the organisations that fail.

        Maybe it's something that should be taught at school - preferrably by someone who knows about the subject and not by a harassed and overwhelmed teacher delivering a lesson plan that they've never seen before.

    2. streaky Silver badge

      where oblivious users will grant permission via installing an app and accepting terms to harvest data

      Terms like that tend to be inherently illegal in UK contract law, terms would stick as if the illegal part doesn't exist.

      1. Fink-Nottle

        >where oblivious users will grant permission via installing an app and accepting terms to harvest data

        "by clicking this link you agree that your data will not be anonymised, thus protecting you from cyber-criminals who wish re-identify individuals from anonymised data."

        I am confident my mum would click that link ...

  4. Alister Silver badge

    The government is planning to impose criminal sanctions on people who intentionally re-identify individuals from data that should have protected their identities.

    And what about companies and corporations who do it?

    It's most unlikely that individuals will be the worst culprits.

    1. Thoguht Silver badge

      Companies and corporations are people (legal persons) too in the eyes of the law.

      But really there will have to be lots of get-out clauses for this because otherwise it will hamstring all sorts of very nice people who are trying to keep us and our children safe.

    2. Doctor Syntax Silver badge

      "And what about companies and corporations who do it?"

      I'd hope that criminal sanctions would apply to officers of the company who sanction it. Even the mose eye-watering fines found only rebound on a CEO by their being sacked. Jail time would be a much more effective deterrent.

      1. Ken Hagan Gold badge

        "Even the most eye-watering fines found only rebound on a CEO by their being sacked."

        Define "eye-watering". I bet if I cost my company a "ten years' profit" fine, not only would I be sacked but also I wouldn't get the golden parachute and nor would I be offered the chance to walk straight into another job.

        1. Alan Brown Silver badge

          > Define "eye-watering".

          A long time ago in another country, the CEO of a company I worked for sent out this message:

          "I have no desire to go to jail for something one of my staff has done, therefore I wish to state in no uncertain terms that in light of recent legislation, undertaking the following activities is expressly prohibited for employees of this company at any level from the coalface to the boardroom."

          That's the kind of thing that gets attention.

  5. Vimes

    Existing law is rarely enforced in the UK. Just look at the farce that was the Google/NHS trials if you want one example, or the ICO's failure to act when 3UK proposed giving Shine/Rainbow the browsing habits of their customers.

    Huge fines have already been available for quite some time but the ICO seems to prefer using their toothless 'undertakings', and even getting that far seems to take an inordinate amount of effort.

    As for criminal offences, it might be worth remembering that the City of London Police were wined and dined by the very people that happened to be the subject of one of their investigations (Phorm) before conveniently closing it without prosecuting anybody.

    Forgive me if I fail to see anything changing any time soon.

    Why should those flouting the rules now be any more less confident about breaking them when GDPR/data protection bill comes into force? The price of avoiding justice seems to be little more than that of a good meal. We also have a regulator so keen to avoid enforcement that it's difficult to stop from asking ourselves why we should bother with them.

    P.S. 'cmomitting'?

    1. Teiwaz Silver badge

      City of London Police

      Surely being 'wined and dined' constitutes community Policing outreach? - The whole thing reminds me of Comic Strips 'Didn't you kill my brother'...

      I suspect the law will as usual only apply to the 'people' who actually have a vote but less say.

    2. Adam 52 Silver badge

      What El Reg missed, but the BBC noted, was that the GDPR right to take collective action has been omitted from the proposal. It's fairly obviously missing in the linked doc.

      So enforcement by consumer groups is dependent on the outcome of the Brexit negotiations. Otherwise it's little old you vs Google, and how do you think that will go?

      1. Doctor Syntax Silver badge

        "Otherwise it's little old you vs Google, and how do you think that will go?"

        Maybe you should ask Max Schrems that.

  6. Anonymous Coward
    Anonymous Coward

    Somewhat typical of this country to spend a lot of government time implementing new EU regs having already decided to leave the EU.

    1. Anonymous Coward
      Anonymous Coward

      I didn't vote to leave the EU, but I welcome this new UK law.

    2. insane_hound

      This is one of those situations where if we want to continue to transfer information between our companies and EU companies, we need to have regulations similar to GDPR.

    3. ArrZarr Silver badge
      Thumb Up

      This seems like the best thing to come out of Brexit so far to me, provided it actually gets enforced. Not being part of the EU means that we'll actually need to meet their standards for data protection for the "free flow" of data with the EU to continue.

      1. Adam 52 Silver badge

        "This seems like the best thing to come out of Brexit so far to me"

        It's the UK implementation of the EU's GDPR for heaven's sake. It's happening because of the EU and absolutely not because of Brexit.

        Same as pretty much all of our recent consumer protection legislation.

        1. Anonymous Coward
          Anonymous Coward

          consumer protection legislation

          Same as pretty much all of our recent consumer protection legislation.

