Arriving at the Recommendation
European consumers are particularly sensitive about data privacy. In the years leading up to Tuesday's recommendation, the European Commission held online and in-person consultations regarding RFID technology's impact on data privacy. In 2006, the EC released preliminary results of the consultations (see EU RFID Survey Shows Privacy Protection a Prime Concern). A survey indicated that nearly half of all respondents believed privacy-enhancing technologies should be mandatory in RFID applications, while 61 percent felt an RFID tag attached to products sold in retail stores should be automatically deactivated at the point of sale. In March 2007, the commission set up a stakeholders' group that examined privacy issues, among others (see EC Floats Plan to Facilitate RFID Usage).
Opt-In Policy
The final recommendation was issued following consultations with standardization organizations, consumer organizations, civil society groups and trade unions, as well as companies that manufacture, sell and utilize RFID technology.
The practice of deactivating a tag immediately upon purchase of a tagged item unless a consumer expressly opts in is something urged by many consumer advocates. However, many businesses in the RFID sector fought against making an opt-in policy mandatory (see EC Publishes RFID Privacy Policy Draft). Those companies argue that such a requirement would hamper many of RFID's post-sale benefits, such as more efficient recycling and management of warranties and repairs.
However, the recommendation also states: "In the retail trade sector, an assessment of the privacy and data protection impacts of products containing tags which are sold to consumers should provide the necessary information to determine whether there is a likely threat to privacy or the protection of personal data."
For Jimenez, this point is critical. Although the recommendation reads as if deactivation is required at the point of sale, she says, it essentially offers retailers a great deal of flexibility, assuming they can prove prior to implementation that their application poses no risk to privacy, or that they have a system in place to mitigate risk.
"The [recommendation's] deactivation provisions are linked to the results of privacy impact assessments," Jimenez states. "Retailers have to assess risk on a case-by-case and application-by-application basis." Such privacy impact assessments would need to be reviewed by national data-protection authorities.
Barrau agrees with Jimenez's interpretation, but warns: "We have to be clear on the fact that the privacy impact assessment needs to be carried out thoroughly and reviewed... A privacy impact assessment is not a way to avoid opt-ins."