New Guidelines to RFID Privacy Impact Assessments

By EDRi · November 30, 2011

This article is also available in:
Deutsch: [Neuer Leitfaden zur RFID-Folgenabschätzung |]

On 25 November 2011 the German Federal Office for Information Security (BSI)
and the Institute for Management Information Systems of the Vienna
University of Economics and Business (WU) held an expert symposium on RFID
Privacy Impact Assessments in Berlin and presented their BSI Privacy Impact
Assessment (PIA) Guidelines.

The PIA guidelines are based on the RFID PIA Framework, a kind of
co-regulation instrument that was signed by Vice President of the European
Commission Neelie Kroes and industry representatives earlier this year. The
goal of the guidelines is to explain the PIA Framework and to provide RFID
application operators with an in-depth understanding of the framework
terminology and proposed procedures. The methodology outlined in the
document is understood to be a concretion of the generic process outlined in
the PIA framework.

The PIA guidelines will help European RFID operators to ensure a high level
of data protection, which can be seen as an important aspect of quality and
a unique selling proposition for European companies, said Professor Sarah
Spiekermann, Head of the Institute for Management Information Systems. The
PIA guidelines are available from the symposium website. PIA case studies
for three different sectors will soon be published by BSI.

In his presentation at the symposium the German Federal Commissioner for
Data Protection and Freedom of Information, Peter Schaar, explained that,
while Data Protection Authorities (DPAs) might not be able to check each and
every PIA report, in future, the results of privacy impact assessments and
the implementation of their results will be important aspects in data
protection inspections. He therefore asked, that PIA reports and the data
protection goals identified in the course of the PIA process should be made
transparent to DPAs and individuals.

Furthermore, Mr. Schaar called for PIA frameworks being defined on the
European level and for the establishment of a European data protection
competence centre, which should work on technical means and measures for
data protection.

The European Data Protection Supervisor, Peter Hustinx, stressed in his
contribution the need to reduce the unhelpful diversity in EU member states’
data protection legislation. While there is no need to reinvent data
protection, it is necessary to make the current principles work better, to
improve the definition of responsibilities and to ensure a better
compliance, he said. With regard to privacy impact assessments, Mr. Hustinx
envisaged that these could be optional in some cases while being compulsory
in others.

A coherent European approach to the implementation of the RFID Privacy
Impact Assessment Framework will be in the centre of a conference organised
by the European Commission on 8 February 2012 in Brussels, where experiences
with the PIA Framework and the future of the European Commission’s RFID
Recommendation will be discussed.

As EDRi already expressed earlier, the success of RFID Privacy Impact
Assessments will, to a large extend, depend on the quality of the
assessment. In particular, it will be crucial to address and eliminate risks
that stem from third parties and are not directly related with the RFID
applications operated by a given company, but facilitate the RFID tags
disseminated by the company.

Expert Symposium on RFID Privacy Impact Assessments, 25.11.2011, Austrian
Embassy Berlin

RFID Privacy Impact Assessment Guidelines

Federal Office for Security in Information technology – RFID PIA (only in

EDRi-gram: EU supports RFID with proper protection of consumers’ privacy

EDRi-gram: RFID Privacy Impact Assessment Framework formally adopted

EDRi-gram: ENDitorial: RFID PIA: Check against delivery

European Commission Conference: 08.02.2012: Implementation of the RFID
Privacy Impact Assessment (PIA) Framework

(Contribution by Andreas Krisch – EDRi)