23.4.2008   

EN

Official Journal of the European Union

C 101/1

1.

On 15 March 2007, the Commission adopted a Communication on Radio Frequency Identification (RFID) in Europe: steps towards a policy framework (1) (further: ‘the Communication’). Under Article 41 of Regulation (EC) No 45/2001, the EDPS is responsible for advising Community institutions and bodies on all matters concerning the processing of personal data. In accordance with this Article, the EDPS presents this opinion.

2.

This opinion must be seen as a reaction of the EDPS on the Communication, as well as on other actions in the area of RFID that have taken place since the adoption of the Communication. These other relevant actions that have been taken into account in this opinion include:

3.

The EDPS welcomes the Commission's Communication on RFID as it tackles the main issues arising in the context of the deployment of RFID technology without neglecting the determinant ones related to privacy and data protection. This communication has benefited from consistent and rigorous preparatory works. Indeed, five thematic workshops as well as an online public consultation (9) commissioned by the Commission have preceded this communication.

4.

The EDPS agrees with the view that RFID systems could play a key role in the development of the Information Society usually referred to as the ‘Internet of things’ and he also fully shares the concerns mentioned in paragraph 3.2 of the Communication that RFID systems may threaten individual's privacy and data protection rights. Indeed, in his Annual Report 2005, the EDPS identified RFID together with biometrics, ambient intelligence environments and Identity Management Systems, as technological developments that are expected to have a major impact on data protection.

5.

According to the EDPS, the domestication of RFID technologies and their wide acceptance will not only be reached by their attractive convenience or the new services they offer, but will also be facilitated by the benefits of well-tailored and consistent data protection safeguards.

6.

In short: the EDPS qualifies RFID as a fundamentally new technological development, rightly referred to in the Commission's Communication as the gateway to a new phase of development of the Information Society.

7.

This development raises important questions in different areas, one of which is the area of data protection and privacy. This opinion of the EDPS is limited to this area.

8.

This opinion is in particular focused on the possible consequences of these developments for data protection and privacy. These consequences are at the moment uncertain, also due to the fact that the development of RFID-systems and their domestication are in full progress and that it is in no way clear where these developments will end.

9.

In this perspective, the EDPS takes the following approach:

10.

By taking this approach, the EDPS aims to promote that the development of RFID-systems and their domestication will take account of justified data protection and privacy concerns.

11.

Despite the fact that — as said — the developments are in full progress and the outcome is uncertain, it is very well possible to describe the main characteristics of these developments with a view to their consequences for data protection.

12.

In assessing the potential data protection and privacy aspects of RFID technology, it is highly relevant to not only consider RFID tags alone, but the overall RFID infrastructure: the tag, the reader, the network, the reference database and the database where the data produced by the association tag/reader are stored. As is briefly underlined in the introduction of the Communication, RFIDs are not just ‘electronic tags’ and therefore data protection issues will not be exclusively limited to tags, but extend to all parts of the overall RFID infrastructure. Indeed, each of these elements has a role in contributing to the implementation of the European data protection legal framework when it is required. They will be fuelled by the main trends within the developing Information Society, such as an almost unlimited bandwidth, ubiquitous network connections and an endless storage capacity.

13.

Notwithstanding the need for a wider approach as emphasised in the preceding paragraph, various reasons justify focussing first on the use of RFID in item level tagging in consumer products like the retail sector. The obvious one is its foreseen increased use, which seems to be moving towards its widespread application. As opposed to other RFID applications with narrow or limited use, item level tagging has the potential to become a mass market application. Already now many consumer products are equipped with a RFID tag. Linked to this is the fact that such use will affect a huge number of individuals whose personal data are likely to be processed each time they acquire a product in which a RFID tag is embedded.

14.

Specific attention should be given to the consequences of RFID tagging for the owners of items. RFID systems might stretch out the relationship between an item and its owner. Once this relationship is stretched out, the owner can be scanned and classified as ‘low budget’ or ‘attractive target’ for future transactions; excessive one-to-one attribution (10) might be conducive to automatic ‘punishment’ of certain behaviour (recycling obligation, waste, etc.). Individuals should not be subject to the process of adverse automated decisions. Catalysed by this RFID ability, the risk increases that the Information Society moves closer to a situation where automated decisions will be taken and where technology will be abused in order to regulate the human behaviour.

15.

The data stored in or produced by an RFID tag, can be personal data as defined in Article 2 of the Data Protection Directive. For example, smartcards used for travel may contain identification information as well as information about the holder's recent journeys. If an unscrupulous individual wanted to track individuals, it would be sufficient to strategically place readers which would provide information about the movements of card holders, thus violating their privacy and personal information.

16.

Similar privacy threats could happen even if the information stored in the RFID tag would not include names of individuals. RFID tags contain unique IDs attached to consumer products: if each tag has a unique ID, such identification can be used for surveillance purposes. For example, if someone wears a watch that carries an RFID tag containing an ID number, this could also serve as a unique identifier for the wearer of the watch, even if his identity is not known. Depending on the way the information is used — and put in relation with the watch itself or the individual — the Directive could apply or not. It would apply, for instance, if information is generated about the whereabouts of individuals that is likely to be used to monitor their behaviour, or for example for price differentiation, denying access, or unwanted exposure to publicity.

17.

In this context, it is necessary to ensure that RFID applications are deployed with the necessary technological measures to minimise the risk of unwilling disclosure of information. Such measures may include the requirement to design the RFID infrastructure, particularly RFID tags, in a way that prevents such an outcome. For example, RFID tags can be deployed with a ‘kill command’ allowing their deactivation. This option will be further discussed in Chapter IV of this Opinion.

18.

By offering the possibility to track products after the point of sale, RFID systems introduce new issues in the privacy debate. Indeed, two elements will have to be taken into account in the analysis of their impact: how personal the item is considered to be, and the mobility of the item (11).

19.

The life cycle of an object might also complement the required risk analysis and contribute to the quantitative assessment of the potential threats regarding privacy. Considering the fact that a tag may not be deactivated, an end-user product with a long life cycle will be able to gather more related data from the owner of the product and build a more accurate profile. On the other hand, a short life cycle of an item like a can of soda from its production until its recycling step might present fewer risks and could request therefore lighter measures than a product with a much longer life cycle.

20.

In order to better understand the consequences of RFID-systems for privacy and data protection, five basic privacy and security issues can be distinguished.

