It's Time for a Digital Bill of Rights
Featured on EvolveTheLaw.com, April 27, 2018.
I’ve been saying it quietly for years. But after recent Congressional inquiries into Facebook’s data mining practices and revelations that companies like Palantir have monetized all data under the sun, it’s time to say it louder:
We need a national conversation about amending the U.S. Constitution to protect our fundamental and individual Right to Data – or a Digital Bill of Rights.
A Digital Bill of Rights would go a long way towards restoring America’s faith in our essential technological institutions. Additionally, it would provide clear, Federal guidance to enterprises providing legitimate services to consumers in the digital ecosystem.
I realize one doesn’t amend the Constitution willy-nilly. It’s happened 17 times since the original Bill of Rights (containing the first 10 Amendments) was ratified in 1791 thanks to the efforts of James Madison and a band of activists known as the Anti-Federalists. Madison saw these rights as an essential “bulwark” against government intrusion and necessary for the “tranquility of the public mind.”
Indeed, Mr. Madison. “Tranquility of mind” is in short supply these days, especially as the average American learns more about data – how it’s accessed, processed and transferred between multiple institutions across the globe. Fact is, our modern lives are increasingly constructed and defined by our digital transactions, executed across platforms like social media and blockchain.
What’s clear now is our Right to Data is as fundamental as it is individual. Data is no longer simply a virtual representation of our real identities, be they political, financial, demographic, Instagraphic or otherwise. Data has become our real identities – and it needs Constitutional protection.
It’s not an insignificant problem that our present Constitution affords no individual data protection, or does so awkwardly through the Fourth Amendment protecting the right of the people to be secure in their “persons, houses, papers, and effects” against “unreasonable searches and seizures.” And it’s not the Founders’ fault they were drafting a document in the 18th century world of parchment paper and muskets and we’re now living in the world of Facebooks and Palantirs.
Constitutional Law scholars can try to apply 300-year-old thinking to concepts like Big Data and Geo-Targeting, but it is like jamming a circle into a square. For example, when someone’s personal data is harvested for political targeting without clear and explicit user consent, is the right to be protected in your “house” or your “effects” violated? Has a physical “search” or “seizure” taken place? Strict Constitutionalists also can’t avoid the fact that the Fourth Amendment was primarily enacted with law enforcement in mind.
Beyond the Fourth Amendment, U.S. Federal agencies have enacted a series of administrative rules geared towards information security. This, in addition to the myriad individual State laws (Delaware recently enacted their own), and the fact that entire industries have now taken matters into their own hands by enacting comprehensive “self-regulatory” frameworks, contributes to what security experts call our present “patchwork system” of Privacy Law.
It’s just that: a patch.
While the “patchwork system” affords some flexibility to enterprises engaging in large scale data processing – and is a tremendous boon to the legal services industry – multiple layers of legislation make it extremely difficult for legitimate players to comply. It also does nothing to enshrine our individual Right to Data – the thing we actually need to restore public trust in our critical technological institutions.
Recently, the European Union enacted the “General Data Protection Regulation.” The “GDPR” comes into effect later next month. It’s a big step towards protecting consumer privacy that American companies are taking seriously. I view the GDPR as very “American” in spirit. It vehemently seeks to protect individual rights, much like James Madison and the Anti-Federalists who fought for our original Bill of Rights back in 1791.
The U.S. would be wise to emulate the incoming E.U. privacy regulation in some fashion. Among some of what I’d like to see drafted into our Digital Bill of Rights is a right of erasure (or a right to be forgotten, requiring controllers of data to take steps to delete data under certain circumstances). We could also use a right of access (the right to obtain a copy of personal data processed in electronic format, including details on how your data was used across various entities). Importantly, by codifying our Right to Data, we would protect both American individuals operating in the digital ecosystem, and American institutions who, for the most part, genuinely wish to process data for good purposes in a way that is ethical, fair, and Constitutional.
So, what is Congress waiting for?
It’s time they bust out the 18th century parchment paper and start drafting our 21st century #DigitalBillofRights!