The “Way Forward” White Paper notes that “without decisive action the EU risks becoming irrelevant in ICT standard setting which will take place almost entirely outside Europe and without regard to European needs,” and “it is indeed imperative to modernise the EU ICT standardisation policy and to fully exploit the potential of standard setting.” This comment argues that the EU should adopt the “ex ante due process criteria” and the “ex post viability criteria” listed in § 2.1 of the White Paper as EU ICT standardisation policy. Recognition of ICT standards developed by fora and consortia with reference to these criteria is a necessary but not sufficient condition to achieving modernisation of EU ICT standardisation policy, however. In order to marshal the expertise necessary to determine whether individual standards meet the criteria, a new EU authority may be required. Such an EU authority could use the criteria to accredit fora and consortia; review applications to recognize ICT standards produced by fora and consortia and make recommendations to the Commission; maintain a database of accredited fora and consortia, and recognized fora and consortia standards; and support networks of local, regional and global private stakeholders, national regulatory bodies, EU institutions and multilateral organizations to provide input into and disseminate the results of agency deliberations. Standards issues related to e-signatures are used as an example to show why such an approach is needed and how it might work.
1. Introduction: Scope of Problem
The “Modernising ICT Standardisation in the EU—The Way Forward” White Paper notes that many important challenges are now facing EU regulators and legislators as a result of the globalization of information and communication technology (ICT) product markets. The White Paper further notes that “without decisive action the EU risks becoming irrelevant in ICT standard setting which will take place almost entirely outside Europe and without regard to European needs,” and “it is indeed imperative to modernise the EU ICT standardisation policy and to fully exploit the potential of standard setting.” This comment focuses on these descriptions of the challenges facing EU institutions and on suggestions 2.1(a) and 2.5(h) and (i).
Outside ICT arenas, the EU has developed sophisticated institutional frameworks for coordinating regulation with standardisation, including New Approach directives as well as general product, food and medicinal product safety legislation (Hodges 2005). The White Paper highlights the lack of a comparable framework for ICT products and services, and proposes the creation of a new system for recognizing standards developed by global fora and consortia that support the goals of EU law and policy. This new system would permit recognition of global ICT standards only if the processes by which standards are developed meet certain minimum standards recognized by the World Trade Organization (WTO) Technical Barriers to Trade (TBT) Committee on Principles for the Development of International Standards (WTO 2002) regarding transparency and openness. In this comment, these principles will be referred to as “ex ante due process criteria.” In addition, the new system would require proof that the standards would be maintained in a responsible manner after recognition, which will be referred to as “ex post viability criteria.”
The White Paper was produced by DG Enterprise & Industry, but the issues it raises are relevant to the work of many different EU institutions, including DG Information Society in the areas of RFID and data protection issues, and interoperable authentication systems for e-Government; DG Health & Consumers in areas of interest to “digital consumers;” the European Network and Information Security Agency (ENISA) in the area of information security risk management; and IDABC (Interoperable Delivery of European eGovernment Services to Public Administrations, Businesses and Citizens) in the area of interoperability. The effectiveness of EU regulations in these and other areas could be greatly enhanced by permitting collaboration between EU regulators and fora and consortia (“global ICT standard developing organizations (SDOs)”) as well as with European Standards Organizations (ESOs—CEN, CENELEC & ETSI). This is because voluntary standardisation efforts cannot succeed without the support of industry, but with regard to standards that might be used to support European information society regulations, in recent years, industry has provided more support for the work of global ICT SDOs than for the work of ESOs in the area of ICT standards.
2. Suggestions in White Paper
This comment addresses three suggestions in the White Paper:
* Suggestion 2.1(a): The Commission suggests that “ex ante due process criteria” and the “ex post viability criteria” be integrated into future ICT standardisation policy.
* Suggestions 2.5(h) and (i): The Commission suggests that, subject to the criteria referenced in Suggestion 2.1(a), the scope of standards that can be referenced in EU legislation and policies be expanded to include standards developed by global ICT SDOs; and that better cooperation among global ICT SDOs and ESOs be promoted in a way that could lead to standards relevant to EU ICT legislation and policy being issued by ESOs.
3. Winn Comments
These comments argue that the White Paper outlines a necessary but not sufficient strategy to address serious challenges to democratic national institutions created by globalization of markets and the growth of informal governance institutions with roots in global arenas. The criteria proposed in the White Paper for evaluation of standards developed by global ICT SDOs are an important first step in the direction of maintaining the relevance of European regulatory functions, but cannot be implemented effectively without taking the additional step of establishing a new European administrative agency to review global ICT standards in light of the requirements of EU legislation and policy. These comments make use of “new governance” principles to suggest what features such a new agency might have.