21.

The first issue is identification of the data subject. More than sixty years ago, the purpose of the RFID tag was to ‘Identify the Friend or Foe’ coming. Today RFID systems can not only identify general elements of an object but can also ultimately lead to the identification of an individual and need therefore to do it in a data protection friendly way.

22.

The second issue is identification of the controller(s). In the case of RFID systems, the identification of the controller as defined in Article 2(d) of the Data Protection Directive, might be more difficult and therefore needs closer examination. However, identifying the controller remains a critical step in establishing the responsibilities of each of the relevant actors who will have to comply with the data protection legal framework. During the lifecycle of the tag, the controller who processes the data could change several times based on the additional services which can be provided in relation to the tagged object.

23.

The third issue is the decreased meaning of the traditional distinction between the personal and the public sphere. Although the distinction between private and public spaces has also in the past not always been clear-cut, most people are aware of the boundaries between them (and of the grey zones) and take informed or intuitive decisions on how to act accordingly. According to Hall (12), personal space is usually translated into physical distance from others. Privacy management can also be considered as a dynamic boundary regulation process (13). It is therefore not surprising that the wireless nature of the tag communication as well as its outside of line-of-sight reading capability, raise privacy concerns by blurring these traditional borders and their management. Indeed, there are fears that the individual may lose some or all control on distance management that he/she has enjoyed until now. Accordingly, the reading range of the first implementations of RFID systems has been targeted equally by their promoters and detractors.

24.

The fourth issue has to deal with the size and the physical properties of RFID-tags. Because the tag needs to be basically small and cheap, the security measures which could be deployed on this part of the RFID system will be by definition limited. However, the wireless aspect of the communication also adds a layer of risks compared to a wired communication and therefore additional security requirements are needed.

25.

The fifth issue is the lack of transparency of the processing. RFID systems may lead to unnoticed gathering and processing of information capable of being used for profiling an individual. This consequence may very well be illustrated by comparing RFID-systems to the mobile phone, a comparison that is made more often. On the one hand, the mobile phone benefited of a very high level of technology acceptance independently of potentially intrusive privacy risks. One could conclude that RFID will be accepted in the same manner. On the other hand, it has to be underlined that a mobile phone is a visible object which is still under the control of the end user as it can be switched off. This is not the case with RFID.

26.

Although unnoticed gathering and processing of information as mentioned above may be legitimate, it is also possible and under various circumstances even quite likely that illegitimate collection and processing of such data occurs.

27.

The clarifications of this chapter justify the following conclusion. The wide use of RFID-technology is fundamentally new and may have a fundamental impact on our society and on the protection of fundamental rights in our society, such as privacy and data protection. RFID may bring about a qualitative change.

28.

This chapter will mainly focus on the impact of RFID on the protection of fundamental rights in our society, such as privacy and data protection. This will be specified in two steps, the first step being a short description of the way in which these fundamental rights are protected under the present legal framework. As a second step, the EDPS will elaborate on the possibilities to fully use the present legal framework. This aspiration has been introduced in the Opinion on the Communication on the Data Protection Directive as ‘the full implementation of the present provisions of the Directive’.

29.

The point of departure is as follows: new technological developments such as RFID systems, have a clear impact on the requirements for an effective legal framework for data protection. Also, the need for effective protection of the personal data of an individual can impose limitations on the use of these new technologies. Interaction is thus two-sided: the technology influences the legislation and the legislation influences the technology (14).

30.

The protection of the fundamental rights to privacy and data protection within the European Union is in the first place guaranteed by a legislative framework, which is needed since we deal with rights that are recognised in Article 8 of the European Convention of Human Rights and Fundamental Freedoms and in Article 7 and Article 8 of the Charter of Fundamental Rights of the Union. The relevant legislative framework for data protection and RFID basically consists of the Data Protection Directive 95/46/EC and the ePrivacy Directive 2002/58/EC (15).

31.

The general legislative framework for data protection as laid down in Directive 95/46/EC applies to RFID, as far as data processed by RFID systems fall within the definition of personal data. Whereas in certain cases RFID applications clearly process personal data and undoubtedly fall within the scope of the Data Protection Directive, there are also applications where the applicability of the Data Protection Directive may not be so obvious. The Article 29 Data Protection Working Party's Opinion No 4/2007 on the concept of personal data aims to contribute to a clearer and commonly recognised understanding of the concept of personal data and, by doing so, mitigate this uncertainty (16).

32.

As far as the ePrivacy Directive is concerned, the situation is as follows. Until now, it is not clear whether this Directive applies to RFID applications. For this reason, the Commission Proposal of 13 November 2007 for amendment of the Directive contains a provision aiming to specify that the Directive indeed applies to certain RFID applications. However, other RFID-applications might not be covered because of the limitation of this Directive to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks.

33.

The protection of personal data can be complemented by a range of self-regulatory instruments (non-legislative framework). The use of those instruments is actively promoted in both directives, in particular in Article 27 of the Data Protection Directive that provides that the Member States and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper implementation of the Directive. Moreover, self-regulatory instruments could efficiently contribute to the implementation of the security measures requested by Article 17 of the Data Protection Directive and Article 14 of the ePrivacy Directive.

34.

The Opinion on the Communication on the Data Protection Directive lists a number of tools available for a better implementation of the Directive. Most of the non binding tools of that opinion are relevant to RFID, such as interpretative communications or other communications, promotion of best practices, the use of privacy seals and third-party privacy audits. The possibility of adopting specific rules for RFID will be discussed in Chapter V. But improvements are possible also within the current framework.

35.

The EDPS agrees with the Commission that in a first phase it is appropriate to leave room for self-regulation, enabling stakeholders to create quickly a legally compliant environment and thus contributing to create a more secure legal environment.

36.

The Commission, in consultation with the RFID-Stakeholders Group, is expected to stimulate and to steer this process of self-regulation. In this context, the EDPS welcomes the Recommendation announced in the Communication which is expected to contain specific guidelines setting up ‘the principles that public authorities and other stakeholders should apply in respect of RFID usage’.

37.

The Communication foresees that self-regulation takes the form of a code of conduct or a code of good practice. According to the EDPS, independently of whatever form the self-regulation takes, it should:

38.

