EU Adopts RFID Privacy Recommendations

Library books containing small wireless RFID chips inventory themselves and automatically connect the user's library card, books carried out of the building and the library's checkout database. Toll road sensors communicate with pass cards in commuter vehicles and debit a database of prepaid travelers.

In the future, advocates imagine a worldwide "Internet of Things" in which refrigerators report when food reaches its expiration date, automobiles communicate to avoid accidents or traffic jams. Baggage routes itself within airports, and everyday objects connect, report, and interact.

According to EU Commissioner for Information Society and Media Viviane Reding, the worldwide market for the RFID tags is growing, and will be worth some 20 billion Euros by 2018. But privacy is a growing issue as well, and today the EU adopted RFID privacy recommendations that include the following:

• Consumers should be in control whether products they buy in shops use smart chips or not. When consumers buy products with smart chips, these should be deactivated automatically, immediately and free-of-charge at the point of sale, unless the consumer explicitly opts-in by asking to keep the chip operational. Exceptions can be granted to avoid unnecessary burden on retailers, for example, but only after an assessment of the chip's impact on privacy.
• Companies or public authorities using smart chips should give consumers clear and simple information so that they understand if their personal data will be used, the type of collected data (such as name, address or date of birth) and for what purpose. They should also provide clear labeling to identify the devices that 'read' the information stored in smart chips, and provide a contact point for citizens to obtain more information.
• Retail associations and organisations should promote consumer awareness on products containing smart chips through a common European sign to indicate whenever a smart chip is used by a product.
• Companies and public authorities should conduct privacy and data protection impact assessments before using smart chips. These assessments, reviewed by national data protection authorities, should ensure that personal data is secure and well protected.