On May 3, Sara DePaul, SIIA’s Senior Director for Technology Policy, moderated a panel at the IAPP’s Global Privacy Summit 2019 in Washington DC on “Balancing Transparency and Privacy in Open Access to Public Records.” The panel featured the views of Cindy Van Ort, Chief Privacy Officer of Thomson Reuters; Chris Calabrese, Vice President for Policy at the Center for Democracy and Technology; and David Cuillier, Associate Professor at the University of Arizona School of Journalism. The panelists engaged in a spirited discussion and found a few high-level points of consensus, such as: that the use of public records confers important social benefits, that open access and use can yield the potential for harmful results that should be accounted for, and that the treatment of public records by privacy laws can raise First Amendment concerns that must be balanced by policymakers. They differed, however, in whether and how a privacy law should apply to public records data. SIIA will continue to advocate for accurate government recordkeeping and the ability to access public records, subject to restrictions in the event harms stemming from the use of public records can be demonstrated.
What are the Issues?
SIIA framed the discussion at the outset by noting that public records play a vital role in creating an informed citizenry, enabling rapid and inexpensive access to credit, and promoting public safety (such as identifying the location of missing and exploited children). For purposes of this discussion, the panel defined public records as those maintained and made publicly available by agencies, departments, or offices of the federal, state, and local governments (e.g. court filings, census data, and property records). While these records are available and hold value individually, they can be leveraged for socially beneficial uses in the aggregate. Commercial entities can collect and aggregate the data into useable digital files, which are then maintained, updated, and made available to the public and institutional customers.
The intersection of public records data and its commercial collection raises a number of privacy questions, such as: If our privacy laws restrict the use of public records data, what benefits are we losing and what harms are we avoiding? Would a privacy regulation preventing the flow of public records data implicate First Amendment concerns? And if this information is public, is there a privacy interest in it at all? Moderated by SIIA, the panelists discussed these questions and more. Here are some highlights where critical points of consensus emerged.
Public Records: What are the Costs and the Benefits?
SIIA began the panel discussion by asking each of the panelists to identify the benefits and costs of commercial access to public records data, specifically focusing on identifying the goods we want to preserve and the harms we want to avoid. There was general agreement that the commercial use of public records data confers societal benefits, and that actions can and should be taken to mitigate potential harms. The panelists differed, however, in whether a privacy law would be necessary to ameliorate the risk factors.
Cindy Van Ort noted that as a society we reap enormous benefits from the commercial collection of public records, and that any harms, on balance, are minimal because the information is public and thus already available for use by third parties without restriction. As an example, Ms. Van Ort referenced the use of public records data by law enforcement through Thomson Reuters’ Clear platform to locate and stop the San Bernardino shooters.
Chris Calabrese agreed that the commercial processing of public records yields social benefits, but argued that policymakers should focus on whether the use of that data impacts privacy, rather than on whether information is public or private. He continued on to say that commercial databases ought to have a mechanism for information to be removed when such risk exists, such as the publication of the home addresses of law enforcement officers or domestic violence victims. Similar care should be taken where there is the potential for disparate discriminatory end uses of public records data.
David Cuillier pointed to the concrete benefits that can be derived from public records data, citing James Hamilton’s Democracy’s Detectives for the statistic that the societal ROI for every $1 spent by news organizations producing document-based investigative reporting is $287. Mr. Cuillier talked about the importance of public records data for a free press, noting that it is essential for accurate reporting and the ability of the media to inform the citizenry of government actions and abuses of power.
Should a Privacy Law Regulate Public Records Data?
The panelists differed in their views on whether or not a privacy law should regulate public records data. Ms. Van Ort cautioned that policymakers should not paint all commercial uses of public records data with the same brush through privacy legislation. She noted that Thomson Reuters deploys self-regulatory mechanisms, including deletion requests, that can and do address reasonable risks of harm from public records data. Mr. Calabrese, in contrast, argued that a privacy law should cover all data, irrespective of its public nature, to prevent harmful consequences. He argued that self-regulatory mechanisms are insufficient and a privacy law is necessary to mandate that all commercial entities have mechanisms to remove data when appropriate. For his part, Mr. Cuillier agreed that a privacy law should prevent individual harms derived from the use of public records data, but cautioned against a privacy law prohibiting the commercial collection and use of public records data. He noted that once information is made available through a public record, it is by definition public and cannot and should not be subject to government action to prevent the use of the information.
Who Should be Responsible for Correcting and Deleting Public Records Data?
