The European Commission enters into a Privacy and Data Protection Impact Assessment Framework for RFID applications

The European Commission has formally entered into a Privacy and Data Protection Impact Assessment Framework for RFID Applications (PIA Framework) with industry and privacy and data protection watchdogs, in order to address privacy and data protection concerns over the use of smart tags. The agreement was signed by the Chairman of the Article 29 Data Protection Working Party, Jacob Kohnstamm; the Executive Director of the European Network and Information Security Agency (ENISA), Udo Helmbrecht; and European Commission Vice-President for the Digital Agenda, Neelie Kroes, on April 6, 2011.

Under the agreement, companies that use smart tags are encouraged to carry out a comprehensive assessment of the privacy and data protection breach risks and to take measures to address those risks before any new smart tag application is introduced onto the market. The agreement is intended to give companies more legal certainty as to their potential risk of breaching data protection and privacy laws and to offer protection for EU citizens and consumers.

Smart tags or ‘Radio Frequency Identification Devices’

Smart tags, or RFIDs, are already used widely and their use is expanding. They are found in various devices, including mobile phones, bus passes, smart cards, retail security tags, cars and other tracking devices.

Microelectronic devices process data automatically from RFID tags when brought close to “readers”, which activate them, pick up their radio signal and exchange data with them. Use of the technology has led to widespread concerns about privacy implications. The PIA Framework aims to ensure consumers’ privacy before RFID tags are introduced on a massive scale. Industry has estimated that there could be up to 50 billion smart tags in use by 2020.

The privacy concerns arise out of third parties potentially being able to access the personal data held on the RFIDs without the owner’s permission. For example, drivers who pay tolls electronically to use roads, airports and car parks via data collected through RFID tags on their car windscreens might pass a reader outside those specific locations, which would pick up the personal data, revealing identity information as well as the location of the car.

As for data protection, an RFID operator who collects or uses personal data via an RFID essentially has a role similar to that of a data controller as defined in the EU Data Protection Directive (95/46/EC). Such an operator must therefore comply with that legislation.

The PIA Framework Agreement

In May 2009, the European Commission issued a Recommendation on the implementation of privacy and data protection principles in applications supported by RFIDs and established a requirement for the endorsement by the Article 29 Data Protection Working Party of this industry-prepared PIA Framework.

The PIA Framework provides for a PIA process whereby a conscious and systematic effort is made by the organisation that wishes to employ RFID technology to assess the privacy and data protection impacts of a specific RFID application, with a view to taking appropriate actions to prevent or at least minimise those impacts before the particular smart tag is brought to market.

The idea of the PIA Framework is to assist the RFID operator to manage its risk as regards privacy and data protection and to protect consumers and citizens of the European Union. According to the European Commission, the PIA process will help RFID operators uncover the privacy risks associated with RFIDs, assess their likelihood and document the steps taken to address those risks.

This PIA process will result in a PIA Report, which should be made available to the relevant authorities as long as the information is not specifically pertinent to privacy and data protection implications. It will be up to Member States as to who the relevant authority is and whether provision of the Report should be mandatory or not.

The RFID operator should develop a PIA for each RFID application it operates. However, if it deploys several related RFID applications (in the same context or at the same premises), the operator need create only one report if the boundaries and differences between the applications are described in that report. If an operator reuses an RFID application in the same way for multiple products, services or processes, the operator need create only one report for all products, services or processes that are similar. For example, a car manufacturer deploying the same anti-theft mechanism in all cars under the same service conditions need prepare only one report. This is in addition to other specific applicable laws, regulations and other binding agreements.

The PIA Process

The PIA Framework identifies two phases in the PIA process. The first is the “Initial Analysis Phase”, under which the operator must assess whether a PIA of its RFID application is required or not and whether such PIA process should be a “Full Scale” or “Small Scale” PIA. The second stage is the “Risk Assessment Phase”, which outlines the criteria and elements of Full and Small Scale PIAs.

Initial Analysis Phase

In the Initial Analysis Phase, the operator must decide whether it needs to implement a PIA process by examining the nature and sensitivity of the data it deals with, the nature and type of processing or collection of information it engages in, and the type of RFID application in question. The PIA Framework agreement includes a tree diagram of the process that the operator must undertake to decide whether a PIA is needed.

