Chapter 2:  Self-Regulation

2.1 Brief, General Arguments

Self-regulation, which began in the 1990s under the Clinton administration, has been widely accepted as a means of embracing Internet and e-commerce technologies, since it is regarded as a flexible framework that can keep pace with changing technologies and social norms. Self-regulation has been discussed at length over the years, but it is still worth broadly reiterating some of those arguments.

The benefits of self-regulation include allowing businesses to experiment with new rules through non-binding agreements,[50] which in effect can lead to the best possible business practices and technical standards for an industry. This usually involves trade organizations and voluntary programs that demonstrate compliance with certain standards through certification programs or trust seals. Such programs can adapt swiftly to changes in the market and allow industry expertise to draft codes, which can promote the reputation of an industry and decrease government cost.[51] In markets marked by both rapid change and heterogeneous technologies, the probability of information asymmetry (the mismatch of knowledge between regulators and market actors)[52] increases, posing a risk that the additional costs of compliance will exceed any realized benefits.[53] The notion rests upon the idea that if industry is able to set appropriate standards and police itself, businesses can potentially mitigate increased operational compliance expenditures and invest in R&D instead.

More specifically, self-regulatory certification or seal programs can assist in fostering competition, especially where there may be a few ‘rogue’ players.[54] These programs publicly promote organizations that ‘play by the rules’ and theoretically benefit consumers by helping them reach informed purchasing decisions. Ultimately, self-regulation should be seen as a better alternative to purely unregulated markets where players are left to their own devices.

The drawbacks of self-regulation hinge on a multitude of factors. Some critics see self-regulation as undemocratic and illegitimate, since industry decides its own rules for itself without allowing public comment or voice in the process or in the standards that are set,[55] while others have focused on the lack of enforcement, participation, and accountability measures.[56] Furthermore, without proper oversight there is a risk that particularly large single entities can capture self-regulatory organizations (SROs) to gain significant control or influence over voluntary standards. If not strictly prohibited and enforced, this can lead to anti-competitive behaviour in an effort to dominate a particular market. Though capture can still occur under government regulation (regulatory capture), lobbying regulators is indirect and thus generally deters firms from investing in their own interests.[57]

Upon initial evaluation from this brief discussion, self-regulation may appear to be the preferred route for regulating privacy and security in IoT, since at the outset the general benefits appear to outweigh the negatives. This is particularly true since IoT is a market of heterogeneous technologies and platforms. However, reaching such a conclusion would be relatively short-sighted, particularly before any analysis of the efficacy of such programs or initiatives.

2.2 Efficacy of Voluntary Self-Regulation

2.21 Considerations for Evaluating Efficacy

The justification for using self-regulation over hard law by way of government rules is satisfied only if it can yield more efficient compliance and better results as an alternative. Therefore, if voluntary self-regulation is to be considered as a regulatory concept, such programs (whether via trade organizations that set industry standards or certifications that attest to a certain level of standardization) must prove to be more effective in nature.

It should be noted that there are inherent difficulties in evaluating whether SROs (or such programs) are effective at protecting privacy and security. Analysis of privacy compliance on the Internet generally rests on notice and consent, which does not form the entire basis of data protection, and data protection is only a single form of privacy. Further, from the outside, security can only be gauged through the use of security certifications such as SSL or through known data breaches. As most security practices are internal, it is difficult to definitively determine whether companies have correct measures in place, since it is entirely possible to implement appropriate measures yet still suffer a breach.

2.22 The Conundrum of Trust, Financial Self-Interest, Awareness, & Industry Cooperation

Bearing in mind the aforementioned considerations for evaluating privacy and security measures, several studies have attempted to assess whether self-regulation is an effective means of regulation. These have primarily focused on online privacy but can serve as a theoretical benchmark for IoT.

While relatively out of date, analysis conducted in the early 2000s suggests a lack of initiative on the part of companies when given the option to self-regulate, immediately challenging the viability of self-regulation alone as a sufficient regulatory mechanism. This particular investigation analyzed compliance with the FTC’s fair information principles and, rather unsurprisingly, discovered that one-third of sampled websites did not post a privacy policy. Further, of those that did, only 14% were considered comprehensive.[58] While this provides some insight into the behaviour of companies given a choice of private self-regulation, it does not analyze whether a trade body or other industry-based program played any role with the websites that did comply, let alone whether these types of programs help develop a trust relationship with consumers.

