European Data Protection Supervisor's opinion on RFID

By EDRi · January 16, 2008

(This article is also available in German)

Amid growing debate in the European Union over RFID policy, Peter Hustinx,
the European Data Protection Supervisor (EDPS), published on 20 December
2007 his opinion on the growing use of RFID chips in consumer products and
other new applications affecting individuals.

The EDPS published this opinion in response to the European Commission’s
communication on Radio Frequency Identification (RFID) in Europe, released
in March 2007, while also taking into consideration other actions, such as
the creation by the EC of the RFID expert group, of which EDRi is a member.

Peter Hustinx explained the role of RFID and its relation to
privacy issues: “RFID systems could play a key role in the development of
the European Information Society but the wide acceptance of RFID
technologies should be facilitated by the benefits of consistent data
protection safeguards. Self-regulation alone may not be enough to meet the
challenge. Legal instruments may therefore be required to guarantee that the
technical solutions to minimise the risks for data protection and privacy
are in place.”

The EDPS confirms that the wide use of RFID technology is fundamentally
new and may have a fundamental impact on our society and on the protection
of fundamental rights in our society, such as privacy and data protection.
He underlined the five basic privacy and security issues that can be
distinguished in this respect: the identification of the data subject, the
identification of the data controller, the decreased meaning of the
traditional distinction between the personal and the public sphere, the
consequences of the size and physical properties of RFID tags, and the
lack of transparency of the processing.

The Opinion makes several direct recommendations to the Commission,
including providing clear guidance on how to apply the current legal
framework to the RFID environment and identifying the “Best
Available Techniques” which will play a decisive role in the early adoption
of the privacy-by-design principle.

The EDPS also addressed the question of specific legislation for the main
issues of RFID usage in relevant sectors and considered that such legislation
would be needed if the proper implementation of the existing legal framework
failed. Such legislation “must be considered as a ‘lex specialis’ vis-a-vis
the general data protection framework. This legislative measure should also
address the privacy and data protection concerns that arise in certain RFID
applications, such as item level tagging before the point of sale, which may
not necessarily involve the processing of personal data.”

In any event, the EDPS emphasised the need to lay down “the opt-in principle at
the point of sale as a precise and undeniable legal obligation, also for
RFID applications that fall outside of the scope of the Data protection
Directive and to ensure the mandatory deployment of RFID applications with
the appropriate technical features or ‘privacy by design’.”

EDPS opinion on the communication from the Commission on Radio Frequency
Identification in Europe: steps towards a policy framework
(20.12.2007)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2007/07-12-20_RFID_EN.pdf

EDPS Opinion on RFID: major opportunities for Information Society but
privacy issues need to be addressed with more ambition (20.12.2007)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/PressNews/Press/2007/EDPS-2007-13-EN_RFID.pdf

EDRi-gram: RFID Expert Group – Kick Off (6.06.2007)
http://www.edri.org/edrigram/number5.11/rfid-workgroup

EDRi-gram: RFID and Informed Consent – Using and removing of RFID
functionality (5.12.2007)
http://www.edri.org/edrigram/number5.23/rfid-informed-consent