Privacy & Information Security Law Blog

On May 12, 2009, the European Commission issued a long-awaited recommendation on the implementation of privacy and data protection principles in applications supported by radio-frequency identification (“RFID”).  The recommendation follows a process initiated in 2006 when the European Commission launched a public consultation on RFID technologies.  Following this public consultation and in order to protect consumers’ privacy and data protection, the European Commission decided to take further steps by preparing a recommendation to regulate the use of RFID.

The recommendation applies the principles of the General Data Protection Directive (Directive 95/46/EC) and of the e-Privacy Directive (Directive 2002/58/EC) to RFID technology.  In summary, the recommendation provides that:

• Operators of RFID immediately must deactivate RFID tags automatically and free-of-charge at the point of sale, unless the consumer explicitly opts in by asking to keep the chip operational.  This principle is, however, subject to exceptions.
• Consumers must be clearly informed of the use of their personal data, the type of data collected and the purpose of the processing.
• The reading device must be clearly identified, and a contact point must be indicated if the consumer would like to receive further information.
• A common European symbol should be developed to indicate whether a product uses a smart chip.
• Companies and public authorities should develop a framework for privacy and data protection impact assessments.  This framework will have to be endorsed by the Article 29 Working Party.  The goal of these privacy impact assessments is to ensure that consumer privacy is protected.

Strictly speaking, this recommendation is not legally binding on European Union Member States and so is not required to be implemented. Its influence, however, should not be underestimated.  The recommendation provides that Member States should take all necessary measures to bring this recommendation to the attention of all stakeholders which are involved in the design and operation of RFID.  Member States should also inform the Commission of action taken in response to the recommendation no later than 24 months following the publication of the recommendation.  Within three years from the publication of the recommendation, the Commission will provide a report on its implementation, its effectiveness and its impact on operators of RFID technology.

The recommendation can be found here and the FAQs on RFID here.