[pic] | COMMISSION OF THE EUROPEAN COMMUNITIES |

Brussels, 15.3.2007

SEC (2007) 312

COMMISSION STAFF WORKING DOCUMENT

Accompanying document to theCOMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS Radio Frequency Identification (RFID) in Europe: steps towards a policy framework {COM(2007) 96 final} RESULTS OF THE PUBLIC ONLINE CONSULTATION ON FUTURE RADIO FREQUENCY IDENTIFICATION TECHNOLOGY POLICY "The RFID Revolution: Your voice on the Challenges, Opportunities and Threats"

Table of Contents

1. Executive summary 3

2. Introduction 6

3. Questionnaire 6

4. Respondents 7

5. General Questions 10

6. RFID Use 12

7. Security, Privacy and Data Protection, and Safety 16

8. Standardisation and Interoperability 20

9. Radio Spectrum 22

10. Research 25

11. How the consultation has been perceived 27

1. Executive summary

An online public consultation on future Radio Frequency Identification (RFID) policy was held from July to September 2006 on the website "Your Voice in Europe" (http://ec.europa.eu/yourvoice). In total, 2190 respondents (citizens, manufacturers, system integrators, academic and scientific institutions, public bodies and regulators, etc.) from all European Union Member States and beyond answered questions on:

- RFID use

- Privacy, Data Protection and Security

- Standardisation and Interoperability

- Radio Spectrum

- Research

The consultation brought into focus the large interest of Europeans in an open debate about RFID and its application. Despite the technical complexity of RFID and the wide variety of issues associated with its development and deployment about 70% of all answers were from 'interested citizens'.

Overall, 60% of respondents feel that there is insufficient information available to make an informed analysis of RFID technologies. There is therefore considerable support for awareness and information campaigns.

Views on whether RFID can improve the lives of Europeans are evenly split. The benefits mentioned include food safety (identification of allergens, more comprehensive information, easier product recalls), healthcare (prevention of drug misuse, authentication) or supply chain management (fewer stocks-out, better after sales service). Privacy, health and environmental risks are among the RFID concerns given.

Privacy

The headline issue for most is privacy. Although the vast majority of RFID applications today only identify goods or track production processes, it is widely recognised that RFID technology can also be used to process personal information collected directly or pooled from various sources. But privacy is seen as being more than just the security of the devices or the protection of the personal data per se (integrity, illegal access, etc.). It extends to the use of personal data in networks; its storage, collection and how it is linked to different sources.

Adequate privacy safeguards therefore are revealed as necessary for the public to accept RFID. For instance, when used in supermarkets, 66% asked for a clear indication of the presence of a tag. There is considerable concern (74%) about the uncontrolled use by employers of RFID to track the movements of workers inside, but also outside of work. However, there is more acceptance of the use of RFID in applications such as the tracking and tracing of dangerous goods.

Respondents believe privacy protection measures will mostly emerge from technological solutions (70%), awareness-raising (67%) and updating of regulations (55%).

Research and technical harmonisation to provide a high level of privacy, based on common standards or guidelines, is seen as desirable by many. Indeed, a clear majority of the respondents believe that research should focus primarily on the development of privacy-enhancing technologies.

Regulatory certainty is sought by industries that wish to deploy RFID and by users. Although comprehensive privacy legislation, based on the general Data Protection directive[1], already exists guided by data protection authorities in all EU Member States, 66% feel that the data protection legislation should be updated to encompass RFID usage, especially as regards personal data. Respondents had little confidence in self-regulation (about 15%).

Some respondents pointed to the risks of diverging legal regimes concerning privacy in Europe, the absence of the technical harmonisation and the consequent risks of legal uncertainty for both industry and users. Some suggested a need for additional guidance from the Article 29 Working Party[2] to specify how existing data protection legislation applies to different RFID sectoral applications. Indeed, it is important to note that the Article 29 Working Party is looking into the matter on how privacy issues are covered by the current legislative framework.

