July 12, 2007

European Concerns Over RFID Technology

Radio-frequency identification technology (or RFID as it is more commonly known) was first used in the 1940s for weapon identification and has since been widely used in payment systems, passports, theft detection devices, security systems/cards, the manufacturing process, student ID cards and as tracking devices for children, animals, prison inmates and parolees.

RFID is an "automatic identification method, relying on storing and remotely retrieving data using devices called RFID tags or transponders. An RFID tag is an object that can be attached to or incorporated into a product, animal, or person for the purpose of identification using radio waves. Most RFID tags contain at least two parts. One is an integrated circuit for storing and processing information, modulating and demodulating a radio frequency (RF) signal and perhaps other specialized functions. The second is an antenna for receiving and transmitting the signal. An emerging technology called chipless RFID allows for discrete identification of tags without an integrated circuit, thereby allowing tags to be printed directly onto assets at lower cost than traditional tags"(source: Wikipedia).

If your organisation has not yet considered using RFID, it is important to bear in mind that RFID is still (and will continue to be for a while) an emerging technology. Neither the investment (not only financial) which needs to be made nor the competitive advantage RFID could give your organisation should be underestimated. Implementation is also paramount; get it wrong and you may not see a return on your investment. The most important rule which should never be overlooked is; do not deploy any RFID technology within your organisation until it has been sufficiently and successfully tested.

What benefits and problems can RFID bring to your organisation?

Current trends indicate that the RFID market will grow fast over the next 10 years with the value of the market (including hardware, systems and services) expected to increase by a factor of 6 between 2007 and 2017.

In 2006, IDTechEx (a knowledge-based research and analysis consultancy company) analyzed the RFID market over the next 10 years and reported that:


  • there was a rapidly growing and diversifying market for RFID;
  • cumulative sales of RFID tags for 60 years until the beginning of 2006 totalled 2.4 billion, with 600 million tags being sold in 2005 alone. In 2006, it expected more than 1.3 billion tags to be sold; and
  • challenges with tag yield versus cost, frequency acceptance, specification creep and required performance levels were some of the key issues that needed to and were being resolved to grow the RFID market exponentially over coming years to be almost 10 times the size in 2016 that it will be in 2006 in value.

The benefits of RFID to businesses include:


  • improved data security and integrity;
  • more accurate location information;
  • more efficient market/productivity gains;
  • expedited processing;
  • improved customer service; and
  • tighter supply controls.

However, the more intensive and extensive use of RFID also raises major issues in the areas of privacy (because tags store and communicate personal data), security (the tag is the weakest link), technological reliability (not all events are registered and not all products can be scanned) and international compatibility (there is not one RFID standard). The major disadvantage to organisations wishing to implement RFID is the cost. It is also possible for RFID systems to be compromised e.g., by using a magnet or by placing two items which have tags against one another so that one tag overlays another.

The varied business applications currently using RFID and the expected influence these devices will have globally should mean that:


  • the costs of RFID go down;
  • the standards for RFID frequency and power will become more defined;
  • end-user knowledge about how RFID works improves; and
  • technical hitches (such as reader accuracy and interference from external substances) are overcome.

What are the United Kingdom and the European Union doing about RFID?

One of the key challenges for Europe is to create a common vision and a set of goals on how RFID can keep Europe more innovative and competitive in the world economy. At the same time citizens must have the tools and freedom of choice they need to protect their privacy and security.

The European Union has been raising concerns about RFID technology since 2005 when the Article 29 Data Protection Working Party published a working document highlighting the data protection issues arising from the use of RFID technology. Responses to the working document were published on 28 September 2005 and showed a divide on whether further privacy/data protection legislation was needed for RFID technology.

In May 2005, the European Union set up a project entitled "Building Radio Frequency IDentification for the Global Environment", to research, develop and implement tools to enable the deployment of RFID applications in Europe. In May 2007 it published its third newsletter (available on the website) on the status of the project to date.

On 9 March 2006, the EC launched a 4-month Europe-wide consultation on RFID tags and in August 2006 the Information Commissioners Office issued guidance on the use of RFID technology to collect personal data.

