You are here: Resources > FIDIS Deliverables > HighTechID > D12.3: A Holistic Privacy Framework for RFID Applications > 

What laws/ directives apply?

As already described above, when the information stored on the RFID tag, or other information to which the RFID tag can be linked, refers to an identified or identifiable natural person, the provisions of the data protection directive regarding the processing of those data apply. When RFID tags are used in a medical environment (where health data are processed), the additional protection foreseen in the data protection directive for sensitive data will apply. This means that the processing of health data is prohibited unless the data subject has given his explicit consent. However, these data can be processed when they are required for preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services. Therefore, when health data are stored in the tag of a hospital patient, the purposes of the processing of those data need to be examined. When the health data are processed for one of the aforementioned purposes, the processing is allowed. However, it is not allowed to store health data in the RFID tag when the tag is used only for enhancing the identification procedure in the hospital. In such a case no health data shall be stored in the tag.

The European legal framework for the protection of personal data consists not only of the data protection directive, but also of the ePrivacy directive, which regulates specific issues regarding the processing of personal data in the electronic communications sector. The directive applies to the processing of personal data in connection with the provision of publicly available electronic communications services and public communications networks.  

According to Article 2(d) of the Framework Directive, “public communications network means an electronic communications network used wholly or mainly for the provision of publicly available electronic communications services”. The term ‘communication’ is defined in Article 2(d) ePrivacy directive as “any information exchanged or conveyed between a finite number of parties by means of a publicly available electronic communications service. This does not include any information conveyed as part of a broadcasting service to the public over an electronic communications network except to the extent that the information can be related to the identifiable subscriber or user receiving the information”.

The ePrivacy directive aimed at protecting the personal data and the privacy of the users of publicly available electronic communications services, regardless of the technologies used (Rec. 4 ePrivacy directive). However, the rapid development of RFID technology has raised concerns about whether the ePrivacy directive applies when personal data are processed in RFID applications. As already highlighted by the European Commission in its Communication on RFID, due to the limitation that the ePrivacy directive applies only to processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks, “many RFID applications fall only under the general data protection directive and are not directly covered by the ePrivacy directive” (p. 6). The amendments that will be proposed to the ePrivacy directive in the course of the review of the electronic communications regulatory framework will take account of RFID applications, and mainly of the fact that an RFID system in itself does not require a public communications network or a publicly available electronic communications service in order to work and that no provider is necessarily present in such a system. Furthermore, by the end of 2007, a Recommendation to Member States and stakeholders on how to handle data security and privacy of smart radio tags will be published. According to an EU press release, “both the data protection directive and the ePrivacy directive set rules for processing personal data which must be respected irrespective of the underlying technologies, and the Recommendation would further clarify their application to RFID”.

Currently, the legal scholar needs to examine whether there is processing of personal data within an RFID application in connection with the provision of publicly available electronic communications services and public communications networks in order to decide upon the applicability of the ePrivacy directive. If the answer is positive, and especially when the use of RFID technology enables the provision of Location Based Services by processing location data, Article 9 of the ePrivacy directive will apply. Although the ePrivacy directive does not make use of the term ‘Location Based Services’, Article 2(g) of the Directive defines the term ‘value added service’ as “any service which requires the processing of traffic data or location data other than traffic data beyond what is necessary for the transmission of a communication or the billing thereof”. Therefore, a Location Based Service could be defined as a value added service which processes location data for purposes other than what is necessary for the transmission of a communication or the billing thereof.

In the ‘Metro Future Store in Rheinberg’ scenario (S4), “the shopping assistant tracks the shoppers’ movement using wireless LAN software”, displaying also “location-specific personalised shopping lists, favourites and special offers”. It is obvious that, for the provision of the location-specific personalised shopping lists, favourites and special offers, location data of the customers are being processed. As the hidden RFID reader can read the RFID-enabled loyalty cards of the customers, the processing is actually processing of personal data. As already described in the previous paragraph, the legal scholar shall at this point examine whether the processing is taking place in relation to a publicly available electronic communications service or a public communications network. When this condition is fulfilled, there is a Location Based Service offered and the special provisions of Article 9 ePrivacy directive regarding value added services apply. A similar approach shall be taken in the ‘Usage of RFID Technology in Educational Settings’ scenario (S5), where it is mentioned that “the system can track the visitor”.

 

 