A. Challenges of Globalisation and Informal Governance
Growth of informal ICT standards developers is a symptom of a larger problem: globalization is fueling the growth of private governance institutions, while traditional state and multilateral institutions designed to safeguard the public interest cannot adapt as quickly (Henson and Humphrey 2009). As the White Paper correctly notes, failure to expand the range of standards that can be recognized in connection with EU law and policy will undermine the effectiveness of both economic and social regulation in the EU. The OECD has defined economic regulations as those that intervene directly in market decisions such as pricing, competition, market entry, or exit; they support goals such as increasing economic efficiency by reducing barriers to competition and innovation, often through deregulation, and by improving regulatory frameworks for market functioning and prudential oversight. In the information society context, economic regulations might address interoperability, information security, and digital convergence infrastructure issues. The OECD has defined social regulations as those that protect public interests such as health, safety, the environment, and social welfare; with social regulation, social considerations may take priority over economic efficiency. In the information society context, social regulations might address data protection, consumer protection and digital inclusion issues.
Global ICT SDOs are examples of self-regulatory institutions (Winn 2006a). Self-regulatory institutions arise in response to market failures which private contract or property law alone cannot resolve, and when private institutions offer a more effective solution to the problem of market failure than public institutions (Ogus 1995). Among the benefits of self-regulatory institutions are greater expertise and technical knowledge of market conditions, greater ability to innovate, lower monitoring and enforcement costs, greater flexibility in administration and regulatory costs borne primarily by interested parties rather than taxpayers. Among the shortcomings of self-regulatory institutions are less transparency and accountability than public agencies, greater potential for self-dealing or rent-seeking behavior, and a tendency toward weaker enforcement than a comparable public agency could achieve (Id.).
Many global ICT SDOs have their roots in the US national economy (Winn 2009a). While legislation such as the 1984 National Cooperative Research Act and the 1993 National Cooperative Research and Production Act “enabled” the formation of fora and consortia by removing obstacles in US law, the real “driver” behind their growth has been producer demand for the rapid development of ICT standards tailored to market conditions. Growth of US-oriented global ICT fora and consortia coincided with a “deregulatory turn” in US politics. The possibility that organizers of global ICT SDOs may reap an economic windfall in less regulated markets in the US and in global arenas has fueled the proliferation of ICT SDOs to the point they may now be fragmenting rather than integrating global ICT markets (Cargill 2005). If the US, and by extension global markets, suffer from a surfeit of private standard-setting initiatives, the EU suffers from a deficit.
Global ICT standards tend to be based on the US deregulatory approach to social and economic policy, rather than the EU approach which often places a greater emphasis on precaution and inclusion (Winn & Jondet 2008, Winn & Jondet 2009). Areas in which the EU is currently developing social regulations to address information economy issues include DG Information Society’s work in the areas of RFID and data protection issues, and interoperable authentication systems for e-Government; DG Health & Consumers’s work in areas of interest to “digital consumers;” ENISA’s work in the area of information security risk management; and IDABC’s work in the area of interoperability.
Competition between EU and US players to decide whose standards will determine the architecture of global markets is part of a larger problem of regulatory competition between formal multilateral institutions and informal self-regulatory institutions (Henson and Humphrey 2009; Winn 2009a). Citizens in many countries around the world have an interest in achieving a fair balance between public and private standardisation activities, and effective coordination of standardisation with legislation. For example, many US citizens might benefit if the EU succeeded in exporting its data protection norms through the global information architecture, given the failure of Congress to enact effective information privacy laws. This would merely reverse the outcome of regulatory competition in recent years which too often has resulted in the global propagation of privacy invasive technologies originally developed for US markets. In order for formal public governance institutions such as national governments, regional institutions and multilateral institutions to ensure the legitimacy of globalisation, they will have to develop new mechanisms to preserve the effectiveness of democratically enacted social regulations such as data protection laws in the face of privacy invasive innovations in global markets. The White Paper outlines how such a mechanism might work in the ICT standards arena.
