The European Commission (EC) has joined with commercial stakeholders, supply chain standards organization GS1, privacy watchdogs and the European Network and Information Security Agency (ENISA) in signing a voluntary agreement to establish guidelines for all companies in Europe, in order to address the data-protection implications of radio frequency identification technology prior to RFID tags being placed into the market.
In certain respects, Europe has led the way in RFID adoption. The technology is used by postal systems, transportation agencies, libraries and, increasingly, retailers across the European Union. And this strong adoption rate has been matched by coordinated efforts to ensure that the use of RFID does not erode Europeans’ personal privacy, or the protection of personally identifiable information.
The agreement, titled “Privacy and Data Protection Impact Assessment (PIA) Framework for RFID Applications,” is designed to address and protect consumer privacy in a proactive manner, before RFID tags become ubiquitous within consumer goods and services. It was created in response to a set of privacy objectives that the EC issued in 2009 (see European Commission Issues RFID Privacy Recommendations), and ENISA—the European Union agency dedicated to improving information and cyber-security across EU member-states—played an active role in its formation.
This new PIA framework is designed such that all end users (referred to in the document as RFID application operators), across all industries, will be able to utilize it as guidance in implementing RFID technology. The framework calls for RFID application operators to first conduct an internal review, to determine if a proposed deployment would require an assessment. This is a simple step involving a decision tree. If the proposed application will involve processing or linking to personal data, or if the tags will be carried by an individual, then an assessment is required. The PIA is a four-step process that entails a detailed description of the application, followed by a list of the potential risks to personal privacy that it represents, documentation of proposed technical and organizational controls to mitigate those identified risks, and finally a report that lays out this process in detail, outlining how the risks will be resolved, as well as any residual risks that could still remain.
GS1, through its EPCglobal RFID division, issued its own, similar set of recommendations with the Guidelines on EPC for Consumer Products document, developed in 2003 and adopted in 2005.
Miguel Lopera, GS1’s president and CEO, stated at the PIA signing ceremony—which was held today in Brussels—that his organization “has strongly supported a co-regulatory approach through all the preparatory discussions that led to this text,” and that his organization welcomes the initiative. “I would also like to acknowledge the substantive and constructive dialogue we have had with the data-protection authorities throughout,” he said.
The creation of the framework, Lopera noted, should encourage greater adoption of RFID technology. “The use of the PIA framework will increase consumer trust in the technology, which will increase adoption of RFID technology in Europe,” he said. “I’d like to point out that our GS1 EPCglobal applications were developed so that no personal data is actually present on a tag.”
Neelie Kroes, the VP of the European Commission for the Digital Agenda (formerly known as the Commission for Information Society and Media), said at the PIA signing ceremony that the framework is a win-win scenario for industry and consumers alike, since it provides RFID application operators with a roadmap for deploying the technology in compliance with existing EU privacy laws: the EU Data Protection Directive of 1995, and the ePrivacy Directive of 2002. “It is obvious that technology evolves faster than legislation,” she said. “The various parties gathered today have recognized this, and decided that this PIA framework was the most effective and efficient way to protect the privacy of European citizens without stifling innovation when using RFID applications.”
According to the European Commission, an estimated 2.8 billion RFID tags are expected to be sold this year—a third of those in Europe.