Thousands of pages of internal Facebook documents made public on Monday show a company whose own employees question its roles in the spread of dangerous content and calls to violence. As NBC News reported on the staff communications, “Facebook’s well-documented problems in abetting violent polarization and encouraging the spread of misinformation weren’t getting fixed, despite the company’s investments and promises.”
The more that businesses or organizations know about you, the more power they have to target, influence and manipulate you.
It’s clear that government action is needed. Frances Haugen, a former Facebook employee who came forward with documents exposing the company’s knowledge of the harm its products were causing, gave powerful testimony before the Senate Commerce Committee earlier this month. During her remarks, she called for the creation of a federal regulatory agency where people like her could serve a tour of duty after working in tech and bring their expertise to the world of oversight and regulation.
She rightly pointed out that “right now the only people in the world who are trained to … understand what’s happening inside of Facebook are people who grew up inside of Facebook, or Pinterest, or another social media company.”
The government’s regulation and enforcement capabilities have not kept pace as algorithms have evolved and data collection has grown from simple cookie tracking to extensive surveillance of individuals and communities. Even just a decade ago, we weren’t carrying smartphones in our pockets that knew everything about where we go, whom we talk to, and what we do — not to mention our heart rate, our step count and even our tone of voice.
In other words, our days weren’t being continually subdivided into bits of data that could be bought and sold. That shift, brought about by Facebook and other big tech companies, represents a huge threat to our privacy that the government must address. To meet the challenge, we need more than a bureau within the Federal Trade Commission (FTC) that draws its authority from a law passed in 1914, as some in Congress are pushing. That bureau would be a reactive, not a proactive body. Haugen is right: We need a federal agency whose sole focus is safeguarding Americans' personal data and civil liberties.
My legislation, the Data Protection Act, would create that agency, as well as a comprehensive data rights framework that can protect individual and collective privacy. Having a Data Protection Agency (DPA) would give our government the ability to not only evolve alongside the biggest companies in tech, but go toe-to-toe with them in the fight for privacy. Right now, the United States is one of few democracies, and one of the only members of the Organization for Economic Cooperation and Development, without such an agency.
The approach companies like Facebook take to data is motivated not by protecting our privacy but by growing their profit and power. The more that businesses or organizations know about you, the more power they have to target, influence and manipulate you. That power, especially when in the hands of bad actors, is extremely dangerous and capable of creating new, unexpected forms of injustice.
These threats are already in motion. Haugen’s whistleblowing and The Wall Street Journal’s subsequent Facebook Files investigation outlined, among many issues, how Instagram and its parent company Facebook have ignored the mental health crisis their product and algorithm is creating among teen girls. We see the same patterns across other social networks like YouTube, whose drive to keep people on the platform led to a data-based algorithm that fed viewers videos of conspiracy theories and extremist content. (YouTube has said it’s working to address these issues, though it has also disputed some of the methodologies used to reach these conclusions.)
The perils of misused data go beyond the way it’s used within these platforms, however. Unrestricted data collection can directly affect people’s ability to secure employment, insurance, credit and housing.
The Senate Commerce Committee is currently considering my legislation as it tackles the fundamental questions of what privacy and consumer protection mean in the digital age. I believe the best way to answer those questions is with a dedicated government agency.
The DPA would help us shift the balance of power away from big tech companies and the largest data aggregators, and put it back where it belongs in a democracy — with the people. People must have power over their own data and the right to know if companies are using it for profit. And the government must have the power to enforce those rights.
The DPA would move existing, disparate privacy roles from across the government to a centralized authority, creating a more consistent approach to privacy. It would also give consumers a clear place to turn with their privacy complaints. The DPA would not only establish a toll-free phone line and website to report issues, it would also develop a publicly available database to track all reported complaints.
The agency would also have more proactive capabilities. It would have the authority to require the review of high-risk data practices, techniques and applications and to regulate consumer scoring. It would also have the ability to write new rules and issue orders. And when it finds violations, the agency would have the authority to investigate, subpoena and collect fees. Those penalties could go into a Data Protection Civil Penalty Fund and be used for payments to victims of privacy violations; consumer or business education relating to data protection; or technological research.
If we do not make an effort to define and defend data rights now as my Data Protection Act does, it will soon be too late.
If we do not make an effort to define and defend data rights now as my Data Protection Act does, it will soon be too late. Tech companies are learning more and more about us while letting us learn less and less about them. The imbalance of power between the people and Big Tech is too large.
Our privacy enforcement regime needs new mandates and missions that protect against the individual and collective privacy harms that threaten the foundations of a democratic society. The American people need to have their right to privacy in the digital age defined, codified and defended by an agency built expressly to protect it. Establishing the DPA will help us to protect individual privacy and civil liberties and, ultimately, to safeguard American democracy.