EPCglobal Response to EU RFID Online Consultation "Your Voice in Europe"

Transcription

1 EPCglobal Response to EU RFID Online Consultation "Your Voice in Europe" Brussels, September 2006

2 2 EPCglobal RESPONSE TO EU RFID ONLINE CONSULTATION Brussels, 27 September 2006 Section 1: Respondent details EPCglobal is a joint venture of the Uniform Code Council Inc (UCC) and GS1 (the latter was formerly known as EAN International, a global, Brussels-based not-for-profit organisation which played a key role in the adoption of the bar code in Europe and around the world). This parentage provides EPCglobal with an unmatched background in the development of user-driven standards. EPCglobal has the task of driving global adoption of EPC/RFID technology by establishing open, voluntary standards for the EPCglobal Network. EPCglobal develops a global standards system that combines RFID (radio frequency identification) technology, existing communications network infrastructure and the Electronic Product Code ( EPC - a number for uniquely identifying an item) to enable immediate and automatic identification and tracking of an item through the whole supply chain globally, resulting in improved efficiency and visibility of the supply chain. More than a 100 GS1 Local organizations worldwide out of which more than 39 European, are involved in the local implementation of EPCglobal standards. This document has been drafted by EPCglobal s Public Policy Steering Committee European Working Group (PPSC EWG) and the 25 GS1 organizations based in the EU. For more information: Section 2: General Questions Question 9: There is sufficient information available for interested citizens to come to an informed judgment of RFID pros and cons. Please tick the box that best reflects your view. (Compulsory) Strongly agree Agree Neutral Disagree Strongly disagree Don't know As far as EPCglobal-related RFID applications are concerned, EPCglobal considers that the information available for interested citizens to come to an informed judgement is sufficient. Dissemination of information will be a critical element especially as of when item level tagging commences to be a widespread reality. EPCglobal believes that ongoing provision of consumer information is essential. RFID technology offers great benefits to consumers, which should nevertheless be balanced against potential risks or concerns. EPCglobal also acknowledges that most consumer concerns and fears in relation to RFID technology s real risks and actual benefits are in the majority of cases due to inaccurate or

3 3 insufficient information and education as well as poor communication. Therefore, it is important that a concerted effort is made to ensure that consumers feel well informed about RFID technology and its applications. To this end and to the limited extent that Electronic Product Code (EPC) tags are used at the consumer level (on the product or on the packaging of the product), EPCglobal has developed Consumer Guidelines that are adopted by its members: 1. Consumer notice and choice. Ensure that consumers are aware of the use of RFID technology as well as are informed about the choices that are available to discard, remove or in the future disable EPC tags from the products (or from the packaging of these products) they buy. 2. Consumer information: a. Cooperating in appropriate ways to familiarise consumers with the EPC logo, and what it implies, and to help consumers understand the technology and its benefits b. Educating consumers about the advances of the technology by providing easily accessible and clear information. 3. Record use, retention & security. The Electronic Product Code does not contain, collect or store any personally identifiable information. As with conventional barcode technology, data which is associated with the EPC will be collected, used, maintained, stored and protected by the EPCglobal member companies in compliance with applicable laws. Companies will publish, in compliance with all applicable laws, information on their policies regarding the retention, use and protection of any personally identifiable information associated with EPC use. EPCglobal is fully committed to consumer education & information through its member companies but this is an area where the Commission, the Member States and all relevant stakeholders can play a helpful role as well. There are many applications of RFID other than EPC-related applications. Some of these might not currently be accurately or fairly represented to the public; in connection with the responsible use of the technology; this is an area where the EU, national governments and their agencies should also join forces, in order to have a multi channel approach to information dissemination. Question 10: The application of RFID offers great potential for improving the life of European citizens. Please tick the box that best reflects your view. (Compulsory) Strongly agree Agree Neutral Disagree Strongly disagree Don't know There are numerous RFID applications that have already improved the life of European citizens, ranging from quicker passage through motorway tolls or ski lifts, to car security systems. The technology in itself is not new, but there is a wider emerging usage driven by advances in semiconductor and antenna technologies, as well as by the emergence of standards. As a result, broader consumer applications are relatively new. In the future, RFID technology will offer even more benefits to European citizens, some of which will derive from the specific application of RFID on the basis of the Electronic Product Codes (EPC).

4 4 The benefits from the use of EPC for European consumers and citizens at large would include the following: Authentication & safety: o o Improvement in food and drug safety from enhanced pre- and after-sales product traceability facilitating prompt removal and identification of any recalled products. Enhanced patient safety: improved drug pedigree and prescribing accuracy, leading to reduced patient risk Reduction in medication errors Validation of the five healthcare rights (right patient, medicine, time, dose and route) by validation at point of administration could eliminate more than one third of these errors. Patient compliance with medication regimes could be enhanced The use of RFID on temperature sensitive products such haemophilia treating products, vaccines etc. would result in significant improvements in safety and efficiency. o Enhanced confidence in product authenticity as counterfeiting is made more difficult and product sources can be more easily identified. Less waste o Less waste from improved stocking efficiency, which also means improved customer service o Management of recycling operations e.g. through automation of used package sorting and acceleration of flows. o Improved supply chain operations will also result in a reduction of unwanted transport, reducing road congestion and energy consumption Less theft through systematic control of deliveries and easier identification of ownership Improved lifecycle repair & service tracking, safety and security in repair and maintenance services Enhancement of the shopping experience through e.g.: o Efficiency of after-sales service, e.g. improved after-sales operations and planning for example by better administration of guarantees, also resulting in better customer service. o Improved demand-driven availability of goods, for example through the increase of on shelf availability of products o Availability of fresher goods that keep for longer Question 11: A number of forums have developed guidelines on the protection of privacy and, specifically, criteria and standards for promoting respect for consumer privacy in the growing use of RFID technology in commercial applications. Such forums include the Organisation for Economic Cooperation and Development (OECD) and various institutions (ISO, EPCglobal, ETSI, CDT, etc.), most of which are open to participation. Are you aware of these efforts to develop "fair information principles" and RFID best practices? (Compulsory) Yes No EPCglobal is an international not-for-profit user-driven standards organisation whose members are active in various sectors (e.g. Fast Moving Consumer Goods, Logistics and Transportation,

