The EU has expressed concern that the use of RFID (radio frequency identification) technology by businesses and governments could violate human dignity as well as data protection rights and has published guidelines for businesses and agencies intending to use the technology.
The EU's executive body, the European Commission, tapped its advisory body on data protection and privacy, known as the Article 29 Working Party, to conduct its first assessment of data protection issues related to RFID. The technology is a method for storing, receiving and transmitting data via antennas on tags that respond to radio frequency queries.
"The ability to surreptitiously collect a variety of data all related to the same person; track individuals as they walk in public places (airports, train stations, stores); enhance profiles through the monitoring of consumer behavior in stores; read the details of clothes and accessories worn and medicines carried by customers are all examples of uses of RFID technology that give rise to privacy concerns," the group wrote in its report, published 19 January.
The resulting guidelines include gaining unambiguous consent from individuals where RFID is used and providing clear information to the so-called data subjects including the presence and location of RFID tags and trackers, what sort of data is being collected and how it is being processed. The E.U. also wants individuals to be made fully aware that they have the right to gain complete access to any personal data being collected and stored on them as well as the right to check on the accuracy of the data.
The global RFID market is forecast to be worth US$7.26 billion by 2008, according to a study by IDTechEx. The RFID specialist estimates that by 2008, 46.8 billion tags will be sold for the tracking of medicines, baggage, animals, books and tickets while another 15.3 billion tags will be sold for pallets and cases.
Additionally, by 2010, 48 percent of RFID tags by volume will be sold in East Asia, followed by 32 percent to North America, IDTechEx said.
The EU data protection working group said that such widespread use creates a variety of data protection concerns. "The problem is aggravated by the fact that, due to its relative low cost, this technology will not only be available to major actors but also to smaller players and individual citizens," the report said.
The group said it was seeking to provide guidelines not only to those using RFID technology but to manufacturers of RFID tags, readers and applications as well as RFID standardisation bodies. For example, the International Organizations of Standardization has developed some sector-specific standards for the use of RFID tags on freight containers, transport units and animals, while the International Civil Aviation Organisation, which is affiliated with the United Nations, has developed global standards for passports that include RFID chips.
The working group's report urged such standardization bodies to include data protection features in technical specifications. It also called for the use of encryption on tags and applications to prevent unauthorised disclosure of the data collected and stored.
Less likely to be welcomed by businesses is the group's desire to make it easy for individuals to disable RFID tags. "When the individual has a right to withdraw his/her consent or object to the process and the subsequent right to disable the tag, both manufacturers and deployers of RFID technology should ensure that such operation of disabling the tag is easy to carry out," the report said.
The Article 29 Working Party group said it is seeking public consultation until 31 March.