ENDitorial: RFID PIA: Check against delivery

By EDRi · May 18, 2011

This article is also available in:
Deutsch: [ENDitorial: RFID PIA – Auf die Umsetzung kommt es an | http://www.unwatched.org/EDRigram_9.10_ENDitorial_RFID_PIA_Auf_die_Umsetzung_kommt_es_an]

In the context of the Hungarian Presidency of the European Council, the
European Commission and the Hungarian Innovation Office jointly organised
the IoT 2011 conference on the Internet of Things earlier this week.

One of the main sessions was devoted to privacy and data protection in the
IoT age. The main points of the presentations in this session included the
high importance of technology design for any form of Internet regulation
(with reference to Lessig’s “Code is law”), the need for a reduction of
bureaucracy in data protection and the importance of accurate information on
the consequences of IoT applications for individuals’ privacy. The experts
stressed that it was important to maintain the existing data protection
principles also in an IoT age and that commercial competition must not take
place at the cost of reduced data protection standards.

Risk assessments like the RFID Privacy Impact Assessment (PIA) were
mentioned as an important tool that also enables end users (the data
subjects) to take informed decisions regarding the processing of their
personal data.

RFID and PIAs also became a topic during the question-and-answer part of the
following session, where Christian Plenge, Head of Architecture, Frameworks
& Innovation at METRO Systems GmbH (a company of one of the world's largest
retailers, Metro Group), informed the audience that Metro had decided to
leave RFID tags on their products active after the point of sale and to
offer their customers the possibility to deactivate the tags on request.
According to Mr. Plenge, this option had been chosen only once so far, when a
data protection group was given a tour of an RFID-equipped store.

This statement is of particular interest, as the European Commission’s
recommendation on RFID data protection suggests, at points 11 and 12, that
retailers deactivate or remove RFID tags at the point of sale unless
consumers give their informed consent or a PIA concludes that the tags do
not represent a likely threat to privacy or the protection of personal data.

When asked by EDRi whether his statements could be understood to mean that
Metro Group had decided not to follow the European Commission's
recommendation, Mr. Plenge said that the PIA they had conducted had
concluded that there was no likely threat to privacy or the protection of
personal data and that their activities were therefore in line with the EC
recommendation.

This view is also promoted on the website of Metro’s Future Store
Initiative, which claims that Metro's RFID use is “in full compliance with
existing provisions” and that their “transponders, …, do not store any
personal consumer information”. The Electronic Product Code (EPC, which is a
worldwide unique identifier) would only refer to product and process
information, and “(p)ersonal data is neither disseminated nor stored”.

For an audience not familiar with the data protection problems of RFID
applications and the discussions in the European Commission’s RFID Expert
Group and elsewhere, this statement might be convincing at first sight.

The fact is, however, that the question of whether unique identifiers stored
on RFID tags constitute personal data has been discussed at length on
various occasions, and that Metro was closely involved in these debates. As a
result of these debates – and of the process leading to the RFID PIA
framework – the answer to this question was formally given in not one but
two working papers of the Article 29 Working Party (WP175 and WP180): “… when
a unique identifier is associated to a person, it falls in the definition of
personal data set forth in Directive 95/46/EC, regardless of the fact that
the ‘social identity’ (name, address, etc.) of the person remains unknown
(i.e. he is ‘identifiable’ but not necessarily ‘identified’).” (WP175, p. 8)

In the case of Metro’s RFID use, this means that Metro – contrary to their
public statements – is in fact processing personal data of their customers
(the EPCs), and that Metro puts the personal data of their customers at risk
(they could, for example, be tracked by third parties without their
knowledge) by not deactivating the RFID tags at the point of sale and not
taking any other measures to mitigate the risks (at least as far as we know
from Mr. Plenge and the above-mentioned corporate website).

