Answer to RFID consultation Italian privacy authority

By EDRi · January 12, 2005

The Italian data protection authority (Garante della Privacy) has opened a consultation on privacy issues related to RFID tags, loyalty cards, digital TV (pay per view etc.) and video-telephoning. The Italian Winston Smith project (defending e-privacy since 1999) has responded with a specific legal proposal to control the use of RFID tags. These mini-chips are becoming smaller and cheaper every day, and can be read out at a distance. The main privacy concern about the tags is that individual consumption patterns can be tracked and traced by any outsider with a reader, especially when the individual purchaser is identified via a loyalty card.

The Winston Smith Project wants legal rules that oblige manufacturers to make RFID tags easily identifiable and removable. Secondly, the presence, type and position of RFID tags must be clearly advertised on the packaging of an article and/or on the article itself. Thirdly, they demand permanent deactivation of RFID tags when the product is bought or when usage of the RFID tag has ended. Finally, they claim all data collected by RFID readers should be treated as personal data, to which all regular privacy principles apply. Collection, storage and further processing may only happen within the boundaries of a strict and publicly known goal.

The Winston Smith Project states: “Data mining techniques in sales and RFID databases can transform us into ‘RFID Christmas trees’, making us identifiable and traceable for successive readings, and permanently tying us to our buying activities. The fact that currently most RFID tags can only be read by very nearby terminals (tens of centimetres) is not very reassuring; already specialised terminals have been developed that can read RFID data in the range of tens of metres.”

The Italian group sees a possible solution in a maximum retention period for these data. Where data are processed further or retained for a longer time, companies should notify the Data Protection Authority. Furthermore, these rules should apply not only to RFID-related data, but to all kinds of new electronic databases, such as GSM location data, web log files and data generated by wireless networks.

Consultation Italian DPA (closes 15.01.2005)
http://www.garanteprivacy.it/garante/doc.jsp?ID=1078227

Legal proposal from the Winston Smith Project (03.01.2005)
http://www.winstonsmith.info/proposta_di_legge_rdp_v5.rtf

International RFID Position Statement, endorsed by EDRI (20.11.2003)
http://www.privacyrights.org/ar/RFIDposition.htm

(Thanks to Andrea Glorioso, Italian consultant on digital policies)