          There is a difference here. The consumer protection stuff is an EU directive, which means that national parliaments are required to transpose it into national law. Some enact laws that go further than the directive, as the UK did for consumer protection. UK consumer protections go beyond the EU-mandated minima.

          GDPR is a Regulation, it is an EU law that is binding as-is on all EU members without any national legislation being required.

      2. Doctor Syntax Silver badge

        "This seems like the best thing to come out of Brexit so far to me, provided it actually gets enforced."

        It only "comes out of Brexit" in the sense that without Brexit there'd be no need for an act; GDPR would apply automatically - and would do so from between May and Brexit without the Act.

        1. Fred Dibnah

          So Brexit means the UK has to spend time/money drawing up a new law, when without Brexit it could have simply implemented the EU law. Doesn't sound like a good deal to me.

          1. Phil O'Sophical Silver badge

            Doesn't sound like a good deal to me.

            True. In fact, we could just get rid of Westminster altogether, and drop the keys to N°10 off in Brussels, think how much time/money we'd save then.

            Hell, I bet even the trains would run on time.

            1. strum Silver badge

              >In fact, we could just get rid of Westminster altogether,

              Fine by me. Strasbourg is much more democratic.

              1. Phil O'Sophical Silver badge

                Strasbourg is much more democratic.

                I'm genuinely curious about how you define "democratic".

                The European parliament has 751 members, elected last time round by only 42% turnout, much lower than most national elections. The number of MPs from each member is inversely proportional to the population, smaller countries have more MEPs per head than large ones and hence more weight.

                It can't decide to make law, it has to wait for the Commission to do that, after which the parliament can only change or reject it. It spends a fortune of taxpayers money every month switching between Brussels and Strasbourg to avoid upsetting the French even though most MEPs would prefer to be based solely in Brussels, but that would be vetoed by France.

                Frankly it's more like a company board than a parliament, I'd argue that most national parliaments, and regional assemblies, are more democratic and more representative of their constituents than it is.

    4. Phil O'Sophical Silver badge

      having already decided to leave the EU

      This has nothing to do with membership of the EU, but concerns countries where data on EU citizens is processed. Even the US will have to respect GDPR if it wants to handle data on European citizens.

      1. Lotaresco Silver badge

        "Even the US will have to respect GDPR if it wants to handle data on European citizens."

        And will be subject to the ECJ, something which Weak and Wobbly May has claimed will not happen to the UK after Brexit. Another U-turn looming there.

        1. Phil O'Sophical Silver badge

          subject to the ECJ, something which Weak and Wobbly May has claimed will not happen to the UK after Brexit.

          The ECJ rules on EU law. Doesn't matter where the parties involved are, it's the law in question that's the decider. Nothing about Brexit was ever going to change any of that, if you thought someone said otherwise then you misunderstood. Where the UK replaces EU law by UK law, the ECJ will not have jurisdiction. Where the UK is still affected by EU law, such as in dealings with EU countries, the ECJ will have jurisdiction. Just as it does for US, Chinese, and any other non-EU country that deals with the EU.

      2. Doctor Syntax Silver badge

        "Even the US will have to respect GDPR if it wants to handle data on European citizens."

        Quite so. What are they doing over there to provide similar legislation? Or is any UK or EU company using US data processing services going have to cross their fingers every time they say they're compliant?

    5. JohnMurray

      If they don't implement the EU GDPR in some way, then the EU data will not come here!

      Trade will cease...

    6. Anonymous Coward
      Anonymous Coward

      Here come the Brexitards...

  7. Mycho Silver badge

    "Except when we do it."

    1. wolfetone Silver badge

      "Do as we say, not as we do."

  8. Mark Randall

    IP Addresses

    The IP address stipulation is moronic.... exactly like you'd expect from this government.

    If someone accesses my servers for whatever reason, a legitimate right exists to retain the source used to connection from, and share and process it as necessary.

    1. Anonymous Coward
      Anonymous Coward

      Re: IP Addresses

      Umm, so does that mean using WHOIS will be illegal?

      1. TRT Silver badge

        Re: IP Addresses

        I do feel a little bit exposed in that my personal details are freely available from the domain registration service.

        1. CrazyOldCatMan Silver badge

          Re: IP Addresses

          I do feel a little bit exposed in that my personal details are freely

          Then ask them to be hidden. You have to provide them, but you can ask for anything other than your name to be not publically available.

          And this has been the case for quite a few years - but scum DNS Registars (GoDaddy - I'm looking at you) don't necessarily tell people.

      2. Adam 1 Silver badge

        Re: IP Addresses

        > Umm, so does that mean using WHOIS will be illegal?

        Real people do not need WHOIS.

    2. TRT Silver badge

      Re: "...and share and process it as necessary"

      Well, not per se under existing law.

