Neelie Kroes Vice-President of the European Commission for the Digital Agenda Smart tags - working together to protect privacy Privacy and Data Protection Impact Assessment Framework Signing Ceremony Brussels, 6th April 2011
European Commission - SPEECH/11/236 06/04/2011
Other available languages: none
Vice-President of the European Commission for the Digital Agenda
Smart tags - working together to protect privacy
Privacy and Data Protection Impact Assessment Framework Signing Ceremony
Brussels, 6th April 2011
Today we are putting consumers' privacy at the centre of Radio Frequency Identification Devices (RFID) technology, also known as smart tags.
This is a truly historic moment, and I want to thank our industry and civil society partners.
This Privacy and Data Protection Impact Assessment Framework for RFID Applications, which you have developed together on a voluntary approach to protect the privacy rights of European citizens, is a first-of-its-kind milestone in Europe.
I know that over the past two years you have all worked and acted on this issue with great boldness and dedication. I commend industry for having taken up this challenge, the European Network and Information Security Agency for its contribution to the definition of a risk assessment methodology, and consumer organisations and privacy groups for their constant and relentless efforts in the refocusing and advancement of the work. Your collective commitment will make a significant difference to the way citizens consider RFID and similar technologies throughout the world. Industry stakeholders, as well as defenders of the privacy rights of citizens and consumers, can be proud that this was achieved with consensus in such a short space of time.
It took industry from May 2009 to March 2010 to work out and submit its initial proposal and then from April 2010 to January 2011 to make the final proposal meeting the different requirements of all the parties concerned, including the Member States' national data protection authorities. The EU's Article 29 Data Protection Working Party was indeed, throughout the process, a discreet but creative and dedicated player. Thanks to its early effective guidance, the final PIA Framework proposal fully complies with EU data protection legislation.
The RFID Privacy Impact Assessment (PIA) Framework sets an example for industry in Europe and in the world by taking legitimate privacy concerns of people seriously and proactively addressing them. It effectively creates a win-win situation for business and consumers, as well as a pragmatic way to ensure safeguards for privacy. More specifically, it provides its future users with a comprehensive description of what should be done to deliver RFID applications that are compliant with the EU data protection Directive of 1995 and the ePrivacy Directive of 2002.
It is obvious that technology evolves faster than legislation. The various parties gathered today have recognised this and decided that this PIA Framework was the most effective and efficient way to protect the privacy of European citizens without stifling innovation when using RFID applications.
After today the PIA Framework has to prove its worth in the "real world" Only its genuine, resolute and consistent application by all the stakeholders will ensure its credibility and force.
Therefore, in line with the Opinion of the Article 29 Data Protection Working Party, I call on industry to monitor and enforce the application of this Framework and see how it can contribute to addressing the needs and expectations of society.
In addition, the European Commission has issued a mandate to the European Standards organisations CEN and ETSI to assess if a translation of the PIA Framework into a standard is feasible. Should the answer be positive, application engineers will get standards or European norms that can be used without further need for specific knowledge about privacy requirements.
This PIA Framework for RFID Applications constitutes an interesting model that could be used for other similar situations or areas, such as smart metering and online behavioural advertising.
It is indeed worth stressing that the risk assessment methodology that underlies this Framework is independent of any industry and technology.
Therefore, what we celebrate today is not only the successful completion of a challenging task, "how to protect the privacy of European citizens when using RFID", it is potentially also the start of a new policy approach, in fact a new commitment to involving all stakeholders in the process of solving privacy problems.
Everyone knows that privacy and security challenges of the Internet are inhibiting faster adoption of information and communications technologies. We desperately need concepts and proven solutions, both technological and regulatory, to ensure that the Internet will further develop in a privacy-friendly and secure way.
Maybe the PIA Framework, the fruit of the public-private joint venture that we celebrate today, shows the way to go. If, as I believe, this is the case, we should not let that opportunity slip by.