The EDPS points at one issue where self-regulation will be specifically useful. For those RFID applications that entail the processing of personal data, the Data Protection Directive imposes upon data controllers various obligations, in particular under Article 17 (security of processing) and under Article 7 (the need to process data only with the appropriate legal grounds). Pursuant to these provisions, data controllers must on the one hand set up measures against the unauthorised disclosure of the data. On the other hand, data controllers must ensure that the processing, such as disclosure of information through the readers, where appropriate, only occurs with the informed consent of the individual to whom the data refers.

39.

These provisions of the Data Protection Directive can be interpreted as requiring that RFID applications are deployed with the necessary technical solutions to prevent or minimise the risks of unwanted disclosure and ensure that the processing or transfer of data only happens with informed consent, where appropriate. In the EDPS's view, the existence of such an obligation (i.e. to apply necessary technical solutions to prevent or minimise the risks of unwanted disclosure) and its binding nature upon deployers of RFID applications, will be even stronger and clearer if this requirement is taken up in the forthcoming code of conduct or code of good practice mentioned above. For these reasons, the EDPS strongly advises that the Commission's Recommendation includes such an interpretation of the Data Protection Directive, underlining the existence of an obligation to deploy RFID applications with the necessary technological measures to prevent the unwanted collection or disclosure of information.

40.

The EDPS recommends that the Commission, in close cooperation with the RFID Expert Group, will produce one or more documents giving clear guidance how to apply the current legal framework to the RFID environment. The guidance should foresee practical ways how the principles set out in the Data Protection Directive and the ePrivacy Directive are complied with. As for the overall approach of the guidance and its concrete content, the EDPS has the following suggestions.

41.

The guidance setting out the principles that apply in respect of RFID usage should be sufficiently focussed and adopt a sector specific approach. A ‘one size fits all’ approach will not fulfil the purposes sought of ensuring a clear and coherent framework. Instead, the scope of the guidance must be limited to well-defined RFID sectoral applications.

42.

Furthermore, the guidelines should propose practical and efficient methods for developing techniques and standards which could contribute to the RFID systems' compliance with the data protection legal framework and which will entail the use of ‘privacy by design’ technology.

43.

In applying the current legal framework to the RFID environment, particular attention must be paid to the application of the data protection principles and obligations that apply to data controllers of RFID applications. Particularly relevant are the following obligations and principles:

44.

As far as the right to information is concerned, the guidance should establish that individuals must be provided with information regarding the processing of their personal data. In particular they should be alerted, among others, of (i) the presence of readers and the presence of activated RFID tags on products or their packaging; (ii) the consequences of such presence in terms of information gathering; and (iii) the purposes for which the information collected is intended to be used.

45.

The use of logos may be suitable as a measure to provide information. Logos may be used to alert of the presence of readers and RFID tags which are supposed to remain active. However, the use of logos alone will not be sufficient to ensure the fair processing of information which requires the information to be provided to data subjects in a clear and comprehensible manner. The use of logos should be considered as a measure to supplement the provision of more detailed information.

46.

For all relevant RFID-applications, solutions should respect and implement as a prerequisite, an opt-in principle at the point of sale. Enabling the RFID tags to continue transmitting information after the point of sale would be unlawful unless the data controller had appropriate legal grounds. Appropriate legal grounds would normally only be (a) the consent of the data subject or (b) if such disclosure was necessary in order to deliver a service, a specific and free request by the said individual (18). Both legal grounds would then qualify as ‘opt in’.

47.

Under the opt-in principle, tags should be deactivated at the point of sale unless the individual who bought the product to which the tag is attached wanted to leave it active. By exercising the right to leave it active, the individual would be consenting to the further processing of his or her data, for example, to the transmission of the data to the reader at his or her next visit to the data controller.

48.

In order to cope with the growing diversity of RFID applications and to facilitate the development of new innovative business models, the EDPS stresses the importance of a flexible approach. Flexibility has to be provided as to the implementation of the opt-in principle.

49.

The options to implement the opt-in principle are multiple. For example, as an alternative to the removal of the tag, it could be envisaged that the tag would be blocked, temporarily disabled or following a security policy model called resurrecting duckling model (19), locked to a specific user. In the case of tag with a short life cycle, the address of the tag which pinpoints to information stored in a database could also be erased from the reference database avoiding further processing of additional data collected by the tag.

50.

To conclude, although the EDPS argues that the ‘opt-in-principle’ at the point of sale is a legal obligation that already exists under the Data Protection Directive in most situations, there are good reasons to specify this obligation in self-regulatory instruments, also in order to ensure that the principle will be implemented in the most appropriate way. Specific implementation is in any event needed for those RFID applications that fall outside of the scope of the Data Protection Directive.

51.

In order to minimise privacy and data protection threats, the Commission's Communication endorses in part 3.2, page 6, the idea of the specification and adoption of early design criteria. The EDPS welcomes this approach. Indeed, the adoption of specifications and design criteria, otherwise referred to as Best Available Techniques (‘BATs’), will efficiently contribute to data protection regulation and security requirements. This identification of technological and organisational criteria, if frequently reviewed, will strengthen the symbiosis model of privacy and security requirements the European Union is developing.

52.

The proper definition of privacy and security BATs for RFID systems will also be decisive for building a trustworthy environment which will reinforce their wide acceptance by end users, as well as for the European industry's competitiveness.

53.

The process of selecting BATs for RFID systems should be fuelled by privacy and security impact assessments for which efforts still need to be invested. The EDPS considers that the European Network and Information Security Agency (ENISA) together with the Joint Research Centres of the European Commission associated with the relevant industry stakeholders can contribute to the identification of these best practices and to the development of such methodologies. By launching recently the project ‘technical Guidelines RFID’, the German Federal Office for Information Security (BSI) gave a proper illustrative example (20) of BATs which should be developed now at the European level.

54.

Standards can also play a decisive role in the early adoption of the privacy-by-design principle. The Commission should therefore contribute to the adoption of privacy and data protection safeguards in the development of international RFID standards. The Article 29 Working Party in its working document (21) on RFID clearly illustrated the possibility for standards to contribute to the privacy friendly development of RFID systems.

55.

Furthermore, the EDPS welcomes the position adopted by the Commission regarding research and development of RFID technologies and the need to mitigate privacy risks. Indeed, the privacy-by-design principle needs to be introduced at the earliest stage of the development of technologies which will better contribute to their compliance with the data protection legal framework. The EDPS, as briefly presented in his Annual Report 2006 will associate himself to this effort by providing, on a case-by-case basis, opinions and advices to projects of the 7th Framework Programme (2007-2013).

