Steps Toward a Policy Framework for RFID in Europe
RFID Law Journal
Newsletter No. 44
March 16, 2007
The Commission of the European Communities announced its much anticipated communication on steps toward a policy framework for radio frequency identification in Europe. You can read the complete file at the following link:
http://ec.europa.eu/information_society/policy/rfid/doc/rfid_en.pdf
In its view, RFID is a “gateway to a new phase of development of the Information Society.” The Commission recognized that the phase of wide commercial and public sector deployment is approaching, and with such wider usage, it felt obligated to examine the legal framework under which RFID takes place to ensure safeguards for fundamental “values, health, data protection and privacy.” As a result, the Commission carried on a public dialogue during 2006 with early adopters and concerned citizens with respect to its tracking applications. The goal is taking in the perceived large social benefits of RFID while simultaneously incorporating privacy, health and environmental safeguards.
The Commission noted that Europeans are leading the way with innovative applications of RFID, smart sensors and RFID-enabled actuators and intelligent networks, and it is generally believed that RFID could “further strengthen the role of information and communication technologies in driving innovation and promoting economic growth.” According to the Commission, while the European market for RFID systems is growing at approximately 45% annually, it is lagging a global growth rate close to 60%.
One of the major factors holding back growth is the absence of a “clear and predictable legal and policy framework” making this new technology “acceptable to users,” including clarity on ethical implications, privacy and security protection, governance of RFID identity databases, the availability of radio spectrum, harmonized international standards and concerns over health and environmental implications. The Commission launched a wide public consultation to address these issues in 2006 with thousands of participants contributing to the study. During the study phase, the Commission noted emergence of concerns over privacy and data protection, finding that “RFID will only be able to deliver its numerous economic and societal benefits if effective guarantees are in place on data protection, privacy and the associated ethical dimensions that lie at the heart of the debate on the public acceptance of RFID.” The Commission noted that EC’s strong tradition in support of data protection (the regulations are substantially more stringent than US regulations). Indeed, the Data Protection Directive is broad, and in the view of the Commission, applicable to all technologies, including RFID.
The Commission noted that a “one-size fits all” approach to RFID would not be appropriate, given that security and privacy risks depend, in large part, upon the nature of the RFID application. A CBA of specific security and privacy-related risks prior to selection of RFID systems and deployment of applications is necessary according to the Commission. In view of limited information available to the public at this stage of deployment, the Commission felt that awareness and information campaigns would be an important part of RFID policy response.
The Commission noted that most respondents were concerned that the registration and naming of identities in the “Internet of Things” be interoperable, open and non-discriminatory, and it believes that the policy principles developed in the context of the World Summit on the Information Society will be relevant to the emerging policy debate.
Easy mobility and low costs of RFID systems depend, in part, upon the availability of radio spectrum and harmonization of spectrum usage conditions. The Commission opined that the allocation of RFID frequencies in the UHF band will be sufficient for the purposes of the next 3-10 years, but noted that it will be necessary to monitor demand as usage of RFID increases.
The Commission discusses both environmental and health impacts implied by widespread usage of RFID. Noting that the electromagnetic fields related to RFID applications are generally low in power, the Commission stated that “exposure of the general public and workers to RFID-related EMF is expected to be well below the current standard limits.”
Over the coming two years, the Commission is expected to continue to analyze the options and respond to concerns expressed by stakeholders. The Commission will work with the US and Asian counterparts to strive toward global interoperability on the basis of “open, fair and transparent” international standards.
The Commission advocates “security and privacy-by-design,” i.e., privacy and security built into systems prior to their widespread deployment. The Commission supports the development of codes of conduct and best practices by experts representing all stakeholders along the lines of the strategy for a Secure Information Society set out in COM (2006) 251. By year-end, the Commission is expected to establish principles for public authorities and other stakeholders applying to RFID usage.
