ENDitorial: Industry RFID PIA: not endorsed in its current form

This article is also available in:
Deutsch: [ ENDitorial: Keine Zustimmung zur RFID-Folgenabschätzung der Industrie | http://www.unwatched.org/node/2094]

On 13 July 2010, the Article 29 Working Party adopted an opinion on
the Industry Proposal for a Privacy and Data Protection Impact Assessment
Framework for RFID Applications (Industry RFID PIA framework) in which it
concludes it would not endorse the proposed document in its current
form. Another opinion on this framework published by the European Network
and Information Security Agency (ENISA) earlier this month also identified
some major issues and areas of improvement.

In its analysis, the Article 29 Working Party identified three critical
concerns:

The first is that no section of the Industry RFID PIA framework
explicitly requires the RFID operator to identify or uncover privacy risks
associated with an RFID application and that it therefore is not possible to
evaluate if the measures proposed by the operator are adequate or
proportionate to the risks, since these risks have not been identified in
the first place.

Secondly, based on its opinion on the concept of personal data, the
Article 29 Working Party clarifies with regard to RFID-tags containing a
unique serial number (e.g. the Electronic Product Code, EPC) that
“if the tag is carried by a person (…), and if the tag contains a unique
ID, then by definition the tag contains personal data” and that this is the
case “regardless of the fact that the ‘social identity’ (name, address etc.)
of the person remains unknown”. Therefore, the Working Party explains
that it is not sufficient to consider whether the location of persons will
be monitored through RFID applications but that it is also crucial to
analyse the risk of unauthorized monitoring beyond the perimeter of the
application. The Industry RFID PIA framework fails to explicitly address
this issue.

Thirdly, the Working Party refers to item11 and 12 of the RFID
Recommendation on RFID in the retail sector, and clarifies that these
provisions mean that deactivation at the point of sale is the default
behaviour unless the PIA concludes that tags remaining operational do
not represent a likely threat to privacy or the protection of personal data.

In its opinion, ENISA concentrates on the methodological part of the
framework and states that it “finds in this draft a very good starting point
towards establishing a PIA framework.” However, the major issue identified
by ENISA is that the framework “is not based or does not follow a tested and
comprehensive risk methodological basis, e.g. a risk management and an
impact assessment methodology.” Based on this major shortcoming, a lot of
subsequent issues with the framework were identified by ENISA and
recommendations given on how to address these shortcomings. In accordance
with the concerns raised by the Article 29 Working Party, ENISA also states
that the PIA process does not provide clear guidelines to identify the major
risks and impacts of RFID applications regarding privacy and data
protection.

Together, the opinions of the Article 29 Working Party and the ENISA, are an
important contribution to the ongoing European debate on how to protect
privacy and personal data in the area of RFID. A debate that culminated in
May 2009 is the promising RFID Recommendation of the European
Commission, part of which the Industry RFID PIA framework tries to
implement.

While it is good to see that the European data protection and network
security organisations responsibly and tirelessly provide their expertise to
advance a privacy friendly development, it is rather strange that
Industry – years after the RFID data protection debate started – still seems
to have no full understanding of certain basic data protection principles
(like the concept of personal data) and of what the obligations of RFID
operators are.

This assumed lack of understanding results in a clear delay of the
implementation of the RFID Recommendation, as the final RFID PIA framework
was expected to be ready twelve months after the adoption of the
Recommendation. Today, more than 14 months after the Recommendation was
adopted, only a “starting point” for such a framework is available and a
final result is not foreseable in the near future, if the recommendations
of ENISA and the Article 29 Working Party are taken seriously and the pace
of the past months is maintained.

European Digital Rights and its members will use the coming weeks to assess
this unsatisfying development and decide on how to best contribute to a
timely development towards a proper protection of the fundamental rights to
data protection and privacy in the area of RFID.

Article 29 Working Party: Opinion 5/2010 on the Industry Proposal for a
Privacy and Data Protection Impact Assessment Framework for RFID
Applications (13.07.2010)
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2010/wp175_en.pdf

ENISA: Opinion on the Industry Proposal for a Privacy and Data Protection
Impact Assessment Framework for RFID Applications [of March 31, 2010] (July
2010)
http://www.enisa.europa.eu/media/news-items/enisa-opinion-on-pia

Article 29 Working Party: Opinion 4/2007 on the concept of personal data
(20.06.2007)
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2007/wp136_en.pdf

EDRi-gram: Industry proposed RFID Privacy Impact Assessment Framework
(19.05.2010)
http://www.edri.org/edrigram/number8.10/rfid-privacy-impact-assesment-industry

Commission Recommendation on the implementation of privacy and data
protection principles in applications supported by radio-frequency
identification (12.05.2009)
http://ec.europa.eu/information_society/policy/rfid/documents/recommendationonrfid2009.pdf

EDRi-gram: EP calls for a clear legal framework for the Internet of Things
(30.06.2010)
http://www.edri.org/edrigram/number8.13/european-parliament-on-internet-of-things

(Contribution by Andreas Krisch – EDRi)