An "RFID application," meanwhile, is defined as "a system to process data through the use of RFID tags and/or readers, a back-end system and/or a networked communication infrastructure." This means most companies' IT systems would be considered an RFID application, if they integrate data with their back end.
"Monitoring" is defined as "any activity carried out for the purpose of detecting, observing, copying or recording the location, movement, activities, image, text, voice, sound or state of an individual." That means using RFID to detect or prevent theft might not be feasible.
Article 3 says: "Where it cannot be excluded that data processed in RFID applications can be related to an identifiable natural person by an RFID application operator or a third party, Member States should ensure that RFID application operators and providers of components of such applications take appropriate technical and organizational measures to mitigate the ensuing privacy and data protection risks."
In other words, if there is a chance—no matter how small—that RFID data could be linked to an individual, national governments in Europe should legislate technical protections and organizational measures to prevent it. The fact is, as any lawyer would attest, there is no application for which you can guarantee, with absolute certainty, that an RFID tag won't be linked to a specific person somehow or in some way, even if companies have the best intentions. It would make far more sense to say that where there is a reasonable likelihood RFID data will be linked to individuals, states should ensure there are protections in place.
Article 5 spells out some specific actions companies must take if they plan to employ RFID in "public spaces" (for instance, they must explain what their data storage policy is). However, as stated earlier, "public spaces" is not clearly defined, so these requirements could affect everyone.
Article 6 is problematic, because it requires users to establish security for RFID applications but doesn't recognize that many companies might participate in a single application, such as supply chain management. Who is responsible if one company in a particular chain fails to adhere to the recommendations? All of them?
READERS' COMMENTS
EC's draft recommendations
I'd like to thank Mark Roberti for his article "Give Your Views to the EU - Now!" (7 April). I'm currently in charge within DG Information Society and Media (INFSO) of the European Commission of the RFID dossier, and hence of the draft recommendation. A public consultation has been published for a period of 9 weeks (ending 25 April) and its results will obviously be taken into account by the Commission in its finalisation of the policy document. Here we find Mark's articles inspiring and always very useful for us to remain informed of RFID trends and developments worldwide and for different sectors and applications. His "call" on stakeholders concerning the draft EC recommendation, although critical of several aspects of the recommendation, will be duly considered as a relevant and positive contribution to the overall debate. I'd like to tell Mark each article in the draft recommendation is an integral part of it. The provisions concerning PIAs, codes of conduct, information on RFID use, security risk management, awareness raising actions, support for R&D, and the use of RFID in retail should not be seen as individual entities but as a set of inter-related entities which have to be set in conjunction with one another in a continuum. This said, I take note, among other things, of Mark's observation that some definitions and other parts of the draft recommendation are not sufficiently clearly specified. So, many thanks again, and let's hope that at the end we'll find a common path. Gerald Santucci, Head of Unit, DG INFSO/D4
Posted By: G. Santucci 4/09/2008 at 7:17:28 AM