> There isn't much difference between giving this data to 20,000 researchers all over the world and simply publishing the data on the web.

As a researcher who regularly deals with such data there is a MASSIVE difference. Yes, I have access to the data but I am restricted on how it can be stored (no cloud), what I can and can't do with it, and for some of it I'm even mandated to destroy it once the research project is over. I have the informed consent of every participant, some of which withdrew halfway throughout the collection without any penalty to them. I also don't need a new law because I'm already bound by existing ones, by the contract I signed when I joined, and by the confidentiality agreement I signed when the project started. While I don't know that the leaker(s) will be identified, the existence of the data itself already calls for legal action while giving a starting point for investigation.

Your suggestion, on the other hand, seems to be "let's put this data out there without people's consent and make companies pinky promise that they won't use it in their black boxes in a way that's virtually impossible to detect or prosecute". Those two things are definitely not equivalent.

I am not arguing either way, but I think you missed the point.

When you give O(20000) people you have a 1-0.9999^20000 (high) probability that that will leak anyway (either 1/20000 people not following the rules, or just the accident/attack surface area).

[dead]