California introduces 'right to know' data access bill, and why Silicon Valley will hate it

California introduces 'right to know' data access bill, and why Silicon Valley will hate it

Summary: As California considers going above and beyond what the EU gives its citizens in data access request rights, technology and Web firms in Silicon Valley will likely fight any hopes of such rights hopping across the Atlantic.


The European Union has long championed its citizens' right to submit a request to acquire the data a company holds on them in order to ensure that such data is up to date and correct. In recent years, one Austrian law student took this "habeas data" right to public light by demanding his Facebook data from the social network.

Americans do not have this right — and generally have almost zero legal protection from the state or federal government against data thefts, unauthorized disclosures and other privacy-related matters, unlike in the EU.

In the California State Assembly, a 'right to know' bill that would allow unprecedented personal access to your own data held by companies will be debated later this year. (Credit: LWY/Flickr: CC)

While the EU and the U.S. have never seen eye to eye on matters of data privacy and data protection in the legislative field, that may change in the form of a new California "right to know" law currently in the proposal stage. 

That is, however, if Silicon Valley doesn't fight back with the full force of its political lobby.

'Right to know' bill sets unprecedented level of personal data disclosure

Following lobbying efforts from two major U.S. privacy groups, the Electronic Frontier Foundation (EFF) and the Northern Californian branch of the American Civil Liberties Union (ACLU), California Assembly Member Bonnie Lowenthal has introduced a bill that may force companies operating in the state to follow EU-style data and privacy rules. 

Lowenthal, who represents part of the Los Angeles area, introduced the "Right to Know Act 2013" (AB 1291), which was amended and re-read for a second time on Monday introducing new clauses.

The new law introduced into the California legislative arena [PDF] would require any business that holds a customer's personal information to disclose it within 30 days of that customer's request. Adding to this, names and contact information of all third parties with which the business has shared that customer's data with during the previous 12 months must also be disclosed. And if that company declines, that citizen can file a civil complaint against that firm to force it to comply with the law.

Ultimately it gives California residents the right to access their own data held by a company offering a service they are using, allowing them to see the flow of data between one firm and another. It would be an unprecedented level of transparency not seen in legislative terms for quite some time. 

The EFF notes in a blog post that three safeguards are included in the draft law to prevent abuse of the system, while at the same time protecting smaller but burgeoning startups in the region which may not have the resources to respond to such requests. These are likely to appease some but may not settle their worries altogether.

Companies can choose to not store unnecessary data. Or, they could anonymize the data before disclosing it to third parties. Such measures would mean companies would not have to respond to data access requests. Also, if a company rejects a data access request, it can instead provide a notice about what data will be disclosed and to whom — either before or after it happens. And for companies that find such data access requests take up too many internal resources, such requests will be capped at one per person for every 12 months to prevent repeated requests.

Finally, it would seem, that the U.S. is catching up — at least on the privacy and the right for data access front. And while the EU pioneered such data access requests, its own laws were written during a time when the Web was still in its infancy and the Facebooks, Twitters and Googles of this world either didn't exist or had little interest in the law at the time.

The hope is that while the law, if passed, will be limited to California-based companies and California residents, it could eventually extend to other U.S. states. 

This has been seen with California's laws on Web sites describing data collection and use, resulting in privacy policies becoming a normal feature of a company's site — and also with California's laws for data breach notifications, which have since rolled out to 46 states following California's first enactment of such laws in 2002. 

Beware the lobby, prepare for opposition

But with all roads leading back to the giants of Silicon Valley and their large, almost limitless lobbying ability, any "right to know" bill will face its toughest opposition in California. 

Getting this bill into California law will be difficult, but it won't be impossible. And if it does, it could forge a wider path in which other states follow suit, if not at a wider federal level.

For the European Commission, which in January 2012 proposed a mass of changes to its 1995 Directive in the form of a 2013 Regulation — a one-size fits-all approach to unified data protection across the continent — its new proposed laws sparked a mass of lobbying by technology and Web giants alike.

Europe's Justice Commissioner Viviane Reding, who floated the proposals last year, said at a media meeting in Brussels last year that some Silicon Valley-based firms have lobbied "fiercely" in order to see these draft proposals have elements removed in part or entirely.

Around the same time, the EFF, the ACLU and the Electronic Privacy Information Center (EPIC) — among others — wrote to leading U.S. politicians seeking assurances that they would not, on behalf of the firms that have in turn lobbied them, hinder the process of new European data and privacy rules.