The Commission aims to further stimulate research on the security of RFID systems and privacy-enhancing technologies. In view of the limited experience with the technology, the Commission indicated that it is necessary to carry out in-depth overall evaluations of RFID implementation through large-scale pilots in specific application domains as a precursor to widespread adoption. The Commission also recognized the importance of standardization within Europe and the maintenance of a dialogue with counterparts in US, China, Korea and Japan to ensure cooperation on standards on applications such as the security of containers, counterfeiting, air transportation and pharmaceutical goods. By the end of 2008, the Commission expects to publish a Communication analyzing the nature and effect of developments, in particular with respect to privacy, trust and governance, and at such time, will assess whether it is necessary to propose further legislative steps to safeguard data protection, privacy and other policy issues.
While one could construe the Commission’s statement as a relaxed, wait-and-see approach supportive of RFID adoption (See RFID Update “EU Opts for Hands-Off Approach to RFID Regulation”- http://www.rfidupdate.com/articles/index.php?id=1319),
it is worth noting that the Commission has expressly reserved (and called for) assessment following further experience with the technology. Just like their American counterparts who must actively engage in the dialogue over data protection, privacy and other societal concerns with state (and federal) legislatures and educate the public about RFID, European stakeholders must vigilantly educate their public about the technology and its applications and take steps to proactively address privacy, data protection and other safeguards to ensure that the “helping hand” of government doesn’t hamper the rollout of RFID.
© 2007 – RFID Law Journal, LLC. All rights reserved.
Learn more about RFID legal issues at http://www.rfidlawjournal.com. You may contact our editor about this publication at editor@RFIDLawJournal.com. Usage of this material (and any linked materials provided by third party sites) is subject to the terms and conditions set forth at www.rfidlawjournal.com.
You may not rely upon any material provided herein as legal, financial or other advice. You should consult your own advisor (legal, investment or otherwise) with respect to the advisability or accuracy of any of the material provided in this newsletter or any other material provided by us. We are not responsible for and do not attest to the accuracy of any third party content.
RFID Law Journal
Newsletter No. 44
March 16, 2007
The Commission of the European Communities announced its much anticipated communication on steps toward a policy framework for radio frequency identification in Europe. You can read the complete file at the following link:
http://ec.europa.eu/information_society/policy/rfid/doc/rfid_en.pdf
In its view, RFID is a “gateway to a new phase of development of the Information Society.” The Commission recognized that the phase of wide commercial and public sector deployment is approaching, and with such wider usage, it felt obligated to examine the legal framework under which RFID takes place to ensure safeguards for fundamental “values, health, data protection and privacy.” As a result, the Commission carried on a public dialogue during 2006 with early adopters and concerned citizens with respect to its tracking applications. The goal is taking in the perceived large social benefits of RFID while simultaneously incorporating privacy, health and environmental safeguards.
The Commission noted that Europeans are leading the way with innovative applications of RFID, smart sensors and RFID-enabled actuators and intelligent networks, and it is generally believed that RFID could “further strengthen the role of information and communication technologies in driving innovation and promoting economic growth.” According to the Commission, while the European market for RFID systems is growing at approximately 45% annually, it is lagging a global growth rate close to 60%.
One of the major factors holding back growth is the absence of a “clear and predictable legal and policy framework” making this new technology “acceptable to users,” including clarity on ethical implications, privacy and security protection, governance of RFID identity databases, the availability of radio spectrum, harmonized international standards and concerns over health and environmental implications. The Commission launched a wide public consultation to address these issues in 2006 with thousands of participants contributing to the study. During the study phase, the Commission noted emergence of concerns over privacy and data protection, finding that “RFID will only be able to deliver its numerous economic and societal benefits if effective guarantees are in place on data protection, privacy and the associated ethical dimensions that lie at the heart of the debate on the public acceptance of RFID.” The Commission noted that EC’s strong tradition in support of data protection (the regulations are substantially more stringent than US regulations). Indeed, the Data Protection Directive is broad, and in the view of the Commission, applicable to all technologies, including RFID.
