California Dreaming? The 'Right To Know' Bill

There is a huge amount of focus on data protection and privacy laws around the world.  The latest battleground is in California which is proposing to become the first US state to provide similar rights to its citizens to the subject access rights granted to EU citizens under European law.  Could we be getting closer to harmonisation of EU and US privacy laws?

California's Right To Know Bill proposes that any organisation which holds a California resident's personal information must disclose it within 30 days of request together with names and contact information of third parties with whom the citizen's data has been shared in the previous 12 months and without charge.   Should a request be declined, the citizen will have a right of action against the organisation and may seek a court Order compelling disclosure of the requested information.

Those of you familar with the 'subject access right' under the UK's Data Protection Act will instantly recognise some key similarities between the current UK/EU rights and the proposed 'Right to Know' under California law.

If passed, California would become the first US state to grant this right to its citizens.  Whilst harmonisation of privacy laws across the US and Europe is incredibly unlikely, the introduction of equivalent rights across EU and certain US states demonstrates the increasing importance of individuals' right to privacy on a global scale (together with the associated individuals' rights of control and transparency over their personal data).  On a positive note, California has frequently been at the cutting-edge of privacy laws in the US and has seen other states following its lead (California's law on mandatory breach notifications in 2002 has since been followed in a further 46 states and its laws requiring the use of online privacy policies have become industry standard across the US).

The proposals in California may bring with it significant challenges for organisations who have not previously managed information in a way which would enable them to easily adapt their processes and systems to comply with these new rights (albeit many of the larger internet based organisations already have operations in Europe serving European users and will have developed processes to accommodate existing subject access requests which exist under EU laws). 

This is the core focus of the groups lobbying against the bill which includes a large number of 'Silicon Valley' based IT companies including start-ups who feel that they burden of legal and regulatory compliance in this area will become too complex and expensive.  The California legislature has sought to appease these groups by making some practical recommendations (some of which are equally applicable to the position under current European laws):

  • Don't store data unnecessarilly (in line with the 5th principle of the UK's Data Protection Act).
  • Anonymise data before it is shared (an update on the regulator's view of anonymisation will be posted here soon).
  • Requests will be limited to one per person every 12 months (similar, albeit more explicit, than the conecpt in Section 8 of the UK's DPA which permits a data controller to elect not to respond to a request unless a 'reasonable' interval has elapsed since the date of the last request).
  • An organisation can elect not to respond to individual requests by providing a notice detailing what information is being collected, what data will be shared and with whom (this is similar to the fair processing information requirement in the UK's DPA, but the concept of a general right to 'opt-out' of the subject access regume by providing this information is very different - in practice, it may be extremely difficult to develop a workable notice which provides sufficient information to the citizen).

Whilst this right is contained in a bill in a single US state which still faces a huge amount of lobbying (and may therefore be seen as a relatively small step), it is nonetheless a step in the right direction towards EU and US laws recognising similar basic concepts of privacy and the indviduals' right to control and transparency of their data.  In short, it is a significant signal of intent & provides further momentum to privacy issues rising higer on the corporate agenda and risk-radar.

This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.