5 5 Healthcare Fashion Apparel, and in the near future, Automotive and Aerospace) and participate at all levels of the supply chain (from manufacturer, to retail and logistic provider etc) originating from all over the world (nearly 1000 member companies at the end of September 2006). EPCglobal member companies are the drivers of the standardisation process and also benefit from participation in the future EPCglobal network. EPCglobal works closely with other international standards organisations, such as ISO, to ensure that the standards it develops are recognised by public institutions and governments across the world. Notably, in 2005, EPCglobal adopted simple Guidelines on EPC for Consumer Products that represent a set of fundamental commitments to consumers. The EPCglobal Guidelines provide clear consumer information about the use of EPC/RFID technology, educating consumers on the evolving applications of the technology and ensuring that consumers are informed about their choices, adequately addressing privacy and security concerns. EPCglobal is responsible for frequently revising and updating the Guidelines as the technology and its applications evolve. EPCglobal also monitors proper implementation of the Guidelines by the member companies. To this end, EPCglobal is committed to acting as a forum for both companies and consumer organisations to learn of and address any uses of EPC technology in a manner inconsistent with the EPCglobal Guidelines. EPCglobal is also aware of other efforts, such as the OECD s principles of fair information practice, and takes all of these into account when reviewing its own guidelines. For more information please see EPCglobal Consumer Guidelines Information. Question 12: Do you think that current European Union data protection and privacy legislation is adequate to deal with privacy and/or security concerns about RFID? If not, what do you think should be done (e.g., modification of existing law, self-regulation)? (Optional) Yes. For all EPCglobal applications, EPCglobal believes that existing EU legislation adequately addresses privacy and security concerns about RFID. This view is based on the technical features of EPCglobal tag and reader technology, as well as how data are used and protected in the EPCglobal network, all of which is explained in the Annex in a little more detail. Our conclusion from this is that, although there should be no automatic assumption that potentially identifiable information would become personal data, in cases where privacy and security issues arise in relation to EPCglobal RFID applications, the existing principles and provisions of EU data privacy and protection legislation would of course apply. As regards, for instance, the collection of personal data, current legislation outlines the legitimate processing cases, the obligation to obtain prior consent, the further processing of the data which must not be incompatible with the purpose for which it has been collected, the obligation to guarantee access and assure the right to rectification. There are also commercial considerations that must be taken into account in this context as regards the feasibility of the collection of personal data, such as the impact on a store s reputation and attractiveness to customers if they were to find out that they were being surreptitiously profiled, the cost of tags and readers themselves and of the installation of readers, the limitations of RFID technology and standards (e.g. in relation to the not yet harmonised frequency bands and standards, the physical limitations with the technology due to its size and performance) as well as the significant IT infrastructure that would need to be put in place and the resources that would be needed to collect, filter, store and use such data. EPCglobal develops standards for the identification numbering schemes (EPC code) and the standards for the RFID tag (EPC tag) ( It is important to make a distinction between the ID number and the tag, which is just a carrier. For more information on the EPC tag standard, please see the Annex. For related information to this Question, please also see responses to Question

6 6 Section 3: RFID Use Question 13: Do you consider that the European Commission should stimulate the implementation of RFID technology in the following application areas (please select your top three or tick last answer): (compulsory) Healthcare Pharmaceuticals Agriculture Government - Asset management Government - immigration/border control/customs Government - Defence and National Security Government - Hazardous Materials Management Lifestyle and Leisure (skiing, ticketing, museums) Retail Public Transport Logistics & Goods Transport Supply Chain Management Manufacturing and Processing The European Commission should not stimulate the take-up Library Systems RFID can improve the life of European citizens in all sectors mentioned and can provide great benefits that should be balanced against potential risks and concerns. There are numerous existing and potential RFID applications as this is an emerging and constantly evolving technology. EPCglobal works with its member companies in multi-sectoral work groups in the areas of Fast Moving Consumer Goods (FMCG), Transport and Logistics (TLS), Health and Life Science (HLS), Fashion, Footwear and Apparel (AFF). Soon EPCglobal will have in place working groups from additional sectors, namely Consumer Electronics, Automation and Aerospace. The creation of interface standards in a particular business sector is based on the assessment of the business conditions and requirements that EPCglobal subscribers provide. With this view, EPCglobal believes that the European Commission should stimulate take up of the technology in any application areas by ensuring that the regulatory framework encourages innovation and entrepreneurship in this area as much as possible. The evolving needs of industry, consumers and our society as a whole as well as the potential of the evolving technology should provide the necessary criteria for the take-up of the technology in the various sectors. Question 14: In healthcare environments (hospitals, elderly care and home care institutions), there is evidence showing that some processes are not always running effectively (wrong medication or treatments, missing surgical equipment, inadequate disinfection...). The European Commission should promote the use of RFID-based solutions in such environments in order to increase patient safety and potentially reduce costs (thanks to improved logistics and management). Please tick the box that best reflects your view: (compulsory) Strongly agree Agree Disagree Strongly disagree

