RFID Privacy Impact Assessment Framework formally adopted

By EDRi · April 6, 2011

The Privacy Impact Assessment Framework for RFID applications (RFID PIA) was
officially signed by European Commission Vice President Neelie Kroes,
representatives of the RFID industry, the chairman of the Article 29 Working
Party, Jacob Kohnstamm, and the Executive Director of the European Network
and Information Security Agency (ENISA), Udo Helmbrecht. The ceremony took
place today, 6 April 2011, in the European Commission’s Berlaymont building
in Brussels.

In its 2009 recommendation on the implementation of privacy and data
protection principles in RFID applications, the European Commission
suggested that the RFID industry should develop a framework for RFID privacy
and data protection impact assessments. In the months following this
recommendation a first draft PIA framework was developed by an informal
working group of industry representatives to which EDRi and other
stakeholders were also invited to contribute their views.

This first draft RFID PIA framework was submitted for endorsement to the
Article 29 Working Party, which did not endorse the framework but, on
13 July 2010, published a request for improvements in its working paper
no. 175. Further improvements were suggested by ENISA in July 2010.

In January 2011 a revised PIA Framework was submitted to the Article 29
Working Party, which formally endorsed it by publishing the framework as
an annex to its working paper no. 180 on 11.02.2011.

In EDRi’s opinion the RFID PIA Framework, which was formally signed today,
properly follows a risk assessment methodology that addresses the data
protection targets defined in the European data protection legal framework,
and it therefore provides a sound basis for a meaningful assessment of data
protection risks for RFID applications.

The RFID PIA Framework is an important milestone on the way to the
implementation of privacy friendly RFID applications. Now it is important
that industry quickly but thoroughly implements the PIA in practice.

Today’s formal signing ceremony took place against the backdrop of the
German Big Brother Awards, which were presented in Bielefeld only a few days
earlier. One of the unpopular awards was given to the European fashion label
Peuterey for violating the data protection rights of its customers by
secretly tagging its fashion products with RFID chips.

The next twelve months will show how the new RFID PIA Framework is
received by industry, as the European Commission is expected to present its
report on the implementation of the RFID recommendation, its effectiveness
and its impact on operators and consumers in May 2012.

EDRi sincerely hopes that today’s important milestone will be followed by a
number of serious implementation efforts and that last week’s German Big
Brother Award was the last one in Europe that will be awarded to an RFID
operator.

Commission Recommendation on the implementation of privacy and
data protection principles in applications supported by radio-frequency
identification (12.05.2009)
http://ec.europa.eu/information_society/policy/rfid/documents/recommendationonrfid2009.pdf

EDRi-gram 7.10: EU supports RFID with proper protection of consumers’
privacy (20.05.2009)
http://www.edri.org/edri-gram/number7.10/rfid-european-commission-recommandation

Article 29 Working Party: Opinion 5/2010 on the Industry Proposal for a
Privacy and Data Protection Impact Assessment Framework for RFID
Applications
http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp175_en.pdf

ENISA Opinion on the Industry Proposal for a Privacy and Data Protection
Impact Assessment Framework for RFID Applications (31.03.2010)
http://www.enisa.europa.eu/media/news-items/enisa-opinion-on-pia

EDRi-gram 8.15: ENDitorial: Industry RFID PIA: not endorsed in its current
form (28.07.2010)
http://www.edri.org/edrigram/number8.15/article-29-no-to-rfid-pia

Article 29 Working Party: Opinion 9/2011 on the revised Industry Proposal
for a Privacy and Data Protection Impact Assessment Framework for RFID
Applications
http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp180_en.pdf

Annex: Privacy and Data Protection Impact Assessment Framework for RFID
Applications
http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp180_annex_en.pdf

EDRi-gram: German Big Brother Awards 2011 (6.04.2011)
http://www.edri.org/edrigram/number9.7/bba-germany-2011

(contribution by Andreas Krisch – EDRi)