The EC's consultation ended in October 2006 with an open seminar presenting the preliminary findings from the 2,190 participants who contributed. The EC published the results of its consultation on 15 March 2007 in a communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions "Radio Frequency Identification (RFID) in Europe: steps towards a policy framework".

Among other things, the EC's communication:


  • highlighted "serious concerns that this pervasive and enabling technology might endanger privacy",
  • called for "adequate privacy safeguards as a condition for wide public acceptance of RFID",
  • stated that a "clear and predictable legal and policy framework is needed to make this new technology acceptable to users" which addresses "ethical implications, the need to protect privacy and security; governance of the RFID identity databases; availability of radio spectrum; the establishment of harmonised international standards; and concerns over the health and environmental implications", and
  • outlined the steps it would take over the next 2 years, including the establishment of an RFID Stakeholder Group to provide an "open platform allowing a dialogue between consumer organisations, market actors, and national and European authorities, including data protection authorities, to fully understand and take co-ordinated action on the concerns".

The Data Protection Directive (and therefore the Data Protection Act 1998 ("DPA")) protects personal data collected about individuals by RFID technology. The ePrivacy Directive (and therefore the Privacy and Electronic Communications (EC Directive) Regulations 2003), covers the processing of personal data in connection with the provision of publicly available electronic communication services in public communication networks. There are concerns that many RFID applications/systems may only fall under the Data Protection Directive and not the ePrivacy Directive.

Where RFID technology is being used to manage a supply chain or deter theft the processing of personal data may be justified under the DPA on the grounds that it protects the legitimate interests of the data controller. For other uses, unless an exemption can be relied upon the safest route would be to obtain consent from individuals by displaying clear notices next to, or on, the products which contain the RFID tags.

In June 2007 the German Presidency of the Council of the European Union, represented by the Federal Ministry of Economics and Technology in cooperation with the Federal Ministry of Education and Research, published a draft working document for the expert conference "RFID: Towards the Internet of Things" June 2007 which was presented during the RFID: Towards the Internet of Things conference in Berlin on 25 and 26 June 2007. The discussions during the conference will be included in the "European Policy Outlook RFID" and used to outline further action of the EU Member States, the European Commission, industry, organisations and the various stakeholders involved in RFID policies.

Following its communication, a recommendation is expected from the EC at the end of 2007 setting out the principles which public authorities and other stakeholders should apply in respect of RFID usage. A further communication is also expected at the end of 2008 which will concentrate on the long-term policy options including whether further legislative steps should be taken to safeguard data protection and privacy.

On 2 July the EC launched a consultation on the EU strategy for international co-operation on ICT with the aim to "formulate a more ambitious, targeted international EU strategy for ICT that explores new markets for EU industries, improves the competitiveness of Europe's ICT industry in global markets and promotes EU interests worldwide". RFID is one of the areas the EC is looking for input on in the consultation and it asks the following questions:


  • "Given that the protection of personal data is an important principle in the EU and is seen as a pre-condition for wide public acceptance of RFID, what privacy safeguards should be envisaged at an international level?"
  • "The Commission will support the development of a set of application-specific guidelines within the EU (code of conduct, good practices) by a core group of experts representing all stakeholders. Should there be, in parallel, international guidance on practical implementation of new technologies, such as RFID? If so, what should such guidance consist of?"
  • "How to ensure, at international level, that the system for registering and naming of identities in the future "Internet of Things" is interoperable, open, non-discriminatory and does not fall into the hands of interested parties that could use these databases and naming systems for illicit ends, whether they relate to commercial, security or political aspects of governance? What concrete actions should the European Union take at international level?"

The consultation closes on 17 September 2007 and the EC intends to publish the results in early 2008.


Services and Industries

The Faegre Drinker Biddle & Reath LLP website uses cookies to make your browsing experience as useful as possible. In order to have the full site experience, keep cookies enabled on your web browser. By browsing our site with cookies enabled, you are agreeing to their use. Review Faegre Drinker Biddle & Reath LLP's cookies information for more details.