The RFID (radio frequency identification) camps are many and varied throughout the world. Privacy proponents are calling the security risks from RFID technology monumental and ripe for data and identity theft. The federal government has decided that when coupled with pin codes and/or protective sleeves, RFID technology used in passports and passport cards is safe. The European Commission has said it believes that RFID technology can be safe, provided its new recommendations are followed.

On Tuesday, May 12, 2009, the European Commission adopted a set of recommendations, hoping to ensure that companies involved in the design or operation of RFID products respect the individual’s fundamental right to privacy and data protection, contained in the charter of fundamental rights of the European Union. The recommendations can be read in full here (pdf link).

Members of the European Union are required to report back in two years regarding the steps taken to conform to the recommendations, and the Commission will publish a report within three years of its impact assessment and success with implementation to date.

The recommendations require that all operators in the European Union, regardless of whether those operators are subject to other obligations under The EU Data Protection Directive 95/46/EC, comply with its steps set forth in the recommendations. The following are some of the more significant recommendations:

  • Member States should ensure that industry, in collaboration with relevant civil society stakeholders, develops a framework for privacy and data protection impact assessments.
  • Member States should support the Commission in identifying those applications that might raise information security threats with implications for the general public. For such applications, Member States should ensure that operators, together with national competent authorities and civil society organisations, develop new schemes, or apply existing schemes, such as certification or operator self-assessment, in order to demonstrate that an appropriate level of information security and protection of privacy is established in relation to the assessed risks.

  • Without prejudice to the obligations of data controllers, in accordance with Directives 95/46/EC and 2002/58/EC, Member States should ensure that operators develop and publish a concise, accurate and easy to understand information policy for each of their applications. The policy should at least include: (a) the identity and address of the operators, (b) the purpose of the application, (c) what data are to be processed by the application, in particular if personal data will be processed, and whether the location of tags will be monitored, (d) a summary of the privacy and data protection impact assessment, (e) the likely privacy risks, if any, relating to the use of tags in the application and the measures that individuals can take to mitigate these risks.
  • Member States should ensure that operators take steps to inform individuals of the presence of readers on the basis of a common European sign, developed by European Standardisation Organisations, with the support of concerned stakeholders. The sign should include the identity of the operator and a point of contact for individuals to obtain the information policy for the application.
  • On the basis of a common European sign, developed by European Standardisation Organisations, with the support of concerned stakeholders, operators should inform individuals of the presence of tags that are placed on or embedded in products.
  • When conducting the privacy and data protection impact assessment as referred to in points 4 and 5, the operator of an application should specifically determine whether tags placed on or embedded in products sold to consumers through retailers who are not operators of that application represent a likely threat to privacy or the protection of personal data.
  • Retailers should deactivate or remove at the point of sale tags used in their application unless consumers, after being informed of the policy referred to in point 7, give their consent to keep tags operational. Deactivation of the tags should be understood as any process that stops those interactions of a tag with its environment which do not require the active involvement of the consumer. Deactivation or removal of tags by the retailer should be done immediately and free-of-charge for the consumer. Consumers should be able to verify that the deactivation or removal is effective. (Not applicable if the privacy and data protection impact assessment concludes that tags that are used in a retail application and would remain operational after the point of sale do not represent a likely threat to privacy or the protection of personal data. Nevertheless, retailers should make available free-of-charge an easy means to, immediately or at a later stage, deactivate or remove these tags.)
  • Deactivation or removal of tags should not entail any reduction or termination of the legal obligations of the retailer or manufacturer towards the consumer.
  • Members States, in collaboration with industry, the Commission and other stakeholders, should take appropriate measures to inform and raise awareness among public authorities and companies, in particular SMEs, of the potential benefits and risks associated with the use of RFID technology. Specific attention should be given to information security and privacy aspects.
  • Member States should cooperate with industry, relevant civil society stakeholders and the Commission to stimulate and support the introduction of the ‘security and privacy by design’ principle at an early stage in the development of RFID applications.

Mark McCreary is a partner in Fox Rothschild’s Corporate Department, specializing in privacy and Internet law. If you have questions regarding this post, or any other privacy matter, you may contact Mark at (215) 299-2010 or mmccreary@foxrothschild.com.