56.

Self-regulation may not be enough as a means for full implementation of the existing framework for data protection and privacy. Even if the self-regulation fulfils the requirements mentioned above, its application is voluntary and its non-compliance can not always be effectively sanctioned. Additionally, binding legislative measures may still be needed, in order to ensure the protection of individuals' rights to privacy and data protection. This is all the more needed in case of failure of the self-regulated approach.

57.

A key question is the determination of the legal instruments necessary to ensure that RFID applications are effectively deployed with the necessary technical solutions to prevent or minimise the risks for data protection and privacy, and that responsible controllers take adequate measures to comply with their obligations under existing legal frameworks. This raises some additional questions:

58.

This chapter will address the possibilities of issuing binding legislative measures within the existing legal framework, whereas Chapter VI will discuss, because it is a separate issue, the need for a new legislative instrument.

59.

In the first place, specific attention should be given to the provisions of Article 17 of Directive 95/46/EC, Article 14(3) of Directive 2002/58/EC and Article 3(3)(c) of Directive 1999/5/EC. Article 14(3) allows Member States to adopt measures to ensure that terminal equipment is constructed in a way that is compatible with the right of users to protect and control the use of their personal data, in accordance with Directive 1999/5/EC (22). Directive 1999/5/EC provides in its Article 3(3)(c) that the Commission may decide — with a comitology procedure — that apparatus within certain equipment classes or apparatus of particular types shall be so constructed that they incorporate safeguards to ensure that the personal data and privacy of the user and of the subscriber are protected. Article 3(3)(c) of Directive 1999/5/EC has not been used until now.

60.

These provisions give the legislator — on the national and on the Community level — the power to prescribe that privacy and data protection safeguards must be included in the manufacturing of RFID systems, a concept that is known as ‘privacy by design’ (23). It calls also for the use of Best Available Techniques.

61.

In order to make the use of the concept of ‘privacy by design’ compulsory, the EDPS recommends that the Commission uses the mechanism of Article 3(3)(c) of Directive 1999/5/EC, in consultation with the RFID Expert Group.

62.

In the second place, it is possible to specify the application of the existing legislative framework to RFID, by modifications of the directives themselves. As said, the Commission has just presented a proposal for amending the ePrivacy Directive which contains a new provision with this perspective. The EDPS welcomes this first confirmation of the applicability of the Directive to RFID applications. The EDPS will deal with specific issues raised by the relation between the ePrivacy Directive and RFID in his opinion on the proposal for amendment, which will be issued early in 2008.

63.

Taking into account that the Commission does not foresee any modification of the Data Protection Directive in the near future (24), the possibilities for specification relating to the application of the existing legislative framework to RFID are limited.

64.

The Communication (25) emphasises the importance of security and privacy-by-design. It also requires involvement of all stakeholders. The main result of the activities of the Commission will be ‘a Recommendation to set out the principles that public authorities and other stakeholders should apply in respect of RFID usage’. The Recommendation will probably be adopted in spring 2008. The legislative ambitions mentioned in the Communication contain two steps. The Commission will:

65.

Following this policy, it can be expected that the Commission does not envisage — at least not on a short term — proposing new specific legislation to safeguard data protection and privacy in the area of RFID.

66.

In his Opinion on the Communication on the Data Protection Directive, the EDPS listed some outlines for legislative activities relating to the processing of personal data which can be summarized as follows:

67.

As a next step it is useful to specify the expectations the legislator has to face in the area of RFID:

68.

To the EDPS, it is clear that not all technological developments should lead to reactions by the European legislator. Technological developments can go fast, whereas the adoption and entry into force of legislation takes time and should take time. Legislation should be the result of balancing all the interests at stake. When the instrument of a directive is chosen, even more time is needed, since directives must be fully implemented in the legal systems of the Member States.

69.

However, RFID is not just another technological development as has been underlined in several parts of this opinion. The Communication refers to RFID as the gateway to a new phase of development of the Information Society, often referred to as the ‘internet of things’ and RFID tags will constitute key elements of the ‘ambient intelligent’ environments. These environments are also important steps in the development of what is often called the ‘Surveillance Society’ (29). Against this background, legislative action in the area of RFID can be justified. RFID may bring about a qualitative change.

70.

In this perspective, the EDPS recommends considering the adoption of (a proposal for) Community legislation regulating the main issues of RFID-usage in relevant sectors, in case the proper implementation of the existing legal framework would fail. After it enters into force, such a legislative measure must be considered as a lex specialis vis-à-vis the general data protection framework.

71.

Adoption of such a legislative instrument would have the following advantages:

72.

To make it more practical, the Commission could be asked to prepare a consultation document on the pros and cons of specific legislation, and of the main elements of such legislation. Of course, the stakeholders could be asked to give input to this consultation. Likewise, the Article 29 Working Party could be involved.

73.

The intervention of the legislator could provide for a tailor made legal framework, which consists of a mix of regulatory tools which specify and complement the existing legal framework. This tailor made legal framework should be based on the known principles of data protection and should focus on the division of responsibilities and on the effectiveness of control mechanisms.

74.

A specific reason for which such tailor made legislation might be needed relates to the fact that not all RFID applications entail the processing of personal data. In other words, if RFID applications do not entail the processing of personal data, parties involved in the manufacturing and selling of RFID enabled products are not legally bound to implement any technological measures that would prevent eavesdropping or the setting up of readers without proper notice to individuals. Yet, as demonstrated, privacy risks derived from the possible surveillance of individuals also exist for such RFID applications, thus demanding the same type of privacy safeguards. Precisely, this may be the case for item level tagging in consumer products before the point of sale. In sum, RFID applications that do not process personal data may still threaten individuals' privacy by enabling surreptitious surveillance and the use of the information for unacceptable purposes.

75.

The EDPS considers that this unfortunate outcome should be avoided. Because current legislation partially — at least for RFID applications that do not process personal data — fails to counter this privacy threat, and taking into account the shortcomings of soft law solutions, it seems necessary to use compulsory legislative measures to ensure a satisfactory result.

76.

Such measures should in any event:

77.

