Article 29 consultations on RFID and DRM

By EDRi · February 9, 2005

The EU Data Protection Working Party is calling for public comments on two working documents on emerging technologies. One document explores the privacy implications of RFID chips, the other document covers digital management of rights systems (DRM).

The RFID document outlines the potential use of RFID technology in various sectors and the need to comply with the basic principles set out in the EU data protection directives whenever personal data are collected using RFID technology. The paper also provides guidance to manufacturers of the technology (RFID tags, readers and applications) as well as RFID standardisation bodies. They have a responsibility to design privacy compliant technology in order to enable deployers of the technology to carry out their obligations under the data protection directives.

The document points out that the privacy implications of RFID chips are not limited to cases where unique serial numbers are linked to an identity. The Working Party concludes that unwanted individual tracking, without a link to the identity of the data subject, also falls within the scope of the data protection Directive. This means that data protection rules will apply to a very broad spectrum of RFID applications.

“[..] Even if the individual is not immediately and directly identified at the item information level, he can be identified at an associative level because of the possibility of identifying him without difficulty via the large mass of information surrounding him or stored about him. Furthermore, the data collected from him can influence the way in which that person is treated or evaluated. This RFID use also carries serious data protection implications.”

The DRM document covers the deployment of on-line services using DRM systems and the processing of personal data to conduct investigations of users suspected of copyright infringement.

The Working Party is concerned about the fact that the legitimate use of technologies to protect works could be detrimental to the protection of personal data of individuals. As for the application of data protection principles to the digital management of rights, it notices an increasing gap between the protection of individuals in the off-line and on-line world, especially considering the generalised tracing and profiling of individuals.

“The Working Party seriously questions the use of identifiers for the purpose of tracing ‘a priori’ every user, in order to go back to a specific individual in case of a suspected copyright abuse. The tagging of a document should not be linked to an individual except if this link is necessary for the performance of the service or if the individual has been informed and has consented to it.”

The working paper also mentions the link between data retention and copyright enforcement. “ISPs can neither be obliged, except in specific cases where there is an injunction of enforcement authorities, to provide for a general ‘a priori’ storage of all traffic data related to copyright.”

As far as the investigation powers are concerned, the Working Party urges that investigations performed by private actors such as copyright holders must be performed in a clear legal framework, especially as to the information that can legally be collected.

Interested parties are invited to submit their comments to both documents before 31 March 2005.

Working document on data protection issues related to RFID technology (19.01.2005)

Working document on data protection issues related to intellectual property rights (18.01.2005)

Data Protection Working Party online consultations