7 7 Neutral Don't know RFID technology can be of enormous benefit in the healthcare environment. It offers the chance to support the creation of real-time and more accurate critical data exchange between the key stakeholders (patients, medical care providing personnel) by forming a comprehensive medical network capable of delivering accurate medical care while facilitating knowledge exchange and enhancing safety and efficiency in the entire medical chain. The introduction of RFID into hospitals would see significant improvement in a number of areas, including: Patient management systems ensuring that the right patient receives the right medicine and or treatment, for example, in surgery and emergency room operations; Instrument and medicine management: o RFID can provide real-time positioning of instruments and equipment in a medical institution o RFID can be used to assist in gathering data about maintenance records of the medical equipment used as well as ensuring enhanced quality of data and information management in treatment rooms (calibration data, instructions on use, etc.) Medical waste management system - an RFID solution will remove doubt often existing over whether waste is handled in compliance with any work contract or local legislation by providing proof-of-delivery and receipt, as well as location tracking and activity records that ensure the integrity of a hospital s waste disposal activities. Detection of illicit medication or equipment that might have entered the licit supply chain and end-up in a healthcare environment. Please also see answer to Question 13. Question 15: Do you think that the European Commission should encourage the use of RFID technology for the purpose of identification and tracing in the following areas: (you can tick more than one option) (compulsory) Light weapons and other dangerous products? Pharmaceutical products (to reduce the risk of counterfeit)? Products that require a high reliability (e.g., airplane spare parts)? Electronic Vehicle Identification? None of the above? Don't know Food safety? Please see answer to Question 13. Question 16: Do you think harmonisation of one or more of the following areas should be pursued through concerted efforts at European level? (Optional) The identification and tracking requirements of pharmaceutical products in different EU Toll collection systems?

8 8 Member States? Transportation ticketing solutions (train, metro, bus)? Interoperable electronic number plates that can be used in, for instance, theft preventing systems? Intermodal transport systems, container and shipment tracking systems? EPCglobal would like to see harmonised standards at European level that will be user-driven and will adequately take into account global efforts. In our experience of e-business standards (GS1 accounts for more than 30 years of success in global e-business user driven standards), global harmonisation is critical for the success of global interoperable standards and is the only effective way to proceed. Some of the listed examples can indeed only be made possible in an efficient and economic way, through concerted efforts at European (and global) level. Please also see answer to Question 13. Question 17: Counterfeiting today accounts for 10% of world trade, affects all economic sectors (pharmaceuticals, luxury goods, mechanical products, textiles, etc.) and results in loss of jobs per year in Europe. The World Health organisation (WHO) estimated that counterfeit drugs account for 8% to 10% of all pharmaceuticals. Do you think that the European Commission should encourage Member States to define legal, technical and organisational framework dedicated to the prevention and dissuasion of counterfeiting? If yes, please specify how this goal could be achieved. As is widely acknowledged, the problem of counterfeiting seriously hampers the competitiveness of numerous industry sectors and consequently has a significant negative impact on growth and jobs in Europe and beyond and in several cases poses a threat to the health & safety of its citizens. This is a problem that needs to be tackled throughout Europe. The use of RFID technology in securing the integrity of the supply chain can be part of a set of strong solutions in the context of a comprehensive, robust fight against counterfeit. The public health benefit of reduced risk from counterfeit drugs and medicines through use of unique identifiers is clear. RFID technology on the basis of EPC is one of the enablers that can help in the fight against counterfeiting in so far as the authenticity of a product can be established through its unique identification along the supply chain. The key for this worldwide disjunctive and unique identification of each item is the EPC identity number. Enhancing the integrity of the supply chain can be a way to eliminate product counterfeiting by hampering adulteration, diversion and mislabelling. RFID enhances the transparency in the supply chain and therefore contributes to significantly decreasing the odds of not intercepting fake products. For instance, the 96 bit EPC has enough capacity to uniquely identify 200 billion different products. The ability to tag products (and documents) using an interoperable global standard is an essential condition for some manufacturers of critical sensitive goods produced in different parts of the world. In this sense, we encourage national governments and regional administrations to engage in a dialogue with stakeholders in order to find global solutions, also in the area of RFID use to prevent counterfeit in areas such as healthcare, automotive, aircraft spare parts etc. Another factor that should be taken into account when developing a framework for the prevention of counterfeiting is the need for an education process and for materials to be available for training of the supply chain workforce and law enforcement agencies (i.e. Taxation & Customs). This can