California's politicians face a similar problem. While in 1995, the same proposal was ratified into law by the European Parliament as Lowenthal is proposing for California today, most companies that are throwing their hat into the lobbying ring today didn't exist then.

This bill, if passed, will have a significant impact on major Silicon Valley-based companies — not limited to Facebook, Twitter, Google, and other companies that offer Web services. These companies will be unlikely to favor of such laws, and will likely lead to anger among Web firms that hold political sway due to their pillar-like status in the California economy. 

For the EU, which has had such laws since the Data Protection Directive was ratified in 1995, Silicon Valley firms that expanded into Europe have known no different for nearly two decades.

The resolve of California's state legislations, however, may not find it as easy to turn its homegrown massive tax contributing companies away so easily. Despite the fact that these Silicon Valley technology and Web companies already have systems in place, thanks to EU law, to offer up data access to those who request it, the California draft bill goes above and beyond the EU's legislative provisions.

Law student Max Schrems sparked a data access storm when he ultimately forced Facebook to alter its privacy practice. 

Under EU law, a company must allow European citizens to access data held on them by a company. Because Facebook operates in the EU out of Ireland, an EU member state, he requested his entire cache of Facebook data. He received his data on multiple CDs with documents spanning more than 1,200 pages. But he claimed it wasn't enough and filed a number of complaints with the Irish data protection authority.

A change in Californian law may nudge the U.S. towards an "EU way of thinking" regarding data protection law. While Europe's laws are far from perfect — with loopholes that still allow the U.S. government to acquire EU-based data through unauthorized channels — it offers an unparalleled level of protection to its 500-plus million population that has since been a model for other countries and states across the world. 

For Silicon Valley-based giants, it boils down to advertisers — the core business of many of these firms. California's law will allow its residents to see the paper trail behind their data, such as where their data has been handed to, like advertisers. 

According to an S-1 filing with the U.S. Securities and Exchange Commission in February 2012, Facebook said:

Our business is subject to complex and evolving U.S. and foreign laws and regulations regarding privacy, data protection, and other matters. Many of these laws and regulations are subject to change and uncertain interpretation, and could result in claims, changes to our business practices, increased cost of operations, or declines in user growth or engagement, or otherwise harm our business. 

California's legislators will have a fight on their hands, not least from their own corporate citizens. For the likes of Facebook, Twitter and Google, the greatest threat they can throw to the state of California is that they will up and leave and find another state to do business in. Such action may be unlikely, but the possibility is enough to ruffle the feathers of the state government, which will want to keep such companies firmly in their place — more than anything for the kudos and the tax collection purposes.

The bill is expected to be debated in the next few months. But hold onto your hats for this will be a bumpy, and likely disappointing ride. 

Facebook declined to comment on this report.

Topics: Privacy, Government US, Legal, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • If, We the people..

    ..would take notice and actually voice our opinions we might realize we are far more powerful then facebook or google.

    Just threaten to stop using them.
  • I would love to know....

    what Google has collected on me without my knowlege. They seem to have their fingers in everything.
    Test Subject
    • What google collects about you
    • What a great idea!

      If this was worldwide, we could do a DDOS attack on Google. Just imagine billions of people asking to see the profiles that Google has stored on them. That could tie them up for a while.
  • It's interesting to see that some companies may have the internal

    resources to provide personal data to other companies, but not to the people the data is about. Maybe they should just set up an automated way to provide copies to the people when they provide it to others.

    One thing that should come out of this is it shouyld allow people to find out if someone has stolen their identity on-line.
    Deadly Ernest
    • Wary of Automation

      You have a good point about the resources, but if the process is automated, then expect criminals to impersonate you, to find everything they didn't already know about you. Convenience is such the double-edged sword.
  • RE:California introduces 'right to know' data access bill

    There seems to two issues here.

    01) My right to see my data and to make sure what's there is accurate & correct. I would think that Companies would jump at this. It would make their marketing far more accurate and potentially lead to fewer litigation due to it being incorrect.

    02) My right to see what data has been collected and how it has been shared. Mixed concerns here. I understand the desire to do custom target marketing. And in some ways I'm for that as it leads to better deals for products that I'm actually interested in.
  • So it would apply to CA residents?

    I help maintain a blog for a private individual. It is religious in nature. To date they have run it as a personal experience. No company involved. I gets about 2000 to 5000 unique visitors per day. Some from California.

