D7.7: RFID, Profiling, and AmI
Data Protection legislation
Eleni Kosta, Michaël Vanfleteren (ICRI, KUL)
Introduction
In the general frame of Ambient Intelligence, RFID tags* are of interest from a data protection point of view. RFID tags* can be used in AmI not only as the medium for the collection of personal data, but also as transmitters of the personal data they contain or as tracking devices for the location of natural persons. All of these functions of RFID tags* can be used for profiling purposes.
The answer to the question whether we should use the term ‘data protection’ or ‘protection of privacy’ was given by the European Data Protection Supervisor (hereinafter EDPS) when commenting on the Convention of the Council of Europe for the protection of individuals with regard to automatic processing of personal data (Convention No. 108). According to the EDPS, “[t]he Convention deals with ‘data protection’ as protection of fundamental rights and freedoms of individuals, in particular their right to privacy, with regard to the processing of personal data relating to them. This demonstrates that ‘data protection’ is wider than ‘protection of privacy’, since it also relates to other fundamental rights and freedoms of individuals, and at the same time more specific, since it only deals with the processing of personal data. In this context one should realise that many activities in the public or the private sector nowadays generate personal data or use such data as input. The real objective is, for that reason, to protect individual citizens against unjustified collection, storage, use and dissemination of their personal details.” (European Data Protection Supervisor, 2004: 12) Based on this argumentation we decided to focus on the protection of personal data during their collection and processing in AmI.
Although they have sometimes been labelled as the next generation of bar codes, RFID systems* offer much more in that they can track items in real time to yield important information about their location and status (ITU, 2005). From the definition of ‘personal data’ it becomes clear that only information relating to an identified or identifiable natural person (data subject) qualifies as personal data, and such data will be the main focus of our analysis in AmI environments. Recital 26 of the Data Protection Directive stipulates that “account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person”. As the Article 29 Working Party has already pointed out, it is essential in the case of data collection through RFID tags* first of all “to determine the extent to which the data processed relates to an individual and [secondly] whether such data concern an individual who is identifiable or identified.” (Art. 29 Data Protection Working Party, 2005: 8)
Therefore, as already noted in section 2.3, RFID tags* can also be used to identify persons directly or indirectly. More specifically, as a rule of thumb it can be said that the RFID tags* used in an AmI environment in most cases contain personal data. For instance, the RFID tags* that are used for the storage of personal information, such as in identification documents, always contain personal data. The same applies to RFID tags* that, although they do not contain personal data themselves, can easily be linked to a natural person, such as RFID tags* included in loyalty cards. In this case the linkage can be completed simply by linking the reference information on the loyalty card with the information in databases, such as the credit card data of the data subject (Legal IST, 2006, 19ff). A practical example can be found in the Metro case study presented earlier, where the retail company issued loyalty cards with embedded hidden RFID tags* which allowed personalised profiling of the customers (cf. section 3.2). Less clear, however, is the case in which an RFID tag* cannot immediately be linked to an individual.
Several issues arise in cases where RFID tags* cannot be immediately linked to individuals. The key question is what the “means likely reasonably to be used” to identify a natural person are. How far can we go in our effort to link the data stored on the RFID tag* to a natural person, and therefore to apply the data protection legislation to them? An additional issue is that the Member States interpret the term ‘personal data’ differently. How can we ensure that a uniform pan-European approach will be adopted?
Collection and processing of data
In an AmI environment vast amounts of personal data are collected from RFID tags* and are further processed for various purposes. It is therefore essential to differentiate between legitimate and illegitimate collection and processing of such data. While during legitimate collection and/or processing of personal data the legal requirements set out in the European legal framework on data protection need to be respected, in the case of unauthorised collection and/or processing of such data additional countermeasures need to be deployed.
Collection and/or processing of personal data
Personal data can be collected legitimately through RFID tags*, as long as the collection takes place for “specified, explicit and legitimate purposes” and as long as the personal data is “processed fairly and lawfully”. Further processing of the data is allowed only in a way which is compatible with those purposes. When personal data are collected via an RFID enabled loyalty card, such purposes can be the provision of better services, discount prices or personalised offers. In case the processing of personal data that are collected by the RFID tags* is “necessary for the performance of a contract to which the data subject is party”, the consent of the data subject is not needed.
