Saturday, March 20, 2010

What responsibilities should those who collect personal data have?

The FCC pointed out in its Broadband Plan that “the fiduciary and legal responsibilities of those who collect and use that data are (…) unclear,” and that “once consumers have shared their data, they often have limited ability to see and influence what data about them has been aggregated or is being used” (p. 53).

There are a few federal laws which allow an individual to access and correct his personal data:

Right of access provided by U.S. Federal Laws
Some federal laws require that the consumer have access to his information after it has been collected. For instance, §609 of the FCRA gives consumers the right to ask a consumer reporting agency to disclose (almost all of) the information in their file, along with the source of this information. The disclosure must be made in writing (§610 of the FCRA).

As for medical information, 45 C.F.R. § 164.524 provides an individual with a right to access, inspect and obtain a copy of his protected health information contained in a designated record set.

The Cable Communications Policy Act of 1989 (CCPA) provides cable subscribers access to all their personally identifiable information which is collected and maintained by a cable operator. This information must be made available to them at reasonable times and at a convenient place designated by the cable operator.

Right to correct data provided by U.S. Federal Laws
Federal laws also sometimes give the data subject the right to correct his personal information. A consumer may correct information in his credit file if it is inaccurate, and §611 of the FCRA provides a procedure in case of disputed accuracy. The consumer may notify the consumer reporting agency directly, which must then reinvestigate free of charge and correct the file, or delete the item from the file if it is inaccurate. The Family Educational Rights and Privacy Act of 1974 gave students the right to inspect their records and correct their information, and under the CCPA, a cable operator must provide its subscribers with a reasonable opportunity to correct any error in their information.

European Law
In contrast, the European Directive 95/46/EC clearly states that “any person must be able to exercise the right of access to data relating to him which are being processed, in order to verify in particular the accuracy of the data and the lawfulness of the processing.” This right of access is provided by article 12 of the Directive, and it is the data controller who is in charge of ensuring that data subjects can exercise their rights. A data controller is defined by article 2(d) as “the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.”

The data controller's responsibilities start when the data is collected and last until the data is destroyed. Pursuant to article 6 of the Directive, “every reasonable step must be taken” to ensure that inaccurate data are either deleted or corrected.

Recommendation 4.15 of the Broadband Plan proposes that Congress should consider helping the development of trusted “identity providers” to assist consumers in managing their data. But wouldn’t it be more efficient to provide American data subjects with a general right to access and correct all of their personal data?