      Klimas v Comcast 2003 and Robinson v Disney 2015 both ruled that the IP address alone is not PII, however when used in combination with other data sources the resultant information could be used to identify an individual.

      However, insofar as you don't use it to attempt to extract or compile PII, then existing law has determined that an IP address is not PII in itself. Typical, of course, of this Government to actually ignore the existing body of law and simply make stuff up as they go along. Why this particular item has to be specifically included rather than the USE of this information being legislated is just beyond me. Far more personally identifiable is the MAC address, and if THAT is not specifically mentioned in the law... I mean, that's a hole the size of Kansas. But Mme May was notorious for that kind of sloppy thinking and lack of technical understanding when she was home secretary... I don't think she'll hold her successors to a very high standard of competence.

      1. Phil O'Sophical Silver badge

        Re: "...and share and process it as necessary"

        Klimas v Comcast 2003 and Robinson v Disney 2015 both ruled that the IP address alone is not PI

        GDPR, however, explicitly says that it is.

        1. TRT Silver badge

          Re: "...and share and process it as necessary"

          From REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL - (30) "Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them."

          The GDPR definition is not in any way at odds with the existing body of law. It imposes upon a data controller an obligation to consider the implications to the end user of their storage of the information. It leaves the actual day to day implementation of techniques compatible with the law up to future adjudication to decide. GDPR also explicitly defines sensitive information rather than just personally identifiable information; a higher standard applies to these data.

          How the UK's Act will be worded remains to be seen. The devil is in the detail.

          1. Ledswinger Silver badge

            Re: "...and share and process it as necessary"

            How the UK's Act will be worded remains to be seen. The devil is in the detail.

            Not just the wording of the relevant acts, but interpretation and enforcement by the regulator. The significant sounding fines under GDPR are a maximum, and the term "up to" usually includes the value of zero.

            I expect post GDPR data protection to continue to be a concern for SMEs and mid-sized listed corporations, whilst the US-based mega corps are let off the hook time and again (or fined sums that are a flea bite in their enormous, tax-avoiding profits).

      2. Doctor Syntax Silver badge

        Re: "...and share and process it as necessary"

        "Typical, of course, of this Government to actually ignore the existing body of law and simply make stuff up as they go along."

        Parliament is sovereign. If they pass a Bill to designate IP addresses as being entitled to the same protection as PII they can do so.

        I'd expect that attempting to use an IP address on its own to identify a user in court would still be fraught with the same problems as a present.

      3. Anonymous Coward
        Anonymous Coward

        Re: "...and share and process it as necessary"

        MAC Address?

        Remote sites can't see a MAC address but any devices you directly connect to like a WiFi router would need to record the MAC for at least a temporary period to allow routing and DHCP.

        It may be possible to create a backhaul for a large data gatherer to provide WiFi routers out to all public WiFi areas and build a database of MAC addresses but it would seem to be of limited use when Beacons and cookies could gather a good percentage of the same data a lot cheaper.

        Anything government based would be using IMEIs and cell tower locations to track. An IP is far easier to use/abuse than a MAC for remote sites.

    3. Anonymous Coward
      Anonymous Coward

      Re: IP Addresses

      " a legitimate right exists to retain the source used to connection from, and share and process it as necessary"

      If it's just IPs from otherwise anonymous computers trying to connect to your mail server then you shouldn't feel you have a problem.

      But if you keep sufficient information for it to identify person in the EU (the IP plus other data from a reverse IP lookup, whois etc perhaps), then you will have to document internally that you do retain this data and how you process and make specific reference to the legal right you are claiming in your documentation.

      1. Anonymous Coward
        Anonymous Coward

        Re: IP Addresses

        you will have to document internally that you do retain this data and how you process and make specific reference to the legal right you are claiming in your documentation.

        Even more of a problem is that under GDPR you'll have to provide the owner of the data with a way to obtain it in a reasonable time, and in a standard format. Fine for a large business with a web presence, but how many small businesses will want to setup a portal where people can log in, identify themselves, and then recover all the info you have on them?

        I can see a market for third-party companies offering this as an online service.

      2. TRT Silver badge

        Re: IP Addresses

        I think what might swing it is the wording "natural person". My IPv4 address identifies only the corporation that has been allocated that range. It't not a natural person. However, my ISP has the ability to map my IP address to my particular NAT'd router at any particular time point. So really, my ISP could anonymise my IP address by jiggling it about a bit instead of only changing it once in a blue moon (seemingly quite literally that infrequently). How that all might be with IPv6 is another matter as intrinsic to the design is keeping a lot of the things the same and doing away with NAT.

        1. Simon Harris Silver badge

          Re: IP Addresses

          Well, if tying an IP address to an individual is considered unanonymising data, it gives a new string to the bow for winding up those "I'm from Microsoft/BT/whatever and we've discovered a lot of virus activity coming from your IP address" merchants who always seem to know your name when they call.

