European Framework & PIA Framework
The European Union is working with citizens, industry and data protection organisations to ensure that your personal privacy is not breached by RFID. To complement the European Directive on Data Protection, the European Union has issued in May 2009 a recommendation on RFID applications and is facilitating the development of the adequate tools that will help safeguard the privacy and data protection of individuals who use the technology.
European Commission Page on RFID
Data Protection Directive 95/46/EC
The European Union took early measures to provide a framework for the use of personal information in the new information society. The first basic text in this matter is the Data Protection Directive 95/46/EC, adopted in 1995. This Directive sets out in detail how personal information should be collected and processed so as to respect the privacy and data protection of the individual (the data subject). It gives precise guidelines to the Member States on safeguarding the privacy of data subjects when their personal information is collected.
The Directive also requires the Member States to set up a Data Protection Authority at the national level as a concrete tool to follow up on these issues. It also sets up a Working Party, the so-called Article 29 Working Party, representing the 27 national Data Protection Authorities, whose role is defined as an independent EU advisory body on data protection and privacy.
The Working Party was set up to achieve several primary objectives:
- To provide expert opinion from member state level to the Commission on questions of data protection.
- To promote the uniform application of the general principles of the Directives in all Member States through co-operation between data protection supervisory authorities.
- To advise the Commission on any Community measures affecting the rights and freedoms of natural persons with regard to the processing of personal data and privacy.
- To make recommendations to the public at large, and in particular to Community institutions on matters relating to the protection of persons with regard to the processing of personal data and privacy in the European Community.
Data Protection Directive (Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data)
E-Privacy Directive 2002/58/EC Revised Through Directive 2009/136/EC
This Directive complements the Data Protection Directive 95/46/EC and focuses on privacy and data protection in the electronic communications sector.
The main obligations of this Directive are the security of data, the confidentiality of users' communications, the limited retention of data, the right of users to receive non-itemised bills, the right to anonymity of calls, as well as limitations on the use of location data and on unsolicited marketing communications.
The revision of the Directive through Directive 2009/136/EC makes a specific reference to RFID, clarifying that RFID devices, when connected to publicly available communications networks or making use of electronic communications services, fall under this Directive, especially as regards the provisions concerning security, traffic and location data, and confidentiality.
The revised Directive entered into force in December 2009 and must be transposed into the national laws of the 27 Member States by May 2011.
Directive 2002/58/EC on the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)
and its revision 2009/136/EC
Recommendation on RFID Privacy, Data Protection and Security
The European Union issued a Recommendation on RFID Privacy, Data Protection and Security in May 2009. This Recommendation provides guidelines on how to process data specifically in the context of RFID applications and on how to assess the privacy and data protection issues of an RFID application, notably through Privacy Impact Assessments.
European Commission’s Recommendation on the implementation of privacy and data protection principles in applications supported by radio-frequency identification
The PIA Framework
Among other tools, the industry is developing a Privacy Impact Assessment (PIA) Framework, which should help companies determine whether their application complies with the data protection guidelines set by the Recommendation.
The PIA process is designed to uncover the privacy risks associated with an RFID Application ("privacy and data protection impacts") and to evaluate the steps taken to address those risks. These impacts (if any) can vary significantly, depending on whether or not the RFID Application processes personal information. The PIA Framework provides guidance to RFID Operators on measures adequate to mitigate any likely data protection or privacy impact in an efficient, effective and proportionate manner.
The PIA Framework is currently being finalised and the draft can be viewed at the following link.
European Data Protection Supervisor
The EDPS is an independent supervisory authority devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies. It does so by:
- monitoring the EU administration's processing of personal data;
- advising on policies and legislation that affect privacy; and
- co-operating with similar authorities to ensure consistent data protection.
Peter Hustinx is the current European Data Protection Supervisor.
The EDPS hears and investigates complaints, conducts inquiries and prior checks, and publishes papers on different aspects of data protection relevant to its work, and thus aims to promote a 'data protection culture' in the EC institutions and bodies. A report of activities is published each year.