EC Publishes RFID Privacy Policy Draft

By Mary Catherine O'Connor

EPCglobal calls for clarification on proposed European Commission rules for the retail sector.

The European Commission (EC) has drafted a set of recommendations regarding how to protect data and personal privacy in applications supported by RFID, and is asking industry stakeholders, as well as the general public, to comment on the document. Representatives from EPCglobal, a nonprofit organization working to commercialize Electronic Product Code (EPC) and RFID technologies in the supply chain, claim the draft lacks clarity and fails to address a number of important issues.

The commission, which acts as the European Union's executive body, has developed the draft over the past two years through its Information Society and Media Directorate-General. The EC has made the recommendations available to the public on its Web site and will accept comments on the document until April 25.

A number of stakeholder parties, including RFID vendors, analysts, end users and privacy groups, as well as several national government agencies from outside Europe, have provided input on the recommended policy. The EC has also collected public comments regarding specific issues it wanted addressed (see EC Takes RFID Survey, Schedules Final Conference). The EC's goal in creating the recommendations, which the European Union could ultimately turn into law, is to produce clear and stable policies that balance RFID's prospective benefits and its potential to encroach on civil liberties.

Elizabeth Board, however, who sits on EPCglobal's Public Policy Steering Committee, calls some parts of the draft "a little disappointing." Of particular concern, she says, is the document's Article 7, which proposes multiple scenarios for either deactivating an RFID tag attached to a product being purchased, or leaving it operational.

Article 7.3 stipulates that if there is a direct link between a consumer's personally identifiable information and an RFID tag linked to a purchased product—or if making such a link is possible—then the retailer must deactivate the product's RFID tag at the point of purchase, unless a consumer requests that it be left operational. (In such a scenario, the consumer must "opt in" for the tag to remain active.) However, if there is no link between the tag and the consumer's personal information—and if there is no feasible means of creating such a link—then the retailer may leave the RFID tag operational as long as it also offers a means of deactivating it at the consumer's wish. (In this situation, the tag remains active, and consumers must "opt out" if they want the tag deactivated.)

"This is confusing because there could be a situation where linkage to a consumer's personal information is not clear," Board says. "For example, what if you pay for an item with a credit card? The tag might not contain personally identifiable information, but the retailer could link the two. So does that mean the tag would need to be killed? That's one of the things we will be asking the commission."

What's more, Board notes, the policy currently fails to make a distinction between RFID tags that are permanently attached to products—and, in some cases, could be used in the product's operation—versus those attached to hangtags or packaging that will be removed from the product.

Gérald Santucci, head of the Information and Communication Technology (ICT) for Enterprise Networking unit of the Information Society and Media Directorate-General, says that in writing the draft policy, the Directorate-General worked closely with a group of RFID experts. These included EPCglobal members, Santucci says, as well as technology vendors, privacy law experts and advocates.

"I can tell you that in the more than six months of debate, the question of whether making [the deactivation of RFID tags] an opt-in or an opt-out scenario was a contentious matter," Santucci states. "People have different points of view on this; some have economic interests and others have social considerations, and you need time to work it out."

Today, Santucci adds, with few retailers in the EU using RFID tags at the item level, and no significant use of the technology at the point of sale, the scenario described in Article 7.3, in which retailers may need to deactivate the tag at the point of sale, is unlikely. Still, he says, the recommended policy is the means by which the commission believes it can remain in line with the EU's existing privacy laws regarding the electronic sharing of personal information.

In addition, Santucci says, an important element of the draft is Article 7.5, which states: "Within three years after the entry into force of this recommendation, the European Commission will review these provisions in order to assess the effectiveness and efficiency of systems to remove or deactivate tags with a view to providing automatic deactivation at the point of sale on all items except where the consumer has specifically opted-in to the RFID application." The background to this statement, according to Santucci, is that the EC is also funding research to develop RFID tags that can be deactivated and reactivated, so that consumers and retailers will no longer need to choose one scenario over the other.

"In Europe, there is a visible lack of trust in new technologies," Santucci says. "That is a fact. So we need to demonstrate the benefits of RFID and its uses. But where [the technology] shows any risk to privacy, we need to offer means of self-regulation." This, Santucci adds, is a preferred course to enacting laws.