Out-Law / Your Daily Need-To-Know

Out-Law News

EU Commission publishes voluntary guidelines on RFID and privacy


The European Commission has published guidelines that companies can follow if they want to assess the privacy implications of their use of radio frequency identification (RFID) chips.

The Commission has agreed the guidelines with industry groups and data protection regulators in an attempt to address some of the privacy implications of using the technology in consumer goods and services.

Companies that sign up to the guidelines agree to carry out a privacy risk assessment of products containing RFID chips. Those firms will have to put in place measures to address the risk of personal data leaking from these devices before the product can be sold.

Companies signing up to the agreement (24-page / 257KB PDF) will draw up their own Privacy and Data Protection Impact Assessment (PIA) report for any RFID applications that make use of personal data and will hand that report over to 'a competent authority' for approval.

RFID chips respond to readers that come within a few feet of them (the exact range depends on the tag type and the frequency used), meaning that organisations can learn not just what is stored on a chip but where the chip is. Chips are used by supermarkets to track stock, for example, but could also be used to store personal information.

Under the Commission-published guidelines, companies using the chips to store personal data will produce a full PIA report. A mini PIA audit is required in relation to RFID tags that a person may carry but which contain no personal data. No PIA is required for RFID tags on items not linked to personal information, such as supermarket pallets.

A PIA report will set out the kind of personal data the company plans to store via RFID product tagging, the frequencies it will use to allow the tag to communicate with its reader, and how the company would respond to a leak of that information to a third party.

The voluntary agreement was formed by the European Commission in conjunction with industry experts on RFID to give companies complying with the guidelines legal certainty that their use of RFID devices complies with European privacy legislation.

The agreed framework, endorsed by the European Network and Information Security Agency (ENISA), partly implements a 2009 European Commission recommendation that RFID tags be deactivated 'automatically, immediately and free-of-charge' when a product is bought by a consumer.

"I'm pleased that industry is working with consumers, privacy watchdogs and others to address legitimate concerns over data privacy and security related to the use of these smart tags. This sets a good example for other industries and technologies to address privacy concerns in Europe in a practical way," said Neelie Kroes, European Commission vice president for the Digital Agenda.

The European Commission is working on a proposed update of the Data Protection Directive that will include references to new technologies.

Information gathered from industry users of RFID during the formulation of the new PIA guidelines will be valuable to how the European Commission revises its data protection laws, the Commission said.

Pinsent Masons and Amberhawk Training will be running a data protection law update session on 11 April. Details and booking information (4-page / 164KB PDF)