Although the ‘inherently trans-border’ dimension of RFID systems is seen in the Communication only within the Internal Market, the EDPS considers that this dimension has to be tackled at a more international level. In a shop, RFID systems are already ‘trans-border’ as the activity of the tag might not stop at the point of sale. At the level of the overall RFID system, these technologies also become ‘trans-border’ when transfer of personal data to a third country might take place as the producer of the tagged item, which is part of the RFID system, is based outside the European Union (31).

78.

From a more prospective point of view, the governance of RFID identity reference databases also represents a critical dimension for appropriate enforcement of the European data protection legal framework. The EDPS urges for a solution to be found as further erosion of this framework would not be acceptable.

79.

The EDPS foresees the RFID governance issue as a major challenge which will request considerable investments. The right forum of negotiation as well as the most appropriate management infrastructure will have to be found in order to ensure that data protection rights are adequately respected in these international environments.

80.

In this perspective, the EDPS invites the Commission to present its views on the issue of governance, possibly in consultation with the RFID-Stakeholders Group.

81.

The EDPS welcomes the Commission's Communication on RFID as it tackles the main issues arising in the context of the deployment of RFID technology without neglecting the determinant ones related to privacy and data protection. He agrees with the view that RFID systems could play a key role in the development of the Information Society usually referred to as the ‘Internet of things’.

82.

The wide use of RFID-technology is fundamentally new and may have a fundamental impact on our society and on the protection of fundamental rights in our society, such as privacy and data protection. RFID may bring about a qualitative change.

83.

Five basic privacy and security issues can be distinguished:

84.

The general legislative framework for data protection as laid down in Directive 95/46/EC applies to RFID, as far as data processed by RFID systems fall within the definition of personal data.

85.

As far as the ePrivacy Directive is concerned: the Commission Proposal of 13 November 2007 for amendment of the Directive contains a provision aiming to specify that the Directive indeed applies to certain RFID applications. However, other certain RFID-applications might not be covered because of the limitation of this Directive to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks.

86.

The protection of personal data can be complemented by a range of self-regulatory instruments. It is appropriate to leave room for such self-regulation, provided that:

87.

The EDPS recommends that the Commission, in close cooperation with the RFID Expert Group, will produce one or more documents giving clear guidance how to apply the current legal framework to the RFID environment.

88.

The guidance setting out the principles that apply in respect of RFID usage should be sufficiently focussed and adopt a sector specific approach. It should propose practical and efficient methods for developing techniques and standards which could contribute to the RFID systems' compliance with the data protection legal framework and which will entail the use of ‘privacy by design’ technology.

89.

The EDPS welcomes the approach in the Commission's Communication to endorse the idea of the specification and adoption of early design criteria.

90.

Although the EDPS considers the ‘opt-in’ principle at the point of sale is a legal obligation that already exists under the Data Protection Directive in most situations, this obligation should be specified in self-regulatory instruments.

91.

In order to make the use of the concept of ‘privacy by design’ compulsory, the EDPS recommends that the Commission uses the mechanism of Article 3(3)(c) of Directive 1999/5/EC, in consultation with the RFID Expert Group.

92.

The EDPS recommends considering the adoption of (a proposal for) Community legislation regulating the main issues of RFID-usage in relevant sectors, in case the proper implementation of the existing legal framework would fail. After it enters into force, such a legislative measure must be considered as a lex specialis vis-à-vis the general data protection framework. This legislative measure should also address the privacy and data protection concerns that arise in certain RFID applications, such as item level tagging before the point of sale, which may not necessarily involve the processing of personal data.

93.

The Commission should prepare a consultation document on the pros and cons of specific legislation, and of the main elements of such legislation.

94.

The intervention of the legislator could provide for a tailor made legal framework, which consists of a mix of regulatory tools which specify and complement the existing legal framework. Measures should in any event:

95.

The EDPS invites the Commission to present its views on the issue of governance, possibly in consultation with the RFID-Stakeholders Group.

23.4.2008   

EN

Official Journal of the European Union

C 101/13

23.4.2008   

EN

Official Journal of the European Union

C 101/17

23.4.2008   

EN

Official Journal of the European Union

C 101/20

Commission of the European Communities

Competition DG

Merger Registry

Rue Joseph II/Jozef II-straat 70

B-1000 Brussels

23.4.2008   

EN

Official Journal of the European Union

C 101/21

—

from the Europa competition website (http://ec.europa.eu/comm/competition/mergers/cases/). This website provides various facilities to help locate individual merger decisions, including company, case number, date and sectoral indexes,

—

in electronic form on the EUR-Lex website under document number 32008M5025. EUR-Lex is the on-line access to European law (http://eur-lex.europa.eu).

23.4.2008   

EN

Official Journal of the European Union

C 101/22

23.4.2008   

EN

Official Journal of the European Union

C 101/23

1.

The Advisory Committee agrees that the proposed concentration by which the undertaking Syniverse Technologies, Inc. acquires control of the wireless business of BSG constitutes a concentration within the meaning of Article 3(1)(b) of the Merger Regulation and that the Commission has become competent to review this concentration following the referral according to Article 4(5) of the Merger Regulation.

2.

The Advisory Committee agrees that there is a relevant product market for GSM roaming data clearing services.

3.

The Advisory Committee agrees that it can be left open for the purposes of the present case whether the relevant geographic market is to be considered EEA wide or global in scope.

4.

The Advisory Committee agrees that the proposed concentration does not lead to concerns with respect to unilateral effects.

5.

The Advisory Committee agrees that the proposed concentration does not lead to concerns with respect to coordinated effects.

6.

The Advisory Committee agrees that the proposed concentration would not significantly impede effective competition in the common market or a substantial part of it and that therefore the proposed concentration can be declared compatible with the common market and the EEA agreement.

23.4.2008   

EN

Official Journal of the European Union

C 101/24

23.4.2008   

EN

Official Journal of the European Union

C 101/25

1.

On 5 June 2007, the Commission received a notification of a proposed concentration pursuant to Article 4 and following a referral pursuant to Article 4(5) of Regulation (EC) No 139/2004 by which the undertaking Syniverse Technologies, Inc. (‘Syniverse’, USA) acquire(s) within the meaning of Article 3(1)(b) of the Council Regulation control of the wireless business of Billing Services Group Limited (‘BSG Target Business’, Bermuda) by way of purchase of shares.

2.

Syniverse Technologies, Inc. (‘Syniverse’, USA) is a wholly owned subsidiary of Syniverse Holdings, Inc. Syniverse is a global provider of technology services to wireless telecommunications companies. Syniverse's customers are based in more than 50 countries all over the world.