B. Strengths and Weaknesses of Due Process Development Criteria as a Strategy
While the “ex ante due process criteria” and the “ex post viability criteria” proposed in the White Paper would represent a positive new direction for EU ICT standardisation policy, they nevertheless represent an incomplete solution to the problem of eroding national and regional sovereignty in the face of growing global self-regulatory institutions. This is because they embody a procedural notion of legitimacy when a more nuanced notion of legitimacy may be required. The idea that the regulatory force of standards can be made legitimate by requiring standard developing organizations to mimic the behavior of democratic legislatures is simple and appealing, but often mistaken (Hodges 2005). This is because the content of standards may be too complex and technical for anyone without expert knowledge of the relevant technology to assess, making direct participation by end users of products based on the standards unhelpful. The public interest in fairly balancing competing private interests may sometimes be better served by improving ex post processes for reviewing the resulting standards than by mandating broad stakeholder participation in the actual drafting process (Dixon 1978).
Different standard developing processes may be distinguished on the basis of how participants communicate with their leaders: some standard setting processes encourage the use of “exit” as a strategy for signaling dissatisfaction with an organization, while others encourage the use of “voice” (Hirschman 1970). Exit is associated with the discipline of markets, because organizations that are in decline lose participants or customers. Leaders in such a system receive a clear signal regarding the level of dissatisfaction with the products or services they offer, but may receive little specific information about what is causing the exodus. Voice is the strategy of communicating complaints or proposals for change by means of political processes, and is a more likely strategy to be adopted if participants or customers feel loyalty to an organization that is currently failing to meet the needs of constituents, and are willing to work to reform the organization. Leaders of systems that rely on participants to bring problems to their attention benefit from more detailed information about how the organization is failing to meet their needs, but to the extent that the loyalty of participants prevents them from exiting the system, they may fail to respond adequately to the feedback that they receive. Insistence on a strict form of ex ante due process criteria for the recognition of global ICT standards may in effect codify a “voice” standard for legitimacy and hinder the development of alternative “exit” standards.
If EU regulators can clearly communicate the essential requirements of EU legislation and policy to global ICT SDOs, then some global ICT SDOs might choose to exit global markets fragmented by standards wars among competing global ICT SDOs and seek shelter under EU regulation. A similar process is already taking place in competition law, where the complaints of US high technology companies have been disregarded by US antitrust authorities, but acted upon by EU competition law authorities. By giving global ICT SDOs positive incentives to internalize EU regulatory norms and an institutional framework within which to recognize such actions, EU regulators can enjoy the benefits of innovation in global markets largely paid for by industries based outside the EU. Countries with national health administrations that place caps on the prices paid for prescription medicines developed by US pharmaceutical companies enjoy a similar benefit when those pharmaceutical companies are forced to recoup a disproportionate share of their development costs through higher prices in the US domestic market.
C. Possible Sources of Regulatory Models
EU law recognizes standards as an integral part of a regulatory framework in several different areas that might provide legislative models for a new EU ICT standards agency. For example, New Approach directives harmonise only essential requirements of product regulations, delegate to one of the ESOs the development of voluntary standards which are recognized by publication in the Official Journal (OJ), and provide that member states shall presume that goods comply with the essential requirements of legislation if they have been certified compliant with the relevant standards. While the “associative regulation” structure of the New Approach may once have been controversial (McGee & Weatherill 1990, Egan 2001), it is now generally considered as having made major positive contributions to the growth of the internal market. Manufacturers of medical products must normally submit their products for pre-market approval by the European Medicines Agency (EMEA), which in some cases may be covered by New Approach Directives and harmonised standards. Products subject to the General Product Safety Directive may also be covered by New Approach Directives and harmonised standards. The European Food Safety Authority (EFSA) has incorporated reference to voluntary standards such as Hazard Analysis and Critical Control Points (HACCP) into its regulatory framework.
While EU legislation provides several examples of co-regulatory authority shared by regulators and SDOs, the US Food and Drug Administration Modernization Act of 1997 (FDAMA) might provide an even more suitable model for co-regulation based on selective recognition of global ICT standards. The FDAMA establishes a procedure by which standards task groups in the US FDA Center for Devices and Radiological Health evaluate new and existing standards to determine their relevance to the FDA’s premarket review process (Marlowe & Phillips 1998, Pilot and Waldmann 1998, US FDA 2007). After the FDA makes the decision to recognize standards, it publishes that information in the US Federal Register, and also makes available information about recognized consensus standards in a database accessible through its website. The FDA will consider recognizing standards that are developed by organizations that follow transparent development processes. Manufacturers of medical devices may then submit proof of compliance with “recognized consensus standards” to meet some of the requirements of the FDA pre-market review process.
