27.10.2007   

EN

Official Journal of the European Union

C 256/66


Opinion of the European Economic and Social Committee on ‘Radio Frequency Identification (RFID)’

(2007/C 256/13)

In a letter dated 26 February 2007, the European Commission asked the European Economic and Social Committee, under Article 262 of the Treaty establishing the European Community, to draw up an opinion on: Radio Frequency Identification (RFID).

The Section for Transport, Energy, Infrastructure and the Information Society, which was responsible for preparing the Committee's work on the subject, adopted its opinion on 19 June 2007. The rapporteur was Mr Morgan.

At its 437th plenary session, held on 11 and 12 July 2007 (meeting of 11 July), the European Economic and Social Committee adopted the following opinion by 138 votes to 1 with 6 abstentions.

1.   Conclusions and recommendations

1.1

Radio Frequency Identification (RFID) is a significant technology which will become very important over time. Its present and future applications have the potential to positively improve a wide range of business processes in both the public and private sector and to bring significant benefits to both individuals and enterprises. It also has the potential to stimulate a massive development in internet applications, making possible what a UN Agency has described as the ‘Internet of Things’. However, unless RFID is very carefully controlled, it also has the potential to violate personal privacy, destroy civil liberties and threaten the security of individuals and enterprises.

1.2

The full title of this Communication is ‘Radio Frequency Identification in Europe: steps towards a policy framework’. The Commission has already held a wide ranging consultation which provided the basis for the Communication. The EESC is now invited to provide an exploratory Opinion. On the basis of the responses to the Communication the Commission will make a Recommendation to Member States at the end of the year. Any legislation, which would take longer, will come later. In effect then, this Opinion should focus on the content of that Recommendation.

1.3

To help with the formulation of its Recommendations the Commission has decided to establish a Stakeholders Group as a sounding board. The EESC would welcome an opportunity to present this Opinion to the Stakeholders Group.

1.4

The EESC endorses the actions proposed by the Commission in the domains of Radio Spectrum, Standards, Health, Safety and the Environment. We highlight the urgency of establishing an effective industrial contribution to the Standards forum.

1.5

Since the Commission will be publishing its Recommendations to Member States at the end of this year it is reasonable to suppose that it will accept the data security and privacy infrastructure as it is today. In particular, this suggests that the Data Protection bodies which already exist in each Member State will become the responsible Authority for RFID privacy and data protection issues. These issues are the focus of this Opinion.

1.6

The threats to privacy and civil liberties posed by RFID are profound:

RFID tags can be embedded into/onto objects and documents without the knowledge of the individual who obtains these items. As radio waves travel easily and silently through fabric, plastic and other materials, it is possible to read RFID tags sewn into clothing or affixed to objects contained in purses, shopping bags, suitcases and more.

Electronic Product Code could enable every object on earth to have its own unique ID. The use of unique ID numbers could lead to the creation of a global item registration system in which every physical object is identified and linked to its purchaser or owner at the point of sale or transfer.

RFID deployment requires the creation of massive data bases containing unique tag data. These records could be linked with personal identifying data, especially as computer memory and processing capacities expand.

Tags can be read from a distance, not restricted to the line of sight, by readers that can be incorporated invisibly into nearly every environment where human beings congregate. Readers can be embedded into floor tiles, woven into carpeting, hidden in doorways and concealed in shelving, making it virtually impossible for an individual to know when he or she is being scanned.

If personal identity is linked with unique RFID tag numbers, individuals can be tracked or profiled without their knowledge or consent.

It is possible to envisage a world where RFID readers form a pervasive global network. Such a network would not need readers everywhere. Congestion charging in London can track all cars entering central London with a relatively few strategically located cameras. A network of strategically located RFID tag readers could be constructed in the same way. It must not be allowed to happen.

1.7

The implications of these threats are as follows:

RFID users must make public their policies and practices and there should be no secret databases of personal information.

Individuals have a right to know when items in the retail environment contain RFID tags or readers. Any tag reading which takes place in a retail environment must be transparent to all parties.

RFID users must give notice of the purposes for which tags and readers are used. The collection of information should be limited to that which is necessary for the purpose in hand.

RFID users are responsible for the implementation of the technology and are responsible for operating within the data security laws and guidelines. They are also responsible for the security and integrity of the system and its database.

