EC Sets out Privacy Requirements for Smart RFID Tags

The European Commission Tuesday set a code of conduct for companies using RFID (radio frequency identification) tags that it hopes will safeguard citizens' privacy and allow the quick rollout of the new technology.

Around 2.2 billion RFID tags were sold worldwide last year, a third of them in Europe, and were installed in a wide range of products including shipping containers and smart cards used in highway toll booths.

The Commission expects the use of RFID tags to grow to five times the current level over the next decade, as tags are added to common consumer items such as bus passes, refrigerators and even clothes.

There is "clear economic potential" in using RFID chips to allow communication between objects, said information society commissioner Viviane Reding in a statement. But she added that European citizens "must never be taken unawares by the new technology."

The Commission's code of conduct, which took the form of a formal recommendation to national governments, was welcomed by the industry.

"We now have clarity and a framework in which manufacturers and retailers can begin or expand deployments to deliver the benefits of RFID for consumers in Europe," said Miguel Lopera, chief executive of GS1 EPCglobal, an organization that promotes RFID standards.

Some companies have delayed development of RFID-based applications, knowing that this Commission recommendation was in progress, Lopera said. Consumers now stand to benefit from reduced prices, improved product availability, faster shipments, as well as post-sales benefits such as faster recalls and better repairs," Lopera added.

The Commission's recommendation comes after a lengthy consultation with privacy groups, consumer groups, retailers and makers of the smart chips, and is designed to allay fears that the new tags could be used to track citizens' movements or compromise their data protection.

It lays out four basic principles to protect privacy that all companies using or making RFID chips must respect:

-- The chip inside an RFID-enabled product must automatically deactivate at the point of sale once the product is bought by a consumer, unless the consumer expressly asks for it to remain active. The Commission said there could be exemptions to this "opt-in" system in cases that did not compromise consumer privacy, but only after an impact assessment and after informing the consumer that the chip would continue to work after the item is purchased.

-- Companies or public authorities using smart chips should give consumers clear and simple information so that they understand if their personal data will be used, the type of data collected (such as name, address or date of birth) and for what purpose. They should also provide clear labeling to identify readers, which are the devices that "read" the information stored in smart chips.

-- Retail associations and organizations should promote consumer awareness on products containing smart chips through a common sign to indicate when products use the technology.

-- Companies and public authorities should conduct privacy and data protection impact assessments before using smart chips. These assessments, reviewed by national data protection authorities, should ensure that personal data is secure and well protected.

The Commission's recommendation doesn't specify how RFID tags should be disposed of after being deactivated.

Subscribe to the Business Brief Newsletter

Comments