Give Your Views to the EU—Now!

The potential of radio frequency identification to deliver value to companies and consumers across Europe is at risk. If you conduct business in Europe and think RFID might help you improve efficiencies, or if you sell RFID systems in Europe, you need to act—and soon.

The European Commission, which has been examining the privacy implications of RFID for a couple of years, has published draft recommendations that will likely reduce the business and consumer benefits of RFID (see European Commission Works on RFID Policy and Europe’s RFID Privacy Policy Might Be a Mistake). But before the European Union adopts these proposals, there’s still time to convince them they risk throwing the baby out with the bathwater.

The commission is currently soliciting feedback. The deadline to comment is April 25. You know opponents of RFID will be out there saying the proposals don’t go far enough. So it’s imperative that end users, vendors and anyone else associated with RFID submit comments before the industry is saddled with regulatory issues rendering RFID untenable in any consumer—and potentially supply chain—application.

It’s easy to make your opinion count—there’s an online form that will just take a few minutes to fill out. Here’s a link.

The form presents each article of the draft, then provides a place for you to enter your opinion. Article 1 is an overview of the recommendations, and Article 2 provides the definitions used in those recommendations. Many, however are overly broad.

A “public place,” for instance, is defined as “any area, including non-stationary means of public transport such as buses, planes, railways or ships, which can be accessed at all times or at certain times by everybody.” So if you tag something that ends up in the cargo hold of an airplane, is that plane considered a public place?
An “RFID application,” meanwhile, is defined as “a system to process data through the use of RFID tags and/or readers, a back-end system and/or a networked communication infrastructure.” This means most companies’ IT systems would be considered an RFID application, if they integrate data with their back end.

“Monitoring” is defined as “any activity carried out for the purpose of detecting, observing, copying or recording the location, movement, activities, image, text, voice, sound or state of an individual.” That means using RFID to detect or prevent theft might not be feasible.

Article 3 says: “Where it cannot be excluded that data processed in RFID applications can be related to an identifiable natural person by an RFID application operator or a third party, Member States should ensure that RFID application operators and providers of components of such applications take appropriate technical and organizational measures to mitigate the ensuing privacy and data protection risks.”

In other words, if there is a chance—no matter how small—that RFID data could be linked to an individual, national governments in Europe should legislate technical protections and organizational measures to prevent it. The fact is, as any lawyer would attest, there is no application for which you can guarantee, with absolute certainty, that an RFID tag won’t be linked to a specific person somehow or in some way, even if companies have the best intentions. It would make far more sense to say that where there is a reasonable likelihood RFID data will be linked to individuals, states should ensure there are protections in place.

Article 5 spells out some specific actions companies must take if they plan to employ RFID in “public spaces” (for instance, they must explain what their data storage policy is). However, as stated earlier, “public spaces” is not clearly defined, so these requirements could affect everyone.

Article 6 is problematic, because it requires users to establish security for RFID applications but doesn’t recognize that many companies might participate in a single application, such as supply chain management. Who is responsible if one company in a particular chain fails to adhere to the recommendations? All of them?
Article 7 singles out the use of RFID in retail, stating that if a retailer’s privacy assessment “shows significant likelihood of personal data being generated from the use of the application, the retailer has to follow the criteria to make the processing legitimate as laid down in directive 95/46, and to deactivate the RFID tag at the point of sale unless the consumer chooses to keep the tag operational.” That means retailers in Europe won’t be able to use RFID for reverse logistics, and the tags can’t be used in recycling applications.

Retailers will have to install RFID interrogators at every point of sale to deactivate the tags—even if a customer doesn’t request it. The additional cost might put some retailers off using RFID. A far more sensible approach would be to say that as long as retailers take steps to safeguard customer data, they can kill the tag at a customer’s request (an opt-out rather than opt-in approach). If there are repeated abuses of the technology, governments could then reexamine the opt-out scenario and require that tags be killed unless customers opt out.

When I consider the recommendations, it seems obvious the authors believe RFID technology is inherently bad, or somehow destined to be used for nefarious purposes. There is no balance between the need to protect the public and a desire not to kill adoption and innovation. Every protection is put in place, even if it risks killing the technology.

I find this both sad and frustrating, because over the past six years of covering RFID, I have seen many great applications of the technology that serve businesses and consumers alike, and I have yet to see any abuses. All the evidence suggests companies won’t abuse the technology.

Members of the commission should think about this: No patents involving tracking consumers have been implemented. Why? Because retailers don’t want to lose their customers. It’s as simple as that.

I fervently believe the technology will bring great benefits to consumers and businesses alike, and that abuses can be prevented. That’s why you need to submit your opinions before April 25. Click here now, and make sure your voice is heard.

Mark Roberti is the founder and editor of RFID Journal. If you would like to comment on this article, click on the link below. To read more of Mark’s opinions, visit the RFID Journal Blog or click here.