Should the Freedom of Information Act extend to data in private companies?

Rep. Issa expressed support for reforming FOIA to include personal data held by companies.

The Freedom of Information Act (FOIA), which gives the people and press the right to access information from government, is one of the pillars of open government in the modern age. In the United States, FOIA is relatively new — it was originally enacted on July 4, 1966. As other countries around the world enshrine the principle into their legal systems, new questions about FOIA are arising, particularly when private industry takes on services that previously were delivered by government.

In that context, one of the federal open government initiatives worth watching in 2012 is ‘smart disclosure,’ the targeted release of information about citizens or about services they consume by government and by private industry. Smart disclosure is notable because there’s some “there there.” It’s not just a matter of it being one of the “flagship open government initiatives” under the U.S. National Plan for open government or that a White House Smart Disclosure Summit in March featured a standing room only audience at the National Archives. When compared to other initiatives, there has been relatively strong uptake of data from government and the private sector and its use in the consumer finance sector. Citizens can download their bank records and use them to make different decisions.

Earlier this summer, I interviewed Representative Darrell Issa (R-CA) about a number of issues related to open government, including what he thought of “smart disclosure” initiatives.

“These are areas of legitimate concern,” he said. “Europeans have a completely different set of criteria for what they consider to be data that can be released on behalf of their people. They are much more liberal in what you can find out but then they’re much more conservative in how long the data can be kept. We, on the other hand, limit how much data you can get by comparison. But you can keep it forever. It’s very hard to reconcile those two standards. But more importantly, the American people don’t agree with either one of them.”

Rep Issa told me that including data collected about individual by private actors, like financial institutions or insurers, is the “most important thing” that could be added to the Freedom of Information Act. That’s a notable position, given that the U.S. Federal Trade Commission called on Congress to enact baseline privacy legislation and more transparency of data brokers earlier this spring.

While online privacy debates have been going on in Washington for years now, legislators and regulators alike might consider the role of personal data ownership, where data is a currency that citizens control and may spend. As a matter of principle, the big (multi-billion dollar?) question may be whether the American people should have ownership of the data that is collected about them by, financial institutions, insurers, telecommunications companies or government agencies, similar to the credit report.

“As we’re reforming the Freedom of Information Act, the information held about you by anybody is yours unless there’s an affirmative defense to keep it,” said Rep. Issa.

For example, if you’re the subject of a criminal investigation in a drug deal, you shouldn’t be able to FOIA and find out what the feds know about you. That would be inappropriate for obvious reasons.If people are gathering the data about your financial well being and you want your FICO score, you should be able to get it. We accept that. So do you have a medical FICO score? Of course you do. You have a life insurance FICO score. I’m using the acronym, not for what it stands, but for how people look at it.

Each of those areas, you should give people access. The question is how do we get it into a common understanding of freedom of information both publicly and privately. And we should get there. And we can get there. I’ll go back to square one for a second. Without the DATA Act, you actually can’t expect your government to deliver it to you because they wouldn’t be able to find it. You’d be going agency to agency rather than saying, “Look, I want to know what you know about me. I want to know what you think about me. And I have a right.” Once we have a format in which they can’t hide behind [it] being burdensome to find it, then you should be able to get it.

I also asked Rep. Issa about the role of releasing government data into the marketplace plays in more transparent marketplaces, including data that private companies collect. I specifically called out the release of financial data, which is already released as XBRL data through the SEC’s Office of Interactive Disclosure. Issa said that “government being able to aggregate data [and] make it available in useable formats is one of the least expensive and most valuable things government does.”

When it came to the the initiatives that the Consumer Financial Protection Bureau, the U.S. Treasury Department and other federal agencies are taking, in terms of releasing government data back to the people, Rep. Issa highlighted some of the complexity he anticipates in personal data disclosures from industry:

“If you go back to your earlier question, what is somebody’s private information? That’s the only fly in that ointment,” said Rep. Issa. “If it’s my private information and I do not want to release it, then without a compelling need of America — not just a ‘nice to have,’ but compelling need — you don’t have the right to have it. So your point you’re leading to is well, shouldn’t they have all of this information? And the answer is, it depends. You know, people choose to belong to the Better Business Bureau. If they choose not to belong to the Better Business Bureau, should they have to give their information? The answer is no. If I belong to a credit rating agency or a credit exchange and I voluntarily give my credit experience so I can get other people’s credit experience, that’s an opt-in. One of the problems with the federal government is when they force the turning over of individual data and then use it for individual action against that entity, it’s a different standard than when they voluntarily receive data and aggregate it for the common good.”

When I asked FTC chairman Jon Leibowitz about whether citizens have a right to their data at a press conference earlier this year, he offered support for the idea:

“With respect to data brokers, these are cyberazzi that collect information from consumers and consumers have no interface with them,” he said. “They’re invisible to consumers. And so we have called for, and we actually have supported this for quite some time, legislation to create parameters and rights to correct inaccurate data by consumers in terms of baseline privacy. We’ve also called for specific data security legislation, which has been a bipartisan priority for the commerce committee and energy committee for quite some time.

… In the report, we talk about some of the gaps now, because it’s our sense that companies are doing things that are very much like credit reporting agencies, but they might not be within the ambit of the FCRA.”

As Congress open an inquiry into data brokers, it will be interesting to see whether legislators agree with Rep. Issa or the FTC chairman — and whether they draft bills that extend digital rights to data to citizens.

An earlier version of this post quoted FTC chairman Leibowitz as saying “data streaming,” not “data security.” We regret the error.

tags: , , , , ,
  • http://twitter.com/bwaber Ben Waber

    That seems very similar to the approach we take at Sociometric Solutions. We use wearable sensing devices in organizations to measure how interactive people are, how energetic they are, etc. We actually don’t give management access to individual data, but individuals essentially own their own data. If people want to stop participating (although we use an opt-in model) we can delete their data, and at the end of a project each person gets an individual report on their own data.

    This makes people much more willing to participate and is the right thing to do in my opinion. It becomes tricky, however, when your data is mashed up with data from other people.

  • Pingback: Rethinking regulatory reform in the Internet age - O'Reilly Radar

  • Pingback: Mr. Issa logs on from Washington - O'Reilly Radar