
The Privacy Issue Goes Global

Governments around the world are beginning to look at how companies will use RFID.
By Bob Violino
Apr 01, 2004—As the debate about RFID and privacy heats up, companies should keep in mind that many governments have existing laws and regulations that govern the gathering and processing of personally identifiable information. Recent rulings make it clear that these laws and regulations will apply to the use of RFID technologies.

Some companies haven’t begun to consider the privacy issue. Others are developing policies but worry about closing off areas of potential value. Many companies fail to take into account existing privacy regulations applicable to data processing that involves personally identifiable information. If the private sector doesn’t take action, governments are likely to step in and decide the issue for retailers and manufacturers.

A committee set up by Japan’s Ministry of Economy, Trade and Industry to look into the use of RFID in the supply chain recently issued draft guidelines “to clarify fundamental policies for consumer privacy protection on electronic tags for every category of business.” The guidelines incorporate some of the policy recommendations made by EPCglobal, the nonprofit organization commercializing Electronic Product Code technology. For instance, consumers must be notified when an item they buy has an RFID tag, and they should have the right to deactivate or remove the tag. The Japanese guidelines say that if RFID data is associated with personally identifiable information in a database, the country’s Personal Information Protection Law applies.

Japan’s guidelines pertain only to one country. But a ruling in Portugal sheds light on how RFID will be treated under privacy laws in all European Union countries. In January, Portugal’s National Data Protection Commission ruled that RFID use is subject to the country’s data protection laws, such as Act 67/98 on the Protection of Personal Data, and the commission outlined the privacy obligations of those using the technology. Portugal’s Act 67/98 took an EU directive on privacy protection and made it effective domestically. The EU directive requires member countries to “protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.”

Additional worries
The January ruling made it clear that Portugal’s privacy laws will apply to RFID. The commission stated: “It is easy to imagine and develop systems that, starting with data collected via [RFID], make it possible to interconnect with personal databases for simple identification or, for example, to identify credit card purchases, create customer profiles, and locate persons via the [RFID] tags in their possession.”

Act 67/98 said that the potential to read RFID tags remotely, without the knowledge and consent of the people carrying them, and the potential misuse of personal data have created “additional worries” about data protection. It said RFID manufacturers must find technological solutions to protect the public, and users of the technology must be aware of their legal obligations under existing privacy law.

The commission’s decision called special attention to the section of Portugal’s Act 67/98 that requires parties to notify the National Data Protection Commission “before carrying out any wholly or partly automatic processing operation or set of such operations intended to serve a single purpose or several related purposes.” In other words, if you plan to link RFID data with personally identifiable information about EU citizens in an information processing system in Portugal, you’ll have to explain how the processing will take place and for what purposes. Other countries in the European Union, such as the United Kingdom, Spain and Italy, require data processors to register with a data-protection authority before undertaking activities involving personally identifiable information.

The Portuguese decision also stressed the applicability of other fair-information practices to personally identifiable information linked to RFID. Under the “notice” principle, companies need to inform consumers that RFID equipment is being used (through a label on products or signs in stores, for example). Under the “choice” principle, in most circumstances consumers must have the option to opt out of any personally identifiable data collection. In cases where RFID readers are being used in stores or other public areas, consumers must be given notice if tags they’re carrying are being read and personally identifiable data is collected.

Data protection rules apply
The ruling by the Portuguese commission confirms that companies using RFID to collect personally identifiable information are subject to the EU’s data protection rules. Other EU governments are likely to make the same decision when considering local data collection and processing of personal data.

Elliot Maxwell, a fellow of the Center for the Study of American Government at Johns Hopkins University and the chairman of EPCglobal’s International Policy Advisory Council, says companies that want to operate globally are increasingly adopting uniform enterprise-wide privacy policies based on the well-established practices for the fair use of information. It’s too complex and costly to build different IT systems to manage personally identifiable data in the United States, Europe, Asia and Latin America. Because many countries outside the EU are using the European data protection rules, which incorporate the fair-use principles, those rules may well become the de facto standard for protecting personal information.

“Companies that build systems that honor fair information practices are likely to be in compliance with the vast majority of local laws and regulations,” Maxwell says.

Maxwell believes that companies must begin formulating their policies now (see Start a Privacy Dialogue). Policies that respect privacy and build trust with customers are better in the long run than policies that produce short-term gains by exploiting personal information. “If you understand the concerns of your more privacy-sensitive customers, you can meet the needs of your entire customer base, as well as those of policymakers,” he says. “The costs of responding to these concerns are far lower than the costs of ignoring them—which potentially include damage to a company’s reputation, loss of customers, sanctions for violating existing laws and demands for new regulations.”