Home Internet of Things Aerospace Apparel Energy Defense Health Care Logistics Manufacturing Retail

EC Publishes RFID Privacy Policy Draft

EPCglobal calls for clarification on proposed European Commission rules for the retail sector.
By Mary Catherine O'Connor
Feb 22, 2008The European Commission (EC) has drafted a set of recommendations regarding how to protect data and personal privacy in applications supported by RFID, and is asking industry stakeholders, as well as the general public, to comment on the document. Representatives from EPCglobal, a nonprofit organization working to commercialize Electronic Product Code (EPC) and RFID technologies in the supply chain, claim the draft lacks clarity and fails to address a number of important issues.

The commission, which acts as the European Union's executive body, has developed the draft over the past two years through its Information Society and Media Directorate-General. The EC has made the recommendations available to the public on its Web site and will accept comments on the document until April 25.

A number of stakeholder parties, including RFID vendors, analysts, end users and privacy groups, as well as several national government agencies from outside Europe, have provided input on the recommended policy. The EC has also collected public comments regarding specific issues it wanted addressed (see EC Takes RFID Survey, Schedules Final Conference). The EC's goal in creating the recommendations, which the European Union could ultimately turn into law, is to produce clear and stable policies that balance RFID's prospective benefits and its potential to encroach on civil liberties.

Elizabeth Board, however, who sits on EPCglobal's Public Policy Steering Committee, calls some parts of the draft "a little disappointing." Of particular concern, she says, is the document's Article 7, which proposes multiple scenarios for either deactivating an RFID tag attached to a product being purchased, or leaving it operational.

Article 7.3 stipulates that if there is a direct link between a consumer's personally identifiable information and an RFID tag linked to a purchased product—or if making such a link is possible—then the retailer must deactivate the product's RFID tag at the point of purchase, unless a consumer requests that it be left operational. (In such a scenario, the consumer must "opt-in" for the tag to remain active.) However, if there is no link between the tag and the consumer's personal information—and if there is no feasible means of creating such a link—then the retailer may leave the RFID tag operational as long as it also offers a means of deactivating it at the consumer's wish. (In this situation, the tag remains active, and consumers must "opt out" if they want the tag deactivated.)

"This is confusing because there could be a situation where linkage to a consumer's personal information is not clear," Board says. "For example, what if you pay for an item with a credit card? The tag might not contain personally identifiable information, but the retailer could link the two. So does that mean the tag would need to be killed? That's one of the things we will be asking the commission."

Login and post your comment!

Not a member?

Signup for an account now to access all of the features of RFIDJournal.com!

Case Studies Features Best Practices How-Tos
Live Events Virtual Events Webinars
Simply enter a question for our experts.
RFID Journal LIVE! RFID in Health Care LIVE! LatAm LIVE! Brasil LIVE! Europe RFID Connect Virtual Events RFID Journal Awards Webinars Presentations