18013-5 is transactional and implied consent - it is insufficient and that's why this WG exists
This provides no assurance to the individual that the entities/actors operating or providing the systems, and the operating organizations, should or can be trusted to provide privacy-protective/respecting services.
The individual should be able to reasonably assume (especially if the organization is certified as conforming to the specifications) that the organizations are 'doing what they should be doing'.
Specify a set of principles for mobile credentials and associated data
Define expectations on the organizations and suppliers regarding their mobile credential-related products, mobile credential-related services and use of those products and services
Need to be cautious to avoid trying to cover all of data protection and information management
Organizations are expected to operate their own privacy program - this WG will give them material to address mobile credentials - this WG will not define their privacy program generally
Should document the foundation principles up front and put them in the Implementer's guidance so that readers of any of the documents start from the same understanding
QQ: Is credentials/presentation aggregation in scope?