Brussels, 12 May 2009
"While smart chips working with RFID technology can make businesses more efficient and better organised, I am convinced they will only be welcomed in Europe if they are used by the consumers and not on the consumers. No European should carry a chip in one of their possessions without being informed precisely what they are used for, with the choice of removing or switching it off at any time. The 'Internet of Things' will only work if it is accepted by the people."
Viviane Reding, EU Commissioner for Information Society and Media
What is RFID?
RFID stands for Radio-Frequency IDentification. It is a generic term that is used to describe a system that transmits the identity (in the form of a unique serial number) of an object or person wirelessly, using radio waves. A variety of different cards use RFID, such as contact-less or electronic access cards.
How does RFID work?
A basic RFID system consists of tags and readers. A tag contains the identity to be transmitted, and a reader emits radio signals in order to read data from, or write data to, the tag. When an RFID tag detects the reader's incoming signal (i.e. it passes through the reader's reading range), it responds with an outgoing signal that contains its identity. The reader receives the identity, which is then passed to the host computer for processing.
RFID systems vary in complexity: for example, some readers only work with certain tags, or tags are protected and will only communicate if they are interrogated with a password.
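The exchange just described, as an added illustration (not code from the Commission's text or from any RFID product): a tag in range answers a reader's signal with its identity without any action by the person carrying it, a password-protected tag answers only a reader that presents the right password, and a tag that has been deactivated answers nobody. All identities and passwords are constructed sample values.

```python
"""Simulated RFID reader/tag exchange (added illustration, not from the
Commission's text). The message flow and the tag behaviours follow the
description above: a tag in range answers a reader's signal with its
identity; some tags only answer when interrogated with a password; a tag
that has been deactivated does not answer at all. Identities and passwords
below are constructed sample values."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Tag:
    identity: str                    # constructed sample identity
    password: Optional[str] = None   # None = tag answers any reader
    active: bool = True              # False once deactivated
    log: list = field(default_factory=list)

    def on_signal(self, presented_password: Optional[str]) -> Optional[str]:
        """Tag-side handling of an incoming reader signal.
        Note that nothing here depends on the holder doing anything."""
        if not self.active:
            self.log.append("ignored: tag deactivated")
            return None
        if self.password is not None and presented_password != self.password:
            self.log.append("refused: wrong or missing password")
            return None
        self.log.append("answered with identity")
        return self.identity

    def deactivate(self) -> None:
        """The tag stops responding to every reader from now on."""
        self.active = False


class Reader:
    def __init__(self, name: str, password: Optional[str] = None):
        self.name = name
        self.password = password     # what this reader presents to tags

    def interrogate(self, tags_in_range):
        """Reader-side: emit a signal, collect the identities that come back."""
        heard = []
        for tag in tags_in_range:
            reply = tag.on_signal(self.password)
            if reply is not None:
                heard.append(reply)
        return heard


def demo():
    """Three tags in range of two readers; returns what each reader hears."""
    open_tag = Tag("PRODUCT-0001")                         # constructed
    protected_tag = Tag("TRANSPORT-CARD-42", password="s3cret")
    killed_tag = Tag("PRODUCT-0002")
    killed_tag.deactivate()                                # deactivated at purchase
    shop_reader = Reader("shop")                           # presents no password
    transit_reader = Reader("transit", password="s3cret")  # knows the card password
    in_range = [open_tag, protected_tag, killed_tag]
    return {
        "shop": shop_reader.interrogate(in_range),
        "transit": transit_reader.interrogate(in_range),
    }


if __name__ == "__main__":
    print(demo())
```

The shop reader hears only the open product tag: the transport card refuses it and the deactivated tag stays silent. The transit reader, presenting the card's password, hears both the open tag and the card, which is the "reading the content" half of the picture; making sense of the open tag's identity is a separate matter handled by whoever holds the product data.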
Are there many RFID tags?
Worldwide sales of RFID tags reached approximately 2.16 billion in 2008, a substantial increase from the year before. In 2007, tags sold were used in smart cards and payment key fobs (36%), smart tickets/bank notes/secure documents (14%), cases or crates of consumer retail goods (13%), retail apparel (5%), animals (5%), and books (4%).
What are the benefits of RFID?
RFID technology can be applied in many fields: manufacturing and production, transport and logistics, retail trade, public transport, health care, anti-counterfeiting, ticketing, e-payment, security, recycling – and more. It is a powerful technology to optimise existing processes, improve reliability, offer new services and, more broadly, increase productivity.
Some examples: tags in transport tickets allow for faster check-in and eliminate the use of paper tickets; tags in access badges conveniently replace keys (faster access, no need to replace locks when a key is lost); tags in retail products improve their management (improved traceability, improved product recalls, helping retailers make sure all sizes of a garment are in store, etc.).
What are the apprehensions about the effect of RFID tags on privacy and personal data protection?
RFID technologies can store complex data and communicate information automatically, while at the same time they can be embedded within products or are so small that they can hardly be seen by the human eye. Therefore, if consumers are unaware or uninformed of their use by retailers, RFID tags and readers could also be used without the prior consent or knowledge of consumers. Many RFID tags contain unique identification numbers, meaning that two tagged products can be distinguished from one another. If a tag is within the reading distance of a reader, it can be read even if it is hidden from direct view, in a bag or pocket (e.g. through a piece of cloth).
If an object containing an RFID tag is within reading distance of a reader, the tag can be read even if someone is not actively using the object (as opposed to, for example, a debit card being swiped).
It is because of these concerns that the Commission has today outlined principles for protecting privacy and data protection as RFID tags play a greater role in daily life.
What is the Commission's view on data privacy in the Information Society?
Commissioner Viviane Reding, the EU's Commissioner for Information Society and the Media, has said: "Privacy is a particular value for us Europeans; a value reflected in European laws for many years. However, in spite of the many advantages of technological development, there is an undeniable risk that privacy is being lost to the brave new world of intrusive technologies. On the global information highways, personal information is increasingly becoming 'the new currency'. And I believe that Europeans in many ways take fuller advantage of new technologies than other continents – just look at Europe's strong broadband and mobile phone take-up. I believe that Europeans must have the right to control how their personal information is used."
What has the EU done to ensure the privacy of its citizens in an RFID environment?
The Directive on the protection of personal data (95/46/EC) offers a legal framework for the processing of personal data, saying that a person must freely give specific consent and be informed before their personal information is processed. The Directive on privacy and electronic communications (2002/58/EC) requires EU Member States to ensure confidentiality of the communications by prohibiting unlawful interception and surveillance of personal information unless the users concerned have given their consent (IP/09/571).
In its proposals for reform of the EU telecoms, the Commission has included a clarification that public communications networks supporting RFID and similar devices are covered by the Directive on privacy and electronic communications.
These Directives are complemented by a Recommendation published today that interprets them by providing guidance on how to implement RFID applications in a manner that protects privacy and personal data. These include an opt-in approach giving citizens control over RFID.
What is the "opt-in" approach recommended by the European Commission?
For retail applications, the "opt-in" approach recommended by the European Commission means tags should be deactivated or removed if they present a threat to privacy or data protection, unless consumers give their consent to keep their tags active (i.e. they are opting-in).
I am an individual buying a product that contains an RFID tag...
...How can I know if a product that I am buying has a tag?
The Commission recommends that the presence of the tag is indicated through at least a sign. Depending on the characteristics of the product (size, material, intended usage, etc.), the sign can be placed on the product itself, on its packaging, or on the shelf where it is located. The European Standardisation Organisations are currently defining a standard sign that will be used throughout Europe.
... What data is usually stored on tags?
Most tags used for retail trade applications contain a unique number made of three parts: the first indicates the name of the first user of the tag, typically the producer of the product (e.g. Water Company Ltd.), the second indicates the type of product (e.g. a 1.5l bottle of sparkling water) and the third is a serial number that identifies one precise item. Following the same example, all the bottles of a six-bottle pack would have the same first and second parts but would differ in the third part.
... So, can anyone understand those three numbers?
Associating the first number to the producer is something that many companies can do. Linking the second and third numbers to what they mean would require an agreement with the producer as the information usually lies in their internal computer systems.
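The three-part number and who can interpret each part, as an added example (not from the Commission's text). The dot-separated layout, the manager and product codes, the registry and the catalogue are all constructed for this illustration and are not a real EPC or GS1 encoding; the point it shows is that the six bottles share the first two parts and differ only in the serial, and that a party without the producer's catalogue can resolve the producer but not the product or serial.

```python
"""Added illustration of the three-part tag number described above; not
from the Commission's text. The layout (manager code . product code .
serial, dot-separated) and every code and name here are constructed for
the example and do not follow a real EPC or GS1 encoding."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TagNumber:
    manager: str   # part 1: first user of the tag, typically the producer
    product: str   # part 2: type of product
    serial: str    # part 3: identifies one precise item


def parse_tag_number(raw: str) -> TagNumber:
    """Split a constructed 'manager.product.serial' string into its parts."""
    parts = raw.split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"expected three dot-separated parts: {raw!r}")
    return TagNumber(*parts)


# Constructed: a manager-code registry that many companies can consult.
MANAGER_REGISTRY = {"0471234": "Water Company Ltd"}

# Constructed: the producer's own catalogue, normally held in its internal systems.
PRODUCER_CATALOGUE = {("0471234", "000123"): "1.5l bottle of sparkling water"}


def interpret(raw: str, catalogue=None) -> dict:
    """What a party can make of a tag number: the producer comes from the
    registry; product type and serial are only meaningful with access to
    the producer's catalogue (i.e. an agreement with the producer)."""
    tn = parse_tag_number(raw)
    result = {"producer": MANAGER_REGISTRY.get(tn.manager, "unknown")}
    if catalogue is not None and (tn.manager, tn.product) in catalogue:
        result["product"] = catalogue[(tn.manager, tn.product)]
        result["serial"] = tn.serial
    else:
        result["product"] = "not resolvable without producer agreement"
        result["serial"] = None
    return result


def six_pack(manager="0471234", product="000123"):
    """Constructed tag numbers for the six bottles of one pack."""
    return [f"{manager}.{product}.{n:012d}" for n in range(1, 7)]


def distinct_items(raw_numbers):
    """Returns (number of distinct manager+product pairs, number of distinct serials)."""
    tns = [parse_tag_number(r) for r in raw_numbers]
    shared = {(t.manager, t.product) for t in tns}
    serials = {t.serial for t in tns}
    return len(shared), len(serials)


if __name__ == "__main__":
    bottles = six_pack()
    print(distinct_items(bottles))                       # one product type, six items
    print(interpret(bottles[0]))                         # third party: producer only
    print(interpret(bottles[0], PRODUCER_CATALOGUE))     # with the producer's catalogue
```

Running it shows the privacy-relevant property in concrete terms: the serial makes every bottle individually distinguishable to anyone who reads it, even though only the producer (or a party it has an agreement with) can say what the item actually is.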
...How do I know what data is being used or gathered?
The Commission recommends that consumers are informed of the data that is being processed; this includes informing consumers of the data contained on the tag, as well as how it is used and why it is used by retailers. This information should be provided to you by the organisation that is using the tag. In the case of retail products, this would typically be the producers of the product or the retailers themselves.
...Should I worry about my privacy when purchasing products with tags?
Organisations responsible for placing the tags should conduct a privacy and data protection impact assessment to understand and act on the possible privacy and data protection threats that the presence of the tag creates. If this is done in the way recommended today by the European Commission, there should be no reason for privacy concerns.
...I don't want the products I purchase to be tagged. Can I ask the retailer to remove them?
Yes. Firstly, if the tag is likely to present a threat to your privacy or your personal data, the Commission recommends that the organisation that placed it should eliminate the threat, remove the tag, or deactivate it. Secondly, if the tag does not present a threat to your privacy or your personal data, and provided the tag was placed by your retailer, the Commission recommends that you can still ask the retailer to remove or deactivate the tag should you so wish.
...I have purchased a product that contains a tag. Can I be tracked once I leave the shop?
It would only be possible to 'track' consumers if there were interconnected RFID readers everywhere, but for the foreseeable future readers will only be located in a limited number of places (access control doors in companies, on public transport, etc.) and are usually not interconnected (readers from a public transportation company and a supermarket are not on the same system).
Tags that you carry can be 'read' by specific devices, but reading the content of a tag and making sense of what it means are two different things. Technical incompatibilities aside, if a retailer's RFID reader comes close to and "reads" your public transport ticket, the chances are it will not understand it and will simply disregard the captured data.
This development will be kept under constant scrutiny by data protection authorities and by the European Commission.
I use an RFID contact-less card to enter public transportation (or a museum, a stadium, etc)...
...What information does the card contain?
In many cases, your contact-less card will contain personal information. The type of personal information depends on the application of the RFID tag. For example, many public transportation applications store personal data on the card itself, such as the number of journeys taken and when. This information is gathered for several reasons, including allowing you to claim back a journey charged but not taken. However, if personal data is stored on your transport card, the transportation company should inform you of the data the card contains.
The Commission recommends that consumers are informed of RFID tag use the first time the card is made available and are entitled to ask for information at any time. For those cards that are rechargeable, the booth at which you can recharge them usually offers you this service.
I use an RFID electronic access card to enter my employer's building...
... Is my employer gathering information such as my arrival dates or how long I work?
The Commission recommends that employers inform their employees on the purposes of the application and the data processed. If applicable, this could include your arrival/departure times and how it is linked to your personal data. Your employer might simply use electronic cards for access control and nothing else.
I am a company that wants to implement an RFID application...
...Do I qualify as an RFID operator?
If you are the organisation that determines the purposes and means of the application: yes, even if you are sub-contracting the operational aspects to a third party.
...Do I need to conduct privacy and data protection impact assessments?
Every RFID operator must conduct privacy and data protection impact assessments (PIAs) in order to understand and act on the possible privacy and data protection threats that the presence of the tag creates. Many sources of information on how to conduct PIAs are available and can provide support, including the RFID service company that provides your RFID technology or the data protection authority responsible for your organisation.
...I only intend to put RFID tags on my products, not in personal employee devices. Do I still need to conduct a privacy and data protection impact assessment?
Yes. RFID applications can become very complex and have consequences, notably for privacy, that were not initially intended. However, the level of detail of your assessment should be proportionate to the risks associated. Privacy and data protection impact assessments can be short if the risk is quickly determined to be insignificant.
I am a service company which uses or manages RFID applications for my clients...
...Do I qualify as an RFID operator?
Probably not, unless you are the organisation that decides the purposes and the means of the application or you process the data yourself.
...If I do not qualify as an operator, what are my obligations?
The Recommendation does not include any provision specific to you. However, your clients are likely to rely on you to help them integrate the different recommended elements, such as the privacy and data protection impact assessment or the information to be provided to individuals, just as they have relied on you to advise on the choice of an RFID technology.