In a resolution on the Internet of Things, adopted on 15 June 2010, the European Parliament (EP) welcomes the communication of the Commission on the topic and in principle endorses the broad outlines of the action plan to promote the Internet of Things.
The Parliament however takes the view that the development of new applications and the actual functioning and business potential of the Internet of Things will be intrinsically linked to the trust European consumers have in the system, and points out that trust exists when doubts about potential threats to privacy and health are clarified. It stresses that this trust must be based on a clear legal framework, including rules governing the control, collection, processing and use of the data collected and transmitted by the Internet of Things and the types of consent needed from consumers.
The Parliament further notes that the Internet of Things will lead to the collection of truly massive amounts of data and calls on the Commission, in this connection, to submit a proposal for the adaptation of the European Data Protection Directive with a view to addressing the data collected and transmitted by the Internet of Things.
In the view of the Parliament, respect for privacy and the protection of personal data together with openness and interoperability are the only ways the Internet of Things will gain wider social acceptance. The EP firmly believes that all users should have control over their personal data and stresses that a precondition for promoting technology is the introduction of legal provisions to reinforce respect for the fundamental values and for the protection of personal data and privacy.
In the context of privacy by design, the European Parliament also notes the opinion of the European Data Protection Supervisor (EDPS) on this topic, who stressed the importance of Privacy by Design as the guiding principle and highlighted that in the context of RFID, the existing data protection rules need to be complemented with additional rules imposing specific safeguards, particularly making it mandatory to embed technical solutions (Privacy by Design) in RFID technology. He furthermore expressed his concern that RFID operators in the retail sector may overlook the possibility for RFID tags to be monitored by unwanted third parties and thinks it is conceivable that self-regulation will not deliver the expected results. He therefore called upon the Commission to be ready to propose legislative instruments regulating the main issues of RFID usage in case the effective implementation of the existing legal framework fails.
This call for a regulation of the main issues of RFID usage has now obviously gained support from the European Parliament which, in addition, underlines that RFID applications must be operated in accordance with the rules on privacy and data protection enshrined in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.
The resolution of the Parliament not only addresses the European Commission but also calls on manufacturers to secure the right to "chip silence" and calls for RFID application operators to take all reasonable steps to ensure that data does not relate to an identified or identifiable natural person unless such data is processed in compliance with the applicable principles and legal rules on data protection.
It is the belief of the Parliament that a general principle should be adopted whereby Internet of Things technologies should be designed to collect and use only the absolute minimum amount of data needed to perform their function, and should be prevented from collecting any supplementary data. It calls for a significant amount of the data shared by the Internet of Things to be made anonymous before being transmitted, in order to secure privacy.
The European Parliament believes in the importance of ensuring that all fundamental rights - not only privacy - are protected in the process of developing the Internet of Things and calls on the Commission to monitor closely the implementation of the European regulations already adopted in this area and to present, by the end of the year, a timetable for the guidelines it intends to propose at the EU level for improving the safety of the Internet of Things and of RFID applications.
As EDRi-gram reported earlier this year, the resolution was drafted by MEP Maria Badia i Cutchet, rapporteur to the European Parliament's Committee on Industry, Research and Energy (ITRE), including opinions of the Committees on International Trade, Internal Market and Consumer Protection and Legal Affairs.
The EP Resolution has to be seen not only in the context of the European Commission's communication on the Internet of Things and the EDPS opinion on Privacy by Design, but also of the European Commission's RFID recommendation and the Industry proposal for an RFID Privacy Impact Assessment, which unfortunately fails to identify a single specific risk.
In this context, the resolution of the European Parliament can be seen as another strong signal towards the European Commission to act without undue delay to effectively protect the fundamental rights of individuals affected by RFID and other technologies related to the Internet of Things, and towards manufacturers and RFID application operators to take their obligations seriously and effectively secure the privacy and data protection rights of all persons affected by their products and applications.
European Parliament resolution of 15 June 2010 on the Internet of Things
(2009/2224(INI)) (15.06.2010)
http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P7...
Communication to the European Parliament, the Council, the EESC and the
committee of the Regions: Internet of Things - An action plan for Europe
(18.06.2009)
http://ec.europa.eu/information_society/policy/rfid/documents/commiot2...
EDRi-gram: EP, EDPS and EDRi on RFID and the Internet of Things (24.03.2010)
http://www.edri.org/edrigram/number8.6/ep-edps-edri-policy-rfid
EDRi-gram: Industry proposed RFID Privacy Impact Assessment Framework
(19.05.2010)
http://www.edri.org/edrigram/number8.10/rfid-privacy-impact-assesment-...
Commission Recommendation on the implementation of privacy and data
protection principles in applications supported by radio-frequency
identification (12.05.2009)
http://ec.europa.eu/information_society/policy/rfid/documents/recommen...
(Contribution by Andreas Krisch - EDRi)