California introduces 'right to know' data access bill, and why Silicon Valley will hate it
As California considers going above and beyond what the EU gives its citizens in data access request rights, technology and Web firms in Silicon Valley will likely fight any hopes of such rights hopping across the Atlantic.
The European Union has long championed its citizens' right to submit a request to acquire the data a company holds on them in order to ensure that such data is up to date and correct. In recent years, one Austrian law student took this "habeas data" right to public light by demanding his Facebook data from the social network.
Americans do not have this right — and generally have almost zero legal protection from the state or federal government against data thefts, unauthorized disclosures and other privacy-related matters, unlike in the EU.
While the EU and the U.S. have never seen eye to eye on matters of data privacy and data protection in the legislative field, that may change in the form of a new California "right to know" law currently in the proposal stage.
That is, however, if Silicon Valley doesn't fight back with the full force of its political lobby.
'Right to know' bill sets unprecedented level of personal data disclosure
Following lobbying efforts from two major U.S. privacy groups, the Electronic Frontier Foundation (EFF) and the Northern Californian branch of the American Civil Liberties Union (ACLU), California Assembly Member Bonnie Lowenthal has introduced a bill that may force companies operating in the state to follow EU-style data and privacy rules.
Lowenthal, who represents part of the Los Angeles area, introduced the "Right to Know Act 2013" (AB 1291), which was amended and re-read for a second time on Monday introducing new clauses.
The new law introduced into the California legislative arena [PDF] would require any business that holds a customer's personal information to disclose it within 30 days of that customer's request. Adding to this, names and contact information of all third parties with which the business has shared that customer's data with during the previous 12 months must also be disclosed. And if that company declines, that citizen can file a civil complaint against that firm to force it to comply with the law.
Ultimately it gives California residents the right to access their own data held by a company offering a service they are using, allowing them to see the flow of data between one firm and another. It would be an unprecedented level of transparency not seen in legislative terms for quite some time.
The EFF notes in a blog post that three safeguards are included in the draft law to prevent abuse of the system, while at the same time protecting smaller but burgeoning startups in the region which may not have the resources to respond to such requests. These are likely to appease some but may not settle their worries altogether.
Companies can choose to not store unnecessary data. Or, they could anonymize the data before disclosing it to third parties. Such measures would mean companies would not have to respond to data access requests. Also, if a company rejects a data access request, it can instead provide a notice about what data will be disclosed and to whom — either before or after it happens. And for companies that find such data access requests take up too many internal resources, such requests will be capped at one per person for every 12 months to prevent repeated requests.
Finally, it would seem, that the U.S. is catching up — at least on the privacy and the right for data access front. And while the EU pioneered such data access requests, its own laws were written during a time when the Web was still in its infancy and the Facebooks, Twitters and Googles of this world either didn't exist or had little interest in the law at the time.
The hope is that while the law, if passed, will be limited to California-based companies and California residents, it could eventually extend to other U.S. states.
This has been seen with California's laws on Web sites describing data collection and use, resulting in privacy policies becoming a normal feature of a company's site — and also with California's laws for data breach notifications, which have since rolled out to 46 states following California's first enactment of such laws in 2002.
Beware the lobby, prepare for opposition
But with all roads leading back to the giants of Silicon Valley and their large, almost limitless lobbying ability, any "right to know" bill will face its toughest opposition in California.
Getting this bill into California law will be difficult, but it won't be impossible. And if it does, it could forge a wider path in which other states follow suit, if not at a wider federal level.
For the European Commission, which in January 2012 proposed a mass of changes to its 1995 Directive in the form of a 2013 Regulation — a one-size fits-all approach to unified data protection across the continent — its new proposed laws sparked a mass of lobbying by technology and Web giants alike.
Europe's Justice Commissioner Viviane Reding, who floated the proposals last year, said at a media meeting in Brussels last year that some Silicon Valley-based firms have lobbied "fiercely" in order to see these draft proposals have elements removed in part or entirely.
Around the same time, the EFF, the ACLU and the Electronic Privacy Information Center (EPIC) — among others — wrote to leading U.S. politicians seeking assurances that they would not, on behalf of the firms that have in turn lobbied them, hinder the process of new European data and privacy rules.
California's politicians face a similar problem. While in 1995, the same proposal was ratified into law by the European Parliament as Lowenthal is proposing for California today, most companies that are throwing their hat into the lobbying ring today didn't exist then.
This bill, if passed, will have a significant impact on major Silicon Valley-based companies — not limited to Facebook, Twitter, Google, and other companies that offer Web services. These companies will be unlikely to favor of such laws, and will likely lead to anger among Web firms that hold political sway due to their pillar-like status in the California economy.
The resolve of California's state legislations, however, may not find it as easy to turn its homegrown massive tax contributing companies away so easily. Despite the fact that these Silicon Valley technology and Web companies already have systems in place, thanks to EU law, to offer up data access to those who request it, the California draft bill goes above and beyond the EU's legislative provisions.
Law student Max Schrems sparked a data access storm when he ultimately forced Facebook to alter its privacy practice.
Under EU law, a company must allow European citizens to access data held on them by a company. Because Facebook operates in the EU out of Ireland, an EU member state, he requested his entire cache of Facebook data. He received his data on multiple CDs with documents spanning more than 1,200 pages. But he claimed it wasn't enough and filed a number of complaints with the Irish data protection authority.
A change in Californian law may nudge the U.S. towards an "EU way of thinking" regarding data protection law. While Europe's laws are far from perfect — with loopholes that still allow the U.S. government to acquire EU-based data through unauthorized channels — it offers an unparalleled level of protection to its 500-plus million population that has since been a model for other countries and states across the world.
For Silicon Valley-based giants, it boils down to advertisers — the core business of many of these firms. California's law will allow its residents to see the paper trail behind their data, such as where their data has been handed to, like advertisers.
According to an S-1 filing with the U.S. Securities and Exchange Commission in February 2012, Facebook said:
Our business is subject to complex and evolving U.S. and foreign laws and regulations regarding privacy, data protection, and other matters. Many of these laws and regulations are subject to change and uncertain interpretation, and could result in claims, changes to our business practices, increased cost of operations, or declines in user growth or engagement, or otherwise harm our business.
California's legislators will have a fight on their hands, not least from their own corporate citizens. For the likes of Facebook, Twitter and Google, the greatest threat they can throw to the state of California is that they will up and leave and find another state to do business in. Such action may be unlikely, but the possibility is enough to ruffle the feathers of the state government, which will want to keep such companies firmly in their place — more than anything for the kudos and the tax collection purposes.
The bill is expected to be debated in the next few months. But hold onto your hats for this will be a bumpy, and likely disappointing ride.