1.8

How these principles should be put into practice is a moot point. Ideally, any business involved in business-to-consumer transactions, such as retail, ticketing, access controls or transport services would give customers a form of guarantee that these principles will be followed, a type of customer charter. Conceptually such a charter could incorporate all the data protection principles of good practice detailed in paragraph 4.5. In addition, the EESC proposes the following guidelines:

(a)

Merchants should be prohibited from forcing or coercing customers into accepting live or dormant tags in the products they buy. Options could include attaching tags to packaging or using removable tags analogous to price tickets.

(b)

Customers should be free to remove or disable any tags on items in their possession.

(c)

RFID should not, in principle, be used to track individuals. Human tracking is inappropriate, whether through, for example, clothing, goods, tickets or other items.

(d)

RFID should never be used in a way which could eliminate or reduce anonymity.

(e)

The responsible authority should give clear guidance that (c) and (d) will only be admissible in exceptional circumstances and with prior formal notification to the Authority.

1.9

Certain exceptions to the above guidelines may be contemplated when:

Private individuals exercise the option to keep tags alive for their personal convenience.

Private individuals give their consent to being tracked in critical environments such as highly secure public and private establishments and institutions.

Private individuals choose to use applications which will locate them and identify them in the same way as they are already located and identified by the use of mobile phones, ATM cards, internet addresses, etc.

Any such exceptions should be notified to the responsible authority.

1.10

RFID is not a mature technology so we do not yet understand its full potential. On one hand it may deliver inconceivable benefits to our technological civilisation, on the other hand it may be the greatest technological threat yet to privacy and liberty. The EESC believes that applications of RFID should be developed according to a strict code of ethics in respect of privacy, liberty and data security but that, given the necessary safeguards, application development should continue.

1.11

In conclusion, where RFID applications are permitted, the implementation should be fully transparent to everyone involved. Applications to improve the handling of goods are generally acceptable. Applications involving the tagging of people are generally not acceptable except in transient environments. Applications which link people to goods may be acceptable for marketing purposes. Applications which identify people via the goods they have purchased are generally unacceptable. Moreover, some applications are inappropriate in a free society and should never be permitted. The imperative need to preserve privacy and anonymity must be the core of the Recommendation by the Commission to the Member States.

2.   What is RFID and why does it matter?

2.1

RFID is a technology that allows automatic identification and data capture by using radio frequencies. The salient features of this technology are that it permits the attachment of a unique identifier and other information — using an electronic tag — to any object, animal or even a person, and allows this information to be read through a wireless device.

2.2

The tags themselves consist of an electronic circuit which stores data, and an antenna which communicates the data via radio waves. An RFID reader interrogates the tags to obtain the information stored. When the reader broadcasts radio waves, all the tags within range will communicate. Software is required to control the reader and collect and filter the information.

2.3

There are different types of RFID systems available. Tags can be either active or passive. Active tags contain an on-board battery to drive the internal circuitry and to generate radio waves; they can broadcast even in the absence of an RFID reader. Passive tags are powered using the energy of the radio wave transmitted by the reader and do not have their own power supply. Tags may be ‘read-only’ or ‘read-write’. Read-only tags are cheaper to produce and are used in most current applications.

2.4

The range of an RFID system depends on the radio frequency, the power of the reader and the material between the tag and the reader. It can be up to a few meters for passive systems but in excess of 100 meters for active systems.

2.5

RFID is the bottom rung of the wireless technology hierarchy. Ranked by the distance that the signals travel, the top position is held by satellite communication systems such as GPS. This is followed by wide-area mobile phone technologies such as GSM and GPRS, then shorter range signals within buildings such as Wi-Fi, then personal networks such as Bluetooth and, finally, RFID. Each of these technologies is discrete and self contained so that, for example, there is no risk of satellite systems reading RFID tags. Even so, data can be transferred between the various systems by devices such as cellular phones.

