EP, EDPS and EDRi on RFID and the Internet of Things

By EDRi · March 24, 2010

This article is also available in:
Deutsch: [EP, EDPS und EDRi über RFID und das Internet der Dinge | http://www.unwatched.org/node/1792]

The European Parliament’s Committee on Industry, Research and Energy (ITRE)
discussed at its meeting on 17 March 2010 the draft report by rapporteur
Maria Badia i Cutchet on the Internet of Things (IoT). The report welcomes
the Communication from the Commission “Internet of Things -An action plan
for Europe” and endorses the Commission’s focus on safety, protection of
personal data and privacy and governance of the Internet of Things.

The draft report calls for further, more detailed assessments by the
Commission especially concerning – among others – privacy, data protection
and the right to the “silence of the chips”. It takes the view that the
actual functioning of the Internet of Things will be intrinsically linked to
the trust consumers have in the system and that specific European regulation
should be established if needed. Furthermore we welcome the Commissions’
intention to present in 2010 a Communication on privacy and trust
in the information society. We acknowledge the importance of this
communication and of the proposed measures for strengthening the rules
related to privacy and the protection of personal data.

Following the presentation of the draft report, EDRi was invited to present
to the ITRE Committee its views on data protection and privacy with regard
to the Internet of Things. EDRi’s presentation highlighted some of the main
difficulties of IoT applications, like the question of how to obtain
informed consent of data subjects when IoT systems are meant to operate
widely unnoticed “in the background”, how to identify the data controller
and data processor of IoT services in order to exercise data subjects rights
and how to determine and report data flows in IoT systems, when these flows
highly depend on external factors like e.g. the movements of a car in the
context of Intelligent Transport Systems.

As main requirements for a successful, data protection friendly
implementation of IoT systems, EDRi’s presentation emphasized that
individuals (as data subjects) need to be in control of these systems and
need to have a free choice of participation without discrimination (right to
the silence of the chips), that interactions with IoT systems need to be on
an anonymised basis whenever possible and that strict data minimisation and
strict purpose limitation are important cornerstones for IoT systems. In
short: Privacy, Data Protection and Security by Design were identified as a
fundamental requirement.

Furthermore EDRi called for an improved enforcement of data protection
legislation by strengthening the financial and personal resources of Data
Protection Authorities and by improving data protection education. A better
harmonisation of global data protection legislation was identified as one of
the main areas, where the European Parliament could have an important role
(see also the Civil Society Madrid Declaration: Global Privacy Standards for
a Global World).

Not in the context of the ITRE hearing but related to the topic, the
European Data Protection Supervisor published on 18 March his opinion on
“Promoting Trust in the Information Society by Fostering Data Protection and
Privacy”. Among other things the EDPS stressed the importance of Privacy by
Design as the guiding principle in Europe’s Digital Agenda and highlights in
the chapter on Radio Frequency Identification (RFID) – which is considered
to be an enabling technology of the Internet of Things – that in the context
of this technology, the existing data protection rules need to be
complemented with additional rules imposing specific safeguards,
particularly making it mandatory to embed technical solutions (Privacy by
Design) in RFID technology.

The EDPS expressed his concern that RFID operators in the retail sector may
overlook the possibility for RFID tags to be monitored by unwanted third
parties and thinks it is conceivable that self-regulation will not deliver
the expected results. He therefore calls upon the Commission to be ready to
propose legislative instruments regulating the main issues of RFID usage in
case the effective implementation of the existing legal framework fails. The
EDPS warns that the Commission’s assessment should not be unduly postponed
since this would put individuals at risk and would also be counterproductive
for the industry as the legal uncertainties are too high and entrenched
problems are likely to be more difficult and expensive to correct.

EDRi expressly welcomes the opinion of the European Data Protection
Supervisor and also understands it to be a valuable input to the informal
working group on the development of a RFID Privacy Impact Assessment
framework in which EDRi participates.

EP ITRE Draft report on the Internet of Things, Rapporteur: Maria Badia i
Cutchet (24.02.2010)

Communication from the Commission to the European Parliament,
the Council, the European Economic and Social Committee and the Committee of
the Regions of 18 June 2009 on the ‘Internet of Things – An action plan for
Europe’ (COM(2009)0278)

EDRi presentation at the EP ITRE hearing – Internet of Things: Privacy and
Data Protection (17.03.2010)

Civil Society Madrid Declaration: Global Privacy Standards for a Global

Madrid Declaration

Opinion of the European Data Protection Supervisor on Promoting Trust in the
Information Society by Fostering Data Protection and Privacy (19.03.2010)

(Contribution by Andreas Krisch – EDRi)