Europeans should be able to have control over smart chips, a worldwide market set to grow five times over in the next decade, while still being able to easily use them to make everyday life simpler, says the European Commission. There are already over 6 billion smart chips, microelectronic devices that can be integrated into a variety of everyday objects from fridges to bus passes. With Radio Frequency Identification (RFID) technology, they can process data automatically when brought close to ‘readers’ that activate them, pick up their radio signal and exchange data with them. They are in the passes you use to enter your office and the smart cards that pay highway tolls. Today, the Commission adopted a set of recommendations to make sure that everyone involved in the design or operation of technology using smart chips respects the individual’s fundamental right to privacy and data protection, contained in the Charter of Fundamental Rights of the European Union proclaimed on 14 December 2007.
RFID stands for Radio-Frequency IDentification. It is a generic term for a system that transmits the identity of an object or person (in the form of a unique serial number) wirelessly, using radio waves. A variety of cards use RFID, such as contactless or electronic access cards.
A basic RFID system consists of tags and readers. A tag holds the identity to be transmitted; a reader emits radio signals in order to read data from, or write data to, the tag. When a tag detects the reader's signal (i.e. it passes through the reader's reading range), it answers with a signal that contains its identity. The reader receives that identity and passes it to a host computer for processing.
RFID systems vary in complexity. Some readers work only with particular types of tag; some tags will not release their data unless the reader presents a password (access key), and some encrypt the exchange. A tag with neither protection answers any compatible reader that reaches it.
Worldwide sales of RFID tags reached approximately 2.16 billion in 2008, a substantial increase from the year before. In 2007, tags sold were used in smart cards and payment key fobs (36%), smart tickets/bank notes/secure documents (14%), cases or crates of consumer retail goods (13%), retail apparel (5%), animals (5%), and books (4%).
RFID technology can be applied in many fields: manufacturing and production, transport and logistics, retail trade, public transport, health care, anti-counterfeiting, ticketing, e-payment, security, recycling and more. It is a powerful technology to optimise existing processes, improve reliability, offer new services and, more broadly, increase productivity.
Some examples: tags in transport tickets allow faster check-in and eliminate paper tickets; tags in access badges conveniently replace keys (faster access, no need to replace locks when a badge is lost); tags in retail products improve their management (better traceability, better product recalls, helping retailers check that all sizes of a garment are in store, etc.).
RFID tags can store complex data and communicate it automatically, while at the same time they can be embedded within products or made so small that they are hardly visible to the human eye. Therefore, if consumers are unaware or uninformed of their use by retailers, tags and readers could be used without the consumers' prior consent or knowledge. Many RFID tags carry unique identification numbers, so two tagged products can be told apart. If a tag is within a reader's reading distance, it can be read even when hidden from direct view, in a bag or a pocket (e.g. through a piece of cloth).
If an object containing an RFID tag is within reading distance of a reader, the tag can be read even if someone is not actively using the object (as opposed to, for example, a debit card being swiped).
Commissioner Viviane Reding, the EU’s Commissioner for Information Society and the Media, has said:
The Directive on the protection of personal data (95/46/EC) offers a legal framework for the processing of personal data, saying that a person must freely give specific consent and be informed before their personal information is processed. The Directive on privacy and electronic communications (2002/58/EC) requires EU Member States to ensure confidentiality of the communications by prohibiting unlawful interception and surveillance of personal information unless the users concerned have given their consent.
In its proposals for reform of the EU telecoms, the Commission has included a clarification that public communications networks supporting RFID and similar devices are covered by the Directive on privacy and electronic communications.
These Directives are complemented by a Recommendation published today that interprets them by providing guidance on how to implement RFID applications in a manner that protects privacy and personal data. This includes an opt-in approach giving citizens control over RFID.
For retail applications, the “opt-in” approach recommended by the European Commission means tags should be deactivated or removed if they present a threat to privacy or data protection, unless consumers give their consent to keep their tags active (i.e. they are opting-in).
The Commission recommends that the presence of the tag is indicated through at least a sign. Depending on the characteristics of the product (size, material, intended usage, etc.), the sign can be placed on the product itself, on its packaging, or on the shelf where it is located. The European Standardisation Organisations are currently defining a standard sign that will be used throughout Europe.
Most tags used in retail trade applications contain a unique number made of three parts: the first identifies the company that first assigned the number, typically the producer of the product (e.g. Water Company Ltd.); the second indicates the type of product (e.g. a 1.5 l bottle of sparkling water); and the third is a serial number that identifies one precise item. Following the same example, all the bottles in a six-bottle pack would share the first and second parts but differ in the third.
Associating the first part with the producer is something many companies can do, since company prefixes are registered with a standards body. Working out what the second and third parts mean would require an agreement with the producer, as that information usually lies in the producer's internal computer systems.
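The three-part number described above is, on most retail tags, a GS1 Electronic Product Code in SGTIN-96 form: an 8-bit header, 3 filter bits, 3 partition bits, then the company prefix and item reference (44 bits between them, split according to the partition) and a 38-bit serial. The following encoder/decoder is an added example written for this page, not code from the Commission or from GS1. It assumes the SGTIN-96 layout and partition table from the GS1 EPC Tag Data Standard, and uses the standard's published example (company prefix 0614141, item reference 812345, serial 6789, hex 3074257BF7194E4000001A85) as a test vector. It also shows why a reader outside the producer's system learns only the company: the prefix is public, but the item reference and serial are opaque numbers without the producer's database.

```python
"""SGTIN-96 encoder/decoder: split a retail EPC into its three parts.

Added example for this page; assumes the GS1 EPC Tag Data Standard SGTIN-96
layout (header 0x30, 3 filter bits, 3 partition bits, company prefix +
item reference = 44 bits, 38-bit serial).
"""

# Partition table from the GS1 EPC Tag Data Standard:
# partition -> (company-prefix bits, company-prefix digits,
#               item-reference bits, item-reference digits)
PARTITIONS = {
    0: (40, 12, 4, 1),
    1: (37, 11, 7, 2),
    2: (34, 10, 10, 3),
    3: (30, 9, 14, 4),
    4: (27, 8, 17, 5),
    5: (24, 7, 20, 6),
    6: (20, 6, 24, 7),
}
SGTIN96_HEADER = 0x30
SERIAL_BITS = 38


def encode_sgtin96(company_prefix: str, item_ref: str, serial: int,
                   filter_value: int = 3) -> str:
    """Return the 24-hex-digit SGTIN-96 for a company prefix, item reference and serial."""
    for partition, (cp_bits, cp_digits, ir_bits, ir_digits) in PARTITIONS.items():
        if cp_digits == len(company_prefix):
            break
    else:
        raise ValueError("company prefix must be 6 to 12 digits")
    if len(item_ref) != ir_digits:
        raise ValueError(f"item reference must be {ir_digits} digits for a "
                         f"{cp_digits}-digit company prefix")
    if not 0 <= serial < (1 << SERIAL_BITS):
        raise ValueError("serial does not fit in 38 bits")
    if not 0 <= filter_value < 8:
        raise ValueError("filter value must be 0..7")
    value = SGTIN96_HEADER
    value = (value << 3) | filter_value
    value = (value << 3) | partition
    value = (value << cp_bits) | int(company_prefix)
    value = (value << ir_bits) | int(item_ref)
    value = (value << SERIAL_BITS) | serial
    return f"{value:024X}"


def decode_sgtin96(epc_hex: str) -> dict:
    """Split an SGTIN-96 into company prefix (public), item reference and serial (producer-private)."""
    if len(epc_hex) != 24:
        raise ValueError("SGTIN-96 is 96 bits = 24 hex digits")
    value = int(epc_hex, 16)
    if value >> 88 != SGTIN96_HEADER:
        raise ValueError("not an SGTIN-96 (header byte is not 0x30)")
    filter_value = (value >> 85) & 0x7
    partition = (value >> 82) & 0x7
    if partition not in PARTITIONS:
        raise ValueError(f"invalid partition value {partition}")
    cp_bits, cp_digits, ir_bits, ir_digits = PARTITIONS[partition]
    serial = value & ((1 << SERIAL_BITS) - 1)
    rest = value >> SERIAL_BITS
    item_ref = rest & ((1 << ir_bits) - 1)
    company_prefix = (rest >> ir_bits) & ((1 << cp_bits) - 1)
    return {
        "filter": filter_value,
        "company_prefix": f"{company_prefix:0{cp_digits}d}",
        "item_reference": f"{item_ref:0{ir_digits}d}",
        "serial": serial,
    }


def gtin14_from_sgtin(company_prefix: str, item_ref: str) -> str:
    """Rebuild the GTIN-14 that the barcode carries: the item reference's first digit is the
    GS1 indicator digit, the remaining digits follow the company prefix, then a mod-10 check."""
    body = item_ref[0] + company_prefix + item_ref[1:]
    weights = [3, 1] * 7  # GS1 check digit: weight 3 on the leftmost of 13 digits, alternating
    total = sum(int(d) * w for d, w in zip(body, weights))
    return body + str((10 - total % 10) % 10)


def six_pack(company_prefix: str, item_ref: str, first_serial: int) -> list:
    """EPCs for a six-bottle pack: same prefix and item reference, consecutive serials."""
    return [encode_sgtin96(company_prefix, item_ref, first_serial + i) for i in range(6)]


if __name__ == "__main__":
    # Test vector from the GS1 standard: sgtin-96:3.0614141.812345.6789
    epc = encode_sgtin96("0614141", "812345", 6789)
    print(epc, decode_sgtin96(epc), gtin14_from_sgtin("0614141", "812345"))
    for bottle in six_pack("0614141", "812345", 6789):
        print(bottle)  # only the serial (low 38 bits) differs between the six
```

Decoding tells a third party that the tag was issued under company prefix 0614141, which a public GS1 lookup resolves to a company name; the item reference 812345 and serial 6789 are meaningful only to whoever holds that company's product and item database, which is the point made in the paragraph above.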
The Commission recommends that consumers are informed of the data that is being processed; this includes informing consumers of the data contained on the tag, as well as how it is used and why it is used by retailers. This information should be provided to you by the organisation that is using the tag. In the case of retail products, this would typically be the producers of the product or the retailers themselves.
Organisations responsible for placing the tags should conduct privacy and data protection impact assessments to understand and act on the possible privacy and data protection threats that the presence of the tag creates. If this is done in the way recommended today by the European Commission, there should be no reason for privacy concerns.
Yes. Firstly, if the tag is likely to present a threat to your privacy or your personal data, the Commission recommends that the organisation that placed it should eliminate the threat, remove the tag, or deactivate it. Secondly, if the tag does not present a threat to your privacy or your personal data, and provided the tag was placed by your retailer, the Commission recommends that you can still ask the retailer to remove or deactivate the tag should you wish so.
It would only be possible to ‘track’ consumers if there were interconnected RFID readers but for the foreseeable future readers will only be located in a limited number of places (access control doors in companies, on public transport, etc.) and are usually not interconnected (readers from a public transportation company and a supermarket are not on the same system).
Tags that you carry can be ‘read’ by specific devices, but reading the content of a tag and making sense of what it means are two different things. Technical incompatibilities aside, if a retailer’s RFID reader comes close to and “reads” your public transport ticket, the chances are it will not understand it and will simply disregard the captured data.
This development will be kept under constant scrutiny by data protection authorities and by the European Commission.
In many cases, your contactless card will contain personal information. The type of personal information depends on the application of the RFID tag. For example, many public transport applications store personal data on the card itself, such as the number of journeys taken and when. This information is gathered for several reasons, including allowing you to claim back a journey that was charged but not taken. However, if personal data is stored on your transport card, the transport company should inform you of the data the card contains.
The Commission recommends that consumers are informed of RFID tag use the first time the card is made available, and that they are entitled to ask for information at any time. For rechargeable cards, the booth at which you recharge them usually offers this service.
The Commission recommends that employers inform their employees on the purposes of the application and the data processed. If applicable, this could include your arrival/departure times and how it is linked to your personal data. Your employer might simply use electronic cards for access control and nothing else.
If you are the organisation that decides the purposes and the means of the application: yes, even if you are sub-contracting the operational aspects to a third party.
Every RFID operator must conduct privacy and data protection impact assessments (PIAs) in order to understand and act on the possible privacy and data protection threats that the presence of the tag creates. Many sources of information on how to conduct PIAs are available and can provide support, including the vendor that supplies your RFID technology and the data protection authority responsible for your organisation.
Yes. RFID applications can become very complex and have consequences, notably for privacy, that were not initially intended. However, the level of detail of your assessment should be proportionate to the risks associated. Privacy and data protection impact assessments can be short if the risk is quickly determined to be insignificant.
Probably not, unless you are the organisation that decides the purposes and the means of the application or you process the data yourself.
The Recommendation does not include any provision specific to you. However, your clients are likely to rely on you to help them integrate the different recommended elements, such as the privacy and data protection impact assessment or the information to be provided to individuals, just as they have relied on you to advise on the choice of an RFID technology.