RFID Recommendations in Europe
By vstan
RFID scheme
About RFID (Radio-Frequency Identification)
Radio-frequency identification (RFID) identifies products, objects or living beings by means of radio waves, using RFID tags that are attached to or embedded in them.
An RFID tag has at least two components: an integrated circuit, which stores and processes information and modulates and demodulates the radio-frequency (RF) signal, and an antenna. A tag is active if it has its own power source and transmits a signal on its own, and passive if it has no power source of its own and instead draws energy from the reader's field and answers by modulating (backscattering) the carrier that the reader transmits. Passive tags are the cheap, battery-free kind found on retail goods, so everything a reader learns from them is obtained without any action by the person carrying them.
RFID tags can be miniaturised to around 0.05 mm x 0.05 mm; for example, researchers have attached tags to live ants for behavioural studies, and the trend towards smaller tags continues. Today RFID is used in almost all domains, for commercial, governmental and scientific purposes.
RFID is also used in payment cards: a contactless chip and antenna are embedded in the plastic bank card so that it can be read over a few centimetres at the point of sale. The EMV chip-card standard developed by Europay, MasterCard and Visa has a contactless variant for these payments. Such cards are smart cards that run the EMV payment protocol over the contactless interface, rather than identity-only tags that simply answer with a fixed number.
RFID circuit
RFID human implant
RFID animal implant
European Union general view on RFID
The European Commission considers that radio frequency identification (RFID) marks a new development in the Information Society, in which objects equipped with microelectronics that can process data automatically will increasingly become an integral part of everyday life.
RFID is progressively becoming more common, and hence a part of individuals' lives, in a variety of domains such as logistics, healthcare, public transport, the retail trade (in particular for improved product safety and faster product recalls), entertainment, work, road toll management, luggage management, and travel documents.
RFID technology has the potential to become a new motor for growth and jobs and thus make a powerful contribution to the Lisbon Strategy, as it holds great promise in economic terms: it can bring about new business opportunities, cost reduction and increased efficiency, in particular in tackling counterfeiting and in managing e-waste, hazardous materials, and the recycling of products at the end of their life.
RFID technology enables the processing of data, including personal data, over short distances without physical contact or visible interaction between the reader or writer and the tag, such that this interaction can happen without the individual concerned being aware of it.
RFID applications hold the potential to process data relating to an identified or identifiable natural person, a natural person being identified directly or indirectly. They can process personal data stored on the tag, such as a person's name, birth date or address or biometric data, or data connecting a specific RFID item number to personal data stored elsewhere in the system. Furthermore, the potential exists for this technology to be used to monitor individuals through their possession of one or more items that contain an RFID item number.
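To make the "RFID item number" above concrete, here is an added Python example (not part of the Recommendation or of this page) that encodes and decodes an SGTIN-96, the 96-bit Electronic Product Code carried by most UHF retail tags. The field layout (8-bit header 0x30, 3-bit filter, 3-bit partition, company prefix, item reference, 38-bit serial) follows the GS1 EPC Tag Data Standard; the EPC values are constructed for the example, using the company prefix 0614141 that GS1 uses in its own documentation. The point is that any compliant reader obtains not only the product class, which every unit shares, but a serial number unique to the single unit a person carries, and that serial is what makes item-level monitoring possible once it is linked to a person in a back-end system.

```python
# Added example (not code from the Recommendation or the original page):
# encoding and decoding SGTIN-96 EPCs to show the per-item serial number.
# Layout per the GS1 EPC Tag Data Standard; sample values are constructed.

SGTIN96_HEADER = 0x30
SERIAL_BITS = 38

# partition value -> (company-prefix bits, company-prefix digits,
#                     item-reference bits, item-reference digits)
PARTITIONS = {
    0: (40, 12, 4, 1),
    1: (37, 11, 7, 2),
    2: (34, 10, 10, 3),
    3: (30, 9, 14, 4),
    4: (27, 8, 17, 5),
    5: (24, 7, 20, 6),
    6: (20, 6, 24, 7),
}


def encode_sgtin96(filter_value, partition, company_prefix, item_reference, serial):
    """Build the 24-hex-digit EPC from its fields. Company prefix and item
    reference are strings because their leading zeros are significant."""
    cp_bits, cp_digits, ir_bits, ir_digits = PARTITIONS[partition]
    if len(company_prefix) != cp_digits or len(item_reference) != ir_digits:
        raise ValueError("field length does not match partition %d" % partition)
    if not 0 <= filter_value < 8 or not 0 <= serial < (1 << SERIAL_BITS):
        raise ValueError("filter or serial out of range")
    value = SGTIN96_HEADER
    value = (value << 3) | filter_value
    value = (value << 3) | partition
    value = (value << cp_bits) | int(company_prefix)
    value = (value << ir_bits) | int(item_reference)
    value = (value << SERIAL_BITS) | serial
    return "%024X" % value


def decode_sgtin96(epc_hex):
    """Split a 96-bit EPC into its fields; raises ValueError if it is not an SGTIN-96."""
    if len(epc_hex) != 24:
        raise ValueError("SGTIN-96 is exactly 96 bits (24 hex digits)")
    value = int(epc_hex, 16)
    if value >> 88 != SGTIN96_HEADER:
        raise ValueError("not an SGTIN-96 (header 0x%02X)" % (value >> 88))
    filter_value = (value >> 85) & 0x7
    partition = (value >> 82) & 0x7
    if partition not in PARTITIONS:
        raise ValueError("invalid partition %d" % partition)
    cp_bits, cp_digits, ir_bits, ir_digits = PARTITIONS[partition]
    # company prefix sits directly below the partition field; item reference
    # directly above the serial (cp_bits + ir_bits + 38 == 82 for every partition)
    company_prefix = (value >> (82 - cp_bits)) & ((1 << cp_bits) - 1)
    item_reference = (value >> SERIAL_BITS) & ((1 << ir_bits) - 1)
    serial = value & ((1 << SERIAL_BITS) - 1)
    return {
        "filter": filter_value,
        "partition": partition,
        "company_prefix": "%0*d" % (cp_digits, company_prefix),
        "item_reference": "%0*d" % (ir_digits, item_reference),
        "serial": serial,
    }


def same_product_class(epc_a, epc_b):
    """True when two tags belong to the same product (same GTIN), whatever their serials.
    This is what a third party learns about a product class from any tag it can read."""
    a, b = decode_sgtin96(epc_a), decode_sgtin96(epc_b)
    return (a["company_prefix"], a["item_reference"]) == (b["company_prefix"], b["item_reference"])


if __name__ == "__main__":
    # Two constructed tags on two units of the same product: identical except for the serial,
    # so the serial alone singles out the unit (and, via a back-end, its owner).
    unit_1 = encode_sgtin96(3, 5, "0614141", "812345", 6789)
    unit_2 = encode_sgtin96(3, 5, "0614141", "812345", 6790)
    for epc in (unit_1, unit_2):
        print(epc, decode_sgtin96(epc))
    print("same product:", same_product_class(unit_1, unit_2))
```

Note that nothing in the EPC itself is "personal data": the privacy exposure arises because the serial is globally unique and can be read silently, so a database row linking that serial to a purchase record is enough to turn every later read into a record of where a particular person was.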
Because of its potential to be both ubiquitous and practically invisible, particular attention to privacy and data protection issues is required in the deployment of RFID. Consequently, privacy and information security features should be built into RFID applications before their widespread use (the principle of 'security and privacy by design').
RFID will only be able to deliver its numerous economic and societal benefits if effective measures are in place to safeguard personal data protection, privacy and the associated ethical principles that are central to the debate on public acceptance of RFID.
Member States and stakeholders should, especially in this initial phase of RFID implementation, make further efforts to ensure that RFID applications are monitored and the rights and freedoms of individuals are respected.
The rights and obligations concerning the protection of personal data and the free movement of such data, as provided for by Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 on privacy and electronic communications, are fully applicable to the use of RFID applications that process personal data.
The principles laid down in Directive 1999/5/EC of the European Parliament and of the Council of 9 March 1999 on radio equipment and telecommunications terminal equipment and the mutual recognition of their conformity should be applied in the development of RFID applications.
The Opinion of the European Data Protection Supervisor provides guidance as to how to handle products that contain tags which are provided to individuals, and calls for privacy and security impact assessments to identify and develop 'best available techniques' to safeguard the privacy and security of RFID systems.
RFID application operators should take all reasonable steps to ensure that data does not relate to an identified or identifiable natural person through any means likely to be used by either the RFID application operator or any other person, unless such data is processed in compliance with the applicable principles and legal rules on data protection.
The Commission Communication of 2 May 2007 on 'Promoting Data Protection by Privacy Enhancing Technologies (PETs)' sets out clear actions to achieve the goal of minimising the processing of personal data and using anonymous or pseudonymous data wherever possible, by supporting the development of PETs and their use by data controllers and individuals.
The Commission Communication of 31 May 2006, 'A Strategy for a Secure Information Society — Dialogue, partnership and empowerment', acknowledges that diversity, openness, interoperability, usability and competition are key drivers for a secure Information Society, highlights the role of Member States and public administrations in improving awareness and in promoting good security practices, and invites private-sector stakeholders to take initiatives to work towards affordable security certification schemes for products, processes and services addressing EU-specific needs, in particular with respect to privacy.
The Council Resolution of 22 March 2007 on a strategy for a secure information society in Europe invites Member States to give due attention to the need to prevent and fight new and existing security threats to electronic communications networks.
A framework developed at Community level for conducting privacy and data protection impact assessments will ensure that the provisions of this Recommendation are followed coherently across Member States. The development of such a framework should build on existing practices and experiences gained in Member States, in third countries and in the work conducted by the European Network and Information Security Agency (ENISA).
The Commission will ensure the development of guidelines at Community level on information security management for RFID applications, building on existing practices and experiences gained in Member States and third countries. Member States should contribute to that process and encourage private entities and public authorities to participate.
An assessment of the privacy and data protection impacts, carried out by the operator prior to the implementation of an RFID application, will provide the information required for appropriate protective measures. Such measures will need to be monitored and reviewed throughout the lifetime of the RFID application.
In the retail trade sector, an assessment of the privacy and data protection impacts of products containing tags which are sold to consumers should provide the necessary information to determine whether there is a likely threat to privacy or the protection of personal data.
The use of international standards, such as those developed by the International Organisation for Standardisation (ISO), codes of conduct and best practices which are compliant with the EU regulatory framework can help to manage information security and privacy measures throughout the whole RFID-enabled business process.
RFID applications with implications for the general public, such as electronic ticketing in public transport, require appropriate protective measures. RFID applications that affect individuals by processing, for example, biometric identification data or health-related data are especially critical with regard to information security and privacy and therefore require specific attention.
Society as a whole needs to be aware of the obligations and rights that are applicable in relation to the use of RFID applications. The parties that deploy the technology therefore have a responsibility to provide individuals with information on the use of these applications.
Raising awareness among the public and small and medium-sized enterprises (SMEs) about the features and capabilities of RFID will help this technology to fulfil its economic promise while at the same time mitigating the risks of it being used to the detriment of the public interest, thus enhancing its acceptability.
The Commission will contribute to the implementation of this Recommendation directly and indirectly by facilitating dialogue and cooperation among stakeholders, in particular through the Competitiveness and Innovation Framework Programme (CIP) established by Decision No 1639/2006/EC of the European Parliament and of the Council of 24 October 2006 and the Seventh Framework Research Programme (FP7) established by Decision No 1982/2006/EC of the European Parliament and of the Council of 18 December 2006.
Research and development on low-cost privacy-enhancing technologies and information security technologies is essential at Community level to promote a wider take-up of these technologies under acceptable conditions.
This Recommendation respects the fundamental rights and observes the principles recognised in particular by the Charter of Fundamental Rights of the European Union. In particular, this Recommendation seeks to ensure full respect for private and family life and the protection of personal data.
European Union recommendations on RFID
Scope of RFID recommendations
The Recommendation provides guidance to Member States on the design and operation of RFID applications in a lawful, ethical and socially and politically acceptable way, respecting the right to privacy and ensuring protection of personal data.
The Recommendation provides guidance on measures to be taken for the deployment of RFID applications to ensure that national legislation implementing Directives 95/46/EC, 1999/5/EC and 2002/58/EC is, where applicable, respected when such applications are deployed.
Definitions
For the purposes of this Recommendation the definitions set out in Directive 95/46/EC should apply. The following definitions should also apply:
(a) 'radio frequency identification' (RFID) means the use of electromagnetic radiating waves or reactive field coupling in the radio frequency portion of the spectrum to communicate to or from a tag through a variety of modulation and encoding schemes to uniquely read the identity of a radio frequency tag or other data stored on it;
(b) 'RFID tag' or 'tag' means either an RFID device having the ability to produce a radio signal or an RFID device which re-couples, back-scatters or reflects (depending on the type of device) and modulates a carrier signal received from a reader or writer;
(c) 'RFID reader or writer' or 'reader' means a fixed or mobile data capture and identification device using a radio frequency electromagnetic wave or reactive field coupling to stimulate and effect a modulated data response from a tag or group of tags;
(d) 'RFID application' or 'application' means an application that processes data through the use of tags and readers, and which is supported by a back-end system and a networked communication infrastructure;
(e) 'RFID application operator' or 'operator' means the natural or legal person, public authority, agency, or any other body which, alone or jointly with others, determines the purposes and means of operating an application, including controllers of personal data using an RFID application;
(f) 'information security' means preservation of the confidentiality, integrity and availability of information;
(g) 'monitoring' means any activity carried out for the purpose of detecting, observing, copying or recording the location, movement, activities or state of an individual.
Privacy and data protection impact assessments
Member States should ensure that industry, in collaboration with relevant civil society stakeholders, develops a framework for privacy and data protection impact assessments. This framework should be submitted for endorsement to the Article 29 Data Protection Working Party within 12 months from the publication of this Recommendation in the Official Journal of the European Union.
Member States should ensure that operators, notwithstanding their other obligations pursuant to Directive 95/46/EC:
(a) conduct an assessment of the implications of the application implementation for the protection of personal data and privacy, including whether the application could be used to monitor an individual. The level of detail of the assessment should be appropriate to the privacy risks possibly associated with the application;
(b) take appropriate technical and organisational measures to ensure the protection of personal data and privacy;
(c) designate a person or group of persons responsible for reviewing the assessments and the continued appropriateness of the technical and organisational measures to ensure the protection of personal data and privacy;
(d) make available the assessment to the competent authority at least six weeks before the deployment of the application;
(e) once the framework for privacy and data protection impact assessments as set out in point 4 is available, implement the above provisions in accordance with it.
Information security
Member States should support the Commission in identifying those applications that might raise information security threats with implications for the general public. For such applications, Member States should ensure that operators, together with national competent authorities and civil society organisations, develop new schemes, or apply existing schemes, such as certification or operator self-assessment, in order to demonstrate that an appropriate level of information security and protection of privacy is established in relation to the assessed risks.
Information and transparency on RFID use
Without prejudice to the obligations of data controllers in accordance with Directives 95/46/EC and 2002/58/EC, Member States should ensure that operators develop and publish a concise, accurate and easy to understand information policy for each of their applications. The policy should at least include:
(a) the identity and address of the operators,
(b) the purpose of the application,
(c) what data are to be processed by the application, in particular if personal data will be processed, and whether the location of tags will be monitored,
(d) a summary of the privacy and data protection impact assessment,
(e) the likely privacy risks, if any, relating to the use of tags in the application and the measures that individuals can take to mitigate these risks.
Member States should ensure that operators take steps to inform individuals of the presence of readers on the basis of a common European sign, developed by European Standardisation Organisations with the support of concerned stakeholders. The sign should include the identity of the operator and a point of contact for individuals to obtain the information policy for the application.
RFID applications used in the retail trade
On the basis of a common European sign, developed by European Standardisation Organisations with the support of concerned stakeholders, operators should inform individuals of the presence of tags that are placed on or embedded in products.
When conducting the privacy and data protection impact assessment as referred to in points 4 and 5, the operator of an application should specifically determine whether tags placed on or embedded in products sold to consumers through retailers who are not operators of that application represent a likely threat to privacy or the protection of personal data.
Retailers should deactivate or remove at the point of sale tags used in their application unless consumers, after being informed of the policy referred to in point 7, give their consent to keep tags operational. Deactivation of the tags should be understood as any process that stops those interactions of a tag with its environment which do not require the active involvement of the consumer. Deactivation or removal of tags by the retailer should be done immediately and free of charge for the consumer. Consumers should be able to verify that the deactivation or removal is effective.
Point 11 should not apply if the privacy and data protection impact assessment concludes that tags that are used in a retail application and would remain operational after the point of sale do not represent a likely threat to privacy or the protection of personal data. Nevertheless, retailers should make available free of charge an easy means to, immediately or at a later stage, deactivate or remove these tags.
Deactivation or removal of tags should not entail any reduction or termination of the legal obligations of the retailer or manufacturer towards the consumer.
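The Recommendation says what deactivation must achieve but not how it is done. For UHF retail tags the usual mechanism is the Kill command of the EPC Class-1 Generation-2 air interface: a reader that knows the tag's 32-bit kill password permanently silences it, after which the tag no longer answers any inventory round, which is also how a consumer with their own reader can verify the result. The Python below is an added model of that exchange (not code from the Recommendation, from this page or from any tag vendor); it keeps the two-step cover-coding of the real protocol, in which each 16-bit password half is XORed with a fresh random RN16 the tag has just issued, but omits CRCs, handles and timing. EPCs and passwords are constructed. It also models the two failure modes a retailer must plan for: a wrong password, and a tag commissioned with a zero kill password, which per the Gen2 specification can never be killed over the air.

```python
# Added example (not from the Recommendation or the original page): a model of the
# EPC Gen2 Kill command used to deactivate a retail tag at the point of sale.
# Simplified air interface; tag EPCs and passwords below are constructed.
import secrets


class Gen2Tag:
    """Minimal tag state machine: live tags answer inventory, killed tags are silent."""

    def __init__(self, epc_hex, kill_password):
        self.epc = epc_hex
        self.kill_password = kill_password & 0xFFFFFFFF
        self.killed = False
        self._rn16 = None            # RN16 issued to the reader, single-use
        self._first_half_ok = False  # MSB half of the password already accepted

    def inventory(self):
        """Query/ACK round: returns the EPC, or None once the tag has been killed."""
        return None if self.killed else self.epc

    def req_rn(self):
        """Req_RN: hand the reader a fresh RN16 for cover-coding the next password half."""
        if self.killed:
            return None
        self._rn16 = secrets.randbits(16)
        return self._rn16

    def kill_half(self, index, cover_coded):
        """Receive one cover-coded password half (index 0 = 16 MSBs, 1 = 16 LSBs)."""
        if self.killed or self._rn16 is None:
            return "no_reply"
        # Gen2: a tag whose kill password is zero shall not execute Kill, so such a
        # tag cannot be deactivated over the air at all. The retailer must have
        # written (and locked) a non-zero kill password during commissioning.
        if self.kill_password == 0:
            self._reset()
            return "error_kill_disabled"
        expected = (self.kill_password >> 16) if index == 0 else (self.kill_password & 0xFFFF)
        received = cover_coded ^ self._rn16
        self._rn16 = None
        if received != expected:
            self._reset()
            return "error_bad_password"
        if index == 0:
            self._first_half_ok = True
            return "handle_ok"
        if not self._first_half_ok:
            return "error_sequence"
        self.killed = True  # permanent: the tag never backscatters again
        return "killed"

    def _reset(self):
        self._rn16 = None
        self._first_half_ok = False


def reader_kill(tag, password):
    """Reader side of the Kill exchange; returns the tag's final reply string."""
    password &= 0xFFFFFFFF
    halves = ((password >> 16) & 0xFFFF, password & 0xFFFF)
    reply = "no_reply"
    for index, half in enumerate(halves):
        rn16 = tag.req_rn()
        if rn16 is None:
            return "no_reply"
        reply = tag.kill_half(index, half ^ rn16)  # cover-code the half with the RN16
        if reply != "handle_ok":
            return reply
    return reply


def consumer_can_verify_deactivation(tag):
    """What a consumer (or any third party) can check with their own reader:
    a deactivated tag no longer answers an inventory round."""
    return tag.inventory() is None


def deactivate_at_point_of_sale(tag, kill_password):
    """Retailer-side step: issue Kill, then confirm the tag actually went silent."""
    result = reader_kill(tag, kill_password)
    return result, consumer_can_verify_deactivation(tag)


if __name__ == "__main__":
    tag = Gen2Tag("3074257BF7194E4000001A85", 0x5A17C3E9)
    print(reader_kill(tag, 0x12345678), tag.inventory())   # wrong password: tag stays live
    print(deactivate_at_point_of_sale(tag, 0x5A17C3E9))     # correct password: ('killed', True)
    unkillable = Gen2Tag("3074257BF7194E4000001A86", 0)
    print(deactivate_at_point_of_sale(unkillable, 0))       # ('error_kill_disabled', False)
```

The verification step is the part that matters for the Recommendation: a kill that returns an error, or a tag that was never given a non-zero kill password, leaves the product fully readable, so the retailer's process should re-inventory after the kill rather than trust the reader's status alone. The converse risk is also visible in the model: the kill password is the only thing standing between any reader and a permanent denial of service on every tag in a store, so it must be unique per tag (or at least per deployment) and locked, not left at a vendor default.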
Awareness raising actions
Member States, in collaboration with industry, the Commission and other stakeholders, should take appropriate measures to inform and raise awareness among public authorities and companies, in particular SMEs, of the potential benefits and risks associated with the use of RFID technology. Specific attention should be given to information security and privacy aspects.
Member States, in collaboration with industry, civil society associations, the Commission and other relevant stakeholders, should identify and provide examples of good practice in the implementation of RFID applications to inform and raise awareness among the general public. They should also take appropriate measures, such as large-scale pilot projects, to increase public awareness of RFID technology, its benefits, risks and implications of use, as a prerequisite for wider take-up of this technology.
Research and Development
Member States should cooperate with industry, relevant civil society stakeholders and the Commission to stimulate and support the introduction of the 'security and privacy by design' principle at an early stage in the development of RFID applications.
Follow-up
Member States should take all necessary measures to bring this Recommendation to the attention of all stakeholders which are involved in the design and operation of RFID applications within the Community.
Member States should inform the Commission, at the latest 24 months following the publication of this Recommendation in the Official Journal of the European Union, of action taken in response to this Recommendation.
Within three years from the publication of this Recommendation in the Official Journal of the European Union, the Commission will provide a report on the implementation of this Recommendation, its effectiveness and its impact on operators and consumers.