The government is to amend the data protection bill to protect security researchers who work to uncover abuses of personal data, quelling fears that the bill could accidentally criminalise legitimate research.
The move follows a Guardian report on the concerns, and has been welcomed by one of the researchers who raised the alarm. "I am very happy with the amendments," said Lukasz Olejnik, an independent cybersecurity and privacy researcher.
The bill will contain a clause making it a criminal offence to "intentionally or recklessly re-identify individuals from anonymised or pseudonymised data", with the potential of an unlimited fine for offenders.
When it was first published in August, security researchers feared they could fall foul of the law if they carried out research demonstrating inadequate anonymisation on the part of others.
Now the government has introduced an amendment to the bill providing an exemption for researchers carrying out "effectiveness testing". Researchers would have to notify the Information Commissioner's Office (ICO) within three days of successfully deanonymising data, and demonstrate that they had acted in the public interest and without intention to cause damage or distress in re-identifying data.