Out-Law / Your Daily Need-To-Know

Technical standards for 'smart tags' developed with data protection in mind

Out-Law News | 31 Jul 2014 | 4:55 pm | 2 min. read

Businesses making use of 'radio frequency identification' (RFID) chips will be able to comply with EU data protection laws if they adhere to new standards for the chips that have been finalised, according to the European Commission.

The new RFID standards, which also include new privacy impact assessment standards developed specifically for RFID developers, account for many different uses that RFID chips may be put to use for in future in light of the increasing connectivity of devices, a spokesman for Commission vice president Neelie Kroes told Out-Law.com.

Adherence to the standards is voluntary although businesses deploying RFID can ensure their compliance with their data obligations by implementing them, the spokesman said. The standards are also "future proof" as they should still be applicable when the proposed reforms to EU data protection laws are introduced, he added.

RFID chips are read by readers when they get within a few feet of them, meaning that organisations can learn not just what is on a chip but where the chip is. Chips are used by supermarkets to track stock, for example, but can also be used to store personal information. The Commission said that the global market for RFID applications is estimated to grow to $9.2 billion in 2014.

The Commission warned that RFID chips must not be used as tools of surveillance on individuals and should be "deactivated by default immediately and free-of-charge at the point of sale". However, Kroes' spokesman said that the use of RFID chips with user consent is envisaged under the standards where businesses can convince consumers of the benefits they can derive from allowing companies to use RFID technology to monitor their activities.

The standards also allow retailers to prevent theft by tracking stock stolen from their stores in a way which accords with data protection rules, the Commission said. Kroes' spokesman cited a further example where RFID chips deployed in line with the standards developed could allow libraries to track the location of books loaned out which are overdue for return in a way which complies with data protection law.

The Commission called on companies using RFID chips to present consumers with "clear and simple information" on how they intend to use their personal data and on what type of data they will collect through the chips and for what purpose. Businesses should also ensure that devices capable of reading information stored on RFID chips are clearly labelled, and consumers should be presented with contact details they can use to obtain further information about the devices, it said.

The Commission also said that organisations using RFID chips should undertake privacy and data protection impact assessments before using smart chips and that the assessments should be subject to review by national data protection authorities. A common European sign to identify products containing RFID chips can be used by retail bodies to promote consumer awareness, it said.

"Smart tags and systems are part of everyday life now, they simplify systems and boost our economy," European Commission vice president Neelie Kroes said. "But it is important to have standards in place which ensure those benefits do not come at a cost to data protection and security of personal data."