Register research turned privacy disaster. Epicenter.works nominates Sebastian Kurz for a Big Brother Award

Research is important. Using research as a cover to obtain unchecked access to sensitive official data is not. At the beginning of July, the Austrian chancellor, Sebastian Kurz, submitted to pre-parliamentary consultation a bill that would cause a seismic shift in how the government treats its citizens’ data. EDRi's member epicenter.works shares that from a privacy perspective the present bill is fundamentally flawed and places an enormous amount of data covering the entire population at risk for abuse.

By Epicenter.works (guest author) · September 22, 2021

At the beginning of July, the Austrian chancellor, Sebastian Kurz, submitted to pre-parliamentary consultation a bill that would cause a seismic shift in how the government treats its citizens’ data. The bill on register-based research opens up government data bases (register data) to researchers, something that parts of the Austrian scientific community have wanted for many years. Certainly, government departments have been able to grant access to individual registers by way of regulation since 2018, but this option has rarely been used. Chancellor Kurz’ proposed law would establish a single point of access, the Austria Micro Data Center (AMDC). Epicenter.works welcome this centralisation at a single body and believe Statistics Austria, where AMDC will be located, is the right place for it. But from a privacy perspective the present bill is fundamentally flawed and places an enormous amount of data covering the entire population at risk for abuse. With AMDC as the central body, it is feasible to ensure the anonymisation of the data as well as the independence and transparency of the research projects that use them. But the present draft bill fails on both counts. Our legal statement explains the problems and offers solutions.

The public consultation lasts until 10 August and they hope that chancellor Kurz will yet overhaul this disastrous draft bill. To highlight the danger posed by his bill, epicenter.works have nominated Sebastian Kurz for the prize given to the worst privacy offenders, a Big Brother Award.

What types of data are at stake?

The proposed law covers the entirety of the data currently held by Statistics Austria, as well as data from other official registers previously approved for release to researchers by the responsible government department. Health data from the ELGA system are currently being discussed for release; this would include all patient files and medication. Many types of information from tax authorities are already held by Statistics Austria and would thus be included immediately. Also conceivable is the release of data from the court system, immigration authorities or from the recently extended education documentation system, which now saves an individual’s complete educational history up to retirement, from elementary school to training mandated by the unemployment agency (AMS).

All these different sources of data about individuals exist in a format that allows them to be combined to create and comprehensive profile of an individual. Precisely such a super-database should not exist according to the Austrian e-government principles. This was the reason for the introduction in 2004 of domain-specific personal codes that act as firewalls between government departments. This established principle is abolished by the bill, which instead creates an image of unparalleled depth of the entire population.

Statistics Austria is capable of thoroughly anonymising even such large quantities of data before releasing them to third parties. But the present draft restricts anonymisation to an exhaustive list of attributes. It allows replacement by pseudonyms only for name, address, and other unique identifiers, such as the social security number. With this approach it becomes a near-certainty that almost every individual is uniquely identifiable from the remaining data, which are therefore personal data as defined by the GDPR. This is not just our view, but also that of the Data Privacy Council in its critical statement on chancellor Kurz’ bill. Our medical histories and educational careers are very distinct and if, for instance, a small municipality has only one inhabitant aged 90, their year of birth and the name of that municipality are sufficient to positively identify this person.

Loopholes for research projects

The chancellery bill fails to ensure that only recognised research institutions obtain access to the data. A non-exhaustive list of institutions exists, but Statistics Austria can add further institutions based on loosely defined criteria. This is modelled on the EU statistics office Eurostat, whose list includes among others the business lobbying organisation Agenda Austria and Synthesis Forschung GmbH, a company that has programmed a controversial algorithm for the categorisation of job-seekers. Moreover, the explanatory notes to the bill suggest that banks and government departments should also be able to access the data, nor is access limited to domestic institutions. There are no criteria whatsoever for disclosing whether the intended research is in the public interest or which commercial interests it pursues. The “main results” must be published online, but all other results can be kept secret. Once an institution has been granted access to the register data, it may use them for other research purposes unrelated to the research proposal submitted.

Confidentiality of official statistics and remote access

Epicenter.works approve the plan included in the present draft bill to extend the confidentiality of official statistics to the staff members of institutions authorised to access the data; if they unlawfully disclose official statistics, they commit a criminal offence on a par with the unlawful disclosure of official secrets. Unfortunately, the wording of the provision is so broad that using the data for research interests other than the approved research proposal is not punishable. Another positive is that the data are made available to researchers by remote access only. However, the legal definition forgets that it is possible to copy the data from the secure computer over the network, and this is consequently not sanctioned under the present proposal.

If an institution breaches these rules and commits data misuse, it can be excluded from access to register data in the future. But the decision to exclude or not is made solely and exclusively by Statistics Austria. Neither the data subjects nor the public are informed about the misuse. Statistics Austria is under no obligation to act or, as the single supervisory authority, to report the misuse to another body, which is problematic since access to register data via AMDC is a revenue source for Statistics Austria. Institutions must pay anew for every additional research project. A key consideration in deciding whether an institution should be excluded in the future are the measures it takes to prevent misuse in the future. But the institution is not required to supply proof of these measures to Statistics Austria; instead, mere provision of prima facie evidence, a much lower standard, is sufficient.

Dismantling controls against misuse

What appears particularly disturbing in view of the enormous expansion of processing of the most sensitive personal data from almost all conceivable areas of life, is that the present draft bill dismantles the logging demands placed on research institutions. At present, every operation involving personal data must be logged, yet the draft wants to limit this without really giving a reason. A complete log of access to personal data is international standard practice, including in the sensitive areas of policing and intelligence. Log-keeping is often the only means to at least discover data misuse after the fact, for instance when a staff member has searched the data for their ex-girlfriend or persons of public interest. Dismantling these control instruments raises doubts about the chancellery’s motivation behind this draft.

Statistics Austria is responsible for checking logs as well as research results prior to publication. Its means of control, however, are limited to samples and algorithmic checks by the draft bill, which is downright asking for abuse.

Furthermore, the draft bill extends an increased protection to competing companies by preventing research organisations with commercial ties from obtaining data of other companies in the same market, but affords no comparable protection to individuals. Why are business interests deemed more worthy of protection than natural persons and the civil liberties of individuals?

Register data research: essentially a solvable problem

For each of the problems mentioned above, epicenter.works offer solutions in their statement. A central building block of these solutions is the creation of a register data research council. Similarly to the existing statistics and financial councils at Statistics Austria, it would deal with highly complex issues. An independent board of researchers and privacy advocates is needed to examine individual research requests and decide on access to personal data. It must be able to deny a research proposal if its objective is clearly not in the general public interest but rather fully in the commercial interest of individual companies. It must also be able to deny excessive requests for too much data, or limit them to aggregated and thoroughly anonymised data. But Statistics Austria is not equipped to deal with this type of decisions and needs the help of a neutral expert body.

With this approach, it will also be easy to provide transparent information on the approved research proposals, their objectives and the data made available. After all, these data concern all of us, and their collection has been paid for using our tax money. We ought to have the right to see who is using them and to what purpose. This would enable research that Austria needs for the benefit of the general population; but first, chancellor Kurz must avert the risk that this new instrument is misused.

Read epicenter.works’ legal statement here (German).

The article was first published by EDRi’s member epicenter.works here.

Image credit: Pixabay