Industry proposed RFID Privacy Impact Assessment Framework

By EDRi · May 19, 2010


Following the RFID recommendation issued by the European Commission on
12.05.2009, an informal working group on the implementation of the
recommendation was set up, focusing especially on the task of creating an
RFID Privacy Impact Assessment Framework. Members of the group were mainly
industry representatives, some representatives of European standardisation
organisations and a very limited number of civil society representatives –
EDRi amongst them. While the status of the group was strictly informal, its
meetings were facilitated and organised by the European Commission.

As suggested in the RFID recommendation, the drafting of the Privacy Impact
Assessment (PIA) Framework was carried out by the industry. Other
stakeholders had the opportunity to comment on the current draft version
after three of the five meetings that took place in the course of one year.

Following the RFID recommendation, the final industry proposal was submitted
for endorsement to the Article 29 Working Party on 31.03.2010. Almost one
month later, on 26.04.2010 – one day before it was published on the website
of the European Commission – the members of the informal working group also
received a copy of this final proposal from industry representatives.

Compared to the last known draft version the final proposal incorporates a
number of significant changes. EDRi therefore still needs to analyse the
final proposal in detail in order to gain a complete picture and to develop
a final opinion on the framework.

What can be said so far is that EDRi’s recommendation to base the PIA
Framework on a structured analytical approach as commonly used in IT risk
assessment (e.g. as provided by the German IT-Grundschutz Catalogues or the
EuroPriSe Criteria Catalogue) was not considered to be a suitable approach
for this Framework.

While the text of the framework states that “a PIA is a practical privacy
and data protection risk tool” (page 3) helping the RFID Application
Operator “to manage risks to its organisation and to users” (page 4), it
apparently fails to identify a single specific risk and suitable
counter-measures but rather concentrates on a general description of a
potential PIA process and the potential structure of PIA reports.

Analysis will show whether the framework provides sufficient guidance for
“RFID Operators, regardless of their size and sector” (page 3) to properly
analyse the privacy and data protection risks associated with the use of
RFID technology and to address these risks effectively.

According to the process defined in the Commission’s RFID recommendation, it
is now up to the Article 29 Working Party to respond to the industry
proposal, either by endorsement or otherwise. EDRi will continue to work on
privacy and data protection in the area of RFID and the Internet of Things
and to contribute at European and national levels to the creation of a
privacy-friendly information infrastructure.

The Industry Proposal Privacy and Data Protection Impact Assessment
Framework for RFID is publicly available on the website of the European

European Commission: Commission Recommendation on the implementation of
privacy and data protection principles in Applications supported by
radio-frequency identification (12.05.2009)

Industry Proposal Privacy and Data Protection Impact Assessment Framework
for RFID Applications (31.03.2010)

Bundesamt für Sicherheit in der Informationstechnik: IT-Grundschutz

European Privacy Seal: EuroPriSe Criteria

(contribution by Andreas Krisch – EDRi)