Others proposed to enact specific legislation. For example, item-level RFID tagging may be outside the scope of EU data protection and privacy legislation because there is no direct processing of personal data. Thus, consumer notice, choice and the right to object may require a mandatory feature to "kill" the RFID tag. Finally, 50% support specific risk assessments prior to introducing RFIDs.

Standards, Spectrum and Governance

There was general support for the need for robust standards to ensure the benefits of a wide take-up of RFID technologies and consumer choice, safety and convenience. 68% thought that the European Commission should take a more active role in setting RFID standards, in particular to ensure that standards comply with “European cultures and values”.

A majority (72%) of respondents think that the current allocation of UHF spectrum is sufficient to support the development of RFIDs for up to five or even ten years. However, there is recognition that further allocation may be needed in the longer term and that international standardisation in how the spectrum is used should be pursued.

The governance of RFID databases, especially as the first step towards the Internet of Things, also provokes concern by 86% most of whom call for a system that is transparent, fair and non-discriminatory.

2. Introduction

Radio Frequency Identification (RFID) stakeholders in Europe had the opportunity to let their voice be heard on future RFID policy through an online consultation from 3 July to 30 September 2006, on the website "Your Voice in Europe". To allow a wide consultation the core "citizen interest" questions were translated from English into French, German, Spanish, Italian, Dutch and Polish.

3. Questionnaire

The questionnaire was divided in six main sections: General questions; RFID Use; Security, Privacy, Data Protection and Safety; Standardisation and Interoperability; Radio Spectrum; and Research.

In general, the questions were about the expected benefits, perceived threats and policy responses. The questionnaire was based on the results of a series of workshops organised in the first half of 2006. To have a single questionnaire, while avoiding a long and detailed list of questions, only the general public interest questions were mandatory. The more technical questions were optional.

Several questions allowed multiple answers, therefore the percentages do not always add to 100%. Percentages are based on the response rates to the respective question. The analysis is based on the total number of respondents to each question, regardless of the respondent's profile (industry/organisations, interested citizens), except where indicated. Some "open questions" allowed free text contributions.

A public conference on the results was held on 16 October 2006. This Commission Staff Working Document forms an annex to the Commission's Communication to the European Parliament, the Council, the European Economic and Social Committee, and the Committee of the Regions entitled "Radio Frequency Identification (RFID) in Europe: steps towards a policy framework". Further consultations will take place during 2007, at both national and EU level, with a view to moving towards a concrete policy approach in the near future.

All background documents are available on the Commission’s dedicated website (www.rfidconsultation.eu).

4. Respondents

Of the 2190 respondents, 92% were male (question No. 3). Nearly 65% of responses were from citizens and 15% from industry (question No. 5).

[pic]

[pic]

The respondents were nearly all less than 45 years old: 66% were 25-44 years, rising to 82% when added to the group 18-24 years (question No. 6).

[pic]

[pic]

Germany (43%) and France (24%) provided most of the responses, followed by Belgium, the United Kingdom and Austria (4-5% each). Non-EU countries accounted for 6%, mainly from the United States (question No. 7). For 33% the geographic area of respondent's activity was international (question No. 8).

[pic]

5. General Questions

A clear majority of respondents (about 61%) found that the information available for interested citizens was insufficient to come to an informed judgement on the pros and cons of RFID (question No. 9). As by definition the respondents are all aware of RFID this implies a significant information gap. The level of awareness varied also from one country to another and from one segment of the population to another.

[pic]

Views on the pros and cons of RFID are finely balanced. About 44% of respondents do not see great potential for RFID to improve the life of Europeans (question No. 10), while 41% are positive about it. Amongst different stakeholders (see graph) interested citizens are more sceptical about the positive aspects of RFID than industrial, academic and international organisation respondents.

[pic]

[pic]

Over half (52%) are aware of the efforts conducted by the existing forums to develop "fair information principles" and RFID best practices (question No. 11). This confirms that there is already a fair level of awareness of RFID in Europe but it also means that half are unaware which institutions shape the international debate on RFID.