The most common basis for the collection of data, however, remains the unambiguous consent of the data subject. The consent of the data subject needs to be a freely given, specific and informed indication of the wishes of the data subject, by which he signifies his agreement to personal data relating to him being processed. In order to have a ‘freely given’ consent of the data subject, it is important to examine how much choice is in fact given to him. The Article 29 Working Party (2001; 2002) has for instance considered that the consent given by an employee to the use of his personal data “as a part of an employment contract is not a ‘freely given’ consent” (Jay, Hamilton, 2003: chapter 3 – 39). When it comes to RFID, the data subject should be given the possibility to genuinely choose whether he wants to use RFID tags*. In simple words, the data subject should have the alternative of choosing another way of enjoying the offered service, even if that alternative does not have all the advantages and benefits that come with the RFID tags*. For instance, customers should be given the possibility to choose between tagged and non-tagged products, even if the latter will not offer them the possibility to receive information about discounts on other items related to those put in their cart (Metro Future Store case). Secondly, the consent should be specific, meaning that the data subject needs to be clearly informed about what he is consenting to. Finally, the consent of the data subject shall be informed.
The data subject shall consent to the collection and processing of his personal data after he has been informed by the controller or his representative of the identity of the controller (and of his representative), the purposes of the processing for which the data are intended, the recipients of the data, whether replies to questions are obligatory or voluntary and, finally, his right to access the data, to ask for their rectification, erasure or blocking and the right to object to the collection of his data. A breach of this legal requirement can be found in the case of the Metro Future Store in Rheinberg. In the declaration of consent within the contract of the customer loyalty card it is mentioned that “adjustment of offers to the wishes and needs of the customers is one of the purposes for which this card is used”. However, this clause is not written clearly enough to be understood by all customers, so the consent of the customers is not given lawfully.
When personal data are collected via RFID tags* in an AmI environment, the data subject has the right to be informed in a clear and intelligible way about the form of the data undergoing processing, as well as about the means and precautions the data controller has taken to adhere to the data protection principles. Furthermore, in cases of automatic processing of the data, the data subject is entitled to know the logic involved. In the example of the Metro Future Store, for instance, the RFID tags* in the customer loyalty cards were used to activate advertisement displays; however, the procedure and the logic followed for this were not known. It goes without saying that the procedure of collecting data shall be transparent for the additional reason that in this way the criteria used for choosing the specific data as appropriate can be easily checked.
In the context of profiling special consideration needs to be given to Art. 15 (1) of the Data Protection Directive. This article gives the right to every individual “not to be subject to a decision which produces legal effects concerning him or significantly affects him and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc.”. Therefore, when profiles are created based on data that are collected via RFID tags*, completely automated processes shall be avoided. However, this prohibition seems at odds with the logic of adaptive autonomic profiling, as discussed in section 2.1, since most decisions will be taken by machines in a process of machine to machine communication. To find out to what extent such M2M decision-making processes contain decisions that effectively ‘produce legal effects concerning a data subject or significantly affect him’, would require a measure of transparency that is not yet available. Adapting an environment presumes a contractual relationship between a service provider and a consumer, which thus has legal effect. Depending on the type of ‘social sorting’ that is produced by autonomic profiling these processes may have a profound impact on the distribution of risks and opportunities, thus significantly affecting a person.
Services based on location data
In an AmI environment, RFID tags* are used mainly as a means for the tracking and tracing of people. When services based on the location of the data subject are offered, we need to check whether Article 9 of the e-Privacy Directive applies. The sector-specific provisions of the e-Privacy Directive, and therefore Article 9 as well, apply to publicly available electronic communications services or when the service is offered over a public communications network. It is obvious that the prerequisites of a communication, as set down in the definition of the term in Article 2(d) of the e-Privacy Directive, need to be fulfilled. Otherwise only the more general provisions of the Data Protection Directive apply.
However, the regular function of RFID tags* neither presupposes a publicly available network nor demands a provider for the provision of the service (Legal IST, 2006: 20). If this is the case, Article 9 of the e-Privacy Directive does not apply. However, when the RFID tag* enables the provision of a value added service, then the aforementioned article is applicable. In such a case, when location data relating to users or subscribers are processed, they “may only be processed when they are made anonymous, or with the consent of the users or subscribers to the extent and for the duration necessary for the provision of a value added service”. Furthermore, “[t]he service provider must inform the users or subscribers, prior to obtaining their consent, of the type of location data other than traffic data which will be processed, of the purposes and duration of the processing and whether the data will be transmitted to a third party for the purpose of providing the value added service. Users or subscribers shall be given the possibility to withdraw their consent for the processing of location data other than traffic data at any time”.
