Radio frequency identification (RFID) technology is considerably expanding throughout the world. It is used in sectors as diverse as transportation, distribution or health. This new technology provides extremely interesting economic prospects, notably for cost reduction, products traceability, or productivity gains. However, the European Commission has expressed concerns over the threat RFID poses to personal data protection.
RFID consists in the transmission of radio waves to or from a tag, in order to communicate the identity of the tag or the information it contains from a distance, in such a manner that the interaction may occur without the knowledge of the individuals concerned. Therefore, RFID can potentially process personal data concerning identified or identifiable individuals, without their knowledge or consent. Concerned with the privacy issues, the EC has laid down a framework for the development of RFID, so that the potential socio-economic benefits of this technology are not made at the expense of public interest and citizens’ privacy.
The commission’s recommendation of May 12, 2009 [SEC(2009)585] is consistent with Directive 95/46/EC on the processing of personal data, and Directive 2002/58/EC on privacy and electronic communications. Its content adds up to the existing framework governing personal data processing, which applies to RFID. However, contrary to the aforementioned directives, the recommendation merely provides guidelines, and its provisions are not obligatory.
Its aim is to provide Member States with a framework to ensure that the development of RFID is lawful, ethical, socially and politically acceptable, respectful of the right to privacy, and consistent with data protection principles.
Recommendations
Risk Assessment
The EC calls for the development of national frameworks for the assessment of the impact of RFID on privacy and data protection. According to the EC, Member States should notably ensure that operators (i.e., persons who determine the purposes and means of operating an RFID application):
- Conduct an assessment of the implications of the RFID application implementation for the protection of personal data and privacy, including whether the application could be used to monitor an individual.
- Take appropriate technical and organizational steps to ensure the protection of personal data and privacy.
- Designate a person or group responsible for reviewing the impact assessments and the appropriateness of the steps taken to ensure the protection of personal data and privacy.
Member States are asked to support the commission in identifying the RFID applications that might raise information security threats with implications for the general public, and develop or apply a scheme, such as certification or operator self-assessment, in order to demonstrate the appropriateness of the protection and security measures taken, in relation to the assessed risks.
Public Information
According to the recommendation, operators should develop and publish a concise, accurate and easily understood information policy for their RFID applications that would include the operator’s identity, the application’s purpose, the nature of the data processed, potential privacy risks, and a summary of the privacy and data protection impact assessment.
In addition to this general information, operators should indicate the presence of RFID readers to individuals through the use of a European logo. The use of a logo is also recommended to inform individuals of the presence of tags on products sold to consumers. In this case, the EC favors an ”opt-in” approach, meaning tags should be removed or deactivated when the sale of the product occurs, unless the consumer expressly agrees for the tag to remain active.
However, this ”opt-in” system would only be necessary where the impact assessment concludes that tags remaining operational represent a likely threat to privacy or the protection of personal data. Furthermore, the recommendation provides that the public should be informed of the potential benefits and risks of RFID technology. For the commission, raising awareness among the public is key to a satisfying development of RFID.
Conclusion
The commission recommendation appreciates both the benefits and risks associated with RFID. However, the framework it lays down in order to organize a lawful and satisfactory development of this technology is not binding for the Member States. Therefore there is no guarantee that national laws will develop the safeguards for which the commission calls.