U.S. Rep. Ro Khanna, D-California, unveiled his plans for an Internet Bill of Rights earlier this month and introduced his basic principles for his proposed legislation. But lawyers that spoke to Legaltech News said Khanna's principles were just that, a framework, and time would tell if those principles would become legislation.

In an Oct. 4 op-ed featured in The New York Times, Khanna listed 10 principles for his proposed Internet Bill of Rights. The list included providing citizens with access to all the personal data companies have collected about them; opt-in consent for the collection and sharing of their personal data; and allowing, when “context [is] appropriate and with a fair process,” individuals to obtain, correct or delete personal data held by a company.

Khanna's list also includes a standard for personal data being secured and notification in a “timely manner” when a security breach occurs, as well as prohibiting paid prioritization from internet service providers and providing internet service without the collection of data.

Khanna is running for re-election against a Republican challenger to continue representing California's 17th Congressional District, which is also the home of Silicon Valley.

Marc Rotenberg, executive director and president of the Electronic Privacy Information Center in Washington, D.C., called Khanna's principles for an Internet Bill of Rights “a very useful framework.”

“It sets out constructive proposals. It could be the basis for effective legislation,” he explained.

Lawyers contacted by Legaltech News agreed the proposed legislation signaled a general need for clear national legislation regarding data protection. “Some of these things [the Internet Bill of Rights principles] are totally uncontroversial and everyone would agree on,” said TechFreedom president Berin Szoka.

But Szoka did point out that Khanna's principles are just principles and not legislation that would provide specifics. Szoka also added that some of Khanna's principles did pose problematic possibilities.

Szoka cited the principle of not being exploited or discriminated based on personal data. It's illegal to discriminate based on race for credit and mortgage rates, he explained, but marketing based on a person's internet footprint is unclear.

Szoka also questioned if the principle of a data collection entity having “reasonable business practices and accountability to protect your privacy” would be nebulous and make the Federal Trade Commission akin to the Consumer Financial Protection Bureau.

“The implications for the commission could be a very broad authority,” he said. “[It] could be problematic and the commission could have a blank slate, and it would be hard to comply. You may say, 'I don't feel sorry for Google and Facebook,' but the smaller companies trying to become Google [or] Facebook won't be able to navigate,” which would ultimately risk less competition from startups.

The opt-in consent for the collection of data principle listed by Khanna favors a Google, Twitter, Facebook or Amazon, said Szoka.

Even if a Facebook or Google has an internet user's permission to collect his or her data, the moving data principle listed by Khanna may not contain important data that warrants specifically marking someone's information as belonging to them.

”Any access or portability right requires a company to verify the user. When a company isn't collecting sensitive information, is it accomplishing anything when they require you to make an account specifically verifying it's you,” Szoka said.

Szoka cited the Obama administration's 2012 Consumer Privacy Bill of Rights as a predecessor to Khanna's proposed Internet Bill of Rights. That report was based on a study released by the Department of Commerce Internet Policy Task Force and included a “Consumer Privacy Bill of Rights.” The Consumer Privacy Bill of Rights included the principles of consumers controlling what personal data companies collect and other rights. That legislation went nowhere.

Still, although the Obama administration's data privacy reform failed to come to fruition, national data protection regulation can be done, Szoka said. “The hard part is translating it into the real world and not being counterproductive.”