For a long time, regulators and lawmakers took a hands-off approach towards technology companies. Initiatives to regulate the industry tended to be criticised as “stifling innovation” by lobbyists. Over the past few weeks, however, we have seen a rash of interventions on technology policy by social media leaders themselves, all of them having an impact on speech online.

After being grilled on Capitol Hill about Facebook’s plans to launch a global digital currency, Mark Zuckerberg, the company’s founder, promised that disinformation would be fought. Soon afterwards, however, Facebook listed the rightwing Breitbart News website among its “trusted” news sources and vowed to keep lies by politicians online.

A radically different approach was announced by Twitter’s Jack Dorsey, who tweeted that the company would stop running political advertisements all together. Now both Google and Facebook say they are considering a ban on micro-targeted political ads. But no matter how many individual decisions tech executives make, they should not distract from the bigger challenge of upholding the rule of law online. Corporate initiatives are no substitute for democratic lawmaking. A US Congressional hearing, however tough, is no alternative either. The appearance of Mr Zuckerberg before Congress left a sense that tech companies have bitten off more than they can chew, and lawmakers have lost their grip.

Part of the challenge lies in the asymmetry in access to data between the tech giants and democratically elected representatives or regulators. Companies know every detail of people’s lives, while citizens and lawmakers know very little about the inner workings of data collection or microtargeting algorithms. Without knowledge of how tech companies work, it is impossible to scrutinise their activities properly. We cannot rely on the bravery of whistleblowers to bring abuse to light.

In the absence of clear rules, and with stakes rising, we have seen a number of high-profile court cases brought forward. In October, WhatsApp (owned by Facebook) sued the Israeli surveillance company NSO Group for allegedly injecting spyware on the phones of human rights defenders and government officials. A month earlier Facebook itself faced a lawsuit in which the plaintiffs alleged the social network illegally allows employers to show job ads only to men. It is important that executives answer to lawmakers’ questions, but hearings in parliament risk distracting from the need for regulation.

Surely, companies can do the right thing even if regulations do not mandate it? David Kaye, UN special rapporteur on the promotion and protection of the right to freedom of opinion and expression, has urged tech companies to align their terms of use with human rights frameworks. But we cannot depend on the willingness of companies to act, without ensuring a level playing field.

The decisions social media executives do, and do not take, change the space for online speech for hundreds of millions of people. Governance of fundamental rights is thus privatised. The outcomes of the court cases, policies and business decisions will play out over time. But they are clearly disconnected from the rule of law and legal frameworks within which speech is protected, or exceptions to that freedom are mandated.

If we do not want tech executives to be the ones deciding which political ads or news sources are truthful or deceitful, whether whistleblowers are protected, or whether hacking technology is legal, we must take action. If we do not want Facebook to run financial markets, it should not be allowed to create a global digital currency.

It is time for clarity and accountability anchored in democratic foundations. Instead of depending on tech executives or going through more frustrating hearings that generate few structural solutions, lawmakers themselves should urgently start answering the difficult questions on how to ensure the rule of law applies online as it does offline.

The writer is international policy director at the Cyber Policy Center at Stanford