Faegre Drinker Biddle & Reath LLP, a Delaware limited liability partnership | This website contains attorney advertising.
March 25, 2008

RFID Update

In response to the EC's communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, the European Data Protection Supervisor (EDPS) has published its opinion.

Not surprisingly, the EDPS's opinion welcomes the EC's communication. It shares the same concerns as the EC that RFID systems may threaten individuals' data protection and privacy rights and calls for the EC to issue one or more documents (because it does not believe that "one size fits all") giving clear guidance on how to apply the current legal framework to the RFID environment. As expected, it is in favour of binding legislative measures rather than self-regulation on the basis that self-regulation would be voluntary and non-compliance would not always be effectively sanctioned.

Key highlights from the EDPS's opinion include:

  • data protection issues extend to the entire RFID infrastructure (not just the tags) and in order to comply with the EU data protection directive, RFID applications must be deployed with the necessary technical solutions to prevent or minimize the risks of unwanted disclosure and ensure that the processing or transfer of data only happens with informed consent;

  • data stored by an RFID tag is personal data and, even if the RFID tag does not include the names of individuals, privacy issues are raised by the tags' ability to be used for surveillance purposes. New privacy issues are introduced if products are tracked after the point of sale and consideration therefore needs to be given as to how personal and mobile the product is;

  • a "kill command" should be considered as a requirement for the design of RFID infrastructure so that RFID tags can be deactivated – enabling RFID tags to continue transmitting information after the point of sale would be unlawful unless the data controller has appropriate legal grounds (e.g., consent of individual, disclosure necessary in order to deliver a specific service requested by the individual and (depending on the RFID application) to protect the legitimate interests of the controller);

  • identifying the data controller in the case of RFID systems might be more difficult and will require closer examination as the controller who processes the data may frequently change because of the additional services which can be provided in relation to the product which has been tagged; and

  • unnoticed gathering and processing of information (which may be legitimate or illegitimate) could lead to profiles being built up on individuals without their knowledge. Individuals must therefore be alerted to (among other things) the presence of readers/tags on products/packaging, the consequences of such presence in terms of information gathering and the purposes for which the information collected will be used. An "opt-in principle" at the point of sale should be implemented in all relevant RFID applications but the EDPS stresses the importance of a flexible approach to implementation of this principle.

The Organisation for Economic Cooperation and Development (OECD) has also recently published a report on the information security and privacy issues which RFID technology raises. The OECD's detailed report puts forward the OECD Security Guidelines and Privacy Guidelines as a framework for guiding the implementation of RFID systems but acknowledges that further discussions are needed to deal with a number of issues including the notion of personal data and data controller and when consent should and should not be required. The OECD stresses that the report relates to current and short-term uses of RFID technologies and that it is essential to monitor the evolution of RFID technologies and make any consequential changes to the report and/or draw further/different conclusions.

The EC has published a set of frequently asked questions on RFID, together with a draft recommendation on the privacy, data protection and information security aspects of RFID. The deadline for responding to the draft recommendation is 25 April 2008.

The European Economic and Social Committee has already published its opinion (for details on this opinion see our article "RFID European Economic and Social Committee Endorses EC Communication").

A further communication is expected from the EC at the end of 2008 which will concentrate on the long-term policy options including whether further legislative steps should be taken to safeguard data protection and privacy.
