Convergent Software has ceased trading.

The site will be available until 14 August 2019.

Do you know about GDPR “blacklists” and RFID applications?

To quote one of the catchphrases of the UK actor Michael Caine: “Not a lot of people know that”. So let’s unravel this a bit.

A GDPR blacklist sounds scary, and the term has no official status in the GDPR. However, Article 35(1) of the GDPR does require organisations to conduct a Data Protection Impact Assessment under certain circumstances.

Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

Article 35(4) states that a Data Protection Authority “shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment pursuant to paragraph 1”.

Germany is a federation of states (Länder), each with its own data protection authority and rules. So it was good news when the conference of the federal and state data protection authorities (Datenschutzkonferenz, “DSK”) published a common, mandatory blacklist of applications [1] requiring a DPIA, applicable to the private sector, or more precisely the ‘non-public’ sector.

For each entry on its list the DSK gives:

  • Relevant description of the processing activity
  • Typical fields of application
  • Example(s)

Below we take a closer look at the applications where the DSK explicitly cites RFID, or where RFID applications can be used for similar processes. We use the definition of RFID from the European Commission’s RFID Recommendation C(2009) 3200 final[2].

“use of electromagnetic radiating waves or reactive field coupling in the radio frequency portion of the spectrum to communicate to or from a tag through a variety of modulation and encoding schemes to read from or write to an RFID tag.”

As such it covers not only what is commonly known as RFID, but also all forms of contactless card, including payment cards, and NFC devices, wherever an air interface protocol is used to read from or write to the device.

Below, text taken from the DSK document is shown in quotation marks. We have added examples that involve processing activity similar to that defined in the DSK document. These additional examples are based on real applications that have been implemented somewhere in the world. It can also be argued that some of the applications fall under more than one of the DSK’s processing activities.

Unauthorised reading

Processing activity: “Collection of personal data via interfaces of personal electronic devices which are not protected against unauthorized readout, which the persons concerned cannot recognize”
Application: “Use of RFID/NFC through apps or cards”
Example: “A bank uses NFC technology for money cards to facilitate payment transactions”

This is quite a significant class of application that goes well beyond the simple example of NFC for payment transactions. The vast majority of RFID tags have no off switch, so when an item with an RFID tag or a card with an embedded chip is carried in public it is not protected against unauthorised readout. Whether a tag has any protection is a property of the tag itself: some offer password-protected memory or answer with a different randomised identifier on each activation, but most low-cost tags answer any reader that energises them, every time, with the same identifier. A challenge for any Data Protection Officer responsible for assessing the risk of unauthorised reading is having enough knowledge of RFID technology to know which case applies to a given tag or card in a public space. Fortunately the European Commission tasked the relevant standards bodies to prepare for this situation. EN 16571 and other supporting documents provide not only sound technical details of the risk factors but also the means to mitigate these risks. There is more on this later in this document.

Tracking – where the individual is unaware of the process

Processing activity: “Not as intended use of sensors of a mobile radio device in the possession of the persons concerned or of radio signals transmitted by such devices to determine the whereabouts or movement of persons over a substantial period of time”
Application: “Offline tracking of customer movements in department stores, shopping centres, etc.”
Example: “A company processes the WLAN, Bluetooth or mobile phone signals of passers-by and customers in order to be able to track the routes and shopping behaviour.”

Although not explicitly cited by DSK, here are some similar real RFID examples:

  • The use of RFID in a shopping mall to track the position of tagged retail products to create a profile map of customer movement
  • Tracking airline baggage with an RFID tag within and beyond an airport. The RFID tag and other data can identify the passenger

Tracking – where the individual is aware of some aspects of the process, but probably not the details

Processing activity: “Mobile optical-electronic recording of personal data in public areas, provided that the data from one or more recording systems are centrally consolidated on a large scale”
Application: “Vehicle data processing”
Example: “A company collects personal data that vehicles generate about their environment and uses this data, for example, to determine free parking spaces”

Although not explicitly cited by DSK, here are some similar real RFID examples:

  • RFID tags used on toll roads and bridges, overtly to reduce delay times, but linked to time of travel or speed between two data capture points.
  • RFID tags applied to vehicle registration plates to enable extensive tracking of individual vehicles.
  • Public transportation cards assigned to registered individuals, i.e. not anonymously, used to track a person’s journey combined with other factors like time and place and frequency of the location.

Purchasing Profiles

Processing activity: “Creation of comprehensive profiles on the movement and purchasing behaviour of those affected”
Application: “Recording the purchasing behaviour of different groups of people for profile building and customer retention with the aid of prices, price discounts and rebates”
Example: “A company uses customer cards that record customers purchasing behavior. ... With the help of the acquired data, the provider creates comprehensive customer profiles.”

Although not explicitly cited by DSK, here are some similar real RFID examples:

  • The use of RFID in retail stores to identify tagged products purchased from other stores
  • Tracking airline baggage that has a permanent RFID tag (and therefore persistently associated with a registered person) that enables a travel profile to be established across airlines, airports and countries
  • A library using RFID to process books checked out and returned resulting in the entire borrowing history of the individual being available on the library’s database, including payment of fines

Monitoring locations

Processing activity: “Extensive processing of personal data about the location of natural persons”
Application: two cited applications are relevant to RFID:
  • “Vehicle Data Processing - Car Sharing / Mobility Services Vehicle data processing”
  • “Offline tracking of customer movements in department stores, shopping centres, etc.”
Example:
  • “A company processes the GPS, Bluetooth and/or mobile phone signals of passers-by and customers in order to be able to track the route and shopping behaviour”
  • “A company offers a car sharing service or other mobility services and processes extensive position and accounting data for this purpose”

The tracking examples cited above also yield location data: a tag read combined with the fixed, known location of the reader places the person at that point at that time.
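The unauthorised-reading, tracking, purchasing-profile and location points above all rest on one mechanism: a tag that answers every reader with the same identifier lets reads from readers at known locations be chained into a trail, and two tags carried by the same person get linked to each other. The following Python simulation is an added example, not code from the original page, from Convergent Software or from EN 16571; the readers, the route, the jacket EPC and the card UIDs are constructed for illustration. It contrasts a tag with a fixed identifier against one that answers with a fresh random UID on each activation (an option ISO/IEC 14443-3 provides for contactless cards), and shows that a random-UID card is still tracked if it is carried alongside a static retail tag.

```python
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations
import secrets


@dataclass(frozen=True)
class Read:
    ts: int       # seconds since midnight at the reader
    reader: str   # the reader's fixed, known location
    ident: str    # whatever identifier the tag answered with


class StaticIdTag:
    """Tag that always answers with the same identifier, e.g. the EPC of a
    UHF retail tag or the fixed UID of many ISO/IEC 14443 cards."""
    def __init__(self, ident: str) -> None:
        self.ident = ident

    def answer(self) -> str:
        return self.ident


class RandomUidTag:
    """Tag that answers with a fresh random single-size UID on every
    activation (ISO/IEC 14443-3 marks such UIDs with a first byte of 0x08)."""
    def answer(self) -> str:
        return "08" + secrets.token_hex(3).upper()


def simulate(tag, route):
    """Log one read per (ts, reader) point along the route the tag is carried."""
    return [Read(ts, reader, tag.answer()) for ts, reader in route]


def movement_profiles(reads, min_points=2):
    """Chain reads by identifier into an ordered trail of (ts, reader).
    Only identifiers seen at min_points or more points form a profile."""
    trails = defaultdict(list)
    for r in sorted(reads, key=lambda r: r.ts):
        trails[r.ident].append((r.ts, r.reader))
    return {ident: trail for ident, trail in trails.items() if len(trail) >= min_points}


def co_carried(reads, window=30, min_readers=2):
    """Identifiers read together (same reader, within `window` seconds) at
    min_readers or more distinct readers are probably carried by the same
    person, so a payment card becomes linked to the products carried with it."""
    by_reader = defaultdict(list)
    for r in reads:
        by_reader[r.reader].append(r)
    readers_seen = defaultdict(set)
    for reader, rs in by_reader.items():
        for a, b in combinations(rs, 2):
            if a.ident != b.ident and abs(a.ts - b.ts) <= window:
                readers_seen[frozenset((a.ident, b.ident))].add(reader)
    return {pair for pair, readers in readers_seen.items() if len(readers) >= min_readers}


# Constructed route through a shopping centre: (seconds since midnight, reader)
ROUTE = [
    (9 * 3600, "entrance-north"),
    (9 * 3600 + 720, "shop-A-doorway"),
    (10 * 3600 + 300, "food-court"),
    (11 * 3600 + 1800, "car-park-exit"),
]

# Constructed identifiers (hypothetical values): an EPC on a jacket bought
# last week, and the fixed UID of a contactless card
JACKET_EPC = "3034F4E4B0C0000000000001"
STATIC_CARD_UID = "04A224B2C15D80"


def demo():
    static_card = StaticIdTag(STATIC_CARD_UID)
    random_card = RandomUidTag()
    jacket = StaticIdTag(JACKET_EPC)

    static_reads = simulate(static_card, ROUTE)
    random_reads = simulate(random_card, ROUTE)
    # the jacket tag is read a few seconds after the card at every point
    jacket_reads = simulate(jacket, [(ts + 5, reader) for ts, reader in ROUTE])

    return {
        # fixed UID: one identifier, four points, a complete movement profile
        "static_profiles": movement_profiles(static_reads),
        # random UID: four unrelated identifiers, nothing to chain
        "random_profiles": movement_profiles(random_reads),
        # fixed-UID card and jacket are linked as belonging to one person
        "linked_static": co_carried(static_reads + jacket_reads),
        # random-UID card gives no trail, but the jacket still does
        "with_jacket": movement_profiles(random_reads + jacket_reads),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Replacing a fixed identifier with a random one removes the identifier-based trail, but the profile survives as long as any other static tag travels with the person; this is why the assessment has to look at everything the data subject carries, not just the card the operator issued.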

Employee work activity

Processing activity: “Processing of extensive personal data on the conduct of employees, which can be used to evaluate their work activities”
Application: “systems that generate systematic profiles of employees”; “Geolocalization of employees”
Example: “movement profiles of employees created (using RFID, mobile phone tracking or GPS) to secure personnel (security guards, firefighters), to protect valuable property of the employer or a third party (truck with cargo, cash transport) or to coordinate work assignments in the field”

Although not explicitly cited by DSK, here are some other real RFID examples that seem similar:

  • Security guards patrolling cities
  • Factory workers and maintenance workers using RFID to sign onto specific work activities
  • RFID used for piecework payments
  • Miners, fire fighters being monitored for safety and evacuation
  • Although students are not employees, schools and colleges monitoring students, especially children, for attendance and activities


The DSK is one of the first data protection authorities to publish a blacklist of processing activities requiring a DPIA. There is a risk that different authorities will adopt different approaches. For example, the UK-based Information Commissioner’s Office has published a list of examples of processing “likely to result in high risk” [3]. The ICO goes further by stating that its list is “non-exhaustive”. Its list of examples is longer, and some are closer to those we have added as real examples:

  • Automatic number plate recognition
  • Intelligent transport systems
  • Traffic management systems involving monitoring of vehicle/driver behaviour
  • Wi-Fi/Bluetooth/RFID tracking
  • Smart technologies (including wearables)
  • Workplace access systems/identity verification
  • Access control/identity verification for hardware/applications
  • Processing location data of employees
  • Loyalty schemes


Our advice – use EN 16571 to assess the privacy risk of an RFID application

GDPR Article 35(1) is written like any regulation: it mixes prescription (“shall ... carry out an assessment of the impact”) with a deliberately open-ended description of the processes that are “likely to result in a high risk to the rights and freedoms of natural persons”.

Furthermore, the GDPR says nothing about how the assessment of the impact is to be undertaken. Interestingly, the European Commission has had a long-term interest in the privacy risks and, in contrast, the benefits of RFID. The RFID Recommendation (reference [2]) is the lowest policy measure defined by Article 288 of the Treaty on the Functioning of the European Union (a regulation is the highest). The RFID Recommendation advised all member states to consider the impact of RFID on privacy nine years before the GDPR became mandatory.

The European Commission did not stop there. It instructed the European Standards Organisations to develop standards and other documents to support European society in achieving a reasonable level of privacy when using RFID technology. As a result, EN 16571 Information technology - RFID privacy impact assessment process was published in June 2014 by the European Committee for Standardization (CEN). It is applicable in 33 European countries.

We have two other related documents that address RFID privacy in more detail:

Just as Michael Caine’s “Not a lot of people know that” was intended to share some knowledge, we hope that this document and the linked documents provide you with more understanding of why RFID privacy risks need to be correctly assessed.

References

1 DSK blacklist of Applications

2 European Commission’s RFID Recommendation C(2009) 3200 final

3 GDPR: Examples of processing likely to result in high risk
