This article is also available in:
Deutsch: EP, EDPS und EDRi über RFID und das Internet der Dinge

The European Parliament's Committee on Industry, Research and Energy (ITRE) discussed at its meeting on 17 March 2010 the draft report by rapporteur Maria Badia i Cutchet on the Internet of Things (IoT). The report welcomes the Communication from the Commission "Internet of Things -An action plan for Europe" and endorses the Commission's focus on safety, protection of personal data and privacy and governance of the Internet of Things.

The draft report calls for further, more detailed assessments by the Commission especially concerning - among others - privacy, data protection and the right to the "silence of the chips". It takes the view that the actual functioning of the Internet of Things will be intrinsically linked to the trust consumers have in the system and that specific European regulation should be established if needed. Furthermore we welcome the Commissions' intention to present in 2010 a Communication on privacy and trust in the information society. We acknowledge the importance of this communication and of the proposed measures for strengthening the rules related to privacy and the protection of personal data.

Following the presentation of the draft report, EDRi was invited to present to the ITRE Committee its views on data protection and privacy with regard to the Internet of Things. EDRi's presentation highlighted some of the main difficulties of IoT applications, like the question of how to obtain informed consent of data subjects when IoT systems are meant to operate widely unnoticed "in the background", how to identify the data controller and data processor of IoT services in order to exercise data subjects rights and how to determine and report data flows in IoT systems, when these flows highly depend on external factors like e.g. the movements of a car in the context of Intelligent Transport Systems.

As main requirements for a successful, data protection friendly implementation of IoT systems, EDRi's presentation emphasized that individuals (as data subjects) need to be in control of these systems and need to have a free choice of participation without discrimination (right to the silence of the chips), that interactions with IoT systems need to be on an anonymised basis whenever possible and that strict data minimisation and strict purpose limitation are important cornerstones for IoT systems. In short: Privacy, Data Protection and Security by Design were identified as a fundamental requirement.

Furthermore EDRi called for an improved enforcement of data protection legislation by strengthening the financial and personal resources of Data Protection Authorities and by improving data protection education. A better harmonisation of global data protection legislation was identified as one of the main areas, where the European Parliament could have an important role (see also the Civil Society Madrid Declaration: Global Privacy Standards for a Global World).

Not in the context of the ITRE hearing but related to the topic, the European Data Protection Supervisor published on 18 March his opinion on "Promoting Trust in the Information Society by Fostering Data Protection and Privacy". Among other things the EDPS stressed the importance of Privacy by Design as the guiding principle in Europe's Digital Agenda and highlights in the chapter on Radio Frequency Identification (RFID) - which is considered to be an enabling technology of the Internet of Things - that in the context of this technology, the existing data protection rules need to be complemented with additional rules imposing specific safeguards, particularly making it mandatory to embed technical solutions (Privacy by Design) in RFID technology.

The EDPS expressed his concern that RFID operators in the retail sector may overlook the possibility for RFID tags to be monitored by unwanted third parties and thinks it is conceivable that self-regulation will not deliver the expected results. He therefore calls upon the Commission to be ready to propose legislative instruments regulating the main issues of RFID usage in case the effective implementation of the existing legal framework fails. The EDPS warns that the Commission's assessment should not be unduly postponed since this would put individuals at risk and would also be counterproductive for the industry as the legal uncertainties are too high and entrenched problems are likely to be more difficult and expensive to correct.

EDRi expressly welcomes the opinion of the European Data Protection Supervisor and also understands it to be a valuable input to the informal working group on the development of a RFID Privacy Impact Assessment framework in which EDRi participates.

EP ITRE Draft report on the Internet of Things, Rapporteur: Maria Badia i Cutchet (24.02.2010)
http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+CO...

Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions of 18 June 2009 on the 'Internet of Things - An action plan for Europe' (COM(2009)0278)
http://www.europarl.europa.eu/meetdocs/2009_2014/documents/com/com_com(2009)0278_/com_com(2009)0278_en.pdf

EDRi presentation at the EP ITRE hearing - Internet of Things: Privacy and Data Protection (17.03.2010)
http://www.edri.org/files/Krisch_EP-ITRE_Privacy_20100317.pdf

Civil Society Madrid Declaration: Global Privacy Standards for a Global World
http://thepublicvoice.org/madrid-declaration/

Opinion of the European Data Protection Supervisor on Promoting Trust in the Information Society by Fostering Data Protection and Privacy (19.03.2010)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/...

(Contribution by Andreas Krisch - EDRi)