
EC Draft Recommendation on RFID Privacy and Security published

27 February, 2008

(This article is also available in German)

The European Commission has published the Draft Recommendation on RFID Privacy and Security on the Your Voice in Europe platform for public consultation.

After a public consultation on RFID Privacy Issues in 2006, some conferences and workshops and various discussions on the topic within the RFID Expert Group, this publication finally represents the measures that the Commission recommends to the member states and stakeholders, in order to achieve a high level of privacy and data protection in the context of RFID applications.

EDRi welcomes this Draft Recommendation, which contains various important measures, such as the recommendation that RFID reading areas as well as RFID-tagged objects should be marked with a clear sign indicating the presence of RFID tags or readers. The recommendations to conduct a Privacy Impact Assessment before the deployment of RFID applications and to provide information on the policy governing the use of a particular application are also important measures to inform individuals of the presence and the purpose of a given RFID application.

Regarding RFID use in the retail environment, the Commission addresses two scenarios:

a. When an RFID application processes personal data or when it is likely that personal data will be created, the retailer should deactivate the tag unless the consumer requests otherwise.

b. When the application does not process personal data and it is unlikely that personal data will be generated through the application, the retailer must only provide facilities to deactivate or remove the tag.

As already expressed in our contributions to the RFID Expert Group, EDRi strongly asks for an opt-in regime unless there are sufficient mechanisms in place to grant the individual full control over the RFID tags in his or her possession and the data stored on them.

The two retail scenarios distinguished by the Commission are problematic for two reasons. On the one hand, the privacy risks stem not only from the RFID application in question but also from the unique identifier stored on the tag, and from the fact that this identifier can be utilised by any RFID application looking for a unique identifier for a person. This problem will not necessarily show up in the privacy risk assessment conducted for the RFID application in question.

On the other hand, experience shows that industry representatives and application operators often have problems identifying privacy and data protection threats. In particular, the concept of personal data is often not properly understood. It is therefore not unlikely that application operators will fail to recognize privacy and data protection problems and leave consumers with the burden of asking for deactivation or removal of the tags.

EDRi will therefore continue to argue for the implementation of binding policy requiring the deactivation or removal of RFID tags unless sufficient technical measures are in place to give individuals full control over the RFID tags in their possession.

The discussion on RFID, privacy and security will certainly continue, not only in the RFID Expert Group, but also amongst the public and the stakeholders. Improvements, and not only discussions, are requested as well: the Commission clearly states that it will evaluate the implementation of the Recommendation in three years' time, with a particular focus on systems "providing automatic deactivation at the point of sale on all items except where consumers specifically opted in to the RFID application."

For now, it is important that the general public provides the Commission with its opinions on the Draft Recommendation. Both approval and criticism are equally welcome.

Draft Recommendation on the implementation of privacy, data protection and information security principles in applications supported by Radio Frequency Identification (RFID): your opinion matters!
http://ec.europa.eu/yourvoice/ipm/forms/dispatch?form=RFIDRec

RFID and Informed Consent - Using and removing of RFID functionality (5.12.2007)
http://www.edri.org/edrigram/number5.23/rfid-informed-consent

European Data Protection Supervisor's opinion on RFID (16.01.2008)
http://www.edri.org/edrigram/number6.1/edps-opinion-rfid

Article 29 Working Party: Opinion no. 4/2007 on the concept of personal data (20.06.2007)
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2007/wp136_en...

(contribution from Andreas Krisch - EDRI-member VIBE! - Austria)

 