D. Elements of Integrated Strategy
Before ending the current monopoly enjoyed by ESOs over standards that can be referenced in EU law and policy, a new European agency along the lines of ENISA, EFSA or EMEA would be needed. Applying principles articulated in the analysis of “new governance” (Parker and Braithwaite 2003, Salamon 2005, Ramsay 2006), the organization of such an agency might include:
1. Essential requirements of economic and social regulations articulated in technology-neutral, principles-based regulation;
2. Establishment of an EU-level independent agency to manage the process of accrediting global ICT SDOs based on the ex ante due process criteria, and reviewing individual standards submitted for review on the basis of ex post viability criteria as well as other factors defined by specific regulations or policies;
3. Establishment of a process for global ICT SDOs to be accredited before the submission of specific standards for review;
4. Establishment of a process for reviewing global ICT standards in relation to specific legislation or policies;
5. Establishment of a process for Commission approval of any recommendations made by the agency;
6. Establishment of systems to coordinate co-regulatory processes with member state and EU regulatory institutions, stakeholder organizations, public multilateral organizations, and informal global market governance institutions; and
7. Establishment of a system to monitor the impact of accreditation and standard approval decisions after they have been granted.
Such a framework would provide a transparent, accountable framework within which standards developed by global ICT SDOs such as the Internet Engineering Task Force (IETF), the World Wide Web Consortium (W3C), or the Organization for the Advancement of Structured Information Standards (OASIS) could be referenced in EU law and policy.
E. Examples: E-Signatures
In the 1990s, the question of whether to adopt special legislation to promote the use of “digital signatures” or electronic signatures executed within a “public key infrastructure” (PKI) was widely debated in both the US and EU. In the US, the issue was largely resolved at the federal level in 1997 when the Clinton/Gore Framework for Global Electronic Commerce policy framework was issued without reference to digital signatures. The 1999 Uniform Electronic Transaction Act (a model law for states) and the 2000 Electronic Signatures in Global and National Commerce Act formalized this policy decision by omitting any reference to electronic signatures requiring a PKI framework. Although some states such as Utah did enact digital signature laws, the technology never gained any significant adoption in US markets (Winn 2001). Utah repealed its digital signature law in 2006 because it was never used. By contrast, the EU enacted the E-Signature Directive in 1999 to promote the use of “advanced electronic signatures” based on PKI. The European Electronic Signature Standardisation Initiative was also launched the same year to coordinate the development of reference standards for implementation of the E-Signature Directive.
Article 3(5) of the E-Signature Directive provides that the Commission may publish in the OJ reference numbers of generally recognized standards for e-signature products meeting the requirements contained in Annex II, point (f), and Annex III of the Directive. The following CEN Workshop Agreements were referenced in the OJ in connection with those requirements:
* Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures
* Cryptographic Module for CSP Signing Operations with Backup – Protection Profile
Subsequent investigations by the Commission have revealed what legislators in Utah discovered: no one in the private sector in Europe wants to use e-signatures within a PKI framework (EU Commission 2006; Winn 2006b).
Outside of the EU, global ICT SDOs including the IETF, W3C, OASIS, the Liberty Alliance, and the Web Services Interoperability Organization have continued to analyze end user requirements for authentication and to develop new technical standards and business process standards to promote adoption of strong authentication technologies other than e-signatures used within a PKI. The result has been the emergence of “identity management” as a new framework for the development and use of authentication technologies. The White Paper proposes a mechanism that would permit EU regulators to recognize new identity management standards developed by global ICT SDOs as meeting some of the requirements of the E-Signature Directive where appropriate.
4. Conclusion
Competition between traditional ESOs and less formal global ICT SDOs is only one example of a larger challenge to national and regional regulators arising from globalization and the growth of self-regulatory institutions. The White Paper suggests a strategy for incorporating the work of “good” global ICT SDOs (Cargill 2001) into EU legislation with “ex ante due process criteria” and the “ex post viability criteria.” The White Paper shows how the EU can use a strategy of selective incorporation to create strong positive incentives for global ICT SDOs to internalize EU legislative norms before development is complete. To execute the strategies outlined in the White Paper, a new EU regulatory agency may be required to ensure that references to global ICT standards in EU law and policy are made in a principled, consistent manner.
References
Cargill, Carl (2001). Testimony before the US House of Representatives Sub-Committee On Technology, Environment, and Standards on the Role of Consortia Standards in Federal Government.
Cargill, Carl (2005). ‘Eating Our Seed Corn: A Standards Parable For Our Time.’
Dixon, Robert (1978). Standards Development in the Private Sector: Thoughts on Interest Representation and Procedural Fairness. Boston: National Fire Protection Association.
Egan, Michelle (2001). Constructing a European Market: Standards, Regulation and Governance. New York: Oxford University Press.
