Whereas RFID tagging could allow many advantages related to production, tracking and tracing of people, animals and products, it cannot be at the expense of health, security, or the fundamental rights to privacy and data protection.

It seems currently socially unacceptable that citizens would be tracked and traced wherever they go, all the time. If citizens buy and carry products, this could allow indirect tracking and tracing. Clear information, accurate data, protection against abusive access and use of data are a legitimate requirement. Thus it needs to be clear what happens with data that are transferred via RFID from a tag to a reader. How do we know for sure that the data reading is correct, that the data are not hampered with, that someone who is not entitled to read the data does not read it? A data protection framework is already in place in order to protect our privacy. Next to that it is important to understand which RFID technologies may, and which will not affect physical health and safety.

Whereas a wide range of issues has been presented during this workshop, the discussion predominantly focused on privacy concerns and can be summarised as follows.

The debate about privacy and data protection is complex, also since the concept of privacy is not necessarily understood universally in the same way. Concepts are bound by cultural and temporal differences, and affected by trade-offs that occur over time. Although some people would not want to share personal data at request, others are willing to use loyalty cards that register their purchases at their name in return for some discounts or “air miles”. Notwithstanding shifting values, one should still regard technology developments in the light of existing value frameworks.

The trend towards ubiquitous computing and technology convergence leads to seamless integration of the physical world with cyberspace. Automatic participation in an “always on” Internet is not easy to reconcile with existing requirements, such as EU law, or the OECD privacy principles: What is the specific purpose of a given use of technology? What are the limitations to data collection? Is there transparency and control? This could all lead to loss of confidence and trust.

In such an environment, institutional privacy invaders are not the only issue: as both private and public environments become smart, there is a risk of a loss of accountability from all sides. At the same time privacy and data protection concerns are mainly foreseen when there is item level tagging at the consumer side; implementing RFID in a production environment (a closed system) raises fewer concerns.

Moreover, RFID is merely an input technology: a large part of the privacy and data protection issues arise at the application level and in particular at the back-end of it, where databases are amassing and analysing personal data.

Currently, the Data Protection Directive (1995/46/EC) and the Privacy and Electronic Communications Directive (2002/58/EC) address data protection, privacy and to a certain extent, security.

One of the important questions raised at the workshop is, what data carried on RFID tags can be defined as “personal data” (this is being researched by the Article 29 Working Party of Directive 1995/46/EC). As a person can be linked to a RFID serial number (e.g., through the tag in his/her clothes), the distinction between personal data and non-personal data could be blurred. Some speakers were concerned about the consequences following from the application of the aforementioned Directives to systems that use RFID. Participants suggested that the European Commission should clarify through guidance or indeed review regulations that are in place today.

Participants also indicated that the general principles included in existing legislation are general enough to cope with developments such as RFID. Regulation is only valid for a specific timeframe; due to advances in technology regulation can become obsolete and therefore one should be careful with too early or too detailed legislation. At the current early state of development of RFID, many speakers therefore suggested that guidelines and self-regulatory codes of conduct are needed to implement existing privacy framework and work out practical details. These guidelines would also involve consumers. However, participants were afraid of the lack of enforcement options and who should control appropriate use of RFID technology. There may be a role for a consumer ombudsman[1].

Also, the notion of the “privacy impact assessment” (PIA), or privacy threat analysis was introduced by some participants. Some even asked that such an analysis be mandated at EU level. As many operators and users of data-processing systems are not aware of the threats and possible abuses that concern personal data, such a PIA could provide an overview of threats and possible mitigation measures. In Canada, there is reportedly positive experience with privacy impact assessments. Such an approach could also be considered in Europe, although care should be taken that such instruments are also available to SMEs, and not too costly or unduly burdensome. Some even indicated in this context the possible involvement of the European Network Information Security Agency (ENISA).

According to several participants, notwithstanding the organisational and legal safeguards that can be put into place, an important role should be given to the consumers themselves[2]. Research suggests that users do not have sufficient knowledge of privacy-invading possibilities – they believe that technology is generally benign. A major information campaign to inform citizens and SMEs about the full potential (positive and negative) of RFID was strongly voiced.

Citizens are said to want the right to choose, but to do so, they would require a balanced overview of the advantages and disadvantages of the technology so as to be able to make informed decisions. This right to choose would require transparency from the side of the RFID systems operators about what data is captured at what point in time and at what place, and for what purpose. Such transparency would be important to develop trust and cooperation. According to various participants, RFID should be deployed in such a way that the consumer is in control and can either choose to take advantage of the benefits of RFID usage or value the costs higher and prefer to avoid RFID functionality. At the same time, choices should be easy for consumers to exercise: information concerning RFID should be clear, conspicuous and accurate.

Privacy-enhancing technologies (PETs) could provide solutions to some of the issues that may arise in the realm of privacy. Several stakeholders emphasise that privacy can and should be part of the design of the RFID system. Furthermore, it was suggested to build privacy into the design of an application-specific context (both technology and service), as for some applications this enhanced range would not be a problem. Some even pleaded for a mandatory usage of PETs.

Security and Identification

Although security and reliability are important from the RFID users’ (businesses) point of view, the issues in this area were hardly mentioned in the discussions. At this point in time, 100% accurate RFID reading cannot be guaranteed within the operational process of a firm and back-end systems such as databases are always under security threat. More research and development is still required for certain applications. This may not be directly the realm of governmental intervention, but it should be emphasized that RFID is still a set of technologies that are under development.

