In general simplistic terms, the main components of a radio frequency identification (RFID) infrastructure are a microchip and a reader. The microchip, or tag, consists of an electronic circuit which stores structured information, together with an antenna which communicates such data via radio waves. The reader incorporates an antenna and a demodulator which translates the incoming analogue information from the radio link to digital data which is subsequently processed by a computer.

Deployment of this technology depends on the different technical possibilities which are available on the market to satisfy the various business requirements. In the European sphere, the use of this technology has been taking shape in various sectors, including the aviation and healthcare sectors, retail applications, security and access control.

Whereas some RFID applications exist and do not pose any threat to the privacy of individuals, on the flipside, there are systems which collect information and are directly or indirectly linked to personal data, thus identifying a natural person. This correlation implies that the data controller who is deploying a similar technology is subject to the provisions of the Data Protection Directive and thus must adhere to the privacy principles emanating from the legislation.

A hypothetical scenario would be for a chain supermarket giving out tagged devices to customers, for instance tokens, enabling the operation of shopping carts which customers re-use each time they visit the store. Such a mechanism would permit the store to set up a file, using the identification number stored in the tagged device, enabling it to monitor which products an individual (identified by the token) purchases, how often such products are used and in which of the stores the consumer makes the purchase.

The store could make inferred assumptions about an individual’s income, health, lifestyle and buying habits. This information could be used for various decision-making exercises, including but not limited to, marketing practices and dynamic pricing. Since the device would identify the individual when entering the store, the consumer could be targeted with tailored marketing in the light of the recorded habits. In this way, various decisions could be made about that identified individual without his or her informed consent.

The European Commission has recently issued a recommendation on the implementation of privacy and data protection principles in the applications supported by RFID. According to the recommendation, once a framework for privacy and data protection impact assessments is defined and adopted, each member state should ensure that an operator conducts a privacy impact assessment of the RFID application prior to its deployment. Operators will also be required to report the outcome of the privacy assessment to the national data protection authority.

By means of this recommendation, the Commission created a process with the objective to achieve several benefits in terms of the data protection requirements. Given that the privacy assessment favours the ‘privacy by design’ concept, data controllers will be assisted in addressing the privacy and data protection issues before deploying the application. In this manner, data controllers avoid the significant costs, and often unsatisfactory solutions, which might arise when privacy features must be ‘bolted on’ to an already deployed product.

This assessment will also assist the data controllers to address data protection risks in a comprehensive manner. Indeed, the assessment is part of the tools which helps to assess privacy risks and which finds technical and organisational measures to protect personal data against unauthorised disclosure or access. This process does also provide an opportunity to reduce legal uncertainty and avoid the loss of trust from the public that could otherwise burden the data controller when data protection issues are not properly and adequately addressed.

Information from these privacy impact assessments will certainly be a solid tool for the data protection authorities to identify best practices regarding the way data protection is implemented by the industry and in those member states that require prior checking of RFID applications. It may even simplify the process for both authorities and controllers.

The development of such assessments is deemed to be a contributing factor to the competiveness of the European RFID industry by fostering innovative approaches to address data protection and privacy issues, through technologies such as data anonymisation, partial tag deactivation and lightweight cryptography.

Across Europe, there are already similar applications in operation and which process personal information without satisfying the legal requirements set out in the data protection directive. The data protection working party, an independent European advisory body on data protection and of which this Office is a member, has been calling on stakeholders to capitalise on proper data protection advice and grab any opportunity to create assessment tools that can be applied to existing RFID applications.

The main data protection and privacy concerns arising from the use of RFID technology derive from the surreptitious, unwanted individual tracking performed by unauthorised access to the tag’s disclosed information or memory content. As a consequence, the European privacy fora have been discussing this matter for some time in order to install a solid framework on which the sector can operate with due respect to the individual’s right to privacy.

Mr Deguara is the head of the technical unit in the Office of the Data Protection Commissioner.

Sign up to our free newsletters

Get the best updates straight to your inbox:
Please select at least one mailing list.

You can unsubscribe at any time by clicking the link in the footer of our emails. We use Mailchimp as our marketing platform. By subscribing, you acknowledge that your information will be transferred to Mailchimp for processing.