    4. Doctor Syntax Silver badge

      Re: IP Addresses

      "a legitimate right exists to retain the source used to connection from, and share and process it as necessary."

      What legislation do you rely on for this statement?

      You need to retain that address for as long as the connection remains current. Afterwards you might want to retain it, share it and process it but you have no right to do so.

      Nevertheless HMG might impose a duty on you to do so by their surveillance legislation. The document remains notably silent on this matter.

  9. TRT Silver badge

    IP addresses are "Personally identifiable information" are they?

    Despite Sony et al trying to say that you broke the law because your IP address was used to share e.g. Torrented pirate films, even when the IP address had been hijacked or was a shared one...

    Or when I store the IP address of a computer used to fill in a web-form in a school setting, so as to provide a 60 second hold-off against multiple submissions, where the same computer is used by a dozen different children one after another.

    Or do they mean e.g. IPv6? Some sort of personal IP address that travels with you across different networks, only it isn't really that is it, because you still need to route to a particular network - you can't hold routes to every single IP device in the universe in the one distributed table.

    That suggestion is just utterly ludicrous. Are you supposed to ask everyone "does your IP address identify you personally?" every time they go onto your network? Or are you expected just to encrypt ALL your logs even if doing so is a pointless and time-consuming task? We suddenly have to buy new networking hardware with processors rated at 20-30 times the previously required performance just to handle the encryption load?

    1. Doctor Syntax Silver badge

      Re: IP addresses are "Personally identifiable information" are they?

      "Or are you expected just to encrypt ALL your logs even if doing so is a pointless and time-consuming task?"

      Retail the logs long enough to provide the service and then delete them. Unless HMG rope you into providing them with free surveillance service you don't need to retain them.

      It's clear from comments here that the notion is deeply ingrained that everyone with a server has an expectation of mining every last nanobit* out of any data that passes it by. The whole basis of GDPR is that not only are you not actually entitled to do that any more, you're not allowed to. It's going to take some time to sink in.

      *Probably the best approximation to what it's really worth is all those "we think you'll like these" offerings are anything to go by.

      1. Doctor Syntax Silver badge

        Re: IP addresses are "Personally identifiable information" are they?

        "Retail the logs"

        Dammit! Retain!

        1. CrazyOldCatMan Silver badge

          Re: IP addresses are "Personally identifiable information" are they?

          "Retail the logs"

          Dammit! Retain!

          Well, for quite a lot of the "fringe" sites I suspect your first spelling is more accurate.

      2. Anonymous Coward
        Anonymous Coward

        Re: IP addresses are "Personally identifiable information" are they?

        Connection logs are the main tool to identify a malicious connection attempt. If you dispose of connection logs and then find out your database or website has potentially been hacked, well good luck finding out when, how and to what extent if any logs detailing connection activity are removed.

        This doesn't mean you are mining data or using it for marketing or other purposes, it's just common sense. Every decent decent firewall or IDS will keep a log of all connections with full connection details, it is expected by anyone who buys/uses one.

        As far as web stats/analytic go. These are a very important tool for sites. Without them it is difficult to ensure that your site is working properly and the UX is correct. How do you know if your customer journeys are correct or that the visitor is being giving the correct information on a large site. Now a technical solution might be to run a one way hash on the IP, however as an IP is generally regarded as being fairly anonymous without a court order and any one way hashing could also be carried out be every other site using the same algorithm, the it would lead to the same tracking issues.

        It's not as easy as 'just destroy the logs every 24 hours'.

  10. James 51 Silver badge

    A lot of companies will find ways to ship the data out, to the illegal stuff in places like the US were it isn't illegal and ship the results or the decisions taken back to the UK/EU.

    1. Doctor Syntax Silver badge

      "A lot of companies will find ways to ship the data out, to the illegal stuff in places like the US were it isn't illegal and ship the results or the decisions taken back to the UK/EU."

      And after a few big finds get handed out they'll put more effort into finding ways to ensure that they don't. Not unless the US adopts similar legislation.

  11. g00se
    WTF?

    Anonymised?

    Does that even make sense? If people CAN be identified from data, then it's not ... anonymised... is it?

    1. Anonymous Coward
      Anonymous Coward

      Re: it's not ... anonymised... is it?

      I think we need to be clear what we are talking about.

      It seems a little akin to the wrong use of "sterilize" in homebrewing, when what is meant is "sanitize" ....

      It's not "anonymised", it's "decontextualised"

      1. Lotaresco Silver badge

        Re: it's not ... anonymised... is it?

        'It's not "anonymised", it's "decontextualised"'

        It's referred to in the trade as "de-identified" data. It's actually very difficult to do, because any information that could be used to identify an individual needs to be obscured in some (non-reversible) way. There's a good paper on the subject that explains how the Census data was handled, but I'm danged if I can find it at the moment. I'll provide a link when I can find my notes :-)

        1. Daggerchild Silver badge

          Re: it's not ... anonymised... is it?