[pic]

More than half of all the respondents answered the open question regarding the adequacy of current European Union data protection and privacy legislation to deal with privacy and/or security concerns about RFID (question No. 12). Approximately two-thirds feel that current legislation is inadequate and that existing laws should be modified to strengthen the protection of personal data and privacy, and to introduce proper safeguards. Also awareness raising and consumer education in the context of RFID deployment and its wide implications would be welcome.

Pointing out that the deployment of RFID technology might lead to more surveillance many suggest that RFID tags should be clearly and visibly marked, and 'kill' commands should be introduced. Although for many the anonymous use of RFID is sufficient. On the other hand, according to the majority self-regulation/industry guidelines are insufficient.

6. RFID Use

The consultation survey results indicate mixed views on the value of RFID for society and on how proactive the Commission should be in promoting RFID.

Although, a clear majority (65% out of 2190) consider that the European Commission does have a role to play in promoting the implementation of the technology, about 35% said the European Commission should not stimulate the take-up of RFID technology (question No. 13).

[pic]

Again, although many (45%) have a positive view on the use of RFID-based solutions in healthcare environments (question No. 14), almost as many (40%) have a negative view.

[pic]

[pic]

Overall, people are still uncertain about RFID and its potential impact on their lives. Furthermore, a breakdown by stakeholder categories shows again citizens being less favourable than international, industrial, and academic organisations (see graph).

There is clearer support for security applications (question No. 15) such as in identifying and tracing "light weapons and other dangerous products" (48% in favour), or "products that require a high reliability" (45%), or "authentication of pharmaceutical products”. Even so, 28% consider that the European Commission should have no role to play in this respect.

[pic]

Regarding the idea of European level harmonisation (question No. 16) the two top ranked fields are intermodal transport systems, container and shipment tracking systems, and the identification and tracking of pharmaceutical products in different Member States, cited in about 64% of 1351 responses to the question.

[pic]

Of 871 responses to the open question No. 17 on whether the European Commission should encourage Member States to define a legal, technical and organisational framework against counterfeiting, 47% were in favour but 33% were against all government intervention in the area, citing views such as:

- Combating counterfeiting is not the responsibility of governments as it is in the interest of the companies that make economic advantage out of it (luxury goods, pharmaceuticals…);

- The fight against counterfeiting is endless. Each solution would be bypassed by an intelligent counterfeiter. No taxpayers' money should be lost on this.

- Solutions would always result in misuses, tracking movements, rightly of wrongly, of people and surveillance would not be far behind.

[pic]

Even positive views on RFID-based anti-counterfeiting were coloured by scepticism on such measures due to doubts about their effectiveness and cost, the need to restrict use to ensure safety, e.g., pharmaceuticals or critical components of airliners. The dangers of abuses of data were also cited.

7. Security, Privacy and Data Protection, and Safety

Of the 2014 respondents that answered question No. 18, 70% believe that technical solutions to disable RFID tags were the best way to reduce security, data protection and privacy concerns. This was closely followed by support for awareness-raising campaigns to educate consumers (67%), and legislation regulating RFID (55%). A minority (15%) mention a preference for self regulation and best practices based on "fair information principles".

[pic]

Of 1984 respondents to question No. 19, two-thirds thought that RFID product tags in supermarkets should be automatically de-activated at the point of sale. Other solutions, i.e. a removable sticker attached to the product itself and a "proximity tag" with a very short reading distance – are favoured by 51% and 44% of respondents, respectively. One quarter of all respondents preferred the RFID tag to be part of the product's packaging.

[pic]

The open question No. 20 concerning the maximum reading distance, which could be considered as acceptable for "proximity tags", received answers from 1342 respondents (60%). About 10% do not consider the concept of "proximity tags" as a valuable solution to preserve privacy. A variety of arguments are brought forward, e.g., "inappropriate for certain applications"; "useless because of the discrepancies between specified and real reading ranges"; "difficult to enforce", "consumers should be notified".

