The European Commission has signed a voluntary agreement – “Privacy and Data Protection Impact Assessment (PIA) Framework for RFID Applications” – with industry, civil society, ENISA (European Network and Information Security Agency) and privacy and data protection watchdogs in Europe to establish guidelines for all companies in Europe to address the data protection implications of smart tags (Radio Frequency Identification Devices – RFID) prior to placing them on the market.
The use of smart tags is expanding enormously: around 2.8 billion smart tags are predicted to be sold this year, with about one third of these in Europe. Industry estimates that there could be up to 50 billion connected electronic devices by 2020.
RFID tags in devices such as mobile phones, computers, fridges, e-books and cars bring many potential advantages for businesses, public services and consumer products. Examples include improving product reliability, energy efficiency and recycling processes, paying road tolls without having to stop at toll booths, cutting time spent waiting for luggage at the airport and lowering the environmental footprint of products and services.
RFID tags also raise potential privacy, security and data protection risks. These include the possibility of a third party accessing personal data without permission.
The PIA agreement forms part of the implementation of a Commission Recommendation adopted in 2009, which indicates that when consumers buy products with smart tags, the tags should be deactivated automatically, immediately and free of charge unless the consumer explicitly agrees that they should not be.
Under the agreement, companies will carry out a comprehensive assessment of privacy risks and take measures to address the risks identified before a new smart tag application is introduced onto the market. The assessment will include the potential privacy impact of links between the data collected and transmitted and other data. This is particularly important in the case of sensitive personal data such as biometric, health or identity data.
The PIA Framework establishes for the first time in Europe a clear methodology to assess and mitigate the privacy risks of smart tags that can be applied by all industry sectors that use smart tags (for example, transport, logistics, the retail trade, ticketing, security and health care). In particular, the PIA framework will not only give companies legal certainty that the use of their tags is compatible with European privacy legislation but also offer better protection for European citizens and consumers.