The European Commission has produced a number of recommendations designed to address concerns over the effect of radio frequency identification (RFID) tags on privacy and personal data protection.

RFID TECHNOLOGY

A basic RFID system consists of a tag that identifies itself to a reader when within the reader’s range. Billions of RFID tags are sold annually worldwide for use in fields including manufacturing, transport, security, retail and e-payment.

THE PRIVACY ISSUES

RFID tags can be used to collect personal data, for example by tying a customer’s credit card details to a product, or through an RFID-based transport ticket system that allows customer itineraries to be stored and read. Data can be processed without physical contact or visible interaction between the tag and reader and without the individual concerned being aware of it. RFID technology is used increasingly in the retail sector and concerns focus in particular on the risk of theft or misuse of personal data held on RFID tags and accessed by RFID readers.

EU DIRECTIVES

The Data Protection Directive (95/46/EC) provides that a person must give freely his or her specific and informed consent before any personal information is processed. The e-Privacy Directive (2002/58/EC) prohibits interception and surveillance of personal information unless the users concerned have given their consent. The Commission has clarified expressly that the e-Privacy Directive covers RFID networks in its proposals for reform of the EU telecoms package. The Commission’s recommendations provide guidance on how to implement RFID applications in a manner that complies with these Directives.

THE RECOMMENDATIONS

EU Member States are asked to provide a framework for privacy and data protection impact assessments (PIAs). RFID operators would be required to conduct PIAs in order to understand and act on the possible privacy and data protection threats that the presence of the RFID tag creates. The level of detail of the assessment should be appropriate to the privacy risks possibly associated with the RFID application. The PIA must be sent to the national data protection authority in advance of deployment of the application.

Operators will also be asked to ensure that consumers understand clearly the type of personal data collected and the purpose it will be used for. Operators should also provide clear labelling to identify RFID readers.

A common European sign, developed by European standards organisations, should be applied to any retail product containing a smart chip. Furthermore, RFID retailers should deactivate or remove tags at the point of sale unless consumers give their informed consent (“opt-in”) to keep tags operational. Deactivation or removal of tags by the retailer should be immediate, free of charge and verifiable by the consumer.

The retail opt-in requirement does not apply, however, if the PIA concludes that tags remaining operational after the point of sale do not represent a likely threat to privacy or the protection of personal data. Nevertheless, retailers should make available, free of charge, an easy means to deactivate or remove these tags.