Mr. Plenge’s statement at the European Commission’s IoT 2011 conference is
of particular importance, as it was made several weeks after European
Commission Vice President Neelie Kroes, representatives of the European RFID
industry, the chairman of the Article 29 Data Protection Working Party and
the executive director of ENISA formally signed the RFID Privacy Impact
Assessment Framework as a tool of industry self-regulation for
data-protection-compliant RFID applications. Before the signing ceremony took
place, this framework was formally endorsed by the Art. 29 Working Party
with working paper 180, in which the Working Party reconfirmed its
above-mentioned statement on unique identifiers being personal data.

Mr. Plenge’s statement that, apart from the visit of a data protection group,
none of their customers ever requested that RFID tags on products be
deactivated highlights the drawback of opt-out regimes. Most customers of
retail stores are not data protection or RFID experts but ordinary citizens.
They need to trust retailers to give them accurate information and cannot
base their shopping habits on general suspicion. Consumers are therefore not
aware of any threats to their privacy and expect their personal data to be
protected by default. It is thus not a lack of interest but a lack of
knowledge that leads to this total of zero deactivated RFID tags.

That it is not possible to sufficiently inform consumers about the data
protection risks of RFID applications at the point of sale was – by the
way – often claimed by industry representatives during the past couple of
years of RFID data protection discussions. This is one of the reasons why
EDRi has always advocated an opt-in regime instead of an opt-out one.

This current example of Metro Group’s strategy is important not only because
this company is one of the world's largest retailers, whose actions affect
the data protection rights of a large number of individuals, but also
because it illustrates the practical value of self-regulation tools like the
RFID PIA framework.

In our EDRi-gram article on the signing ceremony we wrote, among other things:
“The RFID PIA Framework is an important milestone on the way to the
implementation of privacy friendly RFID applications. Now it is important
that industry quickly but thoroughly implements the PIA in practice.” As the
Metro example suggests, it is the word “thoroughly” that needs to be
emphasised in this statement.

At Point 20 of the RFID recommendation, the European Commission announced
that it would “provide a report on the implementation of this
Recommendation, its effectiveness and its impact on operators and
consumers,” in particular as regards the measures recommended for RFID
applications used in the retail trade, before the end of May 2012. In our
view, it is important to make sure that global players like Metro Group are
as well covered by this report as small and medium-sized RFID operators, as
their level of adoption not only affects a large number of individuals but
also predetermines the level of compliance of the whole industry.

Point 5 of the RFID recommendation suggests that RFID operators make the
results of their privacy impact assessments available to the competent
authorities (the national data protection authorities, DPAs) at least six
weeks before the deployment of the application. EDRi calls on the national
DPAs, the European Data Protection Supervisor and the Article 29 Working
Party to make meaningful use of this opportunity, at least by checking
whether the PIA was conducted on the basis of a correct definition of
personal data and by providing statistics on how many PIA reports were made
available to them, in which member states, and by which industries.

EDRi is well aware that this request comes at a time when most DPAs suffer
from a lack of funding, staff and time. But we think that it is very
important – also for the future use of such tools in other areas – to ensure
that privacy risk assessments are carried out properly.

The RFID PIA Framework is an important milestone but we need to check
against delivery.

IoT 2011
http://www.iot-budapest.eu/

EDRi-gram 9.7: RFID Privacy Impact Assessment Framework formally adopted
(6.04.2011)
http://www.edri.org/edrigram/number9.7/rfid-pia-adopted-eu

EC recommendation (12.05.2009)
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:122:0047:0051:EN:PDF

Metro Group Future Store Initiative: Privacy at METRO GROUP (last accessed
on 18.05.2011)
http://www.future-store.org/fsi-internet/html/en/1674/index.html

Opinion 5/2010 on the Industry Proposal for a Privacy and Data Protection
Impact Assessment Framework for RFID Applications (13.07.2010)
http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp175_en.pdf

Opinion 9/2011 on the revised Industry Proposal for a Privacy and Data
Protection Impact Assessment Framework for RFID Applications (11.02.2011)
http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp180_en.pdf
http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp180_annex_en.pdf

(Contribution by Andreas Krisch – EDRi)