About half found that a single fixed distance for all RFID application domains was a valid (complementary) solution to preserve privacy. Suggestions for non-privacy invasive reading distances range from "less than 0.1cm" up to "above 10 metres". But the strong majority consider a generic reading distance of up to 10cm as acceptable for such proximity tags.

Over a third consider proximity tags to be a valid (complementary) solution to preserve privacy only if different reading ranges are observed. Personal data (e.g., e-passports) are placed in the shortest reading range, whereby a large majority proposes reading ranges close to contact (from less than 1cm to 10cm).

Regarding compulsory question No. 21 on how the RFID application provider should treat security, data protection and privacy issues, three options gather strong support from the respondents:

- Selecting RFID systems that provide appropriate security and privacy mechanisms (68%);

- Managing security and privacy properly throughout the whole RFID-enabled business process (59%);

- Conducting a risk assessment prior to the technology deployment (51%).

[pic]

[pic]

A majority (74%) say they feel concerned about the right of employers to undertake RFID-enabled monitoring of their workforce (question No. 22). They seem to fear that RFID potentially offers employers the opportunity to track them throughout, and even beyond, the working day (e.g., with RFID tags placed in uniforms or labels).

[pic]

More than half of 1989 respondents who answered question No. 23 believe that privacy-enhancing technologies should be made mandatory in RFID applications. Such positions were supported by several experts during the workshops that privacy should be part of the design of an RFID system.

[pic]

Regarding notification techniques (question No. 24), 56% prefer third party certification while 44% would prefer direct notification by the RFID user.

8. Standardisation and Interoperability

On compulsory question No. 25, two-thirds of the respondents strongly agree (41%) or agree (27%) that the European Commission should stimulate and support initiatives that lead to global harmonisation of RFID standards. Only 17% disagree, 12% are neutral and 3% "don't know".

[pic]

Of the 1624 responses to question No. 26 78% think that the European Commission should take a more active role in setting RFID standards. Among the options proposed (question No. 27), there was a clear preference for assessing whether standards are in compliance with European cultures and values (61%), followed by "support to the development of certification services" and "mandate standards" (about 38% each). 25% say that EU standards should be aligned with those of other regions of the world.

[pic]

[pic]

9. Radio Spectrum

Of the 1531 respondents answering question No. 29 concerning the proposed EC Decision on UHF spectrum harmonisation, 64% say that this regulatory action is sufficient to provide a favourable environment for the initial deployment of UHF RFIDs. Among those, 42% believe that industry can operate reasonably on this basis for between three and five years (question No. 30). And a further 30% saw the period as five to ten years. Only 28% consider that the risk of congestion might appear in less than three years.

[pic]

[pic]

Around two thirds think that additional UHF spectrum will eventually be needed as RFID becomes ubiquitous (question No. 31).

[pic]

There were 327 responses to the subsequent question No. 32 on the best candidate spectrum bands for extension when UHF becomes saturated and the level of global compatibility/coordination required. 18% said that spectrum allocation can only be decided on the basis of the situation when congestion occurs. Others felt that power levels could be reduced to reduce congestion.

There were few (49) responses to the range of future bandwidth needs. Half expect an extension of the current UHF band will offer the best option. 22% expect a future in the 2.4GHz spectrum domain, and 16% see a future in the high frequency band (13 – 27MHz). In any case about 65% were convinced that worldwide spectrum harmonisation should be promoted.

[pic]

[pic]

Question No. 33 about further macro-economic and societal impact assessments of RFID applications for deriving associated spectrum requirements was answered by 59% (1294 respondents). Of these, 65% preferred a combination of all three options (i.e. research project, study, industrial cooperation).

