The RFID agenda of the European Commission. Florent Frederix European Commission Directorate General Information Society and Media

Transcription

1 The RFID agenda of the European Commission RFID i Danmark 2011 May 3, 2011, IT-University in Copenhagen Florent Frederix European Commission Directorate General Information Society and Media This document does not necessarily reflect any official position of the Commission

2 Recommendation on RFID to member countries International cooperation on RFID and IoT The Privacy Impact Assessment Security of RFID applications RFID signage and emblem EU norm

3 The international dimension Share best practices/conferences OECD (2005, 2009) RFID/USN South Korea (October 2007) Exchanges with China (MOST2006, CESI 2009) FTC / DoC / DoD conferences ( ) Exchanges with Japan (METI ) Enhanced co-operation EU-US RFID lighthouse project (2008) Co-operation agreement with METI Japan Partnership of standards organisations under GRIFS project (EU / US / Japan / China / South Korea / )

4 Recommendation on RFID Small chips with big potential Recommendation on the implementation of privacy and data protection principles in applications supported by radiofrequency identification 12 th May 2009 (2009) 585

5 RFID Policy Mix Charter of Fundamentals Right E-Privacy Directive Data Protection Directive Recommendation Self-regulation Codes of Conduct R&TTE Directive Standardization

6 OBJECTIVE Promote: a wider take-up of RFID under lawful, ethical, socially and politically acceptable conditions the Internal Market

7 History (references) WG 29 Working document on data protection issues related to RFID technology Communication: Radio Frequency Identification (RFID) in Europe:steps towards a policy framework The Commission Decision setting up the RFID Expert Group Opinion of the European Economic and Social Committee on Radio Frequency Identification Results of the public online consultation on future RFID Technology Policy European Data Protection Supervisor adopted an opinion Recommendation on the privacy and data protection principles in applications supported by RFID

8 Operators RFID Recommendation: operator Similarity Data Protection Directive controller Difference

9 Application RFID Recommendation: application

10 PIA PIA from the UK Information Commissioner s Privacy Impact Assessment is usefully defined as a process whereby a project's potential privacy issues and risks are identified and examined from the perspectives of all stakeholders, and a search is undertaken for ways to avoid or minimise privacy concerns. Src.: The Information Commissioner's Office (UK)

11 who what what who why Information Security RFID applications with implications for the general public, are especially critical with regard to information security and privacy and therefore require specific attention. Member States Identify the applications that might raise information security threats with implications for the general public. Operators Develop new schemes i.e. certification. ENISA study on Airport applications (2010)

12 who what why Information and Transparency on RFID if the processing of data is to be fair, the data subject must be in a position to learn of the existence of a processing operation and, where data are collected from him, must be given accurate and full information Operators Src.: Data Protection Directive Develop and publish information policy for each of their application Use European sign: identity and a point of contact

13 Information and Transparency on RFID (emblem and signage standard) RFID Information Policy the identity and address of the operators the purpose of the application what data will be processed by the identity of the the application? operator(s) will personal data be processed? will the location of tags be + monitored? a summary of the PIA a point of contact for the likely privacy risks (if any) more information the measures that individuals can take to mitigate these risks

14 how who what why RFID in retail (I) Use of a European Sign if the processing of data is to be fair, the data subject must be in a position to learn of the existence of a processing operation and, where data are collected from him, must be given accurate and full information Src.: Data Protection Directive Retailers Inform individuals of the presence of tags in the products Not specified!

15 Examples in retail

16 how who what why RFID in retail (II) Tag deactivation RFID tags contain unique IDs attached to consumer products: if each tag has a unique ID, such identification can be used for surveillance purposes... Src.: EDPS opinion Retailers Deactivate or remove at the point of sale the tag unless consumer give their consent. Free of charge Immediately Consumer can verify

17 what RFID in retail (III) Tag deactivation Deactivation of the tags should be understood as any process that stops those interactions of a tag with its environment which do not require the active involvement of the consumer

18 how who what why RFID in retail (IV) Tag deactivation Some PIA will conclude that the application doesn t represent a likely threat to privacy or the protection of personal data Retailers Don t deactivate but make available an easy means to deactivate or remove the tags Free of charge Immediately & later

19 retailers are not operators what if what what RFID in retail (V) Tag deactivation Retailers Default No threat to privacy Opt-in Opt-out Retailer has no obligation Operator should determine whether tagged products sold to consumers through retailers who are not operators represent a likely threat to privacy or the protection of personal data, etc

20 what who why Awareness raising action and R&D Awareness RFID technology among the public and SME and spread the trust in this technology All stakeholders Inform and raise awareness among: Citizens SMEs Support security and privacy by design

21 Summary of follow up actions Privacy Impact Assessment Security applications Information policy, including signs/logos Retail specific provisions Awareness Raising Research and Development

22 RFID recommendation Follow-up what Develop PIA Framework who leads? Industry Security applications Development of signs Awareness Raising Members States Standardisation Organisations Member States Research and Development Member States Inform on actions taken Member States

23 RFID Follow-up Commission s role what Develop PIA Framework Security applications Development of signs report Follow-up Standards Support Closely Continue Member monitor with mandate Member funding States the is implementation States, research already to development innovation carry including the adopted activities work. of of through such and this the Recommendation, the development includes framework as i2010 the the RACE Committee development thematic through efforts and its effectiveness the through of regular network such Article signs meetings FP7 and (and 29 upcoming and Working FP8) inviting its impact Party all pilot interested projects on operators parties and to consumers report progress made Awareness Raising Research and Development Inform on actions taken Report on Recommendation

24 Standards (the standardisation mandate) - ensure compliance to recommendation - Interoperability - Economies of scale - Lowering entry barriers - Operational costs RFID standardisation mandate

25 For more information on IOT and RFID visit the policy pages of the European Commission: Access to an extensive library, events, links and news section