On May 12, 2009, the European Commission issued a Recommendation on The Implementation of Privacy and Data Protection Principles in Applications Supported by Radio-Frequency Identification. The recommendation recognizes the importance of RFID technology for businesses and industry to enhance efficiency. The Article 29 Working Party (hereinafter: Article 29 WP) did, however, express serious concerns about the impact of RFID technology on individuals’ privacy, since its deployment may entail robust information processing and novel monitoring practices.
Therefore, the recommendation urges industry to develop an RFID data privacy impact assessment (PIA) framework. RFID operators, i.e. those who determine the purposes and means of a RFID application, including data controllers of personal data using RFID applications, should conduct a PIA and make the results available to the relevant data protection authority (DPA) before its deployment.
The PIA framework should:
- support the principle of “privacy-by-design” by addressing privacy protections embedded in the technology;
- sensitize RFID operators by addressing the technical and organizational safeguards that need to be undertaken to secure personal data from unauthorized access or disclosure;
- enable both operators and DPAs to better understand the privacy and data protection impacts of RFID applications. Knowledge on PIA results is considered useful to DPAs to develop relevant RFID privacy guidelines for companies.
The recommendation requires industry to submit the proposed PIA framework to the Article 29 WP for approval. The Article 29 WP already assessed an earlier proposal for a PIA framework in a different recent opinion (of July 13, 2010, hereinafter: Opinion). Three main elements need to be addressed by the framework since they trigger the Article 29 WP’s concern:
- Identification of the privacy risks associated with the intended use of a specific RFID application
- Assessment of the privacy risks associated with the use and carrying of RFID tags in everyday life
- Clarifications on how RFID tags can be deactivated when used in the retail sector
Given these concerns, the Article 29 WP decided not to endorse the submitted framework proposal and encourages industry to improve the proposal based on the comments expressed in its
.