2.6

The following are some examples of the potential benefits of RFID applications:

for the individual it can mean safety (e.g. food safety, health care, anti-counterfeiting), convenience (shorter check-out queues, improved airport baggage handling, automated payment) and improved patient care, especially for chronic illnesses such as dementia;

in transport it is expected to improve efficiency, security and service quality for people and goods;

in healthcare, RFID has the potential to increase the quality of care and patient safety, and to improve medication compliance and logistics. Work is under way to put RFID tags on individual pills;

in retail it could help to reduce supply shortages, inventory levels and theft;

in many industries where counterfeiting is prevalent, the use of RFID may help pin point where illicit goods enter the supply chain;

RFID tagging may also help improve the sorting and recycling of product parts and materials with positive results for waste management and sustainable development.

2.7

Many aspects of RFID use are illustrated by its application to the life cycle of books. The sheer number of books in print creates a logistical nightmare for publishers, distributors, libraries and retailers. Apart from the supply chain logistics, there is a need to track books once they have been shelved so that they can be both located and replaced. In addition, libraries need to control the loan cycle while purchasers may have difficulty keeping track of their own books. RFID tags on books provide a solution to all these problems. The control of lending library loans will have an analog in any other application where items are recycled or rented.

2.8

To illustrate the nature of the threats inherent in this technology, here is the abstract of an IBM patent application (20020615758) from November 2002. It concerns the identification and tracking of persons using RFID tagged items.

‘A method and system for identifying and tracking persons using RFID-tagged items carried on the persons. Previous purchases records for each person who shops at a retail store are collected by point of sale terminals and stored in a transaction data base. When a person carrying or wearing items having RFID tags enters the store or other designated area, an RFID tag scanner located therein scans the RFID tags on that person and reads the RFID tag information. The RFID tag information collected is correlated with transaction records stored in the transaction data base according to known correlation algorithms. Based on the results of the correlation, the exact identity of the person or certain characteristics about that person can be determined. This information is used to monitor the movement of the person through the store or other areas.’

American Express patent application number 20050038718 is along similar lines.

2.9

RFID is clearly much more than an electronic bar code. In the patent application abstract quoted above the key differences are that:

(a)

the tag contains not only the item description but also the discrete item identifier which in turn can identify its purchaser;

(b)

the tag need not be a physical micro chip. The circuits can be directly printed onto most materials such as a garment;

(c)

the tag can stay alive after the sale so that it can be continually re-read;

(d)

the tag readers are not just at the point of sale, they can be anywhere and not just on the premises of the retailer;

(e)

the correlation via a data base introduces new dimensions to data collection, privacy and data security.

2.10

Whether a tag should stay alive beyond the retail checkout is a matter for debate. On the one hand, it is a threat to privacy. On the other hand, it could benefit the purchaser. For example, the possibility of RFID readers in the home could help the organisation of wine cellars, refrigerators, wardrobes and libraries. Logically, therefore, the choice should rest with the individual, but the technology and the application must present him or her with that choice.

2.11

RFID has many more applications than retail product identification. The EESC identity key card is an RFID device. The London underground system uses RFID cards extensively for payment and access. Credit cards will soon incorporate an RFID device for handling low value transactions without a pin code. RFID plaques are used for road tolling and driver identification applications. Access to ski lifts at some European ski resorts is controlled by RFID plaques carried in a pocket of the ski suit. Your rapporteur carries three RFID cards and one RFID plaque on a daily basis. His dog is identified by a sub-cutaneous RFID chip. Such chips are coming into widespread use world-wide for animal tagging to provide traceability in the food chain. It could be just a small step to tagging criminals and problem patients just like dogs.

2.12

The identity card as used by the EESC is a benign RFID application. Identity becomes a far more significant challenge when RFID tags are incorporated into working clothes or uniforms so that the movements of the uniformed person can be continually tracked by scanners located at all key points on the premises. Nevertheless, it must be acknowledged that this can be in certain cases desirable, e.g. for safety purposes. In any case, tracking the location of an individual, if not accompanied by proper safeguards, would be a major invasion of privacy which needs substantial justification and very careful control.

2.13

As a bizarre harbinger of future applications The Economist reports that at the Baja Beach Club in Barcelona the entry ticket into the VIP area is a microchip implanted in the patron's arm. Slightly larger than a grain of rice and enrobed in glass and silicone, the chip is used to identify people when they enter and pay for drinks. It is injected by a nurse under a local anaesthetic. In essence, it is an RFID tag.