The Commission noted that a “one-size fits all” approach to RFID would not be appropriate, given that security and privacy risks depend, in large part, upon the nature of the RFID application. A CBA of specific security and privacy-related risks prior to selection of RFID systems and deployment of applications is necessary according to the Commission. In view of limited information available to the public at this stage of deployment, the Commission felt that awareness and information campaigns would be an important part of RFID policy response.
The Commission noted that most respondents were concerned that the registration and naming of identities in the “Internet of Things” be interoperable, open and non-discriminatory, and it believes that the policy principles developed in the context of the World Summit on the Information Society will be relevant to the emerging policy debate.
Easy mobility and low costs of RFID systems depend, in part, upon the availability of radio spectrum and harmonization of spectrum usage conditions. The Commission opined that the allocation of RFID frequencies in the UHF band will be sufficient for the purposes of the next 3-10 years, but noted that it will be necessary to monitor demand as usage of RFID increases.
The Commission discusses both environmental and health impacts implied by widespread usage of RFID. Noting that the electromagnetic fields related to RFID applications are generally low in power, the Commission stated that “exposure of the general public and workers to RFID-related EMF is expected to be well below the current standard limits.”
Over the coming two years, the Commission is expected to continue to analyze the options and respond to concerns expressed by stakeholders. The Commission will work with the US and Asian counterparts to strive toward global interoperability on the basis of “open, fair and transparent” international standards.
The Commission advocates “security and privacy-by-design,” i.e., privacy and security built into systems prior to their widespread deployment. The Commission supports the development of codes of conduct and best practices by experts representing all stakeholders along the lines of the strategy for a Secure Information Society set out in COM (2006) 251. By year-end, the Commission is expected to establish principles for public authorities and other stakeholders applying to RFID usage.
The Commission aims to further stimulate research on the security of RFID systems and privacy-enhancing technologies. In view of the limited experience with the technology, the Commission indicated that it is necessary to carry out in-depth overall evaluations of RFID implementation through large-scale pilots in specific application domains as a precursor to widespread adoption. The Commission also recognized the importance of standardization within Europe and the maintenance of a dialogue with counterparts in US, China, Korea and Japan to ensure cooperation on standards on applications such as the security of containers, counterfeiting, air transportation and pharmaceutical goods. By the end of 2008, the Commission expects to publish a Communication analyzing the nature and effect of developments, in particular with respect to privacy, trust and governance, and at such time, will assess whether it is necessary to propose further legislative steps to safeguard data protection, privacy and other policy issues.
While one could construe the Commission’s statement as a relaxed, wait-and-see approach supportive of RFID adoption (See RFID Update “EU Opts for Hands-Off Approach to RFID Regulation”- http://www.rfidupdate.com/articles/index.php?id=1319),
it is worth noting that the Commission has expressly reserved (and called for) assessment following further experience with the technology. Just like their American counterparts who must actively engage in the dialogue over data protection, privacy and other societal concerns with state (and federal) legislatures and educate the public about RFID, European stakeholders must vigilantly educate their public about the technology and its applications and take steps to proactively address privacy, data protection and other safeguards to ensure that the “helping hand” of government doesn’t hamper the rollout of RFID.
© 2007 – RFID Law Journal, LLC. All rights reserved.
Learn more about RFID legal issues at http://www.rfidlawjournal.com. You may contact our editor about this publication at editor@RFIDLawJournal.com. Usage of this material (and any linked materials provided by third party sites) is subject to the terms and conditions set forth at www.rfidlawjournal.com.
You may not rely upon any material provided herein as legal, financial or other advice. You should consult your own advisor (legal, investment or otherwise) with respect to the advisability or accuracy of any of the material provided in this newsletter or any other material provided by us. We are not responsible for and do not attest to the accuracy of any third party content.
posted by RFID Law Journal at 3:32 PM
0 comments