          I don't have a lot of confidence identifiable patterns can be obscured in a lot of cases.

          e.g. Can you identify a Commentard coming from a different IP without logging in? Quite possibly, if they're interested in upvotes to their posts, have mutually exclusive activity times, no interest in things they've already read, excepting comments, which they click through to so fast you know they already read the article etc.

          If it's my job to make sure patterns can't be found, well, if looking is illegal I think this goes in the same bucket as possessing hacking tools, so you can test your own shields. You can be thrown to the wolves at any time. It's really no fun being one of the good guys.

    2. John Brown (no body) Silver badge

      Re: Anonymised?

      "Does that even make sense? If people CAN be identified from data, then it's not ... anonymised... is it?"

      Depends. On it's own, it may be. But in conjunction with other data that may not be available to the original anonymiser, some of the data me be deanonymised. Just ask AOL.

  12. Anonymous Coward
    Anonymous Coward

    I'm reminded of an episode of Scrubs where Dr. Kelso gives one of the Doctors a feedback form - which he promises is 100% anonymous - except for the part where he doesn't tell them that they're the only one filling in the feedback form.

    1. Anonymous Coward
      Anonymous Coward

      I used to have to fill out anonymous feedback forms for my employer.

      1) Business Unit

      2) Department

      3) Location

      Well, that's me de-anonymised.

  13. I am the liquor

    Making it a crime to de-anonymise data seems rather like shooting the messenger.

    Surely the real problem is at the other end of the line, with the person who claimed that the data was "anonymised" when it really wasn't, as a pretext for ignoring the normal restrictions on handling personal data.

    1. Adam 1 Silver badge

      This is my concern too. Making it a crime to de-anonymise some half arsed 'we used double ROT13 to protect our beloved customers' data' is a good thing. But the way I imagine this to be written will pretty much leave security researchers on the hook every time they discover data at risk. We saw this same lack of foresight down under with #censusfail and 'statistical linkage keys'. It boils down to whether the company finds it cheaper to comply with the legislated anonymisation requirements or just sue the researcher. I know where my money would bet.

      1. Lotaresco Silver badge

        "Making it a crime to de-anonymise some half arsed 'we used double ROT13 to protect our beloved customers' data' is a good thing."

        My concern is that there has been a lot of work in government to arrive at robust methods to de-identify data but to have that data still usable for statistics. Of course this takes time and money and a great deal of thought to ensure that the methods used really do result in data sets that cannot easily be converted to re-identify individuals.

        How much easier and cheaper for government to say "We'll make it a criminal offence to re-identify people, then we can use any old technique, yes including ROT-13, to obscure personal details. That "solves" the problem cheaply. Because of course no one would ever break the law. <rolls eyes>

        1. Boothy

          Part of the issue here is that the data still needs to be useful.

          Remove too much information, and it's no longer of use.

          That anonymous data could potentially be cross-checked with other data sources, and you can then de-anonymise it, despite no directly identifiable information being left in the original data.

          For example it might be work absence data, just containing dates and a reason for the absence (holidays, sick etc), and no other details. With the company using the data to predict things like cover requirements (like getting temps in over summer etc).

          But someone with access to their time management system, could correlate the dates in the anonymous data, against absence dates in the time management system, and de-anonymise it again.

          I think it's this type of scenario that the new law is trying to block.

          Still need good laws on the creation of the data in the first place of course :-)

      2. Doctor Syntax Silver badge

        "It boils down to whether the company finds it cheaper to comply with the legislated anonymisation requirements or just sue the researcher. I know where my money would bet."

        So do I, on the basis that pissing off an expert who can give evidence against you that could result in an eye-watering fine really isn't a good idea. If your legal department is any good they'll tell you that.

        1. Adam 1 Silver badge

          Then you are more courageous than me sir. I was using hyperbole with ROT13 (I hope that was obvious, sometimes tone can't be easily carried). My point is that a combination as simple as gender/date of birth/postcode is frighteningly close to unique. Under this sort of rule, could such a study such as that undertaken by Harvard in the link even be possible?

          Security researchers shouldn't have to risk their personal freedom to responsibly disclose anonymisation vulnerabilities that may be exploited by less savoury types. The company will argue that they acted on good faith when some combination of data which was exploited was not commonly known to leak identities and that they took reasonable steps to check their process up front (security experts at 12 paces). They're just the victim of bad advice, or advice that was considered best practice at the time. But that horrible security researcher is in violation of this shopping list of laws. We at ACME totally support security research but the actions of this researcher are just beyond the pale. Plus she even used end to end encryption like a terrorist. There is also the recent arrest of the Wannacry ratchet. If he's innocent, then this is exactly the sort of thing that turns would be researchers to other endeavours. If he's guilty, I guess that proves the companies point that these researchers are just criminal haxors. They can't win either way.

