Sunday, 14 February 2010

Data protection rights for everything with RFID tags?

A new technology has emerged since the creation of the Data Protection Directive in 1995, and the eurocrats have developed a special legal instrument which is designed to take account of the particular challenges of this technology.

The technology concerns RFID tags – devices which either produce a radio signal themselves, or reflect and modulate a carrier signal received from a reader or writer. One is embedded in the plastic card I use to pay for my lunch (and coffee and crisps and chocolate) at work. Lots of people in and around London carry one, as they are also embedded in oyster travel cards. They can be as small as a grain of sand.

The cost of these RFID tags is continually falling, so soon it may be possible for retailers to replace all the current barcode labels on merchandise with a tag instead. Wouldn’t it be so much more convenient to arrive at the checkout till with your goodies already packed away in your bag, and for someone just to run a scanner over our stuff (or perhaps we could walk through an RFID sniffing arch) to instantly assess what we had taken and know how much we needed to pay? Marvellous. Can’t wait.

Last May, the European Commission quietly issued a Recommendation on the implementation of data protection and privacy principles for RFID tags. Those that need to will be able to find it when they search under the snappy reference “Brussels, 12.5.2009 C(2009) 3200 final”. A Recommendation is not as binding as a Directive. Member states can effectively ignore Recommendations and get away with it. They can’t be subject to infringement proceedings, which is what occurs when they fail to implement Directives properly.

Crucially, within three years from the publication of the Recommendation in the Official Journal of the European Union, the Commission is to provide a report on its implementation, effectiveness and impact on operators and consumers, in particular as regards the measures recommended in points 9 to 14. Again, I can’t wait.

Points 9 to 14 concern cases when an RFID tag is used by the retail trade. A common RFID sign is to be developed, to warn consumers of the presence of a tag. Privacy impact assessments are to be carried out to determine whether the presence of a tag will threaten an individual’s privacy or their personal data. And if they do threaten an individual’s privacy or personal data, the tags are to be deactivated at point of sale by the operators, immediately and free of charge, unless consumers have given their consent to keeping the tags operational.

I must admit that at first glance I am struggling to understand what safeguards this Recommendation provides to consumers that add to those already contained in the 1995 Data Protection Directive. The only really new safeguard appears to be set out in point 5, which is an obligation on the part of the operator to carry out a privacy impact assessment of the RFID application, and make it available to the competent authority six weeks before it is deployed. But most sensible operators already carry out privacy impact assessments when new applications are planned to be introduced, anyway.

I like the phrase make it available to the competent authority. It does not appear to require the assessment to be formally notified to the competent authority, merely, perhaps, that a copy should be published on an operator’s website. If the competent authority is not aware of its existence, then that’s not necessarily an issue for the operator. The onus appears to be on the competent authority to crawl through websites to see if any changes have been made recently. That’s what I find I need to do occasionally, to see if any of the guidance documents currently available on the ICO's website have been quietly changed. I've just noticed, for example, the slightly revised guidance on notifying security breaches to the Commissioner's Office, which was posted earlier this week (version 2 of the guidance is dated 9 February 2010). Have many other people noticed this change? The ICO publishes lots of information, and lots of it is very helpful. It's sometimes just hard to keep abreast of all the changes, though. Quid pro quo.

My mind began to spin though as I wondered who the competent authority would be if, following the privacy impact assessment, no personal data was actually at risk. If an operator is just adding RFID tags to cans of custard to track them through the supply chain, from the manufacturer right up to the door of the corner shop, to whom should the assessment be made available? It doesn’t concern the Information Commissioner. Should there be, say, a Commissioner for Custard? Doesn’t make sense.

So, the Recommendation can make sense only if it is to apply to information which eventually becomes “personal data” – but surely those issues are already addressed in sufficient detail by the Data Protection Directive (and by the national implementing laws).

I don’t see any reason why life needs to become ever more complicated by the creation of sectoral Directives and Recommendations. Life is full and complicated enough as it is. Let’s just have the 1995 Directive and try to make the most of it, at least until a new one replaces it.

Do we need to wait until May 2012 before telling the Commission that the Recommendation hasn’t really had, and probably won’t have, much effect (as the existing legal safeguards for securing personal data are perfectly adequate), or should we send the response on a postcard now?

You decide.