Privacy engineering can offer tremendous value to consumers. This is the premise of a new privacy engineering initiative launched by the National Institute of Standards and Technology (NIST) earlier this year. After two workshops, a webcast and substantial outreach to industry, NIST is still seeking feedback to help them provide technical guidance to information system users, owners, developers and designers.
On October 10, SIIA joined with a dozen industry groups in submitting comments to NIST to help scope their initiative. In the letter, the groups note that many of our member companies utilize privacy engineering solutions as part of their “privacy-by-design” practices and internal information management. And we concur that refining and improving privacy engineering processes requires a collaborative effort involving information technology, compliance, legal, product development, marketing, customer service and other functional areas.
However, as SIIA has often pointed out, expectations surrounding the collection and processing of personal information are not purely personal. They reflect evolving social norms – which often vary significantly across jurisdictions around the world. As technologies evolve to become instrumental in all facets of our lives, our experience and expectations of privacy also evolve. As for the legal framework, there are numerous ongoing discussions within myriad self-regulatory and governmental policy-making bodies, and a diversity of existing laws not just in the U.S., but around the world.
In short, the policy framework for privacy is still in flux. As a result, an exercise to develop guidance in the form of technical standards could prove counterproductive, getting ahead of diverse international user expectations and policies. The establishment of a technical framework or standard can only follow when we have achieved a consensus on policy objectives. In the absence of clear, predefined policies, the result could have a chilling effect on innovation, thrusting engineers into the complicated process of critical decision-making on the various gray areas of privacy expectations and legal requirements. For instance, is it really a matter for technical standards to be set by engineers whether a particular form of consumer consent should be opt-in or opt-out?
To that end, SIIA supports a more tailored effort, where NIST focus its efforts on cataloging, in a policy-neutral manner, how privacy engineers accomplish various privacy-by-design or information management processes. This represents a pivot from what policy goals should be to how privacy engineering might achieve privacy goals that are defined elsewhere.
We value NIST’s technical expertise and interest in contributing to the shared goal of promoting privacy by design, and by developing a catalog to this end, NIST can make a significant contribution to the field by undertaking such an initiative.