    2. the spectacularly refined chap

      Surely the real problem is at the other end of the line, with the person who claimed that the data was "anonymised" when it really wasn't, as a pretext for ignoring the normal restrictions on handling personal data.

      This can happen quite easily if multiple sources are cross-referenced. Consider a trainee GP and to review their work as part of that training you have a document giving the date and time of consultation and anonymised clinical summary of the case. On the other you have financial and auditing records giving the date and time of consultation and the patient seen.

      The first document holds sensitive information in anonymised form. The second holds PII but not of an overly sensitive nature - merely the fact someone went to see a doctor. However, put the two together and it is trivially easy to get back to "Mr X is suffering from erectile dysfunction."

      1. I am the liquor

        "This can happen quite easily if multiple sources are cross-referenced."

        Well yes, and what that tells you is that the GP's data, in the example you gave, was not, in fact, anonymous. It was personal. It contained information that could be used to identify the individual. The users of it were just claiming it to be anonymous to circumvent restrictions on handling personal data.

        There's only one kind of anonymous data in my book, and that's data which is _impossible_ to convert back to personal data. Yes, that is a very high bar. If it's possible to convert it back to personal data, then it is personal data - even if the law bans such a conversion in one particular country. Converting so-called "anonymised" data back to personal data should be a non-issue, because if it's not really anonymous, it should be handled as personal data already.

        1. Anonymous Coward
          Anonymous Coward

          "There's only one kind of anonymous data in my book, and that's data which is _impossible_ to convert back to personal data."

          And that probably rarely exists anywhere if the data has any real use or meaning. It could be ridiculously difficult to get to guarantee that.

  14. steelpillow Silver badge

    Really?

    "Oh, look, my AI Big Data analyser has just taught itself to recreate personal information from anonymised data and started selling it to our clients."

    "Well, stop it, then."

    "We have already, twice. It just keeps teaching itself new ways to do it."

    "Is there no way to stop it?"

    "Yes, tell it to stop adding value to our product."

    " > @!...* < "

    1. Doctor Syntax Silver badge

      Re: Really?

      Yes, tell it to stop adding value liabilities to our product.

      FTFY

      It's going to take time to adjust to the new reality.

  15. Anonymous Coward
    Anonymous Coward

    There feeling on here seems to be that nothing will change. I disagree - this has now become a potential cash cow so I think the ability to make millions will make this law a bit more enforced by the government.

  16. Anonymous Coward
    Anonymous Coward

    Strange legal loopholes....

    Does this mean that IT forensics are now illegal?

    I mean any self respecting IT criminal (I know... a rare breed) would try to clean up after herself and "anonymise" her actions....

  17. JetSetJim Silver badge

    Exceptions proving the rule

    You expect there to be no exemptions along the lines of "except where authorised and enacted by legitimate law enforcement/security agencies".

    No doubt there will be the usual clause where MPs are completely inviolable, also.

    1. Doctor Syntax Silver badge

      Re: Exceptions proving the rule

      "No doubt there will be the usual clause where MPs are completely inviolable, also."

      And if you ever need to discuss a confidential matter with your MP you'll realise the value of that.

  18. RabLutrai

    I wonder how this will mesh with their "Retain Internet Connection Records for a year" bill..

    1. Justice
      Facepalm

      About as well as the "right to be forgotten"

      1. Anonymous Coward
        Anonymous Coward

        right to be forgotten

        Me: "I demand to be forgotten"

        Business: "OK, We've forgotten you."

        Me: "Prove it!"

        1. Alister Silver badge

          Re: right to be forgotten

          Me: "Prove it!"

          Business: "I'm sorry, who are you?"

          1. CrazyOldCatMan Silver badge

            Re: right to be forgotten

            Business: "I'm sorry, who are you?"

            And the kicker - will they give you a "new customer" discount. If they won't, then they haven't forgotten you..

            1. Anonymous Coward
              Anonymous Coward

              Re: right to be forgotten

              Free Amazon Prime forever!

  19. Anonymous Coward
    Anonymous Coward

    Better go arrest the Google BOD right now

    They will be using that fantastical A.I. of theirs to de-annonymise the data so that they can just carry on with business as usual and gather more and more data on each and every one of us and to hell with the consequences.

    Other slurping companies will be wanting to do the same.

  20. teebie

    Well that will fix everything then

    We might as well start letting HSCIC start spunking everybody's information at anyone who mentions a passing interest in it again.

  21. Treggy

    How exactly does one 'recklessly' perform high-level data analysis?

    1. Mr Sceptical
      Facepalm

      Extreme data-analysis?

      At the top of a waterfall, with a mains powered laptop? Whilst ironing?

    2. Doctor Syntax Silver badge

      "How exactly does one 'recklessly' perform high-level data analysis?"

      By telling the court you didn't mean to do it, it just happened that way.

      Look on it as a loophole blocked.

