Brussels, 6th April 2011
Digital Agenda: new guidelines to address privacy concerns over use of smart tags
Today the European Commission has signed a voluntary agreement with industry, civil society, ENISA (European Network and Information Security Agency) and privacy and data protection watchdogs in Europe to establish guidelines for all companies in Europe to address the data protection implications of smart tags (Radio Frequency Identification Devices – RFID) prior to placing them on the market. The use of such smart tags is expanding enormously (around 1 billion in Europe in 2011) but there are widespread concerns about their privacy implications. RFIDs can be found in many objects from bus passes to smart cards that pay motorway tolls. Microelectronic devices can process data automatically from RFID tags when brought close to 'readers' that activate them, pick up their radio signal and exchange data with them. Today's agreement forms part of the implementation of a Commission Recommendation adopted in 2009 (see IP/09/740) that inter alia indicates that when consumers buy products with smart tags, they should be deactivated automatically, immediately and free-of-charge unless the consumer agrees explicitly that they are not.
Neelie Kroes, European Commission Vice-President for the Digital Agenda said "I warmly welcome today's milestone agreement to put consumers' privacy at the centre of smart tag technology and to make sure privacy concerns are addressed before products are placed on the market. I'm pleased that industry is working with consumers, privacy watchdogs and others to address legitimate concerns over data privacy and security related to the use of these smart tags. This sets a good example for other industries and technologies to address privacy concerns in Europe in a practical way."
The agreement signed today, "Privacy and Data Protection Impact Assessment (PIA) Framework for RFID Applications", aims to ensure consumers' privacy before RFID tags are introduced on a massive scale (see IP/09/952). Around 2.8 billion smart tags are predicted to be sold in 2011, with about one third of these in Europe. But industry estimates that there could be up to 50 billion connected electronic devices by 2020.
RFID tags in devices such as mobile phones, computers, fridges, e-books and cars bring many potential advantages for businesses, public services and consumer products. Examples include improving product reliability, energy efficiency and recycling processes, paying road tolls without having to stop at toll booths, cutting time spent waiting for luggage at the airport and lowering the environmental footprint of products and services.
However RFID tags also raise potential privacy, security and data protection risks. This includes the possibility of a third party accessing your personal data (e.g. concerning your location) without your permission.
For example, many drivers pay tolls electronically to use roads, airport and car parks based on data collected through RFID tags on their car windscreens. Unless preventative action is taken, RFID readers found outside those specific locations could unwittingly lead to privacy leaks revealing the location of the vehicle. Many hospitals use RFID tags to track inventory and identify patients. While this technology can improve the overall quality of healthcare, the benefits must be balanced with privacy and security concerns.
Comprehensive assessment of privacy risks
Under the agreement, companies will carry out a comprehensive assessment of privacy risks and take measures to address the risks identified before a new smart tag application is introduced onto the market. This will include the potential impact on privacy of links between the data collected and transmitted and other data. This is particularly important in the case of sensitive personal data such as biometric, health or identity data.
The PIA Framework establishes for the first time in Europe a clear methodology to assess and mitigate the privacy risks of smart tags that can be applied by all industry sectors that use smart tags (for example, transport, logistics, the retail trade, ticketing, security and health care).
In particular, the PIA framework will not only give companies legal certainty that the use of their tags is compatible with European privacy legislation but also offer better protection for European citizens and consumers.
In May 2009 all interested stakeholders from industry, standardisation bodies, consumers' organisations, civil society groups, and trade unions, agreed to respect a Recommendation from the European Commission laying out principles for privacy and data protection in the use of smart tags (see IP/09/740). Today’s PIA Framework is part of the implementation of the 2009 Recommendation. Information gathered during the PIA framework drafting process will also make a valuable contribution to discussions on the revision of EU rules on Data Protection (see IP/10/1462 and MEMO/10/542) and on how to address the new challenges for personal data protection brought by technological developments.
For more information:
Link to the PIA framework
Digital Agenda website:
Neelie Kroes' website: http://ec.europa.eu/commission_2010-2014/kroes/
Follow Neelie Kroes on Twitter: http://twitter.com/neeliekroeseu