EU supports RFID with proper protection of consumers' privacy
This article is also available in:
Deutsch: EU unterstützt RFID mit ausreichendem Schutz für die Privatsphäre d...
The European Commission issued on 12 May 2009 a recommendation on the use of RFID (radio-frequency identification) after a fifteen-month period of consultations with supplying and using industries, standardisation bodies, consumers' organisations, civil society groups and trade unions.
Having in view the high continuous development of the smart chips industry, the Commission drafted the recommendation to help in ensuring the protection of the citizens' fundamental rights to privacy and data protection as stipulated in the Charter of Fundamental Rights of the European Union proclaimed on 14 December 2007.
The non biding recommendation will ask retailers using RFID tags to store and track products to deactivate them at the point of sale thus avoiding potential privacy and security problems. The wish of the privacy protection groups for opt-in principle is included in the recommendation thus giving customers the possibility to agree to keep their tags active if they wish to. This could be useful to identify a product found to be dangerous and to retrieve it. Tags are to be deactivated should customers fail to opt-in.
The Commission recommends organisations using RFID systems to assess the possible impact on privacy and data protection before using them, to act in order to minimise "any risk of infringing people's rights", to inform people who may be affected that the systems are in use by means of an established logo that can be defined by standardisation organisations and to inform the operators of the RFID systems on their purpose.
According to the recommendation, the national authorities should do their best to increase the awareness of the public and small businesses on the matter and to encourage research and development for more secure and privacy friendly RFID systems.
Retailers are expected to use an established logo indicating the use of a RFID tag on a product, to deactivate and remove such a tag in case of risks to customers' privacy or personal data security and even offer to do so even if there is no such risk.
EDRi's President and member of the EC RFID expert group, Andreas Krisch, qualified the Recommandation as "a first important step towards the right direction", but "for the time being it is important that the privacy impact assessments are carried out properly to determine the risks for individuals personal data. In the retail sector RFIDs should be deactivated at check-out since this is the point where they leave the control of the retail company and they constitute a risk to individuals privacy when being kept active."
He also insisted on the necesary next steps: "The success of this process will depend on the ability of all stakeholders to continue the dialog that was started with the RFID Expert Group. Member states now have an important role to play in implementing the recommendation. They should actively initiate a dialogue between DPAs, companies and civil society."
The recommendation was also welcomed by BEUC, the European consumers' organisation which considers it "an important first step towards finally addressing some of the core consumer concerns linked to RFID".
The opinion of the retailers is however divided. While the European Retail Round Table representing big chains believes the recommendation achieves the necessary balance between the benefits brought by RFID and the provision of the highest standards of privacy and data protection, "allowing the technology to develop while ensuring that those who use the technology will use it responsibly and sensibly", EuroCommerce believes the Commission did not take into consideration " practical consequences. On the contrary, by adding constraints on operators, it will reduce the attractiveness of the new technology for them. This will inevitably be reflected in the costs. If RFID is to develop its full potential, and to contribute to European competitiveness, it must be made easy, cheap and attractive, both to develop and to use."
In two years, Member States are to inform the Commission on the measures they intend to take in order to meet the objectives of the Recommendation and within two-three years, the Commission will report on the Recommendation's implementation including an impact analyisis on citizens as well as companies and public authorities using smart chips.
EU pushes for smart tag revolution (12.05.2009)
Small chips with big potential: New EU recommendations make sure 21st
century bar codes respect privacy (12.05.2009)
Recommendation of the Commission of the European Communities on the
implementation of privacy and data protection principles in applications
supported by radio-frequency identification (12.05.2009)