A 2015 analysis of websites, however, can help determine whether SRO membership has any particular benefits. As a successor to the above study, this evaluation concluded that membership of an industry SRO has no effect on consumer trust, nor is there any particular benefit for members over non-members.[59] This aligns with other studies of voluntary SROs in other industries, such as the Responsible Care program, where it was discovered not only that there was no evidence that membership influenced the rate of environmental improvement among members, but that members in fact improved more slowly than non-members.[60]

The same 2015 website study also assessed industry certifications to further understand whether certifications could establish a level of trust. The evidence from this analysis found nothing to suggest that websites which paid for certification from TRUSTe (now TrustArc) improved any privacy or security outcomes,[61] calling the viability of such programs into question. Using TrustGauge as a measure of trustworthiness, it conversely uncovered that sites holding the TrustArc certification were generally deemed more trustworthy. What is noteworthy here is that this was not true in all cases; across other sites there was evidence to suggest that the certification actually damaged trust levels. Therefore, voluntary certifications may have some role to play in promoting consumer trust, but it should be mentioned that these same sites were also more likely to suffer a data breach.[62]

Consequently, the trust that consumers place in certifications is only as effective as the consumer’s perception of them. If a wide range of marks or certifications is available, particularly across a wide-ranging sector such as IoT, it may become difficult for both businesses and consumers to discern any credible differences.[63] SROs also often operate behind an opaque set of standards[64] that are not made publicly available and, combined with limited or no publication of how companies are tested against these standards, a false sense of protection on the part of the consumer can ensue. This false sense of security is compounded by the fact that most voluntary certification programs are funded by the companies they certify. It could well be argued that if certifiers receive financial benefit from the companies they certify, there is limited incentive to revoke a certification from a company for non-compliance.

Consumer awareness is also problematic for such initiatives, since voluntary programs tend to suffer from a lack of consumer awareness and understanding. On one hand, the uptake of the EDAA OBA (online behavioural advertising) icon by ad businesses in Europe and its public disclosures can indicate a level of success; on the other, the program lacks user awareness and, at one point, consumer understanding of it was limited to an opt-out for targeted advertising only. With awareness levels measuring 5% across Europe in 2011 and improving by only a single percentage point by 2013,[65] the program was subject to much industry criticism for missing its intended purpose. Though awareness of the icon and its associated text has since increased to 27% according to a report produced in January 2017,[66] in light of consumer awareness programs and an upward trend in the use of OBA, it is still hard to argue that this is a significant number.

For self-regulation to work in practice, industry must also buy into the concept and agree on a code, since a program undertaken by a single entity is otherwise hard on that entity’s bottom-line profits.[67] If businesses cannot see the true benefit-versus-cost trade-off behind a voluntary scheme, one of two outcomes is likely. First, a business, along with others, may adopt a ‘wait and see’ approach; if a number of businesses take this approach, the voluntary program will immediately fail from lack of participation. Second, only a few businesses may join a program in the hope that it will develop into a norm within the industry. While in some sense this gives a competitive advantage, that is only true if consumers are aware of the program’s benefits to them. Ultimately, this too could result in limited participation and, eventually, the failure of the SRO and any resulting industry standards. This is not uncommon: the Online Privacy Alliance failed for this reason and, at one point, the Network Advertising Initiative (NAI) suffered a similar fate in 2002.

Even so, programs that can be deemed rather successful can still suffer from voluntary shortcomings. There is much discussion of whether the Electronic Product Code constitutes self-regulation[68] or self-control,[69] but nonetheless it is a subscriber-based organization of industry members focused on creating global standards alongside non-binding guidelines on consumer choice, education, retention, and security practices. As the guidelines are provisional,[70] the program accommodates the changing nature of technology and remains jurisdictionally neutral. At first glance the program seems credible, but it has been noted that the guidelines mask underlying issues of non-consensus on privacy policy[71] and offer no compelling reason for a company to join. Furthermore, the long-term sustainability of any program may be challenged, as there are no binding mechanisms to keep a business within an SRO, and outside forces can easily compel a business to leave such a program.

Though not discussed in depth here, since ample literature already exists, it is worth mentioning the other serious flaws of self-regulatory programs. SROs have been well documented to suffer from further serious issues of accountability stemming from a lack of independence,[72] an inability to keep abreast of changing technologies,[73] and, last but most notably, an inability to properly enforce sanctions against non-compliant participating companies.[74]

2.3 Evaluation in the Context of IoT

Though pure self-regulatory efforts have inherent shortcomings, the examples mentioned should not be deemed complete failures, since self-regulation will (or at least should) have a role to play in managing privacy and security in IoT. Self-regulatory cultures tolerate both risk and failure well, which has a significant impact on innovation. Since government does not play a prominent role, inquiry and discussion are promoted,[75] which in turn drives change and technological advancement.

Other aspects, particularly the ability of self-regulation to transcend national borders, should not be overlooked. Such a regulatory scheme does not require bilateral agreements between countries with differing political systems and legal traditions. This lends itself well to the IoT, as technology, data flows, and the Internet itself are not bound by jurisdiction. Thus, jurisdictionally neutral sets of rules from self-regulatory bodies allow both the development of technology and multinational businesses to continue operating relatively unhindered. Of course, this is only true so long as the initiatives themselves are not fragmented, as fragmentation would only jeopardize any success.

The soft enforcement mechanisms found in self-regulatory efforts may also aid IoT’s development, since they do not impact business in the same manner as hard law. For instance, if an SRO were to use public naming and shaming as its compliance lever, the resulting bad publicity may have short-term effects on a business but does not generally lead to a loss of money or customers.[76] This is naturally only ‘effective’ if a company has voluntarily joined a program. Moreover, the potential for industry seals and certifications to bring a level of trust to consumers is also not to be ignored, since this can encourage consumer uptake of new technologies and thus spur economic growth (as highlighted in chapter one).

