Under proposed changes to The Privacy Act 1998 put forward by the Attorney-General’s department, cybersecurity researchers will be considered guilty until they prove their innocence. The amendment introduces provisions that prohibit intentional re-identification of de-identified personal information published or released by, on or behalf of, Commonwealth agencies in a general available publication. An effort to provide stronger safeguards for individual privacy, the proposed changes could be retrospectively applied from Sept. 29, 2016. Those who fail to prove their innocence could face two years’ imprisonment. It will be important for agencies to implement practices, procedures and systems to ensure they comply with the Privacy Act 1998.