The European Union Works Out RFID Privacy Legislation
The European Union already has established privacy policies intended to protect citizens' personal data. Now it's looking more closely at radio-frequency identification.
The European Union is exploring ways to protect citizens' privacy with regard to personal data gathered using radio-frequency identification technology.
The union created a working group that in mid-January published its first assessment--Working Document 105. The group is asking individuals to E-mail comments on its findings by March 31 to firstname.lastname@example.org.
The document outlines RFID's potential in a variety of business sectors, including health care, retail, pharmaceutical, and logistics, and calls attention to the need for companies to comply with principles in EU privacy directives whenever personal data is collected using RFID technology. The document also guides makers of RFID tags, readers, and applications, as well as standards bodies, on their responsibility to develop privacy-compliant technology.
Europe already has sweeping privacy laws in place to protect consumers across the continent. For example, retail stores must disclose the presence of RFID tags on products and the presence of readers, how the retailer intends to gather and control the information, the purposes for which the information will be used, who will control the data, how to discard the tag from the product, how to exercise the right to access the information on the tag, and more.
The new working group says it has found other issues with regard to RFID that need to be addressed. RFID technology increases the potential for direct marketing with item-level tagging, since shoppers could be recognized and their movements tracked while in stores, according to the group.
Another concern for the EU working group is the use of applications that link an RFID-enabled plastic card with a consumer's bank-account number to enable payment processing, similar to a credit card, without having to swipe the magnetic strip.
Manufacturers of RFID equipment and applications should be held equally responsible for building tags, readers, and printers that protect consumers' right to privacy, the document states. The group stresses there is a continuing need for further research and development on issues related to encryption that protects personal information on the tags. It wants to make sure the RFID tag doesn't divulge information that would link the consumer with the product the consumer is buying. If the tag is permanently affixed to the garment, for example, the working group says there should be a way the consumer can delete the information written on the RFID tag or cut it out once the garment is paid for.
For passports and other government-issued identification that must not be altered, the working group suggests using standard authentication protocols from the International Standards Organization to encrypt the data and make it unavailable to those without authorization.