The European Commission has issued a recommendation for privacy and data protection with the use radio frequency identification (RFID) technology, which transmits data wirelessly from a chip or tag to a reader. The Commission began a public consultation (IP/06/289) on the use and development of RFID technology (or “smart chips”), which led to the adoption of a Communication in March 2007 (IP/07/332). That Communication explained the need for more investigation into RFID technology. The Commission noted, “2.2 billion RFID tags, such as the ones used at toll booths or to identify shipping containers, were sold worldwide in 2008, roughly a third of these in Europe. The worldwide market value for RFID tags is estimated to be of Euro 4 billion in 2008 and to grow to about Euro 20 billion by 2018.”
In its Recommendation, the European Commission set out the following principles for privacy and data protection in the use of RFID technology:
- Consumers should be in control whether products they buy in shops use smart chips or not. When consumers buy products with smart chips, these should be deactivated automatically, immediately and free-of-charge at the point of sale, unless the consumer explicitly opts-in by asking to keep the chip operational. Exceptions can be granted to avoid unnecessary burden on retailers, for example, but only after an assessment of the chip’s impact on privacy.
- Companies or public authorities using smart chips should give consumers clear and simple information so that they understand if their personal data will be used, the type of collected data (such as name, address or date of birth) and for what purpose. They should also provide clear labelling to identify the devices that ‘read’ the information stored in smart chips, and provide a contact point for citizens to obtain more information.
- Retail associations and organisations should promote consumer awareness on products containing smart chips through a common European sign to indicate whenever a smart chip is used by a product.
- Companies and public authorities should conduct privacy and data protection impact assessments before using smart chips. These assessments, reviewed by national data protection authorities, should ensure that personal data is secure and well protected.
The Commission said, “Member States now have two years to inform the Commission on the steps they intend to take to make sure that the objectives of the Recommendation are met. Within three years, the Commission will report on the Recommendation’s implementation, including an analysis of its impact on companies and public authorities using smart chips as well as its impact on citizens.”