10. Research

About 60% answered the questions about research. Three-quarters of respondents to question No. 34 (i.e. 1242 replies) believe that the European Commission should prioritise the development of privacy-enhancing technologies such as encryption and authentication. The next preferred option is the development of innovative applications and services (40%).

[pic]

Question No. 35 about small and medium-sized enterprises (SMEs) was answered by 75% of respondents. More than half of those either agreed (32%) or strongly agreed (22%) that the European Commission should support SMEs by investing in awareness-raising campaigns, in establishing vendor-independent competence and training centres, and/or in promoting the development of RFID applications based on identified best practices.

[pic]

83% answered question No. 36 on the governance model of the emerging "Internet of Things". 86% of these strongly agree (61%) or agree (25%) that such a governance model should be built on transparent, fair and non-discriminatory international principles, free of commercial interest.

[pic]

11. How the consultation has been perceived

The final open question No. 37 “Do you have comments on any other aspects which are not covered in the above questionnaire” generated 538 answers.

On the societal implications, few have high expectations about the benefits of RFID for European industry and citizens. Rather, the large majority feel that the large-scale deployment of RFID technology will result in “excessive surveillance and massive privacy violation”, “collection of data about consumers in order to control their purchasing patterns”, and “a big brother society”.

Overall, the majority were in favour of continuing the public discussion on privacy and security issues, feeling that insufficient time has been allocated to this discussion before moving ahead to use RFID in sensitive applications. For example, several respondents complain that the deployment of RFID technology is going too fast, e.g., “ The Dutch government has decided to make an RFID card mandatory in public transport along with putting it in our passports ”).

In the same way, some felt that the majority of questionnaire was biased toward certain answers, in particular, to speed up the roll out of RFID technology without seriously addressing the security and privacy issues.

A number of issues of public interest were proposed for further study and debate:

- Governance (e.g., “The primary naming system should use the DNS system without any intermediate entity or database for central tracking and surveillance”),

- Health (e.g., “The EU should promote the development of studies to determine and ensure levels of safe use of RF systems”),

- The environment (e.g., "Please take a look at recycling / environmentally safe disposal of RFID tags and devices"),

- Implants (e.g., “It should not be legally allowed to implant RFID tags in living humans”).

On industrial and technical matters: some argue that RFID technology provides an important new way to allow software to be ‘aware’ of the real world, which implies major challenges for software engineering. Others stress the need to stimulate real large-scale pilots to test and demonstrate the technology.

Other issues raised by the respondents include:

- Intellectual Property Rights (e.g., “If IHF is promoted in EU, European companies have to pay a lot of royalties”),

- Open source (e.g., “The EU should support open source/free software implementations of readers in order to ensure more transparency in the RFID world”).

- The need for support to bi frequency HF/UHF systems and questioning of the “Listen Before Talk” technique for managing spectrum use, which is seen to unduly limit some applications.

Perception of the questionnaire was generally good (question No. 38), within a response rate of 83% (1826 replies). 65% had their expectations met, with reservations mainly regarding specific challenges of RFID use (e.g., privacy, use in the workplace, health effects of electro-magnetic fields).

[pic]

Among the 33% (732 replies) who stated why their expectations were not met (question No. 39), one third consider that the questionnaire was either irrelevant in content, too difficult to understand (33%) or too general (32%). The option "irrelevance in content" was highly correlated to strong opponents of RFID.

12. Additional comments

In addition to multiple-choice questions, respondents also had the chance to answer freely. This possibility was given in different specific questions, e.g., " If yes, would you say that the European Commission should … " as well as to the whole questionnaire (" Do you have comments on any other aspects which are not covered in the above questions and which you consider to be important "). The available space in the questionnaire was limited, but the respondents had also the possibility to e-mail further comments – which some did.

Overall there were many interesting additional contributions, which will be considered in the Commission's further activities. The table below lists those contributions that are available online on the Commission's RFID website (http://www.rfidconsultation.eu).