9 9 play a critical role since the supply chain workforce works closely with law enforcers in order to identify counterfeiters and their distribution channels. Section 4: Security, Privacy and Data Protection, and Safety Question 18: What in your opinion would be the best solution(s) to eliminate or greatly reduce the security, data protection and privacy concerns that may arise from deploying applications of RFID technology? (You can tick more than one option) (Optional) To enact legislation regulating RFID To rely on self regulation and best practices based on the fair information principles To foster the development of technical solutions allowing to disable RFID tags To raise the awareness of consumers through educational campaigns Before answering this question, it is important to underline the evolving nature of RFID technology and what this means for data security and privacy: RFID is an evolving technology, which will be used in a multitude of ways, many of which have not yet been contemplated. Legislative policy responses developed today must be future-proof in three ways: o firstly, contrary to practical implementations of a given legal framework, legislative policy responses must not be application-specific; o secondly, they must not restrict the development of new legitimate applications of RFID technology; and o thirdly, they must be technology neutral. Security and privacy concerns are not the same for each application. Therefore, a single policy framework that will ensure coherence and clarity should be flexible enough to take this parameter into account. Policy responses must be proportionate to the realistic risks of breaches in data security and abuse of data protection rules. Policy should not be made on the basis of scaremongering or worst-case scenarios; this would strangle the development of RFID technology and put Europe at a competitive disadvantage. So, any policy option must strike the right balance between targeting those seeking to abuse RFID technology for illegal purposes and those legitimate businesses that deploy the technology in accordance with the rules and in a responsible manner. Therefore, EPCglobal believes that: There is no need to enact specific legislation regulating RFID. There is already a wellestablished, technology-neutral legislative framework for data protection issues in the EU. Self-regulation and sharing best practices is more effective in some cases. Such solutions are more flexible, allow for application-specific approaches within the wider technology-neutral legislative framework and can more easily be updated to take account of technological advances. As mentioned above, a set of privacy guidelines to be followed when using RFID/EPC tags in the consumer goods supply chain are embedded in the EPCglobal standards (EPCglobal Standards Information) Encouraging the development of technical privacy solutions is laudable, but should not be seen as a panacea. More important is to assess the real risk of personal data being compromised in RFID applications in the supply chain. As explained above, standard EPCglobal tags carry a unique code or identification number. This can be a product identification code, but also a pallet identification code for example. Besides the code, the current Class 1 Generation 2 tags can have additional memory for use when real time access is needed without accessing a

10 10 database over a network (such as best before date). That does not automatically equate to personal data such as name and address. Were tags to be additionally loaded with personal data, then the provisions of the current data protection legislation come into play and the rules about consumer consent, data usage, security and disclosure applied. Consumer awareness is key. EPCglobal Guidelines require companies to inform consumers about the deployment of RFID technology. EPCglobal is also committed to consumer education through its member companies and this is an area where the Commission, the Member States and all relevant stakeholders should join forces.(for more information please see (EPCglobal Consumer Guidelines Information) Question 19: If you are in a supermarket, would you prefer a RFID tag related to a product to be: (you can tick more than one option) (optional) A removable sticker attached to the product itself? Automatically de-activated at the point of sale? Part of the product's package box? A proximity tag with a very short reading distance of less than 5 cm? There are cases where potential benefits for the industry and consumers are lost, unless the tags remain active after the point of sale, such as: o improved traceability of products (a subset of which is improved product recall capacity), o intelligent recycling o better administration of product guarantees, service and repairs It is therefore important to balance the benefits of the technology in both retail and after-sales environments against possible privacy concerns. In our view, it is possible both to realise the significant and wide benefits offered by this technology, while at the same time safeguarding the privacy rights of individuals. EPCglobal Consumer Guidelines commit member companies to informing customers of the options available to them for removing, disabling or discarding tags. In any case, it is anticipated that for most products, the EPC tags would be part of disposable packaging or would be otherwise disposable- although, as shown above, this may not always be desirable. EPCglobal is further committed to finding additional efficient, cost effective and reliable alternatives to further enable customer choice. Please also see answer to Question 10. Question 20: Which maximum reading distance in your opinion could be considered as acceptable for "proximity tags" (i.e. tags which may be read only at short range - less than a few inches or centimetres)? Please specify the application domain (e.g., product tagging) and provide options for maximum reading distance (1cm, 5cm, 10cm, 25cm, 50cm, etc.) (Optional) This question is difficult to answer because any given tag can be read over different distances depending on the environment in which it is being used. These environmental variables include: the substance of the product or packaging which has been tagged (e.g. metal, liquid, glass, foil ), the reading environment, the number of tags in proximity of the reader, the response frequency range of the tag, the available reader spectrum and power levels, the speed with which the tag passes the reader, the type and make of tag, the design and orientation of the antenna, etc.