  22. Mage Silver badge

    intentionally re-identify individuals

    What about Security researchers and Privacy campaigners that are out to prove the data ISN'T anonymised? The people doing for gain will be

    a) Secretive

    b) Outside jurisdiction

    c) Probably very large companies already well known for exploiting and directly harvesting personal data.

    I have a better idea. No company should pass ANY data to a third party, except in the normal individual case (people making a purchase and company getting paid by 3rd party).

    NHS, HM Revenue (Road tax etc), Big retailers are already giving data they shouldn't basically to anyone "big" that offers something shiny.

    Actually abolish tolls and Road tax. Tax Electricity, LPG, Diesel, Petrol etc for vehicle use. Fairer as it's then based on road usage and resource consumption, not vehicle size or power which is unfair. Fuel use is anonymous, unless a fuel card is used.

    1. Doctor Syntax Silver badge

      Re: intentionally re-identify individuals

      Big retailers are already giving data they shouldn't basically to anyone "big" that offers something shiny.

      Because they think it's a risk worth taking. It'll stop being worth taking. As ever, some will only learn the hard way.

      Those vendor-specific email addresses I use could be quite handy.

    2. davidak

      Re: intentionally re-identify individuals

      Abolish Road Tax? Great news from the early part of the 20th century (not a typo, 20th is correct). It already has been.

      1. nijam

        Re: intentionally re-identify individuals

        > ...It already has been.

        No, just renamed, in fact. Several times... but still only renamed.

      2. Richard 12 Silver badge

        VED

        Depends on your definition.

        "A tax levied only to maintain the public roads" then yes, it was abolished along with National Insurance, income tax and all the other taxes initially created for some specific purpose.

        "A tax on vehicles using the public road network" then no, it still exists along with National Insurance, income tax, etc.

  23. Vimes

    De-anonymising data and then using it already seems to be a crime?

    From the ICO's own guidance:

    If you produce personal data through a re-identification process, you will take on your own data controller responsibilities. [Link - section 2]

    Also from the ICO on the subject of what a data controller is:

    8. The DPA draws a distinction between a ‘data controller’ and a ‘data processor’ in order to recognise that not all organisations involved in the processing of personal data have the same degree of responsibility. It is the data controller that must exercise control over the processing and carry data protection responsibility for it. This distinction is also a feature of Directive 94/46/EC, on which the UK’s DPA is based. [Link - page 4]

    So if you de-anonymise data & use it you're responsible under the DPA already, and since consent is supposedly already such an important part then it's difficult seeing how using de-anonymised data could be used legally today (assuming no legitimate interest case could be made)

    Like I said before: don't expect things to change.

    1. Doctor Syntax Silver badge

      "Like I said before: don't expect things to change."

      In some respects the new legislation will simply replace the old. The consequences, however do change. Criminal charges against individuals are one change.

  24. Anonymous Coward
    Anonymous Coward

    Kids under 13

    "[...] the UK's legislation will require that parents have to give consent for children to access online service for kids aged under 13. The GDPR's default age is 16."

    Do I read that correctly - the UK is allowing kids under 16 but over 12 to sign up to online services without parental permission - rather than a 16 threshold? The same government that is going to stop under-18s accessing whatever is considered unacceptable?

    How will parents give consent - is this the government's pr0n verification system being stretched into new areas?

    1. Doctor Syntax Silver badge

      Re: Kids under 13

      "How will parents give consent"

      It will be up to the service receiving consent to work that out - and to be able to persuade a court that its solution constitutes all reasonable efforts.

  25. Barrie Shepherd

    So the fines have been increased - window dressing! no corporation ever gets fined anything approaching the max - and to many the maximum fine is petty cash.

    I advocate legislating for damages, if they collect, share or associate data in breach then, apart from fines, the individual is entitled to damages say 25k per data 'bit'?

    We also need stronger (than proposed) law around what data companies are allowed to insist on. I recently had to give my date of birth to buy some theatre tickets! Totally unnecessary data collection irrelevant to the activity of selling theatre tickets.

    1. John Brown (no body) Silver badge

      "I recently had to give my date of birth to buy some theatre tickets!"

      Did you try refusing? Most times it's because marketing have told them to get the data but it's rarely mandatory unless there's a legal requirement. The customer facing staff are usually instructed to ask in a specific way for extra data so that the customer gets the impression they must give it or be refused.

      I once had one try to tell me the info was required due to the Data Protection Act. She backed down when I ad libbed (ie made up) that the DPA makes it illegal to collect data not specifically required to provide the service offered and as the data collector she would be liable in law :-)

      1. CrazyOldCatMan Silver badge

        ad libbed (ie made up) that the DPA makes it illegal to collect data not specifically required to provide the service offered and as the data collector she would be liable in law :-)

        Which isn't actually too far from the DPA. Data collection should be "proportional to and required for, the service provided". So - if their is no age requirement in order to buy the ticket, asking for your age is actually against the DPA since it's neither proportional nor required.

