EU lays out RFID data protection framework
30 July 2014 | 1969 views | 0
Source: European Commission
New EU-wide technical standards have been agreed that will help users of Radio Frequency Identification (RFID) smart chips and systems comply with EU Data Protection rules and the Commission's 2009 recommendation on RFID (see IP/09/740). A "data protection impact assessment" process has also been agreed.
Practical effects of these new standards will include:
People using electronic travel passes, or buying clothes and supermarket items with RFID tags in the label, will know that smart chips are present thanks to the RFID sign (see right).
Retailers can use RFID technology to improve stock management and prevent theft, confident that they are respecting current EU data protection rules.
RFID application developers can rely on the Privacy Impact Assessment standards to ensure "data protection by design" within EU data protection rules.
In sectors such as healthcare and banking where RFID use is exploding, this rapid set of changes will take place in the legal mainstream rather than in a grey zone.
European Commission Vice President @NeelieKroesEU said: "Smart tags and systems are part of everyday life now, they simplify systems and boost our economy. But it is important to have standards in place which ensure those benefits do not come at a cost to data protection and security of personal data". According to reports, the global market for RFID applications is expected to grow to $9.2 billion in 2014. Consumers should not face surveillance from RFID chips, they should be deactivated by default immediately and free-of-charge at the point of sale.
Companies or public authorities using smart chips should:
give consumers clear and simple information so that they understand if their personal data will be used, the type of collected data (such as name, address or date of birth, for example when registering for a travel subscription card) and for what purpose.
provide clear labelling to identify the devices that 'read' the information stored in smart chips, and provide a contact point for citizens to obtain more information.
should conduct privacy and data protection impact assessments, reviewed by national data protection authorities, before using smart chips.
Retail associations and organisations should promote consumer awareness on products containing smart chips through the use of a common European sign (see above).
These standards follow eight years of Commission policy action.
2006: largest ever policy-related consultation on digital issues (IP/06/289 and MEMO/06/112)
2009: adoption of Commission Recommendation on the implementation of privacy and data protection principles in applications supported by radio- frequency identification (IP/09/740)
2011: signing of the Privacy Impact Assessment framework, the first of its kind in Europe. The PIA framework was produced by industry in January 2011, endorsed by Art 29 data protection working party in February 2011, and signed by key stakeholders and Neelie Kroes on 6 April 2011 (see SPEECH/11/236). Today the Privacy Impact Assessment process has expanded to other new privacy-related areas like the certification of smart meters. It is due to be mandatory under new EU Data protection rules. The European Norms on RFID and the RFID Recommendation are based on the existing EC 95/46 data protection directive and the article 29 working party interpretation of it.