11 11 In addition, it is also important to differentiate between what is technically possible and the circumstances in which it would be feasible (for example, the circumstances in a laboratory and in a real environment, like a store, are different and significantly influence what can and cannot be done), and what is legally possible or even what is acceptable from a business practice perspective. Furthermore, the question gives the impression that the shorter the reading range, the more the risk of a breach of data privacy and security can be reduced. While legitimate business users will conform to the regulatory and safety requirements, criminals may attempt to use excessive, unregulated power levels altering a tag s intended read range. Good practice in data protection and privacy include proper application of the existing laws, directives and regulations to which EPCglobal is committed. Therefore EPCglobal is concerned that there are too many imponderables that do not allow the development of a satisfactory framework for any policy instrument that aims at specifying reading distances. Indeed, given the constantly evolving nature of the technology and its applications, such policy measures could quickly become obsolete. Consequently, it may be more effective to encourage the responsible use of RFID technology across the supply chain rather than specify reading distances. Question 21: How in your opinion should the RFID application provider treat security, data protection and privacy issues? (You can tick more than one option) (Compulsory) Conduct a risk assessment prior to the technology deployment Select RFID systems that provide appropriate security and privacy mechanisms Leave these issues to the endusers There is no need to address these issues Manage security and privacy properly throughout the whole RFIDenabled business process EPCglobal recognises that there is a clear need to address these issues and adequately respond to consumers relevant concerns. EPCglobal member companies are committed to deploying RFID responsibly and legitimately. Therefore, conducting a risk assessment, selecting RFID-systems that provide appropriate security and privacy mechanisms commensurate with the risks posed as well as managing security and privacy properly are obvious steps for any responsible company on the basis of existing legislation. Question 22: RFID can be used for employee tracking, typically by attaching RFID tags to name badges or security passes. Data capture from RFID tags may sometimes be integrated with personnel files (e.g., linked to employee time sheets, pay records, or health records), thus modifying the traditional balance of personal convenience, workplace safety and security, and individual privacy. In accordance with the current EU laws, employees should always be made aware that personal data is being collected and of how it is used and distributed. Do you feel concerned about the extent of the right of employers to undertake RFID-enabled monitoring of their workforce? (Please tick the box that best reflects your view) (Compulsory) Very strongly Fairly strongly Not very strongly Don't know

12 12 Existing legislation sets out specific rules as to how companies should treat their employees data whether these are obtained from RFID tags or not. It is imperative that the existing legislation is properly enforced irrespective of the technology involved. EPCglobal condemns any unlawful use of RFID or any other technology. Question 23: Do you think that privacy enhancing technologies in RFID applications should: (optional) X be promoted at European level? X be left to the market? be made mandatory (e.g., "privacy by design" rule)? EPCglobal acknowledges that privacy enhancing technologies (PETs) may provide some additional reassurance for consumers as RFID applications become more widespread. But again at this early point in RFID deployments, EPCglobal recalls that a balance must be struck between any genuine advantages they bring, the comfort factor they provide and potential disadvantages such as losing post-point of sale uses or increasing cost and complexity which can further downgrade benefits. Therefore, PETs should not be made mandatory as this would lead to RFID deployment depending on the development of affordable PETs solutions. PETs may well prove to be expensive and, furthermore, mandating certain kinds of PETs may favour one company s product over another, thus undermining a broad market approach to the development of PETs. Nevertheless, EPCglobal believes that support for the development of PETs at the European level may well be useful in terms of bringing together research and development capabilities. Also Commission-administered research funding programmes can be instrumental in this area. Finally, it should be noted that continued consumer trust and confidence are paramount to companies since consumer acceptance of business practices adds a competitive advantage over others. High or enhanced consumer safeguards - irrespectively of whether they are enshrined or not in law - are today a tool to gain the competitive advantage that business require and need for the good functioning of their businesses. Question 24: How do you think the end-user should be informed that RFID applications are being used? (Compulsory) Notification by the RFID user (e.g., labels for compliance with best practices or independently set standards) Notification under third party certification (e.g., labels for compliance with best practices or independently set standards) As mentioned previously, EPCglobal strongly believes that notification to end-users regarding the use of RFID technology is fundamental. This is why the EPCglobal Guidelines are built on the principles of industry responsibility for consumer information and choice, also enshrined in the current international and regional data protection regimes. The EPCglobal Guidelines have been drafted by the EPCglobal Public Policy Steering Committee and endorsed by the EPCglobal Board of Governors, with representation of all sectors involved in the standard setting process (retail, manufacturing, logistics etc). EPCglobal member companies as actors along the supply chain are the best placed under the principle of shared responsibility to notify consumers and provide the necessary information in the clearest and most effective way possible. In this sector, RFID users interact with the end-consumers on a daily basis and have developed an expertise in effectively reaching all consumer target groups with the best-tailored messages.

13 13 On the contrary, mandated third party certification can be costly and bureaucratic. It also eliminates the competitive edge between companies that will compete on their responsible strategies also in the framework of their marketing strategies. Section 5: Standardisation and Interoperability Question 25: Do you think that the European Commission should stimulate and support initiatives that lead to global harmonisation of RFID standards? Please tick the box that best reflects your view (compulsory) Strongly agree Agree Neutral Disagree Strongly disagree Don't know In a world where supply chains are global, EPCglobal strongly believes that the adoption of global standards is vital for: enabling global standard numbering schemes (within a single framework) enabling global standard(s) for reader communication with tags (air protocol) as logistics units and cases travel over different industry players and continents defining the basic nature of network services and definition so that everyone in the global supply chain interprets the strings of data in the same way. Without global standards, it cannot be guaranteed that players at all points in the supply chain will be able to read, interpret and use the product information. In other words, global technical standards ensure universal applicability and optimal functionality. Without such standards, there would be a high risk of diverse, incompatible systems being created, to the detriment of industry collaboration. A clear example of the merits of using one common language for the exchange of goods and information between companies can already be found in the market today. For example, company requirements from a variety of sectors have already led GS1 identification and communication standards to be applied by more than companies in Europe and over 1 million companies worldwide. In order to be able to build on this basis when implementing RFID, standards should be interoperable. EPCglobal works closely with International Standards Organisations such as ISO and European bodies such as ETSI as well as individual Member states through the GS1 local organisations. Also, the EPCglobal UHF Gen 2 protocol interface protocol has recently been incorporated into ISO C. Question 26: Do you think that the European Commission should take a more active role in setting RFID standards? (Optional) Yes No Question 27: If yes, would you say that the European Commission should: (optional) bring together stakeholders in standard setting activities? support the development of certification services?

