EU supports RFID with proper protection of consumers' privacy

By EDRi · May 20, 2009

This article is also available in:
Deutsch: [EU unterstützt RFID mit ausreichendem Schutz für die Privatsphäre der Konsumenten | http://www.unwatched.org/node/1400]

The European Commission issued on 12 May 2009 a recommendation on the use of
RFID (radio-frequency identification) after a fifteen-month period of
consultations with supplying and using industries, standardisation bodies,
consumers’ organisations, civil society groups and trade unions.

Having in view the high continuous development of the smart chips industry,
the Commission drafted the recommendation to help in ensuring the protection
of the citizens’ fundamental rights to privacy and data protection as
stipulated in the Charter of Fundamental Rights of the European Union
proclaimed on 14 December 2007.

The non biding recommendation will ask retailers using RFID tags to store
and track products to deactivate them at the point of sale thus avoiding
potential privacy and security problems. The wish of the privacy protection
groups for opt-in principle is included in the recommendation thus giving
customers the possibility to agree to keep their tags active if they wish
to. This could be useful to identify a product found to be dangerous and to
retrieve it. Tags are to be deactivated should customers fail to opt-in.

The Commission recommends organisations using RFID systems to assess the
possible impact on privacy and data protection before using them, to act in
order to minimise “any risk of infringing people’s rights”, to inform
people who may be affected that the systems are in use by means of an
established logo that can be defined by standardisation organisations and to
inform the operators of the RFID systems on their purpose.

According to the recommendation, the national authorities should do their
best to increase the awareness of the public and small businesses on the
matter and to encourage research and development for more secure and privacy
friendly RFID systems.

Retailers are expected to use an established logo indicating the use of a
RFID tag on a product, to deactivate and remove such a tag in case of risks
to customers’ privacy or personal data security and even offer to do so even
if there is no such risk.

EDRi’s President and member of the EC RFID expert group, Andreas Krisch,
qualified the Recommandation as “a first important step towards the right
direction”, but “for the time being it is important that the privacy impact
assessments are carried out properly to determine the risks for individuals
personal data. In the retail sector RFIDs should be deactivated at check-out
since this is the point where they leave the control of the retail company
and they constitute a risk to individuals privacy when being kept active.”

He also insisted on the necesary next steps: “The success of this process
will depend on the ability of all stakeholders to continue the dialog that
was started with the RFID Expert Group. Member states now have an important
role to play in implementing the recommendation. They should actively
initiate a dialogue between DPAs, companies and civil society.”

The recommendation was also welcomed by BEUC, the European consumers’
organisation which considers it “an important first step towards finally
addressing some of the core consumer concerns linked to RFID”.

The opinion of the retailers is however divided. While the European Retail
Round Table representing big chains believes the recommendation
achieves the necessary balance between the benefits brought by RFID and the
provision of the highest standards of privacy and data protection, “allowing
the technology to develop while ensuring that those who use the technology
will use it responsibly and sensibly”, EuroCommerce believes the Commission
did not take into consideration ” practical consequences. On the contrary,
by adding constraints on operators, it will reduce the attractiveness of the
new technology for them. This will inevitably be reflected in the costs. If
RFID is to develop its full potential, and to contribute to European
competitiveness, it must be made easy, cheap and attractive, both to develop
and to use.”

In two years, Member States are to inform the Commission on the measures
they intend to take in order to meet the objectives of the Recommendation
and within two-three years, the Commission will report on the
Recommendation’s implementation including an impact analyisis on citizens as
well as companies and public authorities using smart chips.

EU pushes for smart tag revolution (12.05.2009)
http://www.euractiv.com/en/infosociety/eu-pushes-smart-tag-revolution/article-182203

Small chips with big potential: New EU recommendations make sure 21st
century bar codes respect privacy (12.05.2009)
http://europa.eu/rapid/pressReleasesAction.do?reference=IP/09/740

Recommendation of the Commission of the European Communities on the
implementation of privacy and data protection principles in applications
supported by radio-frequency identification (12.05.2009)
http://ec.europa.eu/information_society/policy/rfid/documents/recommendationonrfid2009.pdf