European RFID Guide Sets NFC Privacy Guidelines

The PIA Framework is a guide to how privacy concerns should be accounted for in NFC implementations

The European Commission vice president Neelie Kroes has received a report from the European Network and Information Security Agency (ENISA), industry, and privacy and data protection watchdogs that establishes guidelines to address the data protection implications of smart tags prior to placing them on the market.

The guide is an all-embracing undertaking for governing how implementers handle privacy issues regarding smart tagging using radio frequency identification (RFID) devices. It has particular implications for the manufacturers of mobile phones and computers, plus issuers of smartcards such as the Oyster card and other near-field communication (NFC) payment cards and devices.

Rethinking NFC Implementations

This could cause several smartphone makers, who are already well down the path of introducing NFC technology into upcoming models, to take a sharp intake of breath. Compliance is not mandatory, but ignoring the guidelines could mean breaches of EU data protection laws. Smart tags can be used to track individuals, for example, and therefore could easily contravene the EU Data Protection Directive.

Privacy groups have expressed concern over the security and data protection risks and the possibility of third parties gaining access to users’ location data. There is also the likelihood that smart tags could be used within retail groups to study buying habits of customers without using a more overt customer loyalty scheme, such as those operated by supermarket chains like Tesco.

According to the EC group, which authored the agreement, around 2.8 billion smart tags are expected to be sold in 2011, with about one third of these in Europe. By 2020, this could increase to up to 50 billion connected electronic devices.

RFID tags in devices offer many potential advantages for businesses, public services and consumer products. Examples include improving product reliability, energy efficiency and recycling processes; cutting time spent waiting for luggage at airports; lowering the environmental footprint of products and services; and making payment systems faster using touch-in/touch-out payment pads.

Under the agreement, companies will carry out a comprehensive assessment of privacy risks and take measures to address the risks identified when a new smart tag application is developed. This will include the potential impact on privacy arising from links between the data collected and transmitted and other data. This is particularly important in the case of sensitive personal data such as biometric, health or identity data.

Historic Moment

The publication of The Privacy and Data Protection Impact Assessment (PIA) Framework for RFID Applications has been hailed by Kroes as an “historic moment” because of the breadth of the consultation behind it.

“Your collective commitment will make a significant difference to the way citizens consider RFID and similar technologies throughout the world,” she told the authors. “Industry stakeholders, as well as defenders of the privacy rights of citizens and consumers, can be proud that this was achieved with consensus in such a short space of time.”

The PIA Framework does not try to constrain the use of smart tags but ensures that working practices comply with the EU Data Protection Directive of 1995 and the ePrivacy Directive of 2002.

Work on the report commenced in May 2009 and an initial report was submitted almost a year later. Between April 2010 and the publication this week, the report was discussed and refined to produce a document to meet the concerns and requirements of all involved parties.

“It is obvious that technology evolves faster than legislation. The various parties gathered today have recognised this and decided that this PIA Framework was the most effective and efficient way to protect the privacy of European citizens without stifling innovation when using RFID applications,” Kroes said.

The agreement is seen as a supplemental document that builds on a recommendation adopted in 2009 that governs how consumers buy products with smart tags. This states that the tags should be deactivated automatically, immediately and free-of-charge unless the consumer agrees to commit to the purchase.