The RFID (radio frequency identification) camps are many and varied throughout the world. Privacy proponents are calling the security risks from RFID technology monumental and ripe for data and identity theft. The federal government has decided that, when coupled with PIN codes and/or protective sleeves, RFID technology used in passports and passport cards is safe. The European Commission has said it believes that RFID technology can be safe, provided its new recommendations are followed.
On Tuesday, May 12, 2009, the European Commission adopted a set of recommendations, hoping to ensure that companies involved in the design or operation of RFID products respect the individual's fundamental right to privacy and data protection, contained in the Charter of Fundamental Rights of the European Union. The recommendations can be read in full here (pdf link).
Members of the European Union are required to report back in two years regarding the steps taken to conform to the recommendations, and the Commission will publish a report within three years of its impact assessment and success with implementation to date.
The recommendations require that all operators in the European Union, regardless of whether those operators are subject to other obligations under the EU Data Protection Directive 95/46/EC, comply with the steps set forth in the recommendations. The following are some of the more significant recommendations:
- Member States should ensure that industry, in collaboration with relevant civil society stakeholders, develops a framework for privacy and data protection impact assessments.
- Member States should support the Commission in identifying those applications that might raise information security threats with implications for the general public. For such applications, Member States should ensure that operators, together with national competent authorities and civil society organisations, develop new schemes, or apply existing schemes, such as certification or operator self-assessment, in order to demonstrate that an appropriate level of information security and protection of privacy is established in relation to the assessed risks.