Following the RFID recommendation issued by the European Commission on 12.05.2009, an informal working group on the implementation on the recommendation was set up, especially focusing on the task of creating a RFID Privacy Impact Assessment Framework. Members of the group were mainly industry representatives, some representatives of European standardisation organisations and a very limited number of civil society representatives - EDRi amongst them. While the status of the group was strictly informal, its meetings were facilitated and organised by the European Commission.
As suggested in the RFID recommendation the drafting of the Privacy Impact Assessment (PIA) Framework was carried out by the industry. Other stakeholders had the opportunity to comment on the respective current draft version after three of the five meetings that took place in the course of one year.
Following the RFID recommendation, the final industry proposal was submitted for endorsement to the Article 29 Working Party on 31.03.2010. Almost one month later, on 26.04.2010 - one day before it was published on the website of the European Commission - the members of the informal working group also received a copy of this final proposal from industry representatives.
Compared to the last known draft version the final proposal incorporates a number of significant changes. EDRi therefore still needs to analyse the final proposal in detail in order to gain a complete picture and to develop a final opinion on the framework.
What can be said so far is that EDRi's recommendation to base the PIA Framework on a structured analytical approach as commonly used in IT risk assessment (e.g. as provided by the German IT-Grundschutz Catalogues or the EuroPriSe Criteria Catalogue) was not considered to be a suitable approach for this Framework.
While the text of the framework states that "a PIA is a practical privacy and data protection risk tool" (page 3) helping the RFID Application Operator "to manage risks to its organisation and to users" (page 4), it apparently fails to identify a single specific risk and suitable counter-measures but rather concentrates on a general description of a potential PIA process and the potential structure of PIA reports.
Analysis will show whether the framework provides sufficient guidance for "RFID Operators, regardless of their size and sector" (page 3) to properly analyse the privacy and data protection risks associated with the use of RFID technology and to address these risks effectively.
According to the process defined in the Commission's RFID recommendation, it is now on the Article 29 Working Party to respond to the Industry proposal, either by endorsement or otherwise. EDRi will continue to work on privacy and data protection in the area of RFID and the Internet of Things and to contribute at European and national levels to the creation of a privacy-friendly information infrastructure.
The Industry Proposal Privacy and Data Protection Impact Assessment Framework for RFID is publicly available on the website of the European Commission.
European Commission: Commission Recommendation on the implementation of privacy and data protection principles in Applications supported by radio-frequency identification (12.05.2009)
http://ec.europa.eu/information_society/policy/rfid/documents/recommen...
Industry Proposal: Privacy and Data Protection Impact Assessment Framework for RFID Applications (31.03.2010)
http://ec.europa.eu/information_society/policy/rfid/documents/d31031in...
Bundesamt für Sicherheit in der Informationstechnik: IT-Grundschutz Catalogues
https://www.bsi.bund.de/cln_156/EN/Topics/ITGrundschutz/ITGrundschutzC...
European Privacy Seal: EuroPriSe Criteria
https://www.european-privacy-seal.eu/criteria/EuroPriSe%20Criteria%20C...
(contribution by Andreas Krisch - EDRi)