  26. ashdav

    Who benefits?

    If anyone is ever fined through this how is the "victim" compensated?

    Does it all go into Gov coffers?

  27. scrubber

    Business as usual

    So, a company fucks up but people get prosecuted?

  28. Anonymous Coward
    Anonymous Coward

    wait.. what?

    One high risk anon in a postcode area will mean everyone else is abused by any self respecting quant. What benefit is the data otherwise?

  29. Anonymous Coward
    Anonymous Coward

    Just another box ticking exercise to satisfy the EU.

    Laws are for the little people.

    Although Sarcozy is the exception ;)

  30. Anonymous Coward
    Anonymous Coward

    Tell me - who writes these laws?

    King Canute?

    1. Doctor Syntax Silver badge

      Re: Tell me - who writes these laws?

      "King Canute?"

      This sort of comment is usually a good indicator that the commentard in question knows virtually nothing about pre-Conquest English history.

      1. CrazyOldCatMan Silver badge

        Re: Tell me - who writes these laws?

        knows virtually nothing about pre-Conquest English history.

        Especially as they spelt his name incorrectly.

      2. Anonymous Coward
        Anonymous Coward

        Re: Tell me - who writes these laws?

        Despite the intellectual snobbery, your comment is irrelevant.

        It does not matter whether you thought I meant the law makers considered themselves all powerful, or whether they realised they are powerless and will be ignored by virtually the whole world.

        The fact is that they are essentially pointless laws. Once the data has been deanonymised and published, it can't be put back in the bottle.

  31. Anonymous Coward
    Anonymous Coward

    Say bye bye to windows 10

    Given how windows 10 was designed specifically to profit off their user's data then when this law comes into effect they are going to have to accept that market is unavailible in Europe.

    Given how much it will cost them find and disable all the spyware in windows 10 it has got to be cheaper to make a windows 11.

  32. Stevie Silver badge

    Bah!

    "I name you Chalky White and claim my five pounds."

    "You're nicked, sunshine!"

  33. jake Silver badge
    Pint

    What happens if ...

    Stevie[0] decides to post AC here on ElReg.

    jake sez "I recognize that poster! That's not AC, that's Stevie!"

    Is jake going to get nicked[1] for "outing" Stevie-as-AC?

    Is ElReg going to get a visit from TheBeak for making it possible?

    [0] Your name was handy, don't take it personally. Beer?

    [1] Next time jake visits Albion, of course.

    1. Anonymous Coward
      Anonymous Coward

      Re: What happens if ...

      Only if it's Eadon....

    2. CrazyOldCatMan Silver badge

      Re: What happens if ...

      Is jake going to get nicked[1] for "outing" Stevie-as-AC?

      Nope - because jake isn't the data collector or controller.

  34. TheElder

    Identity

    My sign up full name here includes the last name Ng. Not given.

    I recently had to give my date of birth to buy some theatre tickets!"

    Jan 1 2001

    1. graeme leggett

      Re: Identity

      Not much use for an 18 and older performance. I take it those things could exist in theatre.... one of the more gruesome staging of a Greek tragedy perhaps.

      1. CrazyOldCatMan Silver badge

        Re: Identity

        Not much use for an 18 and older performance.

        Which doesn't require collecting the DOB - it merely requires the customer confirming that they are over 18.

        "Necessary and proportional"..

  35. Anonymous Coward
    Anonymous Coward

    Not customer information

    It's enhanced customer whale-song infused, experience data!

  36. TheElder

    Not much use for an 18 and older performance.

    People still know how to READ? What about universal ADHD? It's the 140 character thing...

    I would give you some examples but I only speak/read/write about 5 real languages and some more computer languages... Verstehen Sie mich? Forstår du mig? Und so weiter...

    1. CrazyOldCatMan Silver badge

      Re: Not much use for an 18 and older performance.

      People still know how to READ?

      Gu dearbh. Sans plus difficile!

  37. Roj Blake Silver badge

    Think of the Children!

    "...the UK's legislation will require that parents have to give consent for children to access online service for kids aged under 13. The GDPR's default age is 16."

    So the UK's interpretation of GDPR will allow 13-15 year olds to do what they like, which will not be the case elsewhere.

    This seems so completely at odds with the usual government mantra of "think of the children" that it sets alarm bells ringing.

    The cynic in me is wondering if it's so they can at some later point introduce some really draconian legislation affecting everyone with the usual justification that they're protecting the kids

    1. Anonymous Coward
      Anonymous Coward

      Re: Think of the Children!

      It's so it doesn't interfere with their pron sign-in rules. Wasn't it May's husband who bought pron on parliament expenses?

      1. Roj Blake Silver badge

        Re: Think of the Children!

        I think it was Jacqui Smith's hubby?

  38. cortland

    Didn't I see you the other day in the newspaper?

    Up shows the law, with handcuffs.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019