The Privacy Issue Goes Global

By Bob Violino

Governments around the world are beginning to look at how companies
will use RFID.

As the debate about RFID and privacy heats up, companies should keep in mind that many governments have existing laws and regulations that govern the gathering and processing of personally identifiable information. Recent rulings make it clear that these laws and regulations will apply to the use of RFID technologies.

Some companies haven’t begun to consider the privacy issue. Others are developing policies but worry about closing off areas of potential value. Many companies fail to take into account existing privacy regulations applicable to data processing that involves personally identifiable information. If the private sector doesn’t take action, governments are likely to step in and decide the issue for retailers and manufacturers.

A committee set up by Japan’s Ministry of Economy, Trade and Industry to look into the use of RFID in the supply chain recently issued draft guidelines “to clarify fundamental policies for consumer privacy protection on electronic tags for every category of business.” The guidelines incorporate some of the policy recommendations made by EPCglobal, the nonprofit organization commercializing Electronic Product Code technology. For instance, consumers must be notified when an item they buy has an RFID tag, and they should have the right to deactivate or remove the tag. The Japanese guidelines say that if RFID data is associated with personally identifiable information in a database, the country’s Personal Information Protection Law applies.

Japan’s guidelines pertain only to one country. But a ruling in Portugal sheds light on how RFID will be treated under privacy laws in all European Union countries. In January, Portugal’s National Data Protection Commission ruled that RFID use is subject to the country’s data protection laws, such as Act 67/98 on the Protection of Personal Data, and the commission outlined the privacy obligations of those using the technology. Portugal’s Act 67/98 took an EU directive on privacy protection and made it effective domestically. The EU directive requires member countries to “protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.”

Additional worries

The January ruling made it clear that Portugal’s privacy laws will apply to RFID. The commission stated: “It is easy to imagine and develop systems that, starting with data collected via [RFID], make it possible to interconnect with personal databases for simple identification or, for example, to identify credit card purchases, create customer profiles, and locate persons via the [RFID] tags in their possession.”

Act 67/98 said that the potential to read RFID tags remotely, without the knowledge and consent of the people carrying them, and the potential misuse of personal data have created “additional worries” about data protection. It said RFID manufacturers must find technological solutions to protect the public, and users of the technology must be aware of their legal obligations under existing privacy law.

The commission’s decision called special attention to the section of Portugal’s Act 67/98 that requires parties to notify the National Data Protection Commission “before carrying out any wholly or partly automatic processing operation or set of such operations intended to serve a single purpose or several related purposes.” In other words, if you plan to link RFID data with personally identifiable information about EU citizens in an information processing system in Portugal, you’ll have to explain how the processing will take place and for what purposes. Other countries in the European Union, such as the United Kingdom, Spain and Italy, require data processors to register with a data-protection authority before undertaking activities involving personally identifiable information.

The Portuguese decision also stressed the applicability of other fair-information practices to personally identifiable information linked to RFID. Under the “notice” principle, companies need to inform consumers that RFID equipment is being used (through a label on products or signs in stores, for example). Under the “choice” principle, in most circumstances consumers must have the option to opt out of any personally identifiable data collection. In cases where RFID readers are being used in stores or other public areas, consumers must be given notice if tags they’re carrying are being read and personally identifiable data is collected.

Data protection rules apply

The ruling by the Portuguese commission confirms that companies using RFID to collect personally identifiable information are subject to the EU’s data protection rules. Other EU governments are likely to make the same decision when considering local data collection and processing of personal data.

Elliot Maxwell, a fellow of the Center for the Study of American Government at Johns Hopkins University and the chairman of EPCglobal’s International Policy Advisory Council, says companies that want to operate globally are increasingly adopting uniform enterprise-wide privacy policies based on the well-established practices for the fair use of information. It’s too complex and costly to build different IT systems to manage personally identifiable data in the United States, Europe, Asia and Latin America. Because many countries outside the EU are using the European data protection rules, which incorporate the fair-use principles, those rules may well become the de facto standard for protecting personal information.

“Companies that build systems that honor fair information practices are likely to be in compliance with the vast majority of local laws and regulations,” Maxwell says.

Maxwell believes that companies must begin formulating their policies now (see Start a Privacy Dialogue). Policies that respect privacy and build trust with customers are better in the long run than policies that produce short-term gains by exploiting personal information. “If you understand the concerns of your more privacy-sensitive customers, you can meet the needs of your entire customer base, as well as those of policymakers,” he says. “The costs of responding to these concerns are far lower than the costs of ignoring them—which potentially include damage to a company’s reputation, loss of customers, sanctions for violating existing laws and demands for new regulations.”