Enter “General Data Protection Regulation” into a search engine and you will get between 6 million and 22 million results in less than a second. Scan through a few entries and many are about the fact that there is a deadline for compliance by 25 May 2018. What many people forget is that the GDPR had a long development process. Following a formal opinion by Mr Peter Hustinx (the European Data Protection Supervisor at that time), in January 2012 the European Commission proposed a comprehensive reform of the EU's 1995 data protection rules to strengthen online privacy rights and boost Europe's digital economy. It took a further four years for the final version of the GDPR to be signed off by the Commission, the Council of Ministers and the European Parliament.
As Recital 30 of the GDPR correctly implies, there can be one or more unique identifiers in an RFID tag. This is in addition to other encoded data that can be used to build a profile of the individual carrying the tag or smart card. Most RFID tags are always on, having no off switch. This means that a tag can be read whenever it is within reading range of an interrogator (reading device). The reader may be a legitimate device that picks up data accidentally; a common example of this is known as card clash, when someone holds more than one smart card near a reader. Because there are so few RFID air interface protocols (the means of communication between interrogator and tag), reading devices are readily available to anyone, including those intent on malicious use. The holder of the RFID tag or card has no way of knowing that a read process has taken place. This is a real privacy risk for RFID operators (data controllers) that implement RFID applications.
EN 16571 defines a privacy impact assessment process that has strong parallels with the data protection impact assessment process called for in the GDPR. Specifically it:
For over 10 years RFID and privacy have been on the radar of the European Commission.
The rest of this page shows parts of the GDPR that are relevant to RFID plus a brief history of the development of RFID privacy concerns in the European Commission.
Recital 30 of the GDPR states:
Recital 76 of the GDPR states:
Article 35 Paragraph 1 of the GDPR states:
Article 4 Paragraph 2 states:
RFID data capture is processing by automated means. Because there is no ‘off switch’, disclosure by transmission is open to anyone with the relevant reader, such as any one of millions of smartphones. All RFID tags have a unique identifier, which is more permanent than an IP address or the data encoded on the tag; as such it leaves traces which ... may be used to create profiles.
EN 16571 is the only source of a technology-based, objective risk assessment for RFID applications, covering protocols from low frequency (LF) to ultra-high frequency (UHF). The EN 16571 evaluation process takes into account the type of data, the vulnerabilities inherent in RFID, the specific products being used, and the countermeasures that may be applied to mitigate risks.
There are a number of RFID applications that involve children carrying RFID tags. Examples include where RFID is used in libraries, for retail products, for travel cards, for air transportation, in leisure parks, and in hospitals. The list is not exhaustive.
Recital 38 of the GDPR states:
Paragraphs 1 and 2 of Article 8 of the GDPR state:
For many RFID applications it is not possible to distinguish products and services being offered to children from those being offered to the adult population. In some applications it is not possible to obtain parental consent. EN 16571 can be used to identify mechanisms and procedures that reduce the risk to children carrying or wearing RFID tags.
Recital 78 of the GDPR states:
Paragraphs 1 and 2 of Article 25 of the GDPR state:
As EN 16571 provides details of countermeasures, it provides a basis both for progressive enhancements and for privacy by design.
The Commission’s concerns about RFID and privacy go back over 10 years. Here is a brief timeline: