watching the watchers —

California lawmaker introduces unprecedented personal data disclosure bill

"Right to Know Act of 2013" would force companies to tell Californians what they know.

It may seem odd, but in the European Union citizens have a near-blanket right to compel companies to release personal data held about them. The concept is sometimes referred to in its Latin shorthand: habeas data. It’s the principle through which an Austrian law student has become a thorn in the side of Facebook, trying to compel the social network to disclose the vast amount of data that it holds about him.

Here in the United States, we generally don’t have this right.

But after lobbying by the Electronic Frontier Foundation and the American Civil Liberties Union of Northern California, California Assembly Member Bonnie Lowenthal (who represents parts of the Los Angeles area) recently introduced a bill that could extend that concept to the Golden State for the first time. The "Right to Know Act of 2013" (AB 1291) was re-read and amended a second time on Monday.

The Legislative Counsel’s Digest summarizes the bill as it is currently written this way:

This bill would instead require any business that retains a customer’s personal information, as defined, or discloses that information to a third party, to provide at no charge, within 30 days of the customer’s specified request, a copy of that information to the customer as well as the names and contact information for all third parties with which the business has shared the information during the previous 12 months, regardless of any business relationship with the customer. This bill would require that a business subject to these provisions choose one of several specified options to provide the customer with a designated address for use in making a request for copies of information under these provisions.

If a company does not comply, citizens can file a civil suit to force compliance.

California has a history of pushing privacy concepts into law and influencing non-California businesses to comply. For example, the California Online Privacy Protection Act requires websites to prominently describe data collection and use. (Condé Nast, Ars’ parent company, does this even though it is not based in California.)

As the EFF wrote on Tuesday: “Hopefully, as companies put efficient systems into place to enable Californians to learn what is happening to their data, it will be easy for the companies to make those systems available to people outside of California. And like California’s model for data breach notification laws, (first enacted in California in 2002 and now integrated into law in 46 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands), transparency will become the default, helping consumers while saving companies money down the line.”
