Is standardization the new frontier for civil society?

A topic that has been comic up a lot in conversation is a trend towards pushing regulation work to standards bodies. More concretely, for regulation in the context of tech policy to outline goals, but to leave the work of concrete definitions out of the legal text and instead negotiate these questions in standards groups and bodies.

Without suggesting any malicious intent, moving important parts of setting the rules out of a process with built-in oversight and into another process potentially leads to a few big problems:

  • Implementation and enforcement: When legal documents don’t specify definitions, any mechanism of implementation and enforcement has blind spots right out of the gate. This is an issue in tech policy, where we’ve been seeing vague implementation guidelines and weak enforcement as some of the main problems that emerged (e.g. cookie banners, GDPR).
  • Lack of political oversight: The work of standards bodies operates, almost by definition, not under the same level of political transparency and scrutiny as more explicitly political processes. This undermines the political process, and trust in it.
  • Lack of participation: Often, standards bodies are very much dominated by big industry, because they are the only players who can afford to send delegates on an ongoing basis. What makes things worse is that not rarely, standards bodies meet in hard-to-reach locales, which aren’t accessible to civil society. They also are often run by consensus—meaning in practice that if one critical party cannot show up all the time, they could simply be side-stepped by voting in their absence.

In other words, civil society barely stands a chance in standards bodies. (Exceptions apply, obviously.)

We’re still working every day towards building policy and advocacy capacity in digital civil society so they can offer a meaningful voice besides industry and others. And already we see the next bottleneck down the road: Lack of capacity to participate in standard-setting processes.

I’m curious to learn about best practices to level the playing field, about research into this issue, and generally about any pointers to help amerliorate the situation. If you have any pointers, drop me a line?