
ENDitorial: Industry RFID PIA: not endorsed in its current form

28 July, 2010

This article is also available in German: ENDitorial: Keine Zustimmung zur RFID-Folgenabschätzung der Industrie ("No endorsement of the industry's RFID impact assessment").


On 13 July 2010, the Article 29 Working Party adopted an opinion on the Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications (Industry RFID PIA framework) in which it concludes it would not endorse the proposed document in its current form. Another opinion on this framework published by the European Network and Information Security Agency (ENISA) earlier this month also identified some major issues and areas of improvement.

In its analysis, the Article 29 Working Party identified three critical concerns:

The first is that no section of the Industry RFID PIA framework explicitly requires the RFID operator to identify or uncover the privacy risks associated with an RFID application. Because those risks are never identified in the first place, it is impossible to evaluate whether the measures an operator proposes are adequate or proportionate to them.

Secondly, based on its opinion on the concept of personal data, the Article 29 Working Party clarifies with regard to RFID-tags containing a unique serial number (e.g. the Electronic Product Code, EPC) that "if the tag is carried by a person (...), and if the tag contains a unique ID, then by definition the tag contains personal data" and that this is the case "regardless of the fact that the 'social identity' (name, address etc.) of the person remains unknown". Therefore, the Working Party explains that it is not sufficient to consider whether the location of persons will be monitored through RFID applications but that it is also crucial to analyse the risk of unauthorized monitoring beyond the perimeter of the application. The Industry RFID PIA framework fails to explicitly address this issue.

Thirdly, the Working Party refers to points 11 and 12 of the RFID Recommendation, which concern RFID in the retail sector, and clarifies that these provisions mean that deactivation of tags at the point of sale is the default behaviour, unless the PIA concludes that tags remaining operational do not represent a likely threat to privacy or the protection of personal data.

In its opinion, ENISA concentrates on the methodological part of the framework and states that it "finds in this draft a very good starting point towards establishing a PIA framework." However, the major issue identified by ENISA is that the framework "is not based or does not follow a tested and comprehensive risk methodological basis, e.g. a risk management and an impact assessment methodology." From this central shortcoming ENISA derives a number of follow-on issues with the framework and gives recommendations on how to address them. In line with the concerns raised by the Article 29 Working Party, ENISA also states that the PIA process does not provide clear guidelines for identifying the major risks and impacts of RFID applications regarding privacy and data protection.

Together, the opinions of the Article 29 Working Party and ENISA are an important contribution to the ongoing European debate on how to protect privacy and personal data in the area of RFID. That debate culminated in May 2009 in the promising RFID Recommendation of the European Commission, part of which the Industry RFID PIA framework tries to implement.

While it is good to see that the European data protection and network security organisations responsibly and tirelessly provide their expertise to advance a privacy-friendly development, it is rather strange that industry, years after the RFID data protection debate started, still seems to lack a full understanding of certain basic data protection principles (such as the concept of personal data) and of what the obligations of RFID operators are.

This apparent lack of understanding results in a clear delay in the implementation of the RFID Recommendation, as the final RFID PIA framework was expected to be ready twelve months after the adoption of the Recommendation. Today, more than 14 months after the Recommendation was adopted, only a "starting point" for such a framework is available, and a final result is not foreseeable in the near future if the recommendations of ENISA and the Article 29 Working Party are taken seriously and the pace of the past months is maintained.

European Digital Rights and its members will use the coming weeks to assess this unsatisfying development and decide on how to best contribute to a timely development towards a proper protection of the fundamental rights to data protection and privacy in the area of RFID.

Article 29 Working Party: Opinion 5/2010 on the Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications (13.07.2010)
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2010/wp175_en...

ENISA: Opinion on the Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications of March 31, 2010 (July 2010)
http://www.enisa.europa.eu/media/news-items/enisa-opinion-on-pia

Article 29 Working Party: Opinion 4/2007 on the concept of personal data (20.06.2007)
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2007/wp136_en...

EDRi-gram: Industry proposed RFID Privacy Impact Assessment Framework (19.05.2010)
http://www.edri.org/edrigram/number8.10/rfid-privacy-impact-assesment-...

Commission Recommendation on the implementation of privacy and data protection principles in applications supported by radio-frequency identification (12.05.2009)
http://ec.europa.eu/information_society/policy/rfid/documents/recommen...

EDRi-gram: EP calls for a clear legal framework for the Internet of Things (30.06.2010)
http://www.edri.org/edrigram/number8.13/european-parliament-on-interne...

(Contribution by Andreas Krisch - EDRi)