3.

The BSG Group is a global provider of payment processing, data clearing, financial settlement and risk management solutions for fixed-line (wireline), wireless and Wi-Fi communication service providers. The BSG Group operates two businesses, namely a wireless business and a wireline business. The proposed transaction only concerns the wireless business (the wireless business hereinafter: ‘BSG’).

4.

The Commission's market investigation has revealed that the proposed concentration will not give raise to any competition concerns as a result of which effective competition would be significantly impeded in the Common Market or in a substantial part of it.

5.

This transaction concerns a part of the billing services market for mobile network operators (‘MNOs’), namely the data and financial clearing services for GSM (2) roaming (3). Data clearing and financial clearing services represent a niche in the billing services function. It enables the processing of records relating to the number and length of wireless calls or message transmission, thus allowing the MNOs both to reconcile their charges with each other and to charge their subscribers for the use of the visited network.

6.

Syniverse offers GSM roaming data clearing services and BSG offers both. The notifying party claims that Syniverse is today the only leading data clearing house which does not have financial clearing capabilities and that this places Syniverse at a competitive disadvantage because many MNOs seek a ‘one-stop’ solution when outsourcing their data and financial clearing needs. The parties cite the acquisition of BSG's financial clearing services as an essential part of the rationale for the transaction.

7.

Roaming allows subscribers to make and receive voice calls, send and receive data, or access other services when they are outside their home network. The subscriber ‘roams’ when he or she uses the visited network. In order for MNOs to be able to provide services across different networks and across different countries, they enter into roaming agreements with each other. These agreements are standard agreements and the entire GSM roaming process is standardised under the auspices of the GSMA.

8.

The data clearing process is the exchange of information between MNOs (acting either as a visited network or as a home network) containing subscriber identifying information, the mobile numbers involved, time and date stamps, call duration, and all other data items needed to generate a charge to the customer. An MNO doing its own data clearing would potentially have to send a package of data to all their roaming partners. Alternatively they could send their visitors' data to a data clearing house who would deal with all their roaming partners. Subsequently, MNOs need to settle the costs of the usage of their respective subscribers: this is the financial clearing process.

9.

As yet, the Commission has not defined these markets. The notifying party proposes that it can be left open whether data clearing and financial clearing are separate markets.

10.

The market investigation clearly confirmed that there are separate markets for data clearing and financial clearing services. The vast majority of respondents considered these to be separate markets (4). Accordingly, the purposes of the two services are considered to be different and do not seem to be substitutable. The market investigation showed that MNOs frequently use a different data clearing service provider and a different financial clearing service provider. Financial clearing services are much more frequently done in-house than data clearing services, as MNOs tend to outsource their data clearing services (only one major MNO in the EEA does it in-house) (5). In contrast to what the notifying party suggests, customers do not require that a service provider provides both data clearing and financial clearing services (6).

11.

Accordingly, data clearing and financial clearing services shall be considered as different product markets. As the parties' activities do not overlap in the market of financial clearing services, the decision only deals with the market for GSM roaming data clearing services.

12.

The Commission has not defined the geographic scope of these markets in previous cases. The notifying party suggests that the geographic market for GSM data clearing services is worldwide in scope. The parties submit, firstly, that roaming data, by its very definition has an international dimension and is not limited to national borders. Secondly, they maintain that global standards apply to the way that roaming data is exchanged and cleared (these are confirmed by the market survey). Thirdly, the notifying party maintains that the geographic location of the customer and of the service provider is irrelevant as the service provider can provide services from any location worldwide. By way of example, the notifying party describes how Syniverse provides its data clearing services to all of its worldwide customers (including all of its customers in Europe) from its headquarters in Tampa, Florida. The market investigation partly confirmed the view of the notifying party that the geographic market could be considered to be global. In reply to the general question on the scope of the market, a majority of the customers who responded considered the market for data clearing to be worldwide. A number of respondents, however, considered the market to be EEA-wide (7).

13.

The market investigation also showed some indications that the market could be limited to the EEA. Requests for proposals by MNOs are addressed internationally, but if a service provider wants to win contracts for servicing MNOs in Europe it is advisable to have a European presence. Half of the respondents (which included some large MNO customers) place a high value on geographic proximity for reasons of data integrity and after sales service. Within the EEA all data clearing competitors (MACH, Syniverse and BSG) have more than one European office.

14.

Nevertheless, the market investigation also showed that although a European presence would be an advantage for servicing EEA customers, the costs for opening up a European presence are limited and one competitor also explained that it would not be absolutely necessary as the data processing server may in any case be operated outside Europe.

15.

The market investigation showed that data processing reliability and data protection issues are of a high relevance. Nevertheless, the market investigation has also revealed that MNOs must address data security in the same manner as any other company in other industries having to transfer personal data outside the EEA, therefore, it can be concluded that data protection issues are not a hindrance with respect to the processing of data outside the EEA and would not as such be an indication that the market is only EEA-wide.

16.

The exact definition of the relevant geographic market may be left open for the purposes of the present case, as the proposed transaction does not significantly impede effective competition in the common market even in the narrowest possible (EEA-wide) geographic market.

17.

Outsourcing of data clearing services started back in the early nineties. From 2004 onwards, the markets witnessed a number of acquisitions. The market leader, Mach is headquartered in Luxembourg and has been doing data clearing since the 1990's. Mach has more than 400 data clearing clients around the world serviced by their 700 employees from offices in the United States, South America, India, Dubai, Singapore, Hong Kong and six other offices in Europe (including Moscow and London).

18.

BSG was created in 2003 from an amalgamation of companies by the private equity fund ABRY Partners. Syniverse started data clearing operations in the United States in 1996 and first established a data clearing European presence in 2003 based upon what it termed a modest investment. There are other competitors such as: Comfone (Switzerland) which sells mobile-related services and training to MNOs worldwide and since 1998 has offered their own data and financial clearing solutions. In 2003, they ceased selling their data clearing product and became a re-seller of BSG's clearing services. The Commission considers that Comfone would be able to re-enter the market for GSM data clearing within the near future.

19.

Emirates data Clearing House (‘EDCH’) was founded in 1994 as part of Etisalat, the United Arab Emirates telecommunications company. It has been focusing its activity in the Middle East, but has business in other parts of the world (in the Far East and in Africa). Although EDCH is not active in Europe, it has participated in tender procedures in the EEA and the Commission considers that EDCH may have the incentive to enter an EEA market for GSM data clearing.

