EU Drafting New RFID-Oriented Privacy Protections

The European Union has made its draft policy recommendations for RFID deployments available for review. The EU is enhancing its existing Data Protection Directive to cover specific concerns arising from RFID use, and hopes to have the new policy in place later this summer.
Published: February 28, 2008

This article was originally published by RFID Update.

February 28, 2008—The European Union has released an official recommendation for new policies to address privacy threats arising from the use of RFID systems. The RFID Recommendation will be open for public comment through April 25, 2008, and the EU plans to implement its resulting new policy by the summer. The policy is being developed to supplement the existing EU Data Protection Directive to cover circumstances specific to RFID.

“The EU Data Protection Directive has been transposed by all member states into their national legislation. Although this directive is technologically neutral and its principles and provisions are sufficiently general, its practical applicability can be difficult to evaluate in some RFID scenarios,” Gérald Santucci, head of the EU’s networked enterprise & radio frequency identification unit, told RFID Update in an e-mail. “The Recommendation does not create new rules but rather uses a ‘soft law’ mechanism to complement the directive with a specific interpretation for RFID applications.”

“Soft law” is a term commonly used in EU communications. Its legal bearing is somewhat unclear, and the term is used in much the same sense as “guidelines” or “code of conduct.”

The 10-point Recommendation includes numerous recommended actions and best practices for companies implementing RFID systems to consider. It was motivated by the growing use of RFID in European retail, but the EU wants to promote the Recommendation to other sectors as well. Highlights from the Recommendation include:

  1. Privacy assessments should be conducted before RFID applications are implemented.
  2. Organizations should designate a person responsible for monitoring privacy assessments.
  3. Results should be made public.
  4. Industry and professional organizations are encouraged to create RFID implementation guidelines and codes of conduct.
  5. Signs should be used to make the public aware where RFID is in use.
  6. A standard logo should be developed and used to indicate products that include RFID tags.
  7. RFID applications should employ “state of the art” security.
  8. Retailers should give consumers the option to opt out of RFID systems and should not charge or otherwise penalize consumers to deactivate tags.
  9. The EU should provide a follow-up report within three years of the final Recommendation being implemented.

The Recommendation is intended to help — not inhibit — European RFID adoption, Santucci explained. “A top priority for Europe is to create trust in RFID technology. Trust is paramount for the social acceptance of RFID. So long as European citizens consider RFID to be more threatening to their privacy than previous innovations which pervaded the personal sphere — such as mobile phones or surveillance cameras — Europe’s industry will trail behind its competitors because of increasing difficulties to deploy applications.”

Individuals can view and comment on the complete recommendation, but must provide some demographic information to access it. Comments are welcome from non-EU residents. More information is also available on the EU RFID policy website.

The EU was considering RFID-specific legislation about a year ago, but decided not to pursue regulation (see EU’s Decision Not to Legislate RFID is Conditional). The current effort comes at a time when European retailers are increasingly using RFID in everyday operations, a point not lost on EU policy makers.

“RFID applications in the retail sector will increasingly be implemented at item level, not just pallet or case level. This individualization of RFID tags de facto increases the sensitivity of consumers to the actual use of the technology,” said Santucci. “The European Commission aims to facilitate a balanced approach to these issues by encouraging the dialogue between industry and customers, in particular to create agreements, for example codes of conduct, that ensure that all involved have proper possibilities to protect their interests.”

METRO Group is one of Europe’s largest retailers and a heavy item-level RFID user (see METRO Unveils Warehouse-to-Checkout RFID System and Why METRO’s Item-Level RFID Deployment Matters), but is far from the only one. Also see the following for coverage of other recent rollouts: