FAQ on Radio Frequency Identification Devices (RFID)

March 6, 2008 // Published as a news service by IHS

"RFID tags are far cleverer than traditional bar codes. They have the potential to link everyday objects into an 'Internet of Things' that will greatly enhance economic prosperity and the quality of life. But as with any breakthrough, there is a possible downside - in this case, the implications of RFID for privacy," said Viviane Reding, EC commissioner for information society and media.

"This is why we need to build a society-wide consensus on the future of RFID, and the need for credible safeguards. Privacy is at the heart of our European model of society. RFIDs will therefore only become successful if they do not call into question the capability of every consumer to control the use of his or her personal data. I expect the industry to assume its responsibilities," Reding added.

This document provides answers to frequently asked questions about RFID.

Why is RFID on the European agenda?
Few new technologies attract as much attention from industry, consumer organisations and politicians as radio frequency identification devices, also called smart radio tags. The interest in RFID largely derives from the technology's rapid movement from the research lab to mass application, mirroring the evolution of GSM mobile phones in the 1990s.

The EC sees RFID as an emerging technology with great potential for economic operators in Europe and for European citizens. However, a precondition for the successful take-up of RFID is that it be introduced by industry in full respect of privacy, and that consumers remain in full control of their personal data.

Research must be pursued in the area of RFID to build and maintain Europe's leadership in the next generation of RFID technology and its applications. However, the development of RFID technology should not be considered an end in itself. The EC expects RFID to be the forerunner of many increasingly "intelligent" objects that interact with each other and help humans in ever more sophisticated ways.

The RFID market is expected to grow quickly over the coming years. In 2007, the overall market for RFID was estimated at €4.2 billion and 1.7 billion tags. Within 10 years, the overall RFID market is expected to be five times larger, with approximately 450 billion tags produced.

What has the EC done on RFID?
Recent actions of the EC on RFID can be summarised as follows:

• From March to October 2006, the EC conducted a series of workshops and a first public consultation to build a consensus on key issues associated with the development of RFID technologies.
• The outcome of these activities was summarised in a communication adopted by the EC in March 2007, which showed that further action was expected by the public in terms of privacy and data protection.
• In November 2006, the EC made radio spectrum available for RFID in the UHF band 865-868 MHz.
• In June 2007, the EC established an RFID Expert Group, which would, amongst other things, advise on the elements to be included in an upcoming EC legal instrument on the implementation of privacy, data protection and information security principles in applications supported by RFID.

From February to April 25, 2008, the EC is launching a public consultation on the draft text of an EC recommendation on the implementation of privacy, data protection and information security principles in applications supported by RFID. This consultation can be found at http://ec.europa.eu/yourvoice/ipm/forms/dispatch?form=RFIDRec.

The EC expects to adopt a legal instrument on RFID by summer 2008.

What has Europe done so far to ensure the privacy of its citizens in an RFID environment?
While there is broad recognition of the economic benefits of RFID, especially in fields such as transport and logistics, there is, at the same time, public concern that the large-scale use of RFID technology in daily products could come in conflict with the individual's right to privacy. Many organisations, data protection experts and consumer protection associations have therefore drawn public attention to this important concern.

The EC is very much aware of the importance of civil rights regarding information and communication technologies - and of privacy and data protection rights, in particular. European Union (EU) law addresses these concerns in various legal instruments, including the 1995 directive on the protection of individuals with regard to the processing of personal data and the free movement of such data. The directive created the so-called Article 29 Working Party, which advises the EC on data protection matters, including implications of new technologies like RFID.

The so-called "e-Privacy" directive of 2002 also deals with the processing of personal data and the protection of privacy in the electronics communications sector. It is currently being reviewed and the proposed revision includes some clarifications with regard to RFID technology.

The EC is also consulting the public on whether an additional legal instrument (such as a recommendation, although other legal instruments under Article 249 of the EC Treaty are an option) could add legal certainty and provide guidance on the interpretation of EU data protection law when RFID technologies are used. For details, see http://ec.europa.eu/yourvoice/ipm/forms/dispatch?form=RFIDRec.