20.

VeriSign is a US-based public company, which offers a variety of internet and telecommunications services. As yet it does not provide data clearing services in Europe. However, it does provide related services to its customers through its European offices. On the basis of the market investigation, the Commission considered it likely that VeriSign would have the incentive to enter the market in the EEA, in particular if sponsored by an MNO. VeriSign has almost […] data clearing customers in the Americas.

21.

Another competitor providing data clearing services is ARCH, a subsidiary of China Mobile with offices in Hong Kong and in Shenzhen in the People's Republic of China. ARCH services the world's largest MNO, China Mobile as well as other MNOs. It has no presence in Europe and, although during the market investigation some customers considered ARCH to be a credible bidder, the Commission did not find it likely that ARCH would imminently enter an EEA market for data clearing.

22.

In worldwide market Mach would have an estimated [50-60] % market share and in the EEA [55-65] %. For Syniverse the corresponding market shares are estimated at [15-25] % and [10-20] %, for BSG [10-20] % and [30-40] %, EDCH [0-10] % (worldwide) and VeriSign [0-10] % (worldwide).

23.

Post merger, in a worldwide market, Mach would also remain the clear market leader [50-60] %, the combination of Syniverse and BSG (currently the second and third players respectively) would become the second player in the market [30-40] %. With respect to an EEA-wide market, Mach would still be the market leader in data clearing with a market share of [55-65] %. The combination of BSG & Syniverse (currently number two and three in the market) would come closer with a combined share of [35-45] %. The concentration would therefore reduce the number of competitors from three to two in an EEA-wide market.

24.

According to the notifying parties there is a genuine option for MNOs called ‘self-supplying’ as the MNOs do have the ability and the in-house know-how to switch from outsourcing their data clearing to doing it in-house. However, this has not been confirmed by the market investigation. Firstly, the investigation has revealed that there are no recent examples of an MNO switching from outsourcing to in-house data clearing. Secondly, the MNOs which responded to the Commission's market investigation also indicated that self-supplying was not a realistic option for them.

25.

Data clearing services are typically procured by MNOs using a tender or a bidding process. Negotiations are often done by e-mail. The market investigation has shown that the bidding process is competitive and is also characterized by an absence of price transparency. Prices usually depend on the number of roaming transactions processed and there can also be significant potential follow-on revenues from the provision of other services. However, the net effect of MNO consolidation, according to the parties has been an historical downward spiral of data clearing prices and the resulting commoditisation of the data clearing service. This trend has been confirmed by the market investigation which also showed that the cost of catering for any extra capacity needed for new clients are not significant. Servicing the extra volume of transactions of a new MNO customer has less to do with the total number of subscribers they have and more to do with the number of visiting subscribers they host.

26.

The market investigation has shown that the markets concerned are quickly developing technology markets. As such there are on-going technical developments. Within the next few years the market for data clearing services may appear different with respect to the services provided and even the players involved. On-going technological developments fostered by the GSMA are to do with ‘Near Real-Time Roaming Data Exchange’ technology (‘NRTRDE’) that is designed for fraud detection, but potentially suitable for data clearing; and the ‘Hubs-concept’ (part of what is termed the ‘Open Connectivity project’) that will allow clearing ‘hubs’ to co-ordinate clearing positions between MNOs instead of having a contract with each of the more than 700 MNOs.

27.

The analysis of potential unilateral effects was carried out on the basis of an EEA-wide market as the narrowest conceivable geographic scope of the market. The analysis of the bidding and switching data has shown that Syniverse and BSG do not form particular competitive constraints upon each other and that MACH has exerted a stronger competitive constraint on each of Syniverse and BSG. In addition, the characteristics of the market for data clearing services give suppliers a strong incentive to compete aggressively for every contract that comes up for renewal. Both the parties' and the customers' data on tender participation indicated that each of BSG and Syniverse faced strong competition from MACH. In nearly half of the cases there were only two bidders, but BSG and Syniverse were never the only two bidders in a tender. This means that the MNOs determined that the tender process was sufficiently competitive with two bidders, namely MACH and BSG or MACH and Syniverse. The analysis of the ranking data has shown that Syniverse and BSG were only very rarely both the winner and the runner-up in the same tender.

28.

The results of the analysis indicate that prices offered by BSG are unaffected by whether or not Syniverse participated in a tender, which also implies that Syniverse does not exert a strong competitive pressure on BSG's prices.

29.

Irrespective of the different costs and efforts needed to switch suppliers, the market investigation confirmed that switching can be done and that there are many instances of MNOs switching data clearing suppliers. Costs incurred in switching can be offset by the savings made in switching suppliers. The Commission has found several instances of switching suppliers in Europe occurring between 2004 and 2007. The market investigation has also shown that switching between BSG and Syniverse (or vice versa) is very rare.

30.

The characteristics of the market for data clearing services provide incentives for suppliers to compete intensely, which would make a unilateral price increase by the merged entity unlikely. Firstly, there are no capacity constraints. Secondly, the provision of data clearing services is characterised by low marginal costs for those suppliers providing these services on their own equipment. Suppliers therefore have a strong incentive to compete aggressively for every contract. Finally, data clearing houses face significant potential follow on revenues from other services.

31.

As indicated above, existing data clearing houses operating on a worldwide basis have shown that they have the ability and the incentive to enter the European market for data clearing services. In this regard, the market investigation has shown that several MNOs would clearly consider ARCH, EDCH, VeriSign and Comfone as credible bidders.

32.

The recent consolidation of MNOs as well as a more sophisticated bidding process give MNOs countervailing power. In particular, MNOs may have a strong bargaining position by virtue of their relative financial size and the scale of their operations. Therefore, from the above analysis one can conclude that the proposed operation would not lead to concerns with respect to unilateral effects.

33.

Considering the market shares, the merger would lead to an estimated [80-90] % market share for the two largest competitors in a worldwide market, and an estimated [90-100] % market share in an EEA-wide market for data clearing. Given the market shares of Mach and the merged entity post merger, it was important to study whether the proposed transaction could either facilitate or enable MACH and the merged parties to co-ordinate on prices.

34.

