Industry and consumer organizations around Europe welcomed an official “recommendation on the implementation of privacy and data protection principles in applications supported by radio-frequency identification.” Issued this week by the European Commission (EC), the document outlines data privacy objectives suggested for use in the organization’s 27 member states.
The document advises that consumers should be informed of the presence of RFID tags placed on or embedded in products, and that tags should be removed or deactivated immediately—and without a fee—at the point of sale, unless a purchaser expressly consents to keep a tag operational. The decision whether or not such an opt-in policy is necessary, however, will be determined after a retailer assesses the privacy- and data-protection risks of its own particular RFID application.
The non-binding recommendation provides a data-protection framework, including guidance regarding opt-in requirements. Industry and consumer groups say the document paves the way for greater implementation of RFID technology.
EPCglobal, the nonprofit industry organization that promotes the development and standardization of Electronic Product Code (EPC) RFID technology, welcomed the move. “The recommendation is important because it provides certainty for the European market,” says Marisa Jimenez, EPCglobal’s Brussels-based public policy director for Europe. “The framework allows us to focus on innovation rather than privacy risks.”
Informationsforum RFID, a German association representing corporate users of RFID and other industry participants, also welcomed the recommendation. “After nearly two years of consultations,” Andrea Huber, the group’s CEO, said in a statement, “the recommendation creates a secure basis on which companies can plan their business activities.”
The European Consumers’ Organization, also known as the Bureau Européen des Unions de Consommateurs (BEUC), was pleased with the recommendation as well. The Brussels-based group, which advocates for consumers’ rights, participated in the two years of consultations.
Emilie Barrau, a legal officer at BEUC, says the recommendation was the best way to protect consumer data, though it still remains to be seen if it will be implemented. “In Europe,” she notes, “we have good data-protection laws, but often they’re not applied.”
Arriving at the Recommendation
European consumers are particularly sensitive about data privacy. In the years leading up to Tuesday’s recommendation, the European Commission held online and in-person consultations regarding RFID technology’s impact on data privacy. In 2006, the EC released preliminary results of the consultations (see EU RFID Survey Shows Privacy Protection a Prime Concern). A survey indicated that nearly half of all respondents believed privacy-enhancing technologies should be mandatory in RFID applications, while 61 percent felt an RFID tag attached to products sold in retail stores should be automatically deactivated at the point of sale. In March 2007, the commission set up a stakeholders’ group that examined privacy issues, among others (see EC Floats Plan to Facilitate RFID Usage).
Opt-In Policy
The final recommendation was issued following consultations with standardization organizations, consumer organizations, civil society groups and trade unions, as well as companies that manufacture, sell and utilize RFID technology.
The practice of deactivating a tag immediately upon purchase of a tagged item unless a consumer expressly opts in is something urged by many consumer advocates. However, many businesses in the RFID sector fought against making an opt-in policy mandatory (see EC Publishes RFID Privacy Policy Draft). Those companies argue that such a requirement would hamper many of RFID’s post-sale benefits, such as more efficient recycling and management of warranties and repairs.
However, the recommendation also states: “In the retail trade sector, an assessment of the privacy and data protection impacts of products containing tags which are sold to consumers should provide the necessary information to determine whether there is a likely threat to privacy or the protection of personal data.”
For Jimenez, this point is critical. Although the recommendation reads as if deactivation is required at the point of sale, she says, it essentially offers retailers a great deal of flexibility, assuming they can prove prior to implementation that their application poses no risk to privacy, or that they have a system in place to mitigate risk.
“The [recommendation’s] deactivation provisions are linked to the results of privacy impact assessments,” Jimenez states. “Retailers have to assess risk on a case-by-case and application-by-application basis.” Such privacy impact assessments would need to be reviewed by national data-protection authorities.
Barrau agrees with Jimenez’s interpretation, but warns: “We have to be clear on the fact that the privacy impact assessment needs to be carried out thoroughly and reviewed…A privacy impact assessment is not a way to avoid opt-ins.”
The EC’s recommendation further states that consumers are entitled to clear and simple information regarding the types of data that will be processed by a particular RFID application. It also recommends a common European symbol for products carrying RFID tags.
Jimenez says her group is also satisfied with this section of the recommendation, which lays out minimum transparency standards but offers retailers the freedom to choose how to inform consumers—for example, via statements on a Web site, through brochures or on posters. Still, she believes a global symbol denoting the presence of RFID would be better than one for Europe only.
“Manufacturers’ supply chains are global,” Jimenez says. “The obligation for a European logo may be a burden on them. A global logo is a much better way to go.”
Implementing the Recommendation
Within the next two years, EU member states must report on their efforts to meet the terms of the recommendation. Three years from now, the commission intends to analyze the impact its recommendation has had on companies, public entities and EU citizens.
For Barrau, implementation remains the big question mark. If her group could change the recommendation, she says, it would like that recommendation to be “more binding,” and to cover more than just data privacy. The group would like for the commission to develop guidance pertaining to the health, environmental and competition concerns that she believes surround RFID.
BEUC wants additional information regarding the cumulative effects of electromagnetic fields on human health, and is concerned that RFID tag disposal may strain recycling systems since tags are composed of different types of metals and are often embedded in packaging. Finally, the group worries that RFID tags could potentially be used to restrict competition by linking products together, such as printers and proprietary printer cartridges.
“While privacy and security are at the top of the list for consumer concerns,” Barrau states, “other areas still need to be addressed.”