Facebook’s and Google’s Breaches Show It’s Time for an Internet Bill of Rights

Our Founding Fathers drafted the Bill of Rights to safeguard our freedoms in the physical world. Today, as Americans are living more of their lives online, the digital age demands that we have new rights to protect our freedoms in the cyber world.

To secure these rights, we will have to overcome gridlock and a knowledge gap in Congress. Following the Equifax breach nearly a year ago and the Facebook hearings on Cambridge Analytica six months back, Congress still hasn’t acted. Besides a few hearings that exposed our Senators’ lack of knowledge of the Internet, Congress adjourned two weeks early to extend the midterm campaigns, instead of staying to work on passing an Internet-reform bill.

The lack of urgency in Congress has persisted even in the wake of recent revelations that a Facebook security breach exposed 50 million users’ personal information to attackers and Google let third-party app developers access information on users who did not give them permission. The truth is that most elected officials and their legislative staff on Capitol Hill simply lack the necessary expertise to write rules for the Internet.

Since I represent Silicon Valley, Democratic Leader Nancy Pelosi tapped me in April to draft a set of principles for an Internet Bill of Rights. Instead of only focusing on privacy and the right to protect one’s own identity and data, I included principles ensuring net neutrality and universal access to the Internet.

In total, with the help of consumer groups and World Wide Web founder Tim Berners-Lee, we came up with ten principles that can help define rights in the digital age. I imagine thoughtful Republicans such as U.S. Representatives Mike Coffman and Will Hurd, along with Matt Lira from the White House’s Office of American Innovation, could collaborate on legislation based on these principles. They are as follows:

First, you should be able to know and access what personal data of yours companies collect. Instead of reading a long and convoluted legal document, it should be clear and in plain language what information of yours is being collected.

Second, you should be able to opt-in and consent when that personal data is being collected and shared. It should be clear exactly what you are consenting to, but such prompts shouldn’t be relentless to the point of fatigue.

Third, you should be able to correct or delete incorrect personal data, assuming such action does not violate the First Amendment. This right is not the same as the European Union’s “Right to be Forgotten,” given that we have the First Amendment protecting the press’ free speech in the U.S. In the 2014 case Garcia v. Google, the Ninth U.S. Circuit Court of Appeals wrote that “such a ‘right to be forgotten,’ although recently affirmed by the Court of Justice for the European Union, is not recognized in the United States.”

Fourth, if you allow a company to collect your personal data, that data should be properly secured. If for some reason there is a breach, that company must notify you in a timely manner, not only when it’s financially convenient. Last year, despite knowing about the security breach on July 29, Equifax waited until Sept. 7 until they notified their customers. Similarly, Facebook shouldn’t have been able to wait years to publicly announce its Cambridge Analytica breach.

Fifth, you should be able to have data-portability and move your personal data from network to network. It’s your data and you should have the right to move it if you want — including moving your personal network from Facebook or Snapchat to any other social media platform.

Sixth, you should have access to a free and open Internet despite efforts by the Trump Administration and FCC Chairman Ajit Pai to dismantle net-neutrality protections. Internet service providers should not be permitted to block, throttle and unfairly favor certain content, applications, services or devices.

Seventh, you should be able to access the Internet without the collection of data that is unnecessary for providing the requested service. An Internet service provider reasonably needs to know your name and address. But it’s hard to imagine why a provider would need to collect your Internet browsing habits other than to sell your data.

Eighth, you should be able to access multiple viable, affordable Internet platforms, services and providers with clear and transparent pricing. According to the FCC, 30% of Americans have only one choice for broadband service. Thirteen percent don’t have access to a provider at all. All Americans must have access to the Internet in today’s digital world, and the market needs competition to drive affordable prices.

Ninth, just like you can no longer be discriminated against at the lunch counter, you should have the right to not be exploited or unfairly discriminated against based on your personal data. For instance, advertisements for high-paying jobs should not be disproportionately shown to men, and if you search for black names and fraternities, you shouldn’t be more likely to see advertisements for arrest records.

Tenth, in the case where an entity collects your personal data, it must adopt cybersecurity best practices. There should be an understanding and trust that your privacy and data will be protected. Entities need to be held legally responsible for not implementing reasonable business practices.

My hope is that these ten rights will begin the much-needed and long-overdue conversation in Congress to guide a legislative solution that restores our privacy and protection online.

The American people can no longer wait while their data is being collected, shared and stolen on the web. The Internet can be a tool for more freedom and prosperity, but only if proper rules and guidelines exist. Our constituents tasked us to make those rules. It is now up to Congress to answer that call and bring our laws into the 21st Century.