In the Metro Future Store ‘the shopping assistant tracks the shoppers’ movement using wireless LAN software and displays location-specific personalized shopping lists, favourites and special offers. The system can offer discounts on items related to those put in the cart. It can also trigger in-store signs.’ When the customers give their consent to use their loyalty card (given that they are aware of the RFID tags* and readers*) in connection with the shopping assistant, they accept the legitimate processing of their data in order to receive the personalised information. The same applies in the Museum scenario, where the user creates his/her own personal profile in the museum’s RFID infrastructure in order to receive more personalised information. In both cases the RFID tags* enable the provision of value added services and therefore Article 9 of the e-Privacy Directive shall apply.
Obligations of the data controller
The data controller is the one that “determines the purposes and means of the processing of personal data”. For that reason, in each specific case we need to apply this definition in order to determine who the controller is. As a rule of thumb it can be said that the data controller is the ‘tag deployer’ (Legal IST, 2006: 21), i.e. the one that decides the purposes for which the RFID tag* is used, which data shall be collected and whether these data will be further processed. In the Museum scenario, for instance, the department of the museum that decides on the personal data of the visitors (for which purposes they are collected and processed, how this is achieved, etc.) is the data controller and bears the burden of complying with the data protection legislation.
In an AmI environment it is very important to identify the controller of the data in order to specify the natural or legal person that needs to ensure respect for the principles of lawful processing of data. The personal data shall be collected and processed fairly and lawfully; therefore the collection of data by illegal means violates the fairness principle. Such a violation occurs in the Metro Future Store scenario, where hidden RFID readers* and hidden RFID tags* on the loyalty cards are used, as well as in the unauthorised reading of the RFID tag* of Claire’s blouse by the burglars (Punie et al., 2006). In the former case of the Metro Future Store, specific pictograms or signs should be placed in the store indicating the presence of both RFID tagged products and RFID readers* in the supermarket departments or on the shelves (Van Eecke, Skouma, 2005: 175).
According to Art. 6 (c) of the Data Protection Directive, the collected data shall be “adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed”. In the example of loyalty cards, identification data and contact details are needed for offering the commercial benefits to the customers. However, it is quite common in practice that further information regarding the customers as well as their family members is requested, such as their education, profession, preferences, etc. (Italian DPA, 2005). Although this practice is widespread, it conflicts with the data minimisation principle as well as with the proportionality principle, which requires the data controller to collect and process as few personal data as possible. Furthermore, the data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed.
Furthermore, the data shall be “accurate and, where necessary, kept up to date”. The processing of wrong information will lead to inadequate profiling and will end up in profiling mismatches. In a ‘worst-case scenario’ the processing of inaccurate information can lead to harming a data subject on the basis of wrong information, as in the case of Claire.
As already mentioned above, the data controller needs to respect the finality principle, which means that the data shall be collected and processed for specified, explicit and legitimate purposes and further processing of the data is only allowed for purposes compatible with the initial ones.
The data controller shall ensure that the rights of the data subject are respected. In the frame of AmI, when the data subject exercises the right to know which of his data are processed, as well as the right to access these data, the controller has a difficult task to carry out. The data are stored in several places (tag, central database, etc.) and the data controller must provide information about all the places where data are stored. Only in this way will the data subject be able to fully exercise his right of rectification or deletion of data, when necessary.
Future of RFID in AmI
The application of the concept of personal data to emerging technologies raises new legal issues, since the meaning of two important elements of the definition of personal data is no longer self-evident. These two elements are ‘relating to’ and ‘identifiable’. The application of these elements is challenged by new forms of processing like web services and by an erosion of the traditional technological barriers (power limitations, limited transmission range, isolated data, etc.). As seen in this report, this is well illustrated by the growing use of RFID tags* and the massive development of communication networks which, as underlined by the EDPS, have the following impact:
- All tagged objects become a collector of personal data;
- The ‘presence’ of these smart objects, as well as of the individuals who carry them, is characterised by its ‘always on’ nature; and
- The resulting cascade of data continuously feeds an enormous amount of stored data (European Data Protection Supervisor, 2005).
The core concept in the European data protection legislation is ‘personal data’. However, as indicated in section 2.1, the protection needed as a consequence of profiling technologies in an AmI environment concerns the application of group profiles that may have been constructed without the use of personal data, either because the data have been anonymised or because the profile has been constructed without the use of data of the person it is applied to (see FIDIS deliverable 7.2, section 3, on the construction of group profiles). For this reason, next to Identity Management Tools that allow the data subject some kind of control over the leaking of his personal data, the application of group profiles requires new tools to access the knowledge (profiles) constructed by data controllers through profiling.
Denis Royer | 20 / 43 |