14 14 mandate standards? assess whether standards are in compliance with European cultures and values (e.g., privacy and data protection, small or medium-sized enterprise requirements)? align European Union standards with those of other regions of the world It is difficult to give a unique general answer to this question as efforts depend very much on the sector concerned. EPCglobal believes that the role of the European Commission should focus on bringing together stakeholders in standard setting activities as long as these respond to established business requirements and demands from the stakeholders. The European Commission should therefore not mandate or impose standards but should rather aim at creating a level playing field for RFID technology providers in Europe in order to ensure a competitive Internal Market. Efforts such as the one that the European Commission is undertaking to assess policies needed to foster the deployment and roll out of RFID applications in the EU should be given as an example in other parts of the world, where stakeholder dialogue might not necessarily be fostered in the same way. Please also see answers to Questions and 26. Question 28: The small size of the tags implies that it is difficult to display regulatory information on them (this includes - but not only specific to- spectrum regulation). Regarding in particular the R&TTE Directive requirements, do you think that mechanisms using the CE mark or its principle, could be adequate? Please specify (optional) EPCglobal believes that it would be more appropriate for any regulatory requirements to be applied to the hardware rather than to the tags themselves. As regards to the R&TTE Directive, EPCtags used for RFID applications are indeed of small size and most generally made of materials such as silicon, aluminum or copper, plastic or paper substrates etc. In supply chain applications, most tags are passive and as such are not capable of initiating any action of their own or create any hazard. Therefore regulatory information to be displayed should be limited to existing requirements. Concerning the marking, the EC Marking Directive foresees that it is possible for the mark to be affixed to the packaging itself when necessary, so this should not be considered as an issue for tags. However at this point, the current class of passive RFID/EPC tags should not be marked, as they are tags which do not contain any power source themselves; RFID/EPC tags will rather use part of the energy emitted by the reader to compute and emit its response. As a result, the return signals are very weak. Therefore, for the moment, it should be considered marking the reader equipment for the tag. This will furthermore ensure compliance with the R&TTE directive. Section 6: Frequency Spectrum Question 29: The European Commission has proposed an EC Decision on UHF spectrum harmonisation for RFIDs ( MHz) in order to accelerate the establishment of a fully functioning internal market for these devices and to provide legal certainty throughout the

15 15 European Union. This proposed EC Decision should be applied into national law by the respective Member States by the end of Do you believe this regulatory action is sufficient to provide a favourable environment for the initial deployment of UHF RFIDs? (optional) Yes No EPCglobal members welcome the technical implementation decision as an accompanying step to the process of adaptation of national frequency plans to accommodate the UHF bands identified for RFIDs. The decision is based on the recommendation by the European Conference of Postal and Telecommunications Administrations (CEPT) and the update of Recommendation on Short Range Devices (in October 2004); it represents an important first step in order to ensure Europewide legal certainty for investors in RFID Technology. EPCglobal also urges Member States to support the EU Commission s efforts to rapidly adopt its Draft Decision on harmonisation of the radio spectrum for radio frequency identification (RFID) devices operating in the UHF band as agreed upon by the Radio Spectrum Committee in June Also in this context, it must be noted that harmonisation of the regulatory environment is an essential condition for a single market for RFID hardware in the EU. Only with a level playing field for technology providers in Europe can the sufficient economies of scale be achieved, that enable those often small and medium sized companies to compete with other competitors from around the world and to be able to contribute to a widespread use of RFID beyond the pilot phase. Nevertheless, it should also be noted that investments to go beyond the currently operated pilot projects and initial roll-outs of the technology are already impeded by the less favourable aspects of the current regulatory environment in Europe, namely the narrow spectrum band available, the limited number of channels and the need to use the listen before talk protocol. Of primary concern is the inherent uncertainty regarding the future availability of enough free channels, at any single point in time at the geographic location of a RFID enabled system, in the light of the prospective wide spread use of other so called Short Range Devices (SRDs). Question 30: If yes, how long do you think can industry reasonably operate within the limitation of the 3 MHz set across the European Union for RFID UHF bandwidth (of which 2 MHz can be used at power level up to 2 watts) without congestion? Please tick the box that best reflects your view. (optional) Less than 3 years Between 3 and 5 years Between 5 and 10 years This question cannot be answered with the choices provided in the questionnaire. It has to be kept in mind that, although there are significant advances in the implementation to be noted, industry currently operates only small scale operation or pilot projects. Such limited RFID operations can at the moment be operated without congestion and might as well do so for the foreseeable future. However, significant investment decisions are needed, particularly since large-scale deployment of RFID technology is required to gain the significant advantages in process management, which in turn will lead to a more competitive Europe. Such future-looking investment decisions depend on the assured expectation that the new RFID enabled processes will work properly - an assurance which cannot be given pending the development of innovative synchronisation techniques and the future availability of sufficient spectrum. Therefore the operation of UHF RFID systems is already hampered today solely by the possible prospect of congestion.

16 16 Question 31: It is likely that additional UHF spectrum will be needed as UHF RFID technology will mature and become virtually ubiquitous in the whole society. Do you agree that this prospect is not so remote? (optional) Yes No Please see answers to previous Questions in this section. Question 32: If yes, when do you think we would run out of the currently allocated spectrum? What could be the best candidate spectrum bands for an extension? What is the level of global compatibility/co-ordination that would be required? (Optional) In relation to Question 30, EPCglobal notes that the future availability of sufficient spectrum is an essential condition for the development of RFID technologies into a reliable tool to make business processes more efficient all over Europe. Nevertheless, EPCglobal believes that the period over which currently allocated spectrum may be sufficient is very difficult to estimate since such an assessment depends on a number of interrelated future developments, such as regulatory developments, synchronisation techniques, SRD uptake, etc. As regards the question of what could be the best candidate spectrum bands for an extension, EPCglobal believes that in general the additional channels need to be located between 860 and 960 MHz in the UHF Band. By considering spectrum allocations for RFID in other parts of the world, bands between 910 MHz and 920 MHz are examples of appropriate areas for an extension. Concerning the level of global compatibility/co-ordination that would be required, it must be noted that today RFID hardware, within technical restrictions, is capable of being tuned to different frequencies. Therefore, in order to allocate additional channels for the use of UHF-RFID, the spectrum allocations in other parts of the world need to be taken into consideration. In addition, reader to tag communication techniques and maximum power levels are important areas of international co-ordination in order to ensure that efficiency gains through RFID technology also facilitate global trade. Question 33: Whenever long-term spectrum needs cannot be identified using straightforward methods, an alternative would be to start by a macro economic and societal impact assessment of the underlying applications and then to derive indirectly the associated spectrum requirements. How in your opinion could such macro economic and societal impact assessment be done? Please tick the box that best reflects your view. (Optional) Study Industrial co-operation Research project A combination of the three options above Please see the answers to the previous Questions in this section. Section 7: Research Question 34: Research and Development in the RFID field covers the elementary technological blocks needed to create the "smart tags" of the future and system integration and delivery of

17 17 "end-to-end systems". Which in your opinion are the research topics which the European Commission should support in priority? Please select up to 3 options (optional) Organic electronics and organic RFID devices The integration of smart sensors and actuators with RFID devices The removal of the technological hurdles of the existing silicon based RFID generation The use of RFID and other identification technologies to provide enterprises with the ability to sense events and to respond in the most adapted manner to their competitive environment thanks to near realtime information and adapted supply chain processes Innovative applications and services such as the use of RFID technology to make road transport safer, to help blind and impaired people on streets and in shops, to enhance the efficiency of logistics and business processes... Privacy enhancing technologies such as encryption and authentication New systems of item identification to connect every day objects and devices to large databases and networks and to the Internet Question 35: The European Commission should support SMEs by investing in awareness raising campaigns, in establishing vendor independent competence and training centres, and/or in promoting the development of RFID applications based on identified best practices (optional) Strongly agree Agree Neutral Disagree Strongly disagree Don't know EPCglobal believes that training and awareness are certainly key for the successful roll-out and implementation of RFID. For instance, The EPC Competence Centers in Germany (EECC) Spain (EPC CC) and France (EPCglobal France) to mention some examples, have their raison d etre in providing support to companies to ensure the successful introduction of RFID/EPC into their operations and to pass on to other organisations the benefits of the experience they have already collected as a result of the extensive involvement with RFID technology. In addition to successfully implementing RFID in their existing processes, companies need appropriate know-how for handling the technology and a number of them have developed their own innovation centres. That is why, for instance, these and other EPC Competence Centers have developed an extensive training programme, including both theoretical instruction and practical sessions. In addition, one of the deliverables of the EU funded integrated Project BRIDGE is to provide consistent robust and comprehensive Small and Medium Enterprise (SME) training in the field of adoption and implementation of RFID based on EPC for SMEs in Europe. Question 36: In the future, technology is expected to allow consumers and citizens to look up on the Internet additional information by entering the RFID number affixed to the product bought (e.g., for warranty purposes, further product and production information, maintenance information). When such an "Internet of Things" comes into widespread use, its governance model should be built on transparent, fair and non discriminatory international principles, free of commercial interest (optional) Strongly agree Disagree

18 18 Agree Strongly disagree Neutral Systems, networks and architectures need to be flexible, adaptive and secure. The consideration of any governance principles in a context of the future Internet of Things as portrayed in the Question, would also require prior dialogue between the parties involved to assess needs based on existing recognised principles. It is with these principles in mind, that the EPCglobal network, a business to business network for use in supply chains, and not falling within the concept of the Internet of Things as depicted above, is currently being designed. EPCglobal continues to endorse a governance model that is notfor-profit, user-driven, transparent and non discriminatory. EPCglobal is a voluntary community of trading partners that engage in the secured capture, sharing and discovery of EPC related data about objects as they move through the supply chain. By using standards-based, EPCglobal-certified RFID hardware and software components and interfaces, end users are assured that their EPC implementations are built on a standard infrastructure (EPCglobal Network) that is compatible and interoperable with their trading partners, enabling them to capture, store and share EPC related data up and down their supply chains. In other words, the EPCglobal Network is the result of ongoing multiparty transparent processes based on the need to facilitate the exchange of information between trading partners. The thinking around discovering EPC data in a multi-tiered supply chain is just beginning, and EPCglobal is working with industry to develop end user requirements that meet their needs. Authentication and security are critical elements to the EPC Network. Research in this area is therefore a natural step; for instance the EU funded Integrated Project BRIDGE (under the 6th Framework Programme) will focus on research under the EPC Discovery services, as well as other elements relevant to the Network such as: Simple and cost effective software tools targeted to SMEs Serial look up service to enable unique item level product information and retrieval Data management of extreme large amounts of real time data Question 37: Do you have comments on any other aspects which are not covered in the above questions and which you consider to be important? (Please note that such comments should be limited to issues which relate directly to RFID systems) (Optional) Additional comments have been added under each relevant question. Question 38: How did you perceive this questionnaire? (optional) Expectations met Expectations not met Due to the characteristics of a questionnaire intended for a wide and heterogeneous audience, we concluded that some of the questions required further explanatory answers. As a consequence, we have added specific comments and explained our answers to many of the questions above.

19 19 ANNEX THE EPC TAG STANDARD The EPC tag standard: Defines the requirements for memory and commands. In other words, the type and size of data that a tag can or needs to contain, and the commands that a tag need to be able to understand and execute. Put it simply: the way it identifies itself and communicates with compatible readers (the air-protocol) Different classes are identified for current and future use. A class describes the basic capabilities of a tag (write once - read many; write many - read many; memory size, active (battery assisted) or passive, etc.). The current standard is called EPC Class 1 Generation 2. Generation indicates the version within the same class (similar to version in computer software). The design principle of this class (Gen 2) is aimed at delivering industry a very low-cost tag where accuracy, speed and range are balanced for optimal use in the supply chain (from manufacturing to store). Tags & readers are a system. The need to be designed to be able to work with each other. Within EPCglobal this means that both tags and readers need to comply with the EPCglobal standards, otherwise a reader cannot identify nor communicate with a tag, and hence not read the contents contained in its memory. The current class and generation of EPC tags (also called EPC Class 1 Generation 2): These are passive tags operating in the UHF bandwidth. They are designed to be able to operate globally. There are different UHF bands allocated in the world, depending by region or country. The tag has been designed to operate optimally (or near optimally) in most regions based on the UHF bands used in Europe, North America and Japan Class 1 Generation 2 tag standards offer a framework, so that it can be used across multiple industries and applications (although mainly supply chain): o There are the mandatory memory requirements and commands (an example is the EPC code) o There are the optional memory requirements and commands (they are still defined by the standard) o There are the custom memory and command possibilities. A tag manufacturer can add additional free memory or commands if he/she believes there is a market. These need to fit within the overall specification of EPCglobal Tags contain some technical data, but from an end-user perspective the identifier (the EPC code) they contain are worthy of deeper consideration. EPCglobal has developed standards for the identifiers (the EPC codes), which are interoperable with the identification numbers used by GS1 currently in barcodes. There are for example identifiers for items, logistic units (such as pallets, cases ) and assets. From a privacy perspective, only the item identification number seems to raise concern (it is called the SGTIN). The number exists of: 1. A header for technical reasons 2. A company prefix which identifies the organization that issued the number (i.e. Wrote it on the tag) 3. The item reference 4. A serial number Of the above, the company prefix and item references are similar to what one might find on a barcode. Hence they identify all instances of the object to which the tag is attached. To put it simply: the number identifies that the object is A bottle of lemonade. All similar bottles from the same manufacturer sold in a specific market, would have the same company prefix and item reference.

20 20 The SGTIN has an additional serial number, which allows for the identification of a specific instance of an object. Using the same example, it allows for the identification of A SPECIFIC (or THIS ) bottle. However the SGTIN number does not give you information about the life-cycle of the object, in our example it does not give information ABOUT this bottle of lemonade. This would be typical information used in manufacturing, supply chain and trade processes: when and where was it made, when it entered distribution center X, when did it leave it etc. This type of information is extremely useful to optimize the supply chain, ensure that products with a limited shelf life pass through it quickly, for authentication etc. This type of information varies by type of object and application one wants to develop (e.g. the service of airplane parts will require different information than traceability information for prescription drugs).this type of information will be stored in or more databases and access to these is usually restricted. The EPC SGTIN number is a pointer to these databases. Organizations and companies owning these databases might give access based on commercial and/or social needs, within the current regulatory framework on data protection. A third element to consider is the possibility that Gen 2 allows for additional memory. This is not mandatory in the standard, but optional (and write protection measures are foreseen). EPCglobal has created a working group to define what this additional memory can contain. It is intended to contain the data that needs to be accessible even when access to the above databases is not possible, for example due to network failures. Examples would be manufacturing batch number, best-before-use date etc. As the Gen 2 tags need to be low cost for use in the supply chain, the memory size will be strictly limited.