Furthermore, the fact that RFID is only an enabler may force the European Commission to go beyond the technology per se and focus on digital identity and identification. Looking at the discussions throughout the workshops, many of the issues hinge around the question whether RFID enables identification of a specific person (or animal, or service, although these uses are less contended) and the collection of data. A valid question is if Europe has not a more specific need for security enhancing standards compatible with the cultural importance given to privacy.

Health

At present, Council Recommendation 1999-519-EC concerning the limitation of exposure of the general public to electromagnetic fields (EMF) and Directive 2004-40-EC of the European Parliament and of the Council regarding minimum health and safety requirements for workers together with national regulations are part of the framework to protect human beings against the established adverse health effects that may result as a consequence of exposure to electromagnetic fields. Despite the fact that such health effects have not been demonstrated at this point in time as far as consumer products are concerned (by the numerous studies performed), the “principle of precaution” should continue to prevail in all circumstances and studies and testing must go on. The relatively low power of RFIDs compared to other typical wireless applications (mobile communications, broadcasting, radars, etc.) would imply that the risk profile of RFIDs is probably lower than for most wireless communications products. If RFIDs have specific characteristics (i.e. distinctively different from other wireless applications), this would require to address their potential health effects in any dedicated manner.

Another issue is the impact of RFID on biological pharmaceuticals, and RFID- tagged samples of living tissue. Currently, the effect of RFID-tagged blood bags on the quality of blood is being researched. However, it is under discussion whether the proper scientific approach is used and the outcomes are not yet available. One could also question the impact of RFID on pharmaceuticals. However, in the latter case the question arises whether a public body should pay for such research.

An original presumption was that non-ionising radiation does not affect tissue. However, the research in this field is still at an early stage. It is important that the necessary research is scheduled and takes place, and that there is clear communication on the current state-of-the-art knowledge with regard to the topic to prevent that deployment of RFID and other wireless technologies are not hindered by false information.

Environment and labour practices

During the workshop the environmental impact of a much wider implementation of RFIDs was mentioned as a major concern. Currently, little is known about waste generated by RFID tags.

Furthermore, the workshop addressed the issue of the use of RFID in the workplace[3]. The European Commission said it could not tolerate that data collected by the employer are used in any other ways than formally made known beforehand to the employee. Any misuse of this data would constitute a practice against the current EU laws.

Technology aspects

One of the objectives of European policy is to make Europe a global leader in crucial technological areas. Europe managed to reach that position in the rollout of cellular telephony. Also in RFID use Europe has taken a front-line position. However, at this point in time leadership in technology development has shifted to other countries. In order to not fall further behind, participants called on the European Commission and the EU Member States to support technology research and development.

Although the developments in RFID technology are progressing, there are still issues that need to be further researched regarding hardware reliability, manufacturing, systems integration, sensor network integration, air-interface, and communication protocols.

The vision of an “Internet of Things” is compelling, but many of the foreseen uses are not expected in the near future (according to some participants not in the next 10 years). Therefore, in the Community’s Seventh research Framework Programme (FP7) specific RFID applications could be targeted. For example, implementing RFID (in vehicles moving at higher speed) requires tradeoffs between speed and range, but also speed and reliability, and size, range and power needed. RFID applied at long range will make tags difficult to localise, especially if several items are in the same zone. Also in supply chain management speed versus accuracy is an issue that has not been resolved.

One of the workshop discussion points was that not all RFID issues should be linked to privacy. However, privacy-enhancing technologies, data synchronisation, data harmonisation, data encoding and security were flagged as important areas of research.

Furthermore, some of the participants contend that the RFID technology can and should be improved to encompass privacy requirements. Much advantage could be gained from co-ordination of research at a European level and this is certainly seen as an excellent role for the European Commission.

In summary

Privacy and data protection concerns arise when RFID tags relate to people. Not only when people use RFID tags for identification and access to services, but also when products with RFID tags are transferred to consumers. According to participants, this use can raise serious privacy concerns, but for other applications the issue seems less relevant.

Participants asked that current legislation be examined to see how specific threats to privacy and data protection from RFID applications are addressed while not unduly hindering RFID deployment. Guidelines and self-regulatory codes of conduct may be advisable at this stage.

Further measures may be also needed to protect consumers. There was a strong voice towards informing SMEs and citizens on specific aspects of RFID.

For the development of RFID applications it would be important to consider the privacy and data protection aspects already in the design phase and to consider using PETs. Support for collaborative research and development of RFID at European level can be useful.

[1] An ombudsman is an official, usually (but not always) appointed by the government or by parliament, who is charged with representing the interests of the public by investigating and addressing complaints reported by individual citizens.

[2] For example, several consumer privacy and civil liberty organisations have issued a position paper in November 2003 stating their opposition to item level consumer product tagging at least until appropriate solutions are developed and agreed upon regarding the protection of consumers against the potential risks of RFID technology. One of the organisations endorsing this position paper, the UK Notags participated in one of the workshops organised by the European Commission in May 2006.

[3] The UNI-Europa European trade union federation informed the European Commission in May 2006 that it was preparing a UNI Code of Good Practice for RFID in the workplace. Last year, the UK trade union GMB called on the European Commission to ban the use of RFID and GPS satellite linked wearable computers to tag and track workers in the workplace.