Jane Winn, Technical Standards as Information Privacy Regulation
Comment by: Ed Felten
Published version available here: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1118542
Workshop draft abstract:
Most information privacy laws are based on 20th century administrative law models, taking human conduct as the subject of regulation rather than the information architecture. Such regulations are clearly inadequate to control how computer systems process information, and that inadequacy will become more acute as pervasive computing grows. Technical standards may serve as a form of administrative law capable of directly targeting the information architecture as the subject of regulation. A technical standard is defined by ISO as a “document, established by consensus and approved by a recognized body, that provides for common and repeated use, rules, guidelines or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context.” The authority of technical standards as regulation has been both obscured and legitimated by the role of science and technocratic professionalism in standard-setting processes. More explicit systems for coordinating the work of conventional legal institutions and technical standard-setting processes are needed to increase the effectiveness of information privacy laws. As part of a more general movement away from state regulation and toward enforced self-regulation by the private sector, such explicit systems have already been developed in areas such as product and food safety, and are emerging in information technology arenas. The Payment Card Industry Data Security Standard is part of a private self-regulatory system based on both legal rules and technical standards. Standardization of privacy impact assessments represents progress toward incorporation of technical standards into the framework of information privacy laws.