On April 6, 2011, the European Commission (“the Commission”) signed a voluntary agreement with private and public stakeholders to establish data protection guidelines for companies that use radio frequency identification device (“RFID”) technology within Europe.

The agreement, entitled “Privacy and Data Protection Impact Assessment Framework for RFID Applications” (the “Framework”) requires companies to conduct privacy impact assessments for all RFID applications they implement and to take measures to address identified data protection risks before those applications are deployed in the market. The Framework is intended both to assure companies that their use of RFID technology is compatible with European data protection legislation, and to enhance privacy protections for European citizens and consumers. Because privacy impact assessments must be made available to the national data protection authorities, the Framework provides a clear, comprehensive methodology to assess and mitigate RFID-related privacy risks that can be applied across all industry sectors.

The RFID Framework was designed in close cooperation with the European Network and Information Security Agency after consultation with the Article 29 Working Party.

In the future, privacy impact assessments also may become a useful tool for assessing privacy risks associated with other technologies. During the signing ceremony, Neelie Kroes, Vice President of the European Commission for Digital Agenda, said that this Framework for RFID applications would constitute “an interesting model that could be used for other similar situations or areas, such as smart metering and online behavioural advertising.”