    So would she/we have to respond to such requests? If she incorporates as a non profit would she/we have to respond? Does that include email correspondence? If someone leaves their email address when they comment on a post do we have to track these and let them know how many we have and if we've shared them with anyone else. (We get requests all the time in comments to give someone else their email address.?

    We are NOT in CA.
    • Do not share anyone's info with anyone else.

      When request comes in for everything on a user of your website, if all you have is their name and email address, then that is all you have.
  • great idea

    I'd like this to include the government. There is no reason to exclude them.
  • Who owns this any way

    Maybe the question should be "Why do company own my data"? This is my data not theirs. I have to give it to them or they would not have it. I do not think they should be able to do any thing with my data. Maybe we should be writing laws that really protect the people.
    • You should start reading the EULA's

      Chances are you have given them permission to farm your data.
      • Why are EULAs allowd to be "Get out of Jail Free" cards?

        Why are these horrendous EULAs allowed? If the law states that terms may not change at the whim of the software company, and that purchase and use of software does not automatically grant the software company the right to demand your info and use it, etc..., then EULAs will stop being the "get out of jail free" card that software publishers are using them as.

        The guy selling tacos on the corner COULD have a sign on his cart saying that by purchasing that taco, you agree to all of his terms, which may change retroactively at his discretion, and (all your bases belongs to him.) They law would smack him down in a heartbeat. So why do software companies get to do it? Why do service companies like Google and your phone provider get to do it? Why does every website get to do it? (Besides the obvious answer that the Taco Vendors Association doesn't have the money to buy or rent politicians the way other industries do.)
  • How to beat the threat of upping sticks

    If the big players threaten to up sticks and take their business out of the state, then the supporters of this proposal could use that as a **HUGE** PR boost in support - and a big PR hit for the companies.

    Just think of the headlines you could spin along the lines of " is so scared of letting you know what information it keeps about you, and who it's sold that to, that they are prepared to leave the state to avoid telling you. Isn't that enough justification for you having the right to know about it ?"
    It's the PR equivalent of asking someone if they've stopped beating their wife ! If they aren't holding and selling information about you that you ought to know about, then they really have no reason to fight the proposal - and conversely, if they are fighting the proposal then what are they hiding ?
  • Should Stalking be legal? Isn't that really what Facebook & Google does?

    If a person were to follow me around all day, and record all the movements that I make during that day, I would essentially be stalked, which, I am not entirely sure, but I believe is probably illegal. Facebook or Google, track you online, and record what you do, where you go, who you talk to, what you say, when you say it, how long you say it. With mobile phones, companies such as Apple can watch where you go, and when, and then they put it in a database, to "help track you better" essentially. It's like everyone is now being stalked constantly.

    Is this freedom? People think they have more freedom, but they are really monitored more than any other time in human existence. Telcom's advertise that they give you the freedom to go where you want, where you want. But really it is freedom tethered to various disparate systems that track where you are, and what you are doing.

    Monolithic companies don't "care" about anyone. If they are giving you something for "free", it is because they are getting something far more valuable from you, you just don't realize it... until it's too late, and they have all kinds of information on you.
    • Sorry if I got off topic

      What I really wanted to say was, good work Cali! Lead the way.
  • Agreed with bill.tkach

    The fact that they are by definition stalking everyone who uses those sites, what about if we want them to delete that information....? (you know that's not going to happen) What about the security measures of the the request? What is going to stop a hacker from making a pseudo page of someone on facebook and request information? or any other website at that matter. How does the request process go?....... I guess they have yet to figure that out
    - `_` - Don't get me wrong i'm all about it, I just hope they find a secure way of doing it. I don't really want to give a hacker another way of finding info. about someone else.
    ISS Tech
  • Misunderstanding of "rights"

    "Americans don't have these rights"...
    As rights come from God, not government, we either have them, or we don't. If we do, then they're either not at present protected by law, and/or are being violated by government.
  • "Cyberazzi"

    First, check out for more on this whole personal data issue.

    Also, according to the U.K. Guardian, France’s minister for innovation and technology commissioned a report that “classifies users of sites like Facebook and Google as unpaid labourers (sic). The logic being that, in using these services, you are giving away valuable personal information, which can be used to gain revenue from targetted (sic) advertising. It's a sort of digital prostitution ring that is making Google around $30bn a year, including an estimated $2bn in France. 'In light of these galling facts,' the report concludes, 'France should introduce a tax on the collection of personal data.”' ...A possible next step for CA.