Taking into account the characteristics of the market for data clearing services, it does not seem likely that the proposed merger would lead to co-ordinated effects. A common understanding on prices does not appear to be feasible and given the dynamic nature of the market and the lack of stability in the customers' respective sizes, a customer allocation would be difficult and would need to be reassessed regularly.

35.

Although deviation may be detected easily after a tender has taken place, bidders would not be able to detect deviation during the tender. Retaliation would only be possible by bidding very aggressively for the next contracts. Since tenders for new contracts are relatively infrequent — the contract durations and volumes vary strongly from one MNO to another — such a strategy does not constitute a credible deterrent mechanism. Finally, effective collusion is unlikely to take place as outsiders would most likely jeopardise the outcome of the expected co-ordination. Therefore, as a result, one can conclude that the proposed operation does not lead to concerns with respect to co-ordinated effects.

36.

The Commission concludes in the draft Decision that the proposed concentration will not give raise to any competition concerns as a result of which effective competition would be significantly impeded in the Common Market or in a substantial part of it. Consequently, the Commission intends to declare the concentration compatible with the Common Market and the EEA Agreement, in accordance with Article 8(1) of the Merger Regulation and Article 57 of the EEA Agreement.

23.4.2008   

EN

Official Journal of the European Union

C 101/30

Fjerkræafgiftsfonden

Axeltorv 3

DK-1609 København V

α)

Προϋπολογισμός 2007. Τμήμα Γεωργίας. Άρθρο 120229.04207 — Άλλες Γεωργοκτηνοτροφικές Επιχορηγήσεις με το τίτλο: Προώθηση δημιουργίας και λειτουργίας Συνδέσμων Εκτροφέων Βοοειδών.

β)

Απόφαση Υπουργικού Συμβουλίου Αρ. 64.742, ημερ. 12.12.2006 και Ενημέρωση του Υπουργικού Συμβουλίου για την τροποποίηση της ενίσχυσης με ενημερωτικό σημείωμα το οποίο κατατέθηκε στις 7.11.2007

(a)

CYP 3 000 to cover part of the administrative expenditure incurred in setting up and maintaining the herd book for the animals concerned;

(b)

CYP 21 000 to cover up to 70 % of expenditure on determining the genetic quality or yield of livestock that has been incurred by or for third persons

Τμήμα Γεωργίας, Υπουργείο Γεωργίας

Φυσικών Πόρων και Περιβάλλοντος

Λευκωσία, Κύπρος

Τel. 22 40 85 19, fax 22 78 14 25

e-mail: doagrg@da.moa.gov.cy

Τμήμα Γεωργίας του Υπουργείου Γεωργίας, Φυσικών Πόρων και Περιβάλλοντος

Λεωφόρος Λουκή Ακρίτα

CY-1412 Λευκωσία

23.4.2008   

EN

Official Journal of the European Union

C 101/32

2007: EUR 23 994

2008: EUR 24 700

2009: EUR 25 400

2010: EUR 26 150

2011: EUR 26 950

2012: EUR 27 750

2013: EUR 28 600

—

up to 50 % of eligible costs in less-favoured areas,

—

up to 40 % of eligible costs in other areas,

—

up to 60 % of eligible costs in less-favoured areas, and up to 50 % of eligible costs in other areas, where the investment is made by young farmers within five years of their setting up.

—

up to 100 % of the real costs as regards investment in non-productive features,

—

up to 60 % of the real costs, or 75 % in less-favoured areas, as regards investment in production facilities on farms, provided that the investment does not entail any increase in the production capacity of the farm,

—

additional aid may be granted at a rate of up to 100 % to cover the extra costs incurred by using traditional materials necessary to maintain the cultural heritage features of buildings.

—

up to 100 % of the real costs where the relocation simply consists of the dismantling, removal and re-erection of existing facilities,

—

where the relocation results in the farmer benefiting from more modern facilities, the farmer must contribute at least 60 %, or 50 % in less-favoured areas, of the increase in the value of the facilities concerned after relocation. If the beneficiary is a young farmer, his contribution shall be at least 55 %, or 45 %, respectively,

—

where the relocation entails an increase in production capacity, the contribution from the beneficiary must be at least equal to 60 %, or 50 % in less-favoured areas, of the expenses relating to this increase. If the beneficiary is a young farmer, his contribution shall be at least 55 %, or 45 %, respectively.

—

the amount of municipal co-financing is the difference between the amount of co-financing of insurance premiums from the national budget and up to 50 % of eligible costs of insurance premiums for insuring crops and fruit and insuring livestock against disease.

—

up to 100 % of the real legal and administrative costs.

—

up to 100 % of the real costs incurred; this is to be provided in the form of subsidised services and must not involve direct payments of money to producers.

—

up to 100 % of costs concerning education and training, consultancy services provided by third parties, the organisation of forums, competitions, exhibitions and fairs, publications and websites. The aid is to be granted in the form of subsidised services and must not involve direct payments of money to producers

Občina Polzela

Polzela 8

SLO-3313 Polzela

Provincie Gelderland

Dienst REW/EU Programmasecretariaat

Postbus 9090

6800 GX Arnhem

Nederland

2007: EUR 8 700

2008: EUR 8 874

2009: EUR 9 052

2010: EUR 9 233

2011: EUR 9 417

2012: EUR 9 606

2013: EUR 9 798

—

up to 50 % of eligible costs in less-favoured areas and up to 40 % of eligible costs for investment in other areas.

—

up to 100 % of eligible costs for non-productive features,

—

up to 75 % of eligible costs for investment in production facilities in less-favoured areas, and 60 % in other areas, provided that the investment does not entail an increase in the production capacity of farms in other areas.

—

the amount of municipal co-financing is the difference between the amount of co-financing of insurance premiums from the national budget and up to 50 % of eligible costs of insurance premiums for insuring crops and fruit and insuring livestock against disease.

—

up to 50 % of real legal and administrative costs.

—

up to 100 % of costs concerning education and training for farmers, consultancy services and the organisation of forums, competitions, exhibitions, fairs, publications, catalogues and websites, and the cost of replacement services. The aid is to be granted in the form of subsidised services and must not involve direct payments of money to producers

Občina Preddvor

Dvorski trg 10

SLO-4205 Preddvor

Welsh Assembly Government

Cathays Park

Cardiff CF10 3NQ

United Kingdom

Department for Environment, Food and Rural Affairs

Nobel House

17 Smith Square

London SW1P 3JR

United Kingdom