
This article is also available in:
Deutsch: ENDitorial: RFID PIA – Auf die Umsetzung kommt es an
In the context of the Hungarian Presidency of the European Council, the European Commission and the Hungarian Innovation Office jointly organised the IoT 2011 conference on the Internet of Things, earlier this week.
One of the main sessions was devoted to privacy and data protection in the IoT age. The main points made in this session included the high importance of technology design for any form of Internet regulation (with reference to Lessig's "Code is law"), the need to reduce bureaucracy in data protection, and the importance of accurate information on the consequences of IoT applications for individuals' privacy. The experts stressed that the existing data protection principles must be maintained in the IoT age as well, and that commercial competition must not take place at the cost of reduced data protection standards.
Risk assessments like the RFID Privacy Impact Assessment (PIA) were mentioned as an important tool that also enables end users (the data subjects) to take informed decisions regarding the processing of their personal data.
RFID and PIAs also came up during the questions and answers of the following session, where Christian Plenge, Head of Architecture, Frameworks & Innovation at METRO Systems GmbH (a company of Metro Group, one of the world's largest retailers), informed the audience that Metro had decided to leave the RFID tags on its products active after the point of sale and to offer customers the possibility of deactivating the tags on request. According to Mr. Plenge, this option has so far been taken up only once, when a data protection group was given a tour of an RFID-equipped store.
This statement is of particular interest because the European Commission's recommendation on RFID data protection suggests, at points 11 and 12, that retailers deactivate or remove RFID tags at the point of sale unless consumers give their informed consent or a PIA concludes that the tags do not represent a likely threat to privacy or the protection of personal data.
When asked by EDRi whether his statements should be understood to mean that Metro Group had decided not to follow the European Commission's recommendation, Mr. Plenge said that the PIA they had conducted had concluded that there was no likely threat to privacy or the protection of personal data, and that their activities were therefore in line with the EC recommendation.
This view is also promoted on the website of Metro's Future Store Initiative, which claims that Metro's RFID use is "in full compliance with existing provisions" and that their "transponders, ..., do not store any personal consumer information". The Electronic Product Code (EPC; a worldwide unique identifier) is said to refer only to product and process information, and "(p)ersonal data is neither disseminated nor stored".
For an audience not familiar with the data protection problems of RFID applications and the discussions in the European Commission's RFID Expert Group and elsewhere, this statement might be convincing at first sight.
The fact is, however, that the question of whether unique identifiers stored on RFID tags constitute personal data has been discussed at length on various occasions, and that Metro was closely involved in these debates. As a result of these debates, and of the process leading to the RFID PIA framework, the answer to this question was formally given in not one but two working papers of the Article 29 Working Party (WP175 and WP180): "... when a unique identifier is associated to a person, it falls in the definition of personal data set forth in Directive 95/46/EC, regardless of the fact that the 'social identity' (name, address, etc.) of the person remains unknown (i.e. he is 'identifiable' but not necessarily 'identified')." (WP175, p. 8)
In the case of Metro's RFID use, this means that Metro, contrary to its public statements, is in fact processing personal data of its customers (the EPCs): the EPC identifies the individual item, not merely the product type, and once the tagged item leaves the store with its buyer, that identifier is associated with a person. Metro puts this personal data at risk (the customers could, for example, be tracked by third parties without their knowledge) by not deactivating the RFID tags at the point of sale and not taking any other measures to mitigate the risks (at least as far as we know from Mr. Plenge and the above-mentioned corporate website).
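To make concrete what "worldwide unique identifier" means for an EPC, here is an added example; it is not code from Metro Group or from this article. It assumes the product tags carry SGTIN-96 EPCs as defined in the GS1 EPC Tag Data Standard (the article does not say which EPC scheme Metro uses), and the company prefix, item reference, serial numbers, reader names and read log are constructed for illustration. The example decodes an EPC into its product-level fields and its per-item serial, and then shows that a read log collected by any reader in range, with no access to the retailer's back-end, links every sighting of the same tag into one trail.

```python
"""SGTIN-96 EPC decoding and cross-reader correlation of tag sightings.

Added example, not code from Metro Group or the EDRi article. It assumes the
product tags carry SGTIN-96 EPCs (GS1 EPC Tag Data Standard); the company
prefix, item reference, serial numbers, reader names and read log below are
constructed for the example.
"""
from collections import defaultdict

# SGTIN-96 partition table:
# partition -> (company prefix bits, company prefix digits,
#               item reference bits, item reference digits)
PARTITIONS = {
    0: (40, 12, 4, 1),
    1: (37, 11, 7, 2),
    2: (34, 10, 10, 3),
    3: (30, 9, 14, 4),
    4: (27, 8, 17, 5),
    5: (24, 7, 20, 6),
    6: (20, 6, 24, 7),
}
SGTIN96_HEADER = 0x30
SERIAL_BITS = 38


def encode_sgtin96(company_prefix, item_reference, serial, filter_value=1):
    """Build the 24-hex-digit SGTIN-96 for a single tagged item."""
    matches = [p for p, (_, cp_digits, _, _) in PARTITIONS.items()
               if cp_digits == len(company_prefix)]
    if not matches:
        raise ValueError("company prefix must have 6 to 12 digits")
    partition = matches[0]
    _, _, ir_bits, ir_digits = PARTITIONS[partition]
    if len(item_reference) != ir_digits:
        raise ValueError("item reference must have %d digits for this prefix" % ir_digits)
    if not 0 <= serial < (1 << SERIAL_BITS):
        raise ValueError("serial does not fit in 38 bits")
    value = (SGTIN96_HEADER << 88) | (filter_value << 85) | (partition << 82)
    value |= int(company_prefix) << (ir_bits + SERIAL_BITS)
    value |= int(item_reference) << SERIAL_BITS
    value |= serial
    return "%024X" % value


def decode_sgtin96(epc_hex):
    """Split a SGTIN-96 EPC into product-level fields and the per-item serial.

    Layout, MSB first: header (8 bits, 0x30), filter (3), partition (3),
    company prefix + item reference (58 bits, split per partition), serial (38).
    """
    if len(epc_hex) != 24:
        raise ValueError("SGTIN-96 is 96 bits, i.e. 24 hex digits")
    bits = int(epc_hex, 16)
    if bits >> 88 != SGTIN96_HEADER:
        raise ValueError("not an SGTIN-96 header: 0x%02X" % (bits >> 88))
    partition = (bits >> 82) & 0x7
    _, cp_digits, ir_bits, ir_digits = PARTITIONS[partition]
    body = bits & ((1 << 82) - 1)
    return {
        "filter": (bits >> 85) & 0x7,
        "company_prefix": str(body >> (ir_bits + SERIAL_BITS)).zfill(cp_digits),
        "item_reference": str((body >> SERIAL_BITS) & ((1 << ir_bits) - 1)).zfill(ir_digits),
        "serial": body & ((1 << SERIAL_BITS) - 1),
    }


def product_key(epc_hex):
    """What the tag says about the product: identical for every item of that type."""
    d = decode_sgtin96(epc_hex)
    return d["company_prefix"] + "." + d["item_reference"]


def trails(reads):
    """Group reads by the full EPC (serial included): each trail is one item's movements."""
    by_tag = defaultdict(list)
    for _timestamp, reader, epc_hex in sorted(reads):
        by_tag[epc_hex].append(reader)
    return dict(by_tag)


# Constructed read log: two customers buy the same product (same company prefix
# and item reference) and leave the store with the tags still active.
TAG_A = encode_sgtin96("4012345", "012345", 1001)
TAG_B = encode_sgtin96("4012345", "012345", 1002)
SAMPLE_READS = [
    ("2011-05-18T09:01", "store-exit", TAG_A),
    ("2011-05-18T09:02", "store-exit", TAG_B),
    ("2011-05-18T13:40", "mall-entrance", TAG_A),
    ("2011-05-18T18:02", "tram-stop", TAG_B),
    ("2011-05-19T08:15", "office-lobby", TAG_A),
]

if __name__ == "__main__":
    print("product-level view:", {product_key(t) for _, _, t in SAMPLE_READS})
    for epc, path in trails(SAMPLE_READS).items():
        print(epc, "serial", decode_sgtin96(epc)["serial"], "->", " > ".join(path))
```

The product-level fields (company prefix and item reference) are identical for both tags, which is all the "only product information" claim speaks to; the 38-bit serial is what differs, and it is that serial which lets the mall-entrance and office-lobby readers recognise the same item again without ever consulting Metro's systems. Once any single sighting can be tied to a person, for example the purchase at the checkout, the whole trail refers to that person, which is exactly the situation WP175 describes as personal data.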
Mr. Plenge's statement at the European Commission's IoT 2011 conference is of particular importance because it was made several weeks after European Commission Vice President Neelie Kroes, representatives of the European RFID industry, the chairman of the Article 29 Data Protection Working Party and the executive director of ENISA formally signed the RFID Privacy Impact Assessment Framework as a tool of industry self-regulation for data protection compliant RFID applications. Before the signing ceremony took place, this framework had been formally endorsed by the Art. 29 Working Party in working paper 180, in which the Working Party reconfirmed its above-mentioned statement that unique identifiers are personal data.
Mr. Plenge's statement that, apart from the visit of a data protection group, none of their customers has ever requested that the RFID tags on products be deactivated highlights the drawback of opt-out regimes. Most customers of retail stores are not data protection or RFID experts but ordinary citizens. They have to trust retailers to give them accurate information and cannot base their shopping habits on general suspicion. Consumers are therefore not aware of any threats to their privacy and expect their personal data to be protected by default. It is thus not a lack of interest but a lack of knowledge that leads to this total of zero deactivated RFID tags.
Incidentally, industry representatives have often claimed during the past couple of years of RFID data protection discussions that it is not possible to inform consumers sufficiently about the data protection risks of RFID applications at the point of sale. This is one of the reasons why EDRi has always advocated an opt-in regime instead of an opt-out one.
This current example of Metro Group's strategy is important not only because the company is one of the world's largest retailers, whose actions affect the data protection rights of a large number of individuals, but also because it illustrates the practical value of self-regulation tools like the RFID PIA framework.
In our EDRi-gram article on the signing ceremony we wrote, among other things: "The RFID PIA Framework is an important milestone on the way to the implementation of privacy friendly RFID applications. Now it is important that industry quickly but thoroughly implements the PIA in practice." As the Metro example suggests, it is the word "thoroughly" that needs to be emphasised in this statement.
At point 20 of the RFID recommendation, the European Commission announced that it would "provide a report on the implementation of this Recommendation, its effectiveness and its impact on operators and consumers," in particular as regards the measures recommended for RFID applications used in the retail trade, before the end of May 2012. In our view, it is important to make sure that global players like Metro Group are covered by this report just as well as small and medium-sized RFID operators, as their level of adoption not only affects a large number of individuals but also predetermines the level of compliance of the whole industry.
Point 5 of the RFID recommendation suggests that RFID operators make the results of their privacy impact assessments available to the competent authorities (the national data protection authorities; DPAs) at least six weeks before the deployment of the application. EDRi calls on the national DPAs, the European Data Protection Supervisor and the Article 29 Working Party to make a meaningful use of this opportunity by at least checking if the PIA was conducted on the basis of a correct definition of personal data and by providing statistics about how many PIA reports were made available to them, in which member states, and by which industries.
EDRi is well aware that this request comes at a time when most DPAs suffer from a lack of funding, staff and time. But we think that it is very important, also for the future use of such tools in other areas, to ensure that privacy risk assessments are carried out properly.
The RFID PIA Framework is an important milestone but we need to check against delivery.
IoT 2011
http://www.iot-budapest.eu/
EDRi-gram 9.7: RFID Privacy Impact Assessment Framework formally adopted (6.04.2011)
http://www.edri.org/edrigram/number9.7/rfid-pia-adopted-eu
EC recommendation (12.05.2009)
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:122:00...
Metro Group Future Store Initiative: Privacy at METRO GROUP (last accessed on 18.05.2011)
http://www.future-store.org/fsi-internet/html/en/1674/index.html
Article 29 Working Party, Opinion 5/2010 on the Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications, WP175 (13.07.2010)
http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp175_en...
Article 29 Working Party, Opinion 9/2011 on the revised Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications, WP180 (11.02.2011)
http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp180_en...
http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp180_an...
(Contribution by Andreas Krisch - EDRi)