A trend in recent privacy legislation around the world is a move towards individual control rights, including the right for individuals to correct and delete personal data. With respect to public records data collected by commercial entities, this right can be particularly tricky. SIIA asked the panelists to discuss where the correction and deletion obligation should rest – with the commercial entity? Or with the government entity that created and published the record?
All of the panelists agreed that both government and commercial entities play a role in the correction and deletion of public records data. While the ultimate responsibility for the correction or deletion should rest with the government entity that publishes and maintains the record, there is a shared responsibility between the government and commercial sector to ensure the data is accurate and removed when necessary. The panelists noted, for example, that in order for correction and deletion to be meaningful, the commercial entities must update their database to allow for the accurate reflection of the corrections and deletions.
Notably, Ms. Van Ort and Mr. Calabrese differed on whether a privacy law is needed to mandate commercial correction and deletion. Ms. Van Ort pointed out that commercial entities like Thomson Reuters continuously update their platform, sometimes through daily feeds, which ensures accuracy as public records data changes, but which would make deletion at the commercial level ineffective. Mr. Calabrese advocated for a duty for commercial entities to disclose from where the public records data was derived in order for individuals to have the opportunity to correct or delete inaccurate or harmful information.
Does the CCPA Appropriately Regulate Public Records Data?
The California Consumer Privacy Act, which will take effect in January 2020, excludes “publicly available information” from its definition of personal data. The Act defines publicly available information so narrowly that it only covers information obtained from public records if it is used for a purpose that is compatible with the purpose for which the government maintained and published the public record. Currently, the California Assembly is considering AB 874, which would amend the CCPA to remove the compatible use limitation, thus effectively excluding all public records data from the scope of the Act, including the individual rights to correction and deletion.
The panelists discussed whether the CCPA as currently drafted, and as it may be amended, strikes the appropriate balance. Here, the panelists again found some consensus in opposition, with all agreeing that the CCPA’s compatible use test is not the best model, albeit for different reasons.
Ms. Van Ort, for instance, supports AB 874, arguing that the CCPA’s compatible use test gets it wrong as a matter of policy and essentially brings all commercial uses of public records data under the scope of the CCPA. She asserted that the compatible use standard nullifies the exemption for public records data because, as a practical matter, it will be impossible to identify the original intention for the maintenance and availability of public records in order to determine a compatible use, especially where the use of the public records data changes over time, such as census data. Assuming that an original intention can be identified, Ms. Van Ort explained that it is unlikely that a commercial entity can identify a permissible compatible use because public records generally are maintained for narrow purposes.
Mr. Cuillier agreed, arguing that the CCPA’s compatible use standard is unworkable. He questioned how an individual, entity, or news organization can establish a qualified compatible purpose and expressed concern that the test will not only impede our free press, but also the citizenry’s access to information about government programs and actions.
While Mr. Calabrese agreed that the compatible use standard is not the best model, he differed in his argument that a privacy law should cover all commercial uses of personal data, irrespective of whether the data is public or private. In other words, all personal data would need to meet the strictures of a privacy regulation, irrespective of its origin.
Does the Regulation of Public Records Data Raise First Amendment Concerns?
The bill history for AB 874 identifies First Amendment concerns as the basis for the amendment to remove the compatible use test and exempt public records from the scope of the CCPA. SIIA asked the panelists how policymakers should address First Amendment concerns when regulating the collection and use of public records data.
Ms. Van Ort pointed to the 2011 Supreme Court holding in Sorrell v. IMS Health that the “creation and dissemination of information are speech within the meaning of the First Amendment.” Relying on this opinion, Ms. Van Ort cautioned that policymakers must be careful not to pass privacy laws that are unconstitutional out of the gate. In her view, the CCPA, in particular, is likely unconstitutional under the Sorrell opinion, which struck down a Vermont law that restricted commercial speech by prohibiting the dissemination of data to block pharmaceutical marketing messages.
Mr. Calabrese agreed that the CCPA’s treatment of public records is not the best place to start the discussion. Instead, he advocated for the CDT’s approach in its model privacy legislation. Mr. Calabrese noted that the CDT considered the First Amendment in creating the model legislation, which confers individual control rights (like access, correction, and deletion), and prohibits secondary uses of sensitive data. According to Mr. Calabrese, the model legislation avoids content restrictions and is more robust for a First Amendment analysis.
SIIA was pleased to moderate this important discussion, and encouraged to find that the panelists were able to reach points of consensus, despite their diverse viewpoints. As SIIA has advocated at both the state and federal level, we believe that privacy regulations must be carefully crafted to maintain an open government data policy allowing for uses of that data, while preventing unintended and harmful uses of public records information.
Sara DePaul is SIIA’s Senior Director for Technology Policy and Enforcement.