FIDIS Deliverable D12.3: A Holistic Privacy Framework for RFID Applications (fidis-wp12-d12.3_Holistic_Privacy_Framework_for_RFID_Applications.sxw)

 

Processing of personal data in RFID applications and systems

This section gives an overview of the main legal provisions of the EU Directives that have to be taken into consideration when RFID applications that process personal data are designed and operated.

Obligations for making data processing legitimate

The processing of personal data is allowed only on the grounds listed in Article 7 of the data protection directive (Directive 95/46/EC), and these grounds must be respected whenever personal data are processed in RFID applications. This means that for each processing operation on personal data - collection, recording, storage, adaptation, alteration, retrieval, consultation, disclosure, dissemination, etc. - the controller has to verify that the operation falls under one of the criteria that make data processing legitimate. Article 7 lists these grounds as follows:

    1. the data subject has unambiguously given his consent; or 

    2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or 

    3. processing is necessary for compliance with a legal obligation to which the controller is subject; or 

    4. processing is necessary in order to protect the vital interests of the data subject; or  

    5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or  

    6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject. 

 

The processing of personal data in relation to RFID technology has to be based on one of the aforementioned grounds and be compliant with the principles that are set out in Article 6 of the data protection directive. 

One basic principle for the processing of personal data is that the data shall be processed fairly and lawfully (Art. 6(a) data protection directive). In the ‘Metro Future Store in Rheinberg’ scenario (S4) the processing of personal data is based on the consent of the consumers, given when they apply for their loyalty card. Although consent is a legitimate ground for processing, it has to be freely given, specific and informed in order to be valid. In the declaration of consent for the loyalty card, the users were not informed about the RFID tags in the cards and the corresponding readers in the store, although it was stated that “adjustment of offers to the wishes and needs of the customers is one of the purposes for which this card is used”. The customer was therefore not properly informed about the purposes for which his data would be processed, and the consent given is not valid. Furthermore, the intelligent shopping trolleys in conjunction with the RFID-enabled loyalty cards make customer profiling possible.

The data controller shall also ensure that the collected data are ‘adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed’ (Art. 6(c) data protection directive). The data collection procedure should also be transparent, so that the criteria by which the specific data were judged appropriate can be checked. The data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed (Art. 6(e) data protection directive). Furthermore, the data shall be “accurate and, where necessary, kept up to date” (Art. 6(d) data protection directive).

The European data protection legislation distinguishes between the data controller and the data processor. The controller is the person (natural or legal) which alone or jointly with others “determines the purposes and means of the processing of personal data” (Art. 2(d) data protection directive), while the processor is a third party who merely processes personal data on behalf of the controller without controlling the contents or use of the data (Art. 2(e) data protection directive). This distinction matters for RFID applications for several reasons. The controller, not the processor, carries the obligations laid down in the data protection directive and defines the details of the data processing. As a rule of thumb, the data controller is liable for violations of the data protection legislation, while the responsibility of the data processor is limited [, p. 62]. However, RFID technology enables the unnoticed collection of personal data, so the question arises how the users can learn the identity of the data controller in order to exercise their rights at all.

Information to be given to the data subject and his privacy rights

  1. Information to be given to the data subject 

When data are collected from the data subject, the data controller must provide him with certain information relating to the processing of his personal data. This information includes the identity of the controller and of his representative, if any, and the purposes of the processing. Additional information may also be necessary, such as the recipients or categories of recipients of the data, whether replies to the questions are obligatory or voluntary, and the possible consequences of failure to reply. Furthermore, the controller should inform the data subject about the existence of the right of access to and the right to rectify the data, in so far as such further information is necessary (Art. 10 data protection directive).

Where Location Based Services are provided through RFID technology, the controller must, before obtaining consent, additionally inform the individual of the type of location data that will be processed, of the purposes and duration of the processing, and of whether the data will be transmitted to a third party for the purpose of providing the service (Art. 9(1) ePrivacy Directive). Furthermore, the user must be given the opportunity to withdraw his consent to the processing of location data at any time.

Even though the legislation is meant to be technology neutral, some of its provisions are hard to fulfil with RFID technology. A major issue, for instance, is how the user is to be informed about the collection of his personal data, and in what form, when RFID applications have no screen and at best a minimal user interface.

  2. Transparency 

One basic and simple, but still necessary, measure towards a holistic privacy framework for RFID is therefore the demand for transparency: each RFID reader and each RFID tag must be clearly labelled. The main reason is to raise awareness of RFID technology (and of its potential threats to privacy) among European citizens. As stated in the introduction, that awareness is currently very low, and the physical appearance of RFID tags and readers will not improve it, since both are mostly invisible to, or “undetectable” by, human beings.

The proposed labelling is already well established and accepted in other privacy-related areas (surveillance cameras, for instance) and in areas with potential threats to human beings (such as the labelling of bioengineered food). For RFID, analogous laws and regulations still need to be adopted. Regarding the enforceability of such rules, RFID has one advantage over, say, surveillance cameras: the presence of an RFID reader, or more precisely its attempt to access an RFID tag, can be detected because the interrogation is carried out over radio waves that anyone in range can pick up. Detecting an RFID tag is somewhat harder, but research has shown that inexpensive devices can be built which at least detect the presence of standard-compliant tags (e.g. ISO/IEC 14443 tags). It therefore seems feasible that at least the authorities can check whether a producer (or retailer etc.) embeds RFID tags in products without labelling them correctly.

Note that there is a paradox here. On the one hand, one goal of PETs for RFID is that a tag communicates only with authorised readers (to counter eavesdropping on the communication, tracking and similar threats); on the other hand, this very measure hinders the detection of hidden tags. It seems that at least the authorities would need some “backdoor” that lets them talk to privacy-enhanced tags just far enough to detect them. But history teaches (the key escrow debate in cryptography regulation, for instance) that deliberately weakening a PET or security technology tends to have unintended side effects. How this problem could be solved is an open research question. Nevertheless, since the main privacy threats arise from reading the tags rather than from their mere existence, laws and regulations that oblige operators to label RFID tags and RFID readers remain meaningful and enforceable.

 

  3. Rights of the data subject in RFID applications 

The data controller shall also ensure that the rights of the data subject are respected. The scenario ‘An Identity Manager for RFID tags’ (S3) illustrates the ‘data track’ log file that lets users see who accessed the tag and for what reason. In RFID scenarios, however, it is not always easy to safeguard the data subject's rights to be informed about the processing of his data, to access them, and to have them rectified or deleted where necessary. In RFID applications, the data subjects shall be informed about the presence of both RFID readers and RFID tags on products, which is not the case in the ‘Metro Future Store in Rheinberg’ scenario (S4); there, for instance, pictograms should inform the customers of the presence of both readers and tags on the products. In the “Usage of RFID Technology in Educational Settings” scenario (S5), labels should likewise inform the users about the RFID tags and readers in the exhibits and about the RFID token handed to each visitor at the beginning of the visit.

 

The European data protection legislation grants the data subject rights that the data controller has to safeguard. The data subject has the right to be informed whether his personal data are being processed and, if so, to learn in a clear and intelligible form the purposes of the processing, the categories of data concerned, the recipients to whom the data are disclosed, and the form of the data undergoing processing, as well as the means and precautions the controller has taken to adhere to the data protection principles. Moreover, in cases of automatic processing of the data, the data subject is entitled to know the logic involved (Art. 12(a) data protection directive). In the ‘Metro Future Store in Rheinberg’ scenario (S4), the RFID tags in the customer loyalty cards were used to activate advertisement displays; the user was not informed about the procedure and the logic followed for this.

Article 12 further grants the data subject a right to ask for the rectification, erasure or blocking of data the processing of which does not comply with the provisions of the directive, in particular because of the incomplete or inaccurate nature of the data. According to Article 14 of the Directive, Member States should grant the data subject the right to object, on compelling legitimate grounds relating to his particular situation, to the processing of data relating to him. In the ‘An Identity Manager for RFID tags’ scenario (S3) the ‘data track’ log file assists the user in the exercise of his rights, as he gets information who accessed the tag and for what reason.

Among other initiatives, the rights of the consumer relative to RFID applications have been expressed in an RFID Bill of Rights prepared by Simson Garfinkel. According to Garfinkel, consumers should have the right to know whether products contain RFID tags, the right to have RFID tags removed or deactivated when they purchase products, the right to use RFID-enabled services without RFID tags, the right to access an RFID tag’s stored data, and the right to know when, where and why the tags are being read. These rights correspond to the rights of the data subject safeguarded in the European data protection directive.

Obligation to provide appropriate technical and organisational measures

Article 17(1) data protection directive addresses data security, requiring data controllers to take ‘appropriate technical and organisational measures’ against unauthorised or unlawful processing and against accidental loss, destruction or damage to the data. In so far as this principle covers the security requirements and robustness of the network itself, it overlaps with the security and confidentiality requirements laid down in Articles 4 and 5 of the ePrivacy Directive, which apply when personal data are processed in connection with publicly available electronic communications services in public communications networks. Taken as a whole, the principle imposes a statutory obligation on data controllers to ensure that personal data are processed in a secure environment. Controllers must consider the state of technological development and the cost of implementing any security measure, and the measures they adopt must ensure a level of security appropriate to both the nature of the data to be protected and the likely harm that would result from a breach [, p.58]. It follows that the more sensitive the data, the more adverse the consequences of a security breach would be for the data subject, and the more stringent the security requirements that have to be put in place. This is especially the case for health-related data. In any case, data controllers should implement security measures that prevent non-authorised personnel from gaining access to personal data.

This general obligation to deploy technical and organisational measures that implement the data protection principles needs to be made concrete for RFID technology. Appropriate privacy-enhancing technologies help the user to protect his privacy. Standardisation initiatives regulating the design of RFID tags, RFID readers and RFID applications in general can prove extremely helpful “in minimising the collection and use of personal data and also in preventing any unlawful forms of processing by making it technically impossible for unauthorised persons to access personal data”. Where the tag itself holds personal data, the data should be stored encrypted, and the reader should have to authenticate itself to the tag before it can access the data. In the ‘Enhanced proximity card’ scenario the reader authenticates itself to the card with nothing more than a reader number. A static identifier of this kind is not a secret: anyone who has observed one legitimate read can present the same number, so it is doubtful whether such authentication is appropriate under Article 17 of the data protection directive.
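The following Python example is added here; it is not code from the FIDIS deliverable or from any of the scenarios it describes. It contrasts the static reader-number check of the proximity-card scenario with a challenge-response check in which the reader must prove possession of a key shared with the tag, and it has the tag record every access attempt in a ‘data track’ log of the kind described for scenario S3 above. The tag key, the record contents, the reader identifiers and the declared purposes are constructed for the example, and the HMAC-based stream cipher stands in for whatever cipher a real tag would use.

```python
import hmac
import hashlib
import os
import time
from dataclasses import dataclass

# Hypothetical key shared between the tag and authorised readers only.
TAG_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
# Constructed sample record; in the scenario this would be the card holder's data.
PLAINTEXT = b"holder=Example Person;card=0042"


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream cipher built from a PRF: XOR data with HMAC-SHA256(key, nonce || counter).
    The same call decrypts. A nonce must never be reused under one key."""
    out = bytearray()
    for counter, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], ks))
    return bytes(out)


@dataclass
class DataTrackEntry:
    """One line of the tag's access log: who read it, why, and whether it succeeded."""
    reader_id: str
    purpose: str
    granted: bool
    ts: float


class WeakTag:
    """Mirrors the proximity-card scheme criticised in the text: a static reader
    number is the only credential, so anyone who has seen it can reuse it."""

    def __init__(self, authorised_ids):
        self.authorised = set(authorised_ids)
        self.nonce = os.urandom(16)                      # per-record cipher nonce
        self.ciphertext = keystream_xor(TAG_KEY, self.nonce, PLAINTEXT)
        self.data_track = []                             # the 'data track' log

    def read(self, reader_id: str, purpose: str):
        ok = reader_id in self.authorised
        self.data_track.append(DataTrackEntry(reader_id, purpose, ok, time.time()))
        return (self.nonce, self.ciphertext) if ok else None


class ChallengeResponseTag(WeakTag):
    """Hardened form: the reader must answer a fresh challenge with a MAC under
    TAG_KEY. Reader id and declared purpose are bound into the MAC, so the
    data-track entry records exactly what the reader committed to."""

    def __init__(self, authorised_ids):
        super().__init__(authorised_ids)
        self.pending = None

    def challenge(self) -> bytes:
        self.pending = os.urandom(16)   # one-time nonce, consumed by the next read()
        return self.pending

    def read(self, reader_id: str, purpose: str, response: bytes = b""):
        nonce, self.pending = self.pending, None         # single use, even on failure
        expected = reader_response(TAG_KEY, nonce or b"", reader_id, purpose)
        ok = (nonce is not None and reader_id in self.authorised
              and hmac.compare_digest(expected, response))
        self.data_track.append(DataTrackEntry(reader_id, purpose, ok, time.time()))
        return (self.nonce, self.ciphertext) if ok else None


def reader_response(key: bytes, challenge: bytes, reader_id: str, purpose: str) -> bytes:
    """What an authorised reader computes; an eavesdropper does not hold `key`."""
    msg = challenge + reader_id.encode() + b"|" + purpose.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def decrypt_record(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return keystream_xor(key, nonce, ciphertext)


def replay_against_weak_tag() -> bool:
    """An eavesdropper who captured the legitimate reader number '17' replays it."""
    tag = WeakTag({"17"})
    tag.read("17", "door access")                        # legitimate read, seen over the air
    return tag.read("17", "door access") is not None    # replay is accepted


def replay_against_cr_tag():
    """Same attacker against the challenge-response tag: the captured response
    does not match the new nonce, so the read is refused and logged as refused."""
    tag = ChallengeResponseTag({"17"})
    c1 = tag.challenge()
    resp = reader_response(TAG_KEY, c1, "17", "door access")
    got = tag.read("17", "door access", resp)
    plaintext = decrypt_record(TAG_KEY, *got) if got else None
    tag.challenge()                                      # attacker is issued a fresh nonce
    replay = tag.read("17", "door access", resp)         # replays the captured response
    return plaintext, replay, tag.data_track
```

Binding the declared purpose into the response is what makes the data track useful to the card holder: a reader cannot obtain the record while logging a different reason than the one it authenticated with, and refused attempts still leave an entry that the holder can inspect.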

Privacy principles for system design

Following the discussion above, there is a strong need to take privacy principles into consideration already in the design phase of RFID systems. One list of principles or guidelines on how to handle data so that an application can be regarded as privacy-friendly reads, according to , as follows:

  1. Avoidance of data collection and making sparing use of data: Protection of data privacy does not only demand regulation on how data is being stored, processed and passed on, but also on how to avoid certain data being collected in the first place.

  2. Intended purpose: The intended purpose for data collection must be explicitly declared.

  3. Prohibition of clandestine reading: Clandestine reading of RFID tag data and the direct or indirect tracking of persons must be prohibited or otherwise rendered infeasible; this applies in particular to tags in shared spaces such as sales rooms and to tags embedded in money or in personal identification documents.

  4. No additional burden for the citizen: There must be no additional burden on citizens to protect themselves, such as the long-winded and yet incomplete deactivation procedure at the Metro Future Store (S4).

  5. Privacy must be the default: Privacy should not be an optional extra feature, but the core property to be preserved in any application.

  6. Legislation must be forward-looking: Data collected today, even if regarded as uncritical now, may acquire a different meaning in the future.

 

The European privacy and identity management project PRIME has elaborated seven very similar principles for designing privacy-enhanced (identity management) systems, which should also be applied when designing privacy-enhancing RFID applications:

  1. Design must start from maximum privacy; 

  2. Explicit privacy rules govern system usage; 

  3. Privacy rules must be enforced, not just stated; 

  4. Privacy enforcement must be trustworthy; 

  5. Users need easy and intuitive abstractions of privacy; 

  6. Privacy needs an integrated approach; 

  7. Privacy must be integrated with applications. 

 
