Misconceptions in Privacy Protection and Regulation

Chris Culnane   | Bio
University of Melbourne, Australia
Kobi Leins | Bio
University of Melbourne, Australia


Privacy protection legislation and policy is heavily dependent on the notion of de-identification. Repeated examples of its failure in real-world use have had little impact on the popularity of its usage in policy and legislation. In this paper we will examine some of the misconceptions that have occurred to attempt to explain why, in spite of all the evidence, we continue to rely on a technique that has been shown not to work, and further, which is purported to protect privacy when it clearly does not. With a particular focus on Australia, we shall look at how misconceptions regarding de-identification are perpetuated. We highlight that continuing to discuss the fiction of de-identified data as a form of privacy actively undermines privacy and privacy norms. Further, we note that ‘de-identification of data’ should not be presented as a form of privacy protection by policy makers, and that greater legislative protections of privacy are urgently needed given the volumes of data being collected, connected and mined.


ACCC. 2019. CDR Rules (banking). https://www.accc.gov.au/focus-areas/consumer-data-right-cdr-0/cdr-rules-banking. Accessed 12/12/2019.
ACCC. 2019. Digital Platforms Inquiry: Final Report. https://www.accc.gov.au/system/files/Digital%20platforms%20inquiry%20-%20final%20report.pdf. Accessed 12/12/2019.
Aggarwal, C.C., 2005. “On k-anonymity and the curse of dimensionality.” VLDB '05: Proceedings of the 31st International Conference on Very Large Data Bases, August, VLDB, pp. 901–909.
Aggarwal, G. ,Feder, T., Kenthapadi, K. , Motwani, R,, Panigrahy, R. and Thomas, D. and Zhu, A. (2005). “Approximation Algorithms for k-Anonymity”. Proceedings of the International Conference on Database Theory, ICDT 2005, January 5-7, Edinburgh, UK.
Australian Law Reform Commission. 2014. Serious Invasions of Privacy in The Digital Era (ALRC Report 123). https://www.alrc.gov.au/publications/1-executive-summary/should-new-tort-be-enacted. Accessed 12/12/2019.
Barbaro, M. and T. Zeller Jr. 2006. “A Face Is Exposed for AOL Searcher No. 4417749.” New York Times, New York, 9 August. https://www.nytimes.com/2006/08/09/technology/09aol.html. Accessed 12/12/2019.
Culnane, C., B. I. P. Rubinstein and V. Teague. 2017. “Health Data in an Open World.” arXiv https://arxiv.org/abs/1712.05627. Accessed 12/12/2019.
Culnane, C., B. I. P. Rubinstein and V. Teague, 2019. “Stop the Open Data Bus, We Want to Get Off.” arXiv https://arxiv.org/abs/1908.05004. Accessed 12/12/2019.
Department of General Practice, University of Melbourne. 2018. Data for Decisions: Data Sharing Agreement Summary. https://medicine.unimelb.edu.au/__data/assets/pdf_file/0003/2733267/Summary-of-Agreement-for-Provision-of-Data.pdf. Accessed 12/12/2019.
Department of Health. 2016. Public Release of Linkable 10% sample of Medicare Benefits Scheme (Medicare) and Pharmaceutical Benefits Scheme (PBS) Data. http://www.pbs.gov.au/info/news/2016/08/public-release-of-linkable-10-percent-mbs-and-pbs-data. Accessed 12/12/2019.
El Emam, K. and F. K. Dankar. 2008. “Protecting Privacy Using k-Anonymity.” Journal of the American Medical Informatics Association, 15 (5): 627–637.
El Emam, K., et al. 2012. “De-identification methods for open health data: the case of the Heritage Health Prize claims dataset.” Journal of Medical Internet Research, 14 (1): e33.
Google. 2019. Google Analytics Terms of Service. https://marketingplatform.google.com/about/analytics/terms/us/. Accessed 12/12/2019.
Health Insurance Portability and Accountability Act of 1996, Pub L 104–191, 110 Stat 1936.
Hern, A. 2014. “New York taxi details can be extracted from anonymised data, researchers say.” The Guardian, online, 28 June. https://www.theguardian.com/technology/2014/jun/27/new-york-taxi-details-anonymised-data-researchers-warn. Accessed 12/12/2019.
