
European Commission Issues Framework for Measuring and Mitigating RFID's Privacy Impact

GS1 expects the voluntary guidelines will increase consumer trust in the technology, thereby advancing the adoption of RFID in Europe.
By Mary Catherine O'Connor
Apr 06, 2011

The European Commission (EC) has joined with commercial stakeholders, supply chain standards organization GS1, privacy watchdogs and the European Network and Information Security Agency (ENISA) in signing a voluntary agreement to establish guidelines for all companies in Europe, in order to address the data-protection implications of radio frequency identification technology prior to RFID tags being placed into the market.

In certain respects, Europe has led the way in RFID adoption. The technology is used by postal systems, transportation agencies, libraries and, increasingly, retailers across the European Union. And this strong adoption rate has been matched by coordinated efforts to ensure that the use of RFID does not erode Europeans' personal privacy, or the protection of personally identifiable information.

The agreement, titled "Privacy and Data Protection Impact Assessment (PIA) Framework for RFID Applications," is designed to address and protect consumer privacy in a proactive manner, before RFID tags become ubiquitous within consumer goods and services. It was created in response to a set of privacy objectives that the EC issued in 2009 (see European Commission Issues RFID Privacy Recommendations), and ENISA—the European Union agency dedicated to improving information and cyber-security across EU member-states—played an active role in its formation.

This new PIA framework is designed such that all end users (referred to in the document as RFID application operators), across all industries, will be able to utilize it as guidance in implementing RFID technology. The framework calls for RFID application operators to first conduct an internal review, to determine if a proposed deployment would require an assessment. This is a simple step involving a decision tree. If the proposed application will involve processing or linking to personal data, or if the tags will be carried by an individual, then an assessment is required. The PIA is a four-step process that entails a detailed description of the application, followed by a list of the potential risks to personal privacy that it represents, documentation of proposed technical and organizational controls to mitigate those identified risks, and finally a report that lays out this process in detail, outlining how the risks will be resolved, as well as any residual risks that could still remain.