What are the main features of the EC's draft recommendation currently under public consultation?
The main elements proposed in the draft recommendation are as follows:

• Operators should conduct a risk assessment prior to deploying an RFID application to ensure privacy risks have been properly evaluated. This assessment, which reflects good business practice, will be useful for industry, which can expect, in return, a broader acceptance of its RFID applications.
• Industry is encouraged to establish codes of conduct governing the use of RFID. These codes can be sector-specific to reflect the different ways operators use technology.
• Operators should provide a minimum level of information to users of tagged products, such as the purpose of the application or the identity of the operator.
• Operators should follow a series of information security measures when deploying RFID applications. One of those requirements is to use recent technology when deploying such applications (not superseded technology).
• Specific provisions should apply to the retail sector when a product containing an RFID tag is sold. The EC is considering a harmonised sign that would inform consumers when RFID tags are used. In addition, to guarantee consumer choice and control, RFID tags that contain personal data should be automatically deactivated at the point of sale, unless the consumer decides otherwise.
• Member states are encouraged to raise awareness among citizens and small to medium-sized enterprises through information campaigns or large-scale pilot projects.
• Member states should continue their efforts in research and development to improve the privacy features of RFID.

For the full draft recommendation and a more detailed explanation, see http://ec.europa.eu/yourvoice/ipm/forms/dispatch?form=RFIDRec.

What have data protection officials in the EU said so far on RFID?
The Article 29 Working Party, which gathers all national data protection authorities of the EU, has adopted several documents:

• Document 105 on Data Protection Issues related to RFID Technology (Jan. 19, 2005) provides guidance to RFID users on the application of basic principles in the EC directives, particularly the data protection directive and the directive on privacy and electronic communications.
• The results of the public consultation on Article 29 Working Document 105 (Sep. 25, 2005) indicates different views among respondents regarding the definition of "personal data," as well as the level of further guidance needed from the EC on privacy and data protection issues arising from RFID.
• An opinion on the concept of personal data (June 20, 2007), which refers to RFID several times, provides guidance on the concept of personal data in Directive 95/46/EC and related European Community legislation and its application in different situations.

These texts can be obtained at http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/2005_en.htm.

In December 2007, the European Data Protection Supervisor (EDPS) adopted an opinion on the March 2007 communication of the EC. EDPS is an independent supervisory authority devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies. The opinion can be obtained at http://www.edps.europa.eu/EDPSWEB/edps/lang/en/pid/45.

What are the next steps?
On the basis of the outcome of the current public consultation (which runs until April 25, 2008), the EC intends to finalise a legal instrument on ensuring privacy and the protection of personal data in an RFID environment by summer 2008.

Furthermore, a separate and broader debate on the so-called "Internet of Things" has been initiated starting in 2008. This debate focuses, in particular, on the issues of privacy, trust and governance; it might lead to further actions by the EC.

What is meant by "Internet of Things"? What is the link with RFID?
The Internet of Things is a catch phrase expressing a vision foreseen by experts who share the view that in the future the real world (or day-to-day objects) will come closer to the virtual world (the Internet).

Other phrases, such as "ubiquitous networked society," "ambient intelligence" or "ubimedia" have been used to describe the Internet of Things. One can imagine walls that sense people's presence and adjust room temperature accordingly, smart refrigerators that detect food no longer fit for consumption and smart washing machines that select the appropriate programme, amount of water and powder, depending on the clothes inserted.

While depending on many other technologies, the Internet of Things vision relies partially on the development of RFID technologies.

How important is the international dimension of the debate on RFID?
The EC has integrated the international dimension of the debate on RFID for some time as many important applications, especially in the logistics sector, include the overseas transportation of tagged items, cases, parcels or containers. In this respect, the EC maintains a close and fruitful dialogue with its counterparts worldwide to address issues such as common standards and rules.

As an illustration of this permanent dialogue, during the Transatlantic Economic Council in April 2007, the EU and the U.S. jointly made the identification and development of best practices for RFID technologies one of their "Lighthouse priority projects."

More information on the public debate can be found at http://europa.eu.int/information_society/policy/rfid/.

Source: European Commission.