Nevertheless, the fox watching over the henhouse seems an apt description of self-regulation, since it requires businesses to watch over themselves, with the risk of putting commercial gains ahead of the consumer. Thus, only government oversight can provide the legitimacy and accountability needed to help assure proper consumer protection. Government regulation also seems unavoidable wherever fundamental rights are at play, and surveys conducted in 2012-2013 indicate, at least in Europe, that a mix of soft and hard approaches for crucial issues such as privacy, safety, and health may be most appropriate for IoT.[77] Coupled with this discussion, this suggests that a purely soft self-regulatory approach may not be sufficient in such matters and that government intervention via legislation is welcome.

__________________________________________________________________

[50] Virginia Haufer, A Public Role For The Private Sector: Industry Self-Regulation In A Global Economy (Brookings Institution Press 2013) p 4

[51] Douglas Michael, Federal Agency Use Of Audited Self-Regulation As A Regulatory Technique (1995) 47 Administrative Law Review p 181

[52] See n. 44

[53] Otto Keck, 'A Theory Of White Elephants: Asymmetric Information In Government Support For Technology' (1988) 17 Research Policy

[54] See n. 44 p 179

[55] See n.46, p 2

[56] Robert Gellman, Failures of Privacy Self-Regulation in the United States. in Paul Wright and Paul De Hert, Enforcing Privacy: Regulatory, Legal and Technological Approaches (Springer 2016)

[57] See n.45

[58] Mary J. Culnan, 'Protecting Privacy Online: Is Self-Regulation Working?' (2000) 19 Journal of Public Policy & Marketing p 23

[59] Siona Listokin, 'Industry Self Regulation of Consumer Data Privacy and Security' (2015) 32 The John Marshall Journal of Information Technology & Privacy Law p 26

[60] Andrew A. King, Michael J. Lenox, 'Industry Self-Regulation Without Sanctions: The Chemical Industry's Responsible Care Program' (2000) 43 Academy of Management Journal p 709-714

[61] See n. 55, p 25-26

[62] Ibid., p 24

[63] Rowena Rodrigues, David Wright and Kush Wadhwa, 'Developing A Privacy Seal Scheme (That Works)' (2013) 3 International Data Privacy Law

[64] Ibid.

[65] Kate Kaye, 'Study: Consumers Don't Know What Adchoices Privacy Icon Is' (2014) available at <http://adage.com/article/privacy-and-regulation/study-consumers-adchoices-privacy-icon/291374/> accessed 4 July 2017

[66] EDAA, 'European Advertising Consumer Research Report 2015: Consumer Awareness & Impact of European Self-Regulatory Programme for OBA' (2015) available at <http://www.edaa.eu/edaa-news/new-research-shows-growing-awareness-of-the-oba-icon-and-understanding-of-this-eu-industry-initiative-to-give-control-over-targeted-advertising-choices/> accessed 2 July 2017, whereby awareness measured at 21%; EDAA, '2016 European Advertising Consumer Research Index' (2017) available at <http://www.edaa.eu/wp-content/uploads/2017/01/EDAA_Infographic_2016-Final.pdf> accessed 2 July 2017, which states that awareness measured a 6% increase from 2015

[67] See n. 46, p 24

[68] Laura Hildner, 'Defusing The Threat Of RFID: Protecting Consumer Privacy Through Technology-Specific Legislation At The State Level' (2006) 41 Harvard Civil Rights-Civil Liberties Law Review at p 146-149

[69] Christian Floerkemeier, The Internet Of Things (Springer 2008) p 199

[70] GS1 Guidelines on the Use of EPC/RFID For Consumer Products available at <https://www.gs1.org/guidelines-epc> accessed 7 July 2017

[71] See n. 64, p 148

[72] Molly Cohen, Arun Sundararajan, 'Self-Regulation And Innovation In The Peer-To-Peer Sharing Economy' (2015) 82 The University of Chicago Law Review Dialogue p 127-128

[73] World Privacy Forum, 'The Network Advertising Initiative: Failing At Consumer Protection And At Self-Regulation' (World Privacy Forum 2007) p 19

[74] Andrew A. King and Michael J. Lenox, 'Industry Self-Regulation Without Sanctions: The Chemical Industry's Responsible Care Program' (2000) 43 Academy of Management Journal p 709-914

[75] Stephen Ezell, Philipp Marxgut, 'Comparing American And European Innovation Cultures' (2016) p 193

[76] Jacob Kohnstamm, Getting Our Act Together: European Data Protection Authorities Face up to Silicon Valley. in Paul Wright and Paul De Hert, Enforcing Privacy: Regulatory, Legal and Technological Approaches (Springer 2016)

[77] European Commission, 'Report On The Public Consultation on IoT Governance' (2013) p 13;25