Kifer, D. and Machanavajjhala, A. 2011. “No free lunch in data privacy.” Proceedings of the 2011 ACM SIGMOD International Conference on Management of data, Athens, Jun 12-16, ACM, pp. 193-204.
Donald Kommers, D. and Russell R. Miller. 2012. The Constitutional Jurisprudence of the Federal Republic of Germany. Durham: Duke University Press.
Li, N., T. Li and S. Venkatasubramanian. 2007. “t-closeness: Privacy beyond k-anonymity and l-diversity.” 2007 IEEE 23rd International Conference on Data Engineering. Istanbul, IEEE, pp. 106-115.
Machanavajjhala, A., Kifer, D., Gehrke, J. and Venkitasubramaniam, M., 2007. “l-diversity: Privacy beyond k-anonymity”. ACM Transactions on Knowledge Discovery from Data, 1 (1): 3-es.
Meyerson A, Williams R, 2004. “On the complexity of optimal k-anonymity.” Proceedings of the twenty-third ACM SIGMOD-SIGACT-SIGART symposium on Principles of database systems, pp. 223-228.
Moller, R. 2019. Vox Media Privacy Policy Explained: What We Know about You. https://www.vox.com/recode/2019/12/10/20962868/vox-media-privacy-policy-explained-what-we-know-about-you. Accessed 12/12/2019.
NAB. 2019. Privacy Policy. https://www.nab.com.au/common/privacy-policy. Accessed 12/12/2019.
Narayanan, A. 2011. “An adversarial analysis of the reidentifiability of the heritage health prize dataset.” Unpublished manuscript.
Narayanan, A. and V. Shmatikov. 2007. “How To Break Anonymity of the Netflix Prize Dataset.” arXiv https://arxiv.org/abs/cs/0610105.
National Health and Medical Research Council. 2018. National Statement on Ethical Conduct in Human Research (2007) – Updated 2018). https://www.nhmrc.gov.au/about-us/publications/national-statement-ethical-conduct-human-research-2007-updated-2018. Accessed 12/12/2019.
Office of the Australian Information Commissioner. 2017a. De-identification Decision-Making Framework. https://www.oaic.gov.au/privacy/guidance-and-advice/de-identification-decision-making-framework/. Accessed 12/12/2019.
Office of the Australian Information Commissioner. 2017b. De-identification Decision-Making Framework Appendices. https://www.oaic.gov.au/privacy/guidance-and-advice/de-identification-decision-making-framework/. Accessed 12/12/2019
Office of the Australian Information Commissioner. 2018. De-identification and the Privacy Act. https://www.oaic.gov.au/privacy/guidance-and-advice/de-identification-and-the-privacy-act/. Accessed 12/12/2019.
Office of the National Data Commissioner. 2019. Data Sharing and Release Legislative Reforms Discussion Paper. https://www.datacommissioner.gov.au/resources/discussion-paper. Accessed 12/12/19.
Ohm, P. 2009. “Broken promises of privacy: Responding to the surprising failure of anonymization.” UCLA Law Review, 57 (6): 1701-1778.
Privacy Act 1988 (Cth). No. 119. Compilation No. 82 https://www.legislation.gov.au/Details/C2020C00025 , Accessed 16/04/2020.
Samarati, P. and L. Sweeney. 1998. “Protecting privacy when disclosing information: k-anonymity and its enforcement through generalization and suppression”. Technical Report SRI-CSL-98-04. Computer Science Laboratory, SRI International.
Telstra. 2019. Privacy Statement. https://www.telstra.com.au/privacy/privacy-statement. Accessed 12/12/2019.
Tinder. 2018. Privacy Policy. https://www.gotinder.com/privacy. Accessed 12/12/2019.
Torra, Vicenç, 2017. Data privacy: foundations, new developments and the big data challenge. Cham: Springer International Publishing.
Treasury Laws Amendment (Consumer Data Right) Bills Digest No. 68, 2018–19 (Cth). https://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/bd/bd1819a/19bd068 Accessed 16/4/2020.
Zuboff, S. 2019. The Age of Surveillance Capitalism. London: Profile Books.
How to Cite
Culnane C, Leins K. Misconceptions in Privacy Protection and Regulation . LiC [Internet]. 2020Apr.16 [cited 2020May27];36(2):1-12. Available from: https://journals.latrobe.edu.au/index.php/law-in-context/article/view/110

Send mail to Author

Send Cancel