EC Draft Recommendation on RFID Privacy and Security published

By EDRi · February 27, 2008

(This article is also available in German)

The European Commission has published the Draft Recommendation on RFID Privacy
and Security on the Your Voice in Europe platform for public consultation.

After a public consultation on RFID privacy issues in 2006, several conferences
and workshops, and various discussions on the topic within the RFID Expert
Group, this publication finally sets out the measures that the Commission
recommends to the member states and stakeholders in order to achieve a high
level of privacy and data protection in the context of RFID applications.

EDRi welcomes this Draft Recommendation, which contains various important
measures, such as the recommendation that RFID reading areas as well as
RFID-tagged objects should be marked with a clear sign indicating the presence
of RFID tags or readers. The recommendations to conduct a Privacy Impact
Assessment before the deployment of RFID applications and to provide
information on the policy governing the use of the particular application
are also important measures to inform individuals of the presence and the
purpose of a given RFID application.

Regarding RFID use in the retail environment, the Commission addresses two
scenarios:

a. When an RFID application processes personal data, or when it is likely that
personal data will be created, the retailer should deactivate the tag unless
the consumer requests otherwise.

b. When the application does not process personal data and it is unlikely
that personal data will be generated through the application, the retailer
must only provide facilities to deactivate or remove the tag.

As already expressed in our contributions to the RFID Expert Group, EDRi
strongly asks for an opt-in regime unless there are sufficient mechanisms in
place to grant the individual full control over the RFID tags in his or her
possession and the data stored on them.

The problems with the two retail scenarios distinguished by the Commission
are, on the one hand, that the privacy risks stem not only from the RFID
application in question but also from the unique identifier stored on the tag,
and from the fact that this identifier can be utilised by any RFID
application looking for a unique identifier for a person. This problem will
not necessarily show up in the privacy risk assessment conducted for the
RFID application in question.

On the other hand, experience shows that industry representatives and
application operators often have problems identifying privacy and data
protection threats. In particular, the concept of personal data is often not
properly understood. It is therefore not unlikely that application operators
will fail to recognise privacy and data protection problems and leave
consumers with the burden of asking for deactivation or removal of the tags.

EDRi will therefore continue to argue for the implementation of binding
policy requiring the deactivation or removal of RFID tags unless sufficient
technical measures are in place to give individuals full control over the
RFID tags in their possession.

The discussion on RFID, privacy and security will certainly continue, not
only in the RFID Expert Group but also amongst the public and the
stakeholders. Not only discussion but also improvements are called for, as
the Commission clearly states that it will evaluate the implementation of
the Recommendation in three years' time, in particular with a focus on
systems “providing automatic deactivation at the point of sale on all items
except where consumers specifically opted in to the RFID application.”

For now, it is important that the general public provides the Commission
with its opinions on the Draft Recommendation. Both approval and
criticism are equally welcome.

Draft Recommendation on the implementation of privacy, data protection and
information security principles in applications supported by Radio Frequency
Identification (RFID): your opinion matters!
http://ec.europa.eu/yourvoice/ipm/forms/dispatch?form=RFIDRec

RFID and Informed Consent – Using and removing of RFID functionality
(5.12.2007)
http://www.edri.org/edrigram/number5.23/rfid-informed-consent

European Data Protection Supervisor’s opinion on RFID (16.01.2008)
http://www.edri.org/edrigram/number6.1/edps-opinion-rfid

Article 29 Working Party: Opinion no. 4/2007 on the concept of personal data
(20.06.2007)
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2007/wp136_en.pdf

(contribution from Andreas Krisch – EDRI-member VIBE! – Austria)