3.   Gist of the Communication

3.1

RFID is of policy concern because of its potential to become a new motor of growth and jobs, and thus a powerful contributor to the Lisbon strategy, if the barriers to innovation can be overcome.

3.2

The Commission carried out a public consultation on RFID in 2006, which highlighted the expectations of the technology based on the results of the early adopters but also revealed the concerns of citizens about RFID applications that involve identification and/or tracking of persons.

3.3

Further development and widespread RFID deployment could further strengthen the role of information and communications technologies in driving innovation and promoting economic growth.

3.4

A clear and predictable legal and policy framework is needed to make this new technology acceptable to users. As RFID technology is inherently trans-border, this framework should ensure consistency within the internal market.

3.5   Security, Privacy and Ethics

3.5.1

There are serious concerns that this pervasive and enabling technology might endanger privacy: RFID technology may be used to collect information that is directly or indirectly linked to an identified or identifiable person and is therefore deemed to be personal data; RFID tags may store personal data; RFID technology could be used to track or trace people's movements or to profile people's behaviour. RFID has the potential to be an intrusive technology. Concerns have been raised about infringement of fundamental values, privacy and greater surveillance, especially in the work place, resulting in discrimination, exclusion, victimisation and possible job loss.

3.5.2

It is clear that the application of RFID must be socially and politically acceptable, ethically admissible and legally allowable. RFID will only be able to deliver its numerous economic and societal benefits if effective guarantees are in place on data protection, privacy and the associated ethical dimensions that lie at the heart of the debate on the public acceptance of RFID.

3.5.3

The Community legislation framework on data protection and privacy in Europe was designed to be robust in the face of innovation. The protection of personal data is covered by the general Data Protection Directive (1) which is applicable to all technologies including RFID. The general Data Protection Directive is complemented by the ePrivacy Directive (2). Pursuant to these directives, public authorities in Member States will have to ensure that the introduction of RFID applications complies with privacy and data protection legislation. It may therefore be necessary to provide detailed guidance on the practical implementation of RFID applications and to draw up associated codes of conduct.

3.5.4

Concerning security, a joint effort of industry, Member States and the Commission will be made to deepen the understanding of the systemic issues and related security threats potentially associated with the massive deployment of RFID technologies and systems. An important aspect of the response to the above challenges will be the specification and adoption of design criteria that avoid risks to privacy and security, not only at the technological but also at the organisational and business process levels. Therefore a close examination of the cost and benefits of specific security and privacy-related risks is needed prior to the selection of RFID systems and the deployment of RFID applications.

3.5.5

There are concerns about the openness and neutrality of the data bases that will register the unique identifiers that lie at the heart of the RFID system, the storage and handling of the collected data and its use by third parties. This is an important issue since RFID will create a new wave of internet development which will eventually interconnect billions of smart devices and sophisticated sensor technologies into a global networked communication infrastructure. This new phase of internet development is the ‘Internet of Things’.

3.5.6

The system for registering and naming of identities in this future ‘Internet of Things’ should guard against breakdown or unintended use that could cause havoc. It should not fall into the hands of particular interests that could use these data bases and systems for their own ends. Security, ethics and privacy requirements should be safeguarded for all stakeholders, whether individuals or companies, whose sensitive commercial information is contained in the RFID enabled business processes.

3.5.7

The requirements of both the parties actively involved in setting up the RFID information system (for example business organisations, public administrations, hospitals) and the end users that are subjected to the system (citizens, consumers, patients, employees) must be considered during the design of the system. As end users typically are not involved at the design stage, the Commission will support the development of a set of application specific guidelines (code of conduct, good practices) by a core group of experts representing all parties. By the end of 2007, the Commission will issue a Recommendation to set out the principles that public authorities and other stakeholders should apply in respect of RFID usage.

3.5.8

The Commission will also consider including appropriate provisions in the forthcoming proposal for the amendment of the ePrivacy Directive and will, in parallel, take into account input from the forthcoming RFID Stakeholder Group, the Article 29 Data Protection Working Party and other relevant initiatives such as the European Group on Ethics in Science and New Technologies. On this basis the Commission will assess the need for further legislative steps to safeguard data protection and privacy.

