The U.S. Government Policy on Open Data Memo directs agencies to take into account the "mosaic effect."
Theoretically, it seems like the mosaic effect could justify the restriction of almost any data. If the mosaic effect is used to justify a data restriction, will there be any means of appeal?
The answer depends very much on the legal framework of the jurisdiction where the data is released. The question seems to be US-specific. I do not know the legal framework in the USA, but close examination of relevant US privcy laws (which I understand are very fragmented and difficult to understand) should tell you about what means of appeal there exist in the USA (on federal and on state level). The privacy laws of your jurisdiction should give both tell you what means of appeal there exists, and on what grounds you may make an appeal.
However, since this is an international forum, and by means of example on how privacy laws work in the specific jurisdiction I am familiar with, I would like to point that in the EU and EEA, this regulated by the Data Protection Directive (Directive 95/46/EC) where each member state must set up a supervisory authority, to make decisions about, among other things, the release of data that may affect privacy. Decisions by the supervisory authority which give rise to complaints may be appealed against through the courts (art. 28).
In Norway (EEA member state) the "supervisory authority" is known as "The Data Inspectorate", and there is also the "Privacy Appeals Board", which is the primary means of appeal for decisions made by "The Data Inspectorate" (decisions made by the "Privacy Appeals Board" may be appealed against through the courts, so there are also a secondary means of appeal available).
As for case law in Norway, the Mosaic Effect is often cited as grounds for not releasing data. What usually happens is that the "The Data Inspectorate" requires the data to be aggregated to the point where the Mosaic effect can longer be used to indentify individuals before the data is allowed to become public. However, aggregating data also removes information and therefore makes the data less useful, so a requirement to aggregate is often appealed against. EU/EEA law requires the supervisory authority to weigh the privacy risks against public utility when making a decion. In other words, if the privacy risks are low (e.g. the Mosacic effect will not expose sensitive personal data), and the public utility is high, a decision may be made to allow the data to be released without aggregation despite the Mosaic effect. Vica versa, data where the privacy risks are high, and the public utility is mariginal, the data may not be released at all, or only released as aggregates.
(I am a member of the "Privacy Appeals Board" in Norway, and has during my term of service heard several appeals where the Mosaic effect has been relevant.)
Data will still be available through Freedom of Information Act (FOIA) requests: http://www.foia.gov. (i.e., yes, there will be "means of appeal" for individuals requesting government data that has not been publicly released).
It seems as though if this can occur, it should restrict that data from being provided. I don't want identifiable data from being published or parts being combined to identify me. It would be easy to systematically combine these data sets to create identifiable and potentially harmful data.
You would have to provide sufficient evidence or justification for requesting those data parts to be available. A possible solution could be to partly de-identify some parts of the data to prevent the data from becoming identifiable.
I think there's a practical perspective. Regardless of the legal implications, how will this influence agency prerogatives? How much speculation will they engage in? I have grave concerns that the include of mosaic effect could swallow the pro-publication bias. The language (and process) needs to be clarified.