Work done under the Initial Analysis Phase must be documented and made available to data protection authorities upon request.

Examples of applications requiring a Full Scale PIA include applications that process personal information or where the RFID itself contains personal data. In these cases, a highly detailed risk assessment will be necessary to ensure that appropriate controls are put in place. Operators should also consider whether the RFID’s information is likely to be used beyond the initial purpose or context understood by the individual whose data is being collected or processed, particularly if it could be used to process such data further or link to other personal data.

Small Scale PIAs follow the same process as Full Scale PIAs, but, given the lower risk profile, a Small Scale PIA is more restricted in its scope and level of detail.

Risk Assessment Phase

The objective of the Risk Assessment Phase is to identify the privacy risks caused by an RFID application, ideally at an early stage of system development, and to document how these risks will be mitigated through technical and organisational controls.

The PIA Framework agreement recommends that, to save time and cost, the Risk Assessment Phase should be carried out before final decisions on an RFID application’s structure are taken, so that mitigation strategies can be embedded into the system’s design and will not need to be “bolted on” later.

In the Risk Assessment Phase, the RFID operator must consider the likelihood of data protection breaches and privacy problems occurring via the use of the specific RFID in question, and their magnitude. Operators are advised to use the privacy targets of the EU e-Privacy Directive (2002/58/EC) as a starting point. Privacy risks would be high, the PIA Framework agreement suggests, if the RFID application might be susceptible to malicious attacks or if organisational or environmental privacy controls do not exist. Privacy risks might be small, it suggests, where their occurrence is unlikely or where the RFID application is already configured in a “privacy friendly way”.

In summary, the PIA process involves the following:

  • A description of the RFID application which gives a comprehensive and full picture of it, its environment and system boundaries.
  • Identification of how the RFID application might threaten privacy, and an estimation of the magnitude and likelihood of such risk. Annex III includes a list of potential privacy risks. For example, use of an application that results in data being collected beyond the extent necessary would constitute a potential risk, e.g. an RFID payment card that collects personal data that is used not only to process transactions but also to build individual profiles.
  • Documentation of current and proposed technical and organisational controls to mitigate identified risks. For example, technical controls such as default settings, authentication mechanisms and encryption methods might be incorporated into the RFID application itself, or non-technical controls such as operational and management procedures might be put in place. Annex IV gives further examples.
  • Documentation of the results of the analysis and the solutions, including any further remarks concerning risks and controls.

The signed PIA Report should then be given to the company’s assigned data privacy/security officer in accordance with the RFID operator’s internal procedures.

Comment

On signing the PIA Framework agreement, Neelie Kroes, European Commission Vice-President for the Digital Agenda, said, “I warmly welcome today’s milestone agreement to put consumers’ privacy at the centre of smart tag technology and to make sure privacy concerns are addressed before products are placed on the market. I’m pleased that industry is working with consumers, privacy watchdogs and others to address legitimate concerns over data privacy and security related to the use of these smart tags. This sets a good example for other industries and technologies to address privacy concerns in Europe in a practical way”.

The Commission has also said that information gathered during the drafting process will make a “valuable contribution” to the ongoing discussions on the revision of EU rules on data protection and on how to address the new challenges for personal data protection that have arisen due to technological developments.

The PIA Framework agreement offers guidelines only, and is not legally binding. However, despite being voluntary, it is likely to be widely adopted, partly because compliance is not particularly onerous and partly to allay public fears.

EuroCommerce, one of the signatories to the agreement, has praised the document as a “successful example of self-regulation and proof that legislation is not always required to address matters that are of high concern for many people”. EuroCommerce Secretary General Xavier Durieu said: “With today’s official signature, two years of intensive work have come to fruition. This Framework sets concerns over privacy at rest, while at the same time giving RFID operators the flexibility they need to fully exploit the benefits of this technology”. Mr. Durieu went on to say that “…the work doesn’t end here. EuroCommerce is strongly committed to promoting the PIA Framework among its members to assure its wide application throughout the commerce sector”.

The Privacy and Data Protection Impact Assessment Framework for RFID Applications can be accessed here.

The European Commission’s statement on its signing of the Privacy and Data Protection Impact Assessment Framework for RFID Applications is available here.

A version of this article was first published in the World Data Protection Report in its April 2011 issue.