3.5.9

The Commission will closely monitor the move towards the ‘Internet of Things’ of which RFID is expected to be an important element. At the end of 2008 the Commission will publish a Communication analysing the nature and the effects of these developments, with particular attention to the issues of privacy, trust and governance. It will assess policy options, including the possibility of further legislative steps to both safeguard data protection and privacy and address other public policy objectives.

3.5.10

Observations on the issues of Security, Privacy and Ethics are given in section 4 of the Opinion.

3.6   Other RFID Policy Issues

3.6.1

Apart from the whole field of security, privacy and ethics, the other policy issues raised by RFID involve the radio spectrum, standards, health, safety and environmental issues.

3.6.2

Harmonisation of spectrum usage conditions is important to allow easy mobility and low costs. The Commission recently adopted a decision (2006/808/EC) for RFID frequencies in the UHF band. This allocation is deemed to be adequate for the three to ten year horizon but if the need for additional spectrum should arise the Commission will act accordingly, using its powers under the Radio Spectrum Decision (676/2002/EC). The EESC accepts this position.

3.6.3

The streamlined adoption of new ISO international standards and the harmonisation of regional standards are essential for the smooth take-up of services. The relevant European standards bodies — CEN and ETSI — are fully involved. The Commission is calling on these bodies, together with industry, to ensure that the developing standards meet European requirements, with particular regard to privacy, security, IPR and licensing issues. Because industry standards and proprietary patents often advance together the EESC urges the Commission to do what it can to push industry and the standards bodies to move fast to prevent European applications of RFID becoming over dependent on expensive intellectual property owned elsewhere.

3.6.4

Regarding the environment, RFID devices are fully covered by the WEEE and RoHS Directives. On health, there is the potential issue of electromagnetic fields (EMF) associated with RFID devices. EMF related to RFID are generally low in power and so the exposure of workers and the general public is expected to be well below the current standard limits. Nevertheless, in the context of the general increase in wireless applications, the Commission will keep the legal framework under review. The EESC accepts this position.

4.   Observations

4.1

Since the Commission will be publishing its Recommendations to Member States at the end of this year it is reasonable to suppose that it will accept the data security and privacy infrastructure as it is today. In particular, this suggests that the Data Protection bodies which already exist in each Member State will become the responsible Authority for RFID privacy and data protection issues.

4.2

In its communication the Commission has stated that, inter alia, it will establish and consult a new Stakeholders Group. The EESC would like to present this Opinion to that Group.

4.3

The threats to privacy and civil liberties posed by RFID are profound:

(a)

RFID tags can be embedded into/onto objects and documents without the knowledge of the individual who obtains these items. As radio waves travel easily and silently through fabric, plastic and other materials, it is possible to read RFID tags sewn into clothing or affixed to objects contained in purses, shopping bags, suitcases and more.

(b)

Electronic Product Code could enable every object on earth to have its own unique ID. The use of unique ID numbers could lead to the creation of a global item registration system in which every physical object is identified and linked to its purchaser or owner at the point of sale or transfer.

(c)

RFID deployment requires the creation of massive data bases containing unique tag data. These records could be linked with personal identifying data, especially as computer memory and processing capacities expand.

(d)

Tags can be read from a distance, not restricted to the line of sight, by readers that can be incorporated invisibly into nearly every environment where human beings congregate. Readers can be embedded into floor tiles, woven into carpeting, hidden in doorways and concealed in shelving, making it virtually impossible for an individual to know when he or she is being scanned.

(e)

If personal identity is linked with unique RFID tag numbers, individuals can be tracked or profiled without their knowledge or consent.

(f)

It is possible to envisage a world where RFID readers form a pervasive global network. Such a network would not need readers everywhere. Congestion charging in London can track all cars entering central London with a relatively few strategically located cameras. A network of strategically located RFID tag readers could be constructed in the same way. It must not be allowed to happen.

4.4

In the 7th R&D Framework programme the Commission has already given guidance on the ethical application of technology as it affects data security and privacy (‘Guide for Applicants’ for collaborative projects, p. 54) (3). RFID is a prime example of the evolving relationship between technology and the legal right to, or the public expectation of privacy in the collection and sharing of data. Privacy problems exist wherever uniquely identifiable data relating to a person or persons are collected and stored, in digital form or otherwise. Improper or non-existent disclosure control can be the root cause for privacy issues. The most common sources of data that are affected by data privacy issues are health, criminal justice, finance, genetics and location. Location is the key issue for RFID.

