The European Commission has published guidelines that companies can follow to assess the privacy implications of their use of Radio Frequency Identification (“RFID”) tags, also known as “smart tags”.
On 6 April 2011, the European Commission signed a voluntary agreement with various parties, including industry groups, the European Network and Information Security Agency (“ENISA”) and EU privacy and data protection watchdogs, to address the data protection and privacy implications of RFID applications.
Uses of RFID tags
RFID tags are commonly used on products, for example by supermarkets to track stock. As the cost of equipment decreases and reliability increases, RFID tags are becoming more prevalent and their uses are broadening. The European Commission expects around 2.8 billion RFID tags to be sold in 2011, about a third of them in Europe. Industry groups estimate that this figure could leap to 50 billion by 2020. With RFID tags set to become ubiquitous, it is important to review the potential privacy, data protection and security risks.
RFID tags can be used to store personal information, and mobile phones utilising RFID technology can store credit card numbers to allow for mobile payment. The technology has also been used for consumer convenience, for example the automatic payment of road tolls without having to stop at a toll booth. This works because the RFID tag is automatically “read” by a reader when it comes within range (normally from a few centimetres up to a few metres, depending on the tag type and frequency).
Whilst the advantages of this technology are clear, the risks for data protection and privacy must be considered. RFID tags can hold personal data and need to be adequately secured, so that the personal data is not disclosed to unauthorised readers. Each time a tag is read it also reveals the location of that tag or, in many cases, of the person carrying it.
Companies that sign up to the guidelines will agree to undertake personal data and privacy impact assessments of RFID applications before they are released onto the market. The type of impact assessment required depends on whether personal data will be processed. If personal data will be processed, a full-scale impact assessment is required. If personal data will not be processed but the tag will be carried by a person, a small-scale impact assessment is required. No impact assessment is required if there will be no processing of personal information and the tag will not be carried by a person, for example where the RFID tag is used to track pallets of stock.
Once the impact assessment is completed it should be documented in a report, recording the type of information collected, how this is shared and stored, potential risks and how these will be overcome.
One of the risks that has been the subject of wide debate is the use of RFID tags for profiling and tracking of individuals. If an RFID tag is left activated on a pair of jeans that are sold, the tag could be used to track the individual and build up a picture of their movements and purchasing habits from the records created as the tag passes readers. This type of data is potentially very valuable to advertisers for targeted advertising and can pose a serious risk to the individual’s privacy. The European Commission recommends that retailers selling to consumers should deactivate or remove RFID tags at the point of sale unless consumers give their informed consent to keeping the tags operational.
The guidelines are voluntary. However, there are a number of advantages for companies in choosing to sign up and follow them. The agreement offers companies that observe the guidelines greater certainty that their use of RFID tags is lawful and complies with European privacy legislation.
As well as legal certainty, compliance with the code can have benefits for the brand. As consumers become increasingly concerned about their privacy and how their data is being used, being able to demonstrate compliance with a voluntary code can help to establish consumer trust and confidence.