Organisation | Website |

ASDA | http://www.asda.co.uk/ |

BITKOM | http://www.bitkom.org/ |

Carrefour | (http://www.carrefour.com/ |

European Federation of Pharmaceutical Industries and Associations (EFPIA) | http://www.efpia.org |

European Information, Communications and Consumer Electronics Technology Industry Associations (EICTA) | http://www.eicta.org/ |

EPCglobal | http://www.epcglobalinc.org/ |

European Express Association (EEA) | http://www.euroexpress.org/ |

European Telecommunications Network Operators’ Association (ETNO) | http://www.etno.be/ |

EuroCommerce | http://www.eurocommerce.be/ |

FoeBuD e.V. | http://www.foebud.org/ |

Informationsforum RFID | http://www.info-rfid.de/ |

Intel Corporation | http://www.intel.com/ |

Michelin | http://www.michelin.com/ |

NXP | http://www.nxp.com/ |

Telecom Italia | http://www.telecomitalia.it/ |

U.S. RFID Intra-Government Working Group | http://www.dodrfid.org/intragov/intragov.htm |

The European Commission services, and in particular the Unit "Networked Enterprise and Radio Frequency Identification (RFID)" of the Directorate General Information Society and Media, encourage interested parties to continue contributing to the definition of a RFID policy at EU level. For this purpose please refer to the Commission's RFID website: http://www.rfidconsultation.eu.

Annex: Summary of responses to each question

No. | Topic | Type | # replies |

Compulsory questions |

4 | E-mail address | compulsory | 2190 |

5 | Stakeholder type | compulsory | 2190 |

7 | Country of establishment | compulsory | 2190 |

9 | Sufficiency of information | compulsory | 2190 |

10 | Potential for improving citizens' life | compulsory | 2190 |

11 | Awareness of RFID forums | compulsory | 2190 |

14 | Promoting RFID in healthcare | compulsory | 2190 |

15 | Identification and tracing | compulsory | 2190 |

21 | Security, data protection and privacy from the application provider's perspective | compulsory | 2190 |

22 | RFID use at workplace | compulsory | 2190 |

24 | Informing RFID end-users | compulsory | 2190 |

25 | Global harmonisation of standards | compulsory | 2190 |

Optional questions |

26 | EC setting RFID standards | optional | 2078 |

6 | Age group | optional | 2050 |

18 | Security, data protection and privacy | optional | 2014 |

23 | Privacy Enhancing Technologies | optional | 1989 |

19 | RFID tags in supermarkets | optional | 1984 |

8 | Geographical area of activity | optional | 1895 |

38 | Questionnaire's perception | optional | 1826 |

36 | Governance models for the "Internet of Things" | optional | 1825 |

3 | Gender | optional | 1674 |

34 | Priority research topics | optional | 1667 |

27 | EC's role in setting standards | optional | 1664 |

35 | Supporting SMEs | optional | 1644 |

29 | EC Decision on UHF spectrum harmonisation for RFIDs | optional | 1531 |

16 | European harmonisation | optional | 1351 |

20 | "Proximity tags" | optional | 1342 |

31 | Additional UHF spectrum | optional | 1342 |

33 | Impact assessment of long term spectrum needs | optional | 1294 |

12 | Current EU's privacy protection law | optional | 1244 |

1 | Last name | optional | 1063 |

2 | First name | optional | 1057 |

30 | Sufficiency of current RFID UHF bandwidth | optional | 1018 |

17 | Anti-counterfeiting | optional | 871 |

39 | Expectations | optional | 723 |

28 | Regulatory information on tags | optional | 583 |

37 | Other comments | optional | 538 |

13 | Stimulating implementation | optional | 345 |

32 | Future availability of sufficient spectrum | optional | 331 |

[1] The full title of this directive is Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

[2] The Article 29 Working Party is the independent EU Advisory Body on Data Protection and Privacy established by Article 29 of Directive 95/46/EC. Its tasks are laid down in Article 30 of Directive 95/46/EC and in Article 14 of Directive 97/66/EC.