4.5

In its guidance (4) on how to deal with data protection and privacy the Commission has laid down eight enforceable principles of good practice. These are that data must be:

Fairly and lawfully processed

Processed for limited purposes

Adequate, relevant and not excessive

Accurate

Not kept longer than necessary

Processed in accordance with the data subject's rights

Secure

Not transferred to countries without adequate protection

These guidelines are wholly appropriate to the privacy and data security issues involved with applications of RFID.

4.6

In the opinion of the EESC, the basic principles of good practice are as follows:

RFID users must make public their policies and practices and there should be no secret databases of personal information.

Individuals have a right to know when items in the retail environment contain RFID tags or readers. Any tag reading which takes place in a retail environment must be transparent to all parties.

RFID users must give notice of the purposes for which tags and readers are used. The collection of information should be limited to that which is necessary for the purpose in hand.

RFID users are responsible for the implementation of the technology and are responsible for operating within the data security laws and guidelines. They are also responsible for the security and integrity of the system and its databases.

4.7

How these principles should be put into practice is a moot point. Ideally, any business involved in business-to-consumer transactions, such as retail, ticketing, access controls or transport services would give customers a form of guarantee that these principles will be followed, a type of customer charter. Conceptually such a charter could incorporate all the data protection principles of good practice detailed in paragraph 4.5. In addition, the EESC proposes the following guidelines:

(a)

Merchants should be prohibited from forcing or coercing customers into accepting live or dormant tags in the products they buy. Options could include attaching tags to packaging or using removable tags analogous to price tickets.

(b)

Customers should be free to remove or disable any tags on items in their possession.

(c)

RFID should not, in principle, be used to track individuals. Human tracking is inappropriate, whether through, for example, clothing, goods, tickets or other items.

(d)

RFID should never be used in a way which could eliminate or reduce anonymity.

(e)

The responsible authority should give clear guidance that (c) and (d) will only be admissible in exceptional circumstances and with prior formal notification to the Authority.

4.8

Certain exceptions to the above guidelines may be contemplated when:

Private individuals exercise the option to keep tags alive for their personal convenience.

Private individuals give their consent to being tracked in critical environments such as highly secure public and private establishments and institutions.

Private individuals choose to use applications which will locate them and identify them in the same way as they are already located and identified by the use of mobile phones, ATM cards, internet addresses, etc.

Any such exceptions should be notified to the responsible authority.

4.9

A class of applications which could be given general exemption is the tracking of people or goods in transient environments. In the air transport environment baggage could be tagged at check in to improve the security and certainty of baggage handling while passengers might be tagged to improve and accelerate on time plane movements and faster security processes. Another application could be the tracking of patients after admission to hospital for operations. The key to acceptability for this class of application would be the certain eradication of the tags at the end of the transient experience.

4.10

RFID is not a mature technology so we do not yet understand its full potential. On one hand it may deliver inconceivable benefits to our technological civilisation, on the other hand it may be the greatest technological threat yet to privacy and liberty. The EESC believes that applications of RFID should be developed according to a strict code of ethics in respect of privacy, liberty and data security but that, given the necessary safeguards, application development should continue.

4.11

In conclusion, where RFID applications are permitted, the implementation should be fully transparent to everyone involved. Applications to improve the handling of goods are generally acceptable. Applications involving the tagging of people are generally not acceptable except in transient environments. Applications which link people to goods may be acceptable for marketing purposes. Applications which identify people via the goods they have purchased are generally unacceptable. Moreover, some applications are inappropriate in a free society and should never be permitted. The imperative need to preserve privacy and anonymity must be the core of the Recommendation by the Commission to the Member States.

Brussels, 11 July 2007.

The President

of the European Economic and Social Committee

Dimitris DIMITRIADIS


(1)  Directive 95/46/EC on the protection of individuals with regard to the processing of personal data.

(2)  Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector.

(3)  http://cordis.europa.eu/fp7/dc/index.cfm?fuseaction=UserSite.CooperationDetailsCallPage&call_id=11.

(4)  Data Protection Directive 95/46/EC Article 6.