European Privacy and Security Standards

By Henri Barthel

Compliance with regulatory requirements will help, not hinder, RFID adoption.


It’s not surprising that the European Union (EU)—an economic and political partnership among 27 countries, with 23 official languages—encompasses a diversity of cultures, laws and regulations, including many related to security and privacy. In 2006, the European Commission (EC), the executive body of the EU, launched a number of RFID initiatives and research projects to encourage RFID adoption across the EU. At the same time, the EC took the view that Europe needed a consistent approach to RFID adoption, and security and privacy regulations had to be improved and harmonized.

In May 2009, the EC published its recommendation “on the implementation of privacy and data protection principles in applications supported by radio-frequency identification.” The EC then mandated that the European Committee for Standardization (CEN), European Committee for Electrotechnical Standardization (CENELEC) and European Telecommunications Standards Institute (ETSI) implement the recommendations.

From 2010 to 2011, ETSI led the first phase of the work, consisting of analyzing the standards landscape, identifying gaps and suggesting areas in which new European standards and technical specifications would be relevant. A comprehensive report outlining several proposals aimed at promoting confidence and trust in RFID technology and its applications was issued. The EC approved the report and appointed CEN to develop the recommended standards and technical reports. This work started in January 2012 and is due to be completed in early 2014.

One major deliverable will be a formal European standard on Signage and Emblem, which will specify the data and graphics to be applied in areas where RFID is used. Another will be a formal standard on Privacy Impact Assessment, which will specify normative and informative procedures to enable a common European method for undertaking an RFID PIA. The PIA standard will be generic, with a special focus on major sectors, including banking, e-ticketing, libraries and retail.

Other deliverables will include technical reports analyzing the features of RFID devices that must be taken into account in assessing privacy, a report on RFID penetration testing, an RFID threat and vulnerability analysis, and a report on potential threats associated with the use of mobile phones as RFID readers. We expect the forthcoming CEN standards will be referred to by EU legislation, at which time they will become mandatory for RFID applications in Europe.

Some businesses and RFID solution providers are concerned that compliance with regulatory requirements will slow or discourage RFID adoption. In reality, the contrary is true, because the availability of precise standards throughout Europe will provide clarity and legal certainty. It will build confidence that organizations can implement RFID in a way that is secure and fully respectful of people’s privacy.

Henri Barthel is chairman of CEN/TC 225, the European standards committee on automatic identification technologies and applications. He also is VP of system integrity and global partnerships for GSI.