EU Commission (2006). Report on the operation of Directive 1999/93/EC on a Community framework for electronic signatures. Brussels 15.3.2006 COM(2006) 120 Final.
Henson, Spencer and John Humphrey (2009). The Impact of Private Food Safety Standards on the Food Chain and on Public Standard-Setting Processes, ALINORM 09/32/9D-Part II. Rome: Joint FAO/WHO Food Standards Programme.
Hirschman, Albert O. (1970). Exit, Voice and Loyalty. Cambridge: Harvard University Press.
Hodges, Christopher (2005). European Regulation of Consumer Product Safety. Oxford: Oxford University Press.
Marlowe, Donald E. and Philip J. Phillips (1998). “FDA Recognition of Consensus Standards in the Premarket Notification Program,” 32:3 Biomedical Instrumentation & Technology Journal 301-304.
McGee, Andrew and Stephen Weatherill (1990). ‘The Evolution of the Single Market—Harmonization or Liberalisation,’ 53 Modern Law Review 578-596.
Ogus, Anthony (1995). “Rethinking Self-Regulation,” 15:1 Oxford Journal of Legal Studies 97-108.
Organization for Economic Co-operation and Development (1997). The OECD report on regulatory reform.
Parker, Christine and John Braithwaite (2003). “Regulation”, Peter Cane and Mark Tushnet, eds. Oxford Handbook of Legal Studies. New York: Oxford University Press.
Pilot, Larry R. and Daniel R. Waldmann (1998). “Food and Drug Administration Modernization Act of 1997: Medical Device Provisions,” 53 Food and Drug Law Journal 267-295.
Ramsay, Iain (2006). “Consumer Law, Regulatory Capitalism and the ‘New Learning’ in Regulation.” 28 Sydney L. Review 9-25.
Salamon, Lester (2005). “The New Governance and the Tools of Public Action: An Introduction,” Lester Salamon, ed., Tools of Government: A Guide to the New Governance. New York: Oxford University Press.
U.S. Food and Drug Administration (2007). Guidance for Industry and FDA Staff: Frequently Asked Questions on Recognition of Consensus Standards, September 17, 2007.
Winn, Jane K. (2009). Globalization and Standards: The Logic of Two-Level Games http://ssrn.com/abstract=1415424.
Winn, Jane K. (2008). Technical Standards as Data Protection Regulation http://ssrn.com/abstract=1118542.
Winn, Jane K. (2006a). Standard Developing Organizations as a Form of Self-Regulation http://ssrn.com/abstract=924008.
Winn, Jane K. (2006b). “US and EU Regulatory Competition and Authentication Standards in Electronic Commerce,” 5:1 Journal of IT Standards and Standardization Research 84-102.
Winn, Jane K. (2001). The Emperor’s New Clothes: The Shocking Truth About Digital Signatures and Internet Commerce, 37 Idaho Law Review 353.
Winn, Jane K. and Benjamin Wright (2001, supp. 2009). Law of Electronic Commerce. New York: Aspen.
Winn, Jane K. and Nicolas Jondet (2009). “A ‘New Deal’ for End Users? Lessons from a French Innovation in the Regulation of Interoperability,” forthcoming William & Mary Law Review http://ssrn.com/abstract=1419750.
Winn, Jane K. and Nicolas Jondet (2008). Better Regulation for Consumers: Integrating ICT Standards and Consumer Protection http://ssrn.com/abstract=1303061.
World Trade Organization (2002). Decision of the Technical Barriers to Trade Committee on Principles for the Development of International Standards, Guides and Recommendations with relation to Articles 2, 5 and Annex 3 of the Agreement (Decisions and Recommendations Adopted by the Committee Since 1 January 1995, G/TBT/1/Rev.8, 23 May 2002, Section IX).
Short Biography
Jane K. Winn is Charles I. Stone Professor and a Director of the Law, Technology & Arts Group at University of Washington School of Law, Seattle, Washington USA. She received a B.Sc. (Econ) Hons. from Queen Mary College, University of London and a J.D. from Harvard Law School. She has been a senior lecturer at Melbourne Law School since 2001, and was a Fulbright Scholar in China in 2008. She represents the Liberty Alliance on the EU ICT Standards Board and was an advisor to the American Law Institute Principles of Software Contracts project. She is co-author of the leading US legal treatise on the law of electronic commerce and a student textbook on the same subject, as well as author of many articles and book chapters on international and comparative technology law issues. Her current research interests include electronic technology law developments in the United States, the European Union, and China.
