The European Commission should clarify the application of existing data protection rules to Radio Frequency Identification (RFID) technologies to avoid “big social dangers”, European Data Protection Supervisor Peter Hustinx told EURACTIV in an interview.
Peter Hustinx is the European data protection supervisor. His role is to ensure that the European institutions guarantee that privacy is respected when they deal with citizens’ personal data. He also cooperates with the Article 29 Working Party, the body which brings together national data protection authorities. He chaired the working party between 1996 and 2000.
What are the main privacy challenges of RFID?
RFID is likely to be used to collect information, not only on objects but also on the people who are using these objects. By doing this, they are likely to enter the private sphere of the individual. There is a trend which suggests that more and more objects will become intelligent in the near future. We do not know exactly when, but that is the general trend. And then eventually we will have intelligence around us, ambient intelligence, for many more objects: our clothes, our shoes, our food and our refrigerators will all become intelligent and will be online and will be exchanging data.
You said RFID could be used to track people. But we already have technologies like mobile phones and GPS capable of tracking people. With current technology, we can already see where a person is with precision. What does RFID add?
What it adds is the creation of capacity where it does not yet exist. GPS already allows localisation. And also mobile telephones, which are becoming a building block of the Internet of the future. If you combine all of this, possibilities to track a person will increase exponentially. We have to look at the context. Not at single technologies.
To tackle potential privacy and security-related concerns, in November the Commission will publish a recommendation on RFID. I presume you have already looked at it. It will be about increasing awareness among citizens by using logos to identify RFID, and it will also request the automatic deactivation of tags at the point of sale. What do you think (EURACTIV 06/10/08)?
I hope that the automatic deactivation will be part of it. And I expect it will. The Commission and everybody in the field expect great economic and social advantages from RFID. But they also see that this new technology may not take off if we do not solve the privacy issue.
So they have been working on solutions, and we are now close to a number of recommendations. For my part, it could be more than a recommendation in order to give an incentive to industry to invest in the solutions which are recommended. In the end, it is just about applying the existing legal framework. If you collect data, today you need to inform the person concerned. With RFID it should be the same.
For industry, recommending and perhaps in future obliging retailers to deactivate tags at the point of sale would represent an added cost. This would, according to them, block the roll-out of RFID and prevent them from offering important services like recalling dangerous products or recycling.
I do not think it is true. I think they are quite eager to get all of this solved. I stress that the recommendation, to a very large extent, simply makes visible what already applies. We are not adding anything. I think that in the context of the Internet of the future, there is a great need to highlight who is responsible for the use of personal information. In the end, the citizen, the consumer, the patient, the employee, whoever, will find it very difficult to hold someone responsible. That is a very, very big social danger. I also think that we need to invest in awareness, but also in information to clients. It is part of a good service to give choice and notice to data subjects. That is a principle of European data protection law.
If we want RFID, and a real Internet of Things, we need to change the protocol we use to identify single objects. We have to switch from the so-called IPv4 to the IPv6 protocol. Since the IPv6 protocol has the potential to offer an almost infinite number of addresses, the possible consequence is that every object and then also every computer might always have the same IP address, which is not the case now. Therefore, with IPv6, will the IP address become personal data?
That is a very good point. It is certain that in this new environment, the traceability of individuals, the computers of individuals and the objects of individuals will increase. In many cases, today there is already enough information available to relate data to an identifiable person. And it is true that the capacity for identification and profiling will increase. This is exactly why we need to ensure that in these new environments, the rules still apply (EURACTIV 08/10/08).
At the moment, the IP address is not considered personal data in Europe.
I do not think that is a correct summary. As of today there is some uncertainty, and this is why we will probably see a study from the Commission to shed light on this. But the common view of the data protection specialists is that in many situations IP addresses are personal data. Therefore websites, Internet Service Providers and other parties should ensure data protection compliance. This is an important thing to emphasise.
And what about cookies?
Cookies exist in different forms, and some of them are legitimate, some are not legitimate. If they are considered personal data, there is also a question of jurisdiction. Then there is the complex question of whether we can make a law effective versus a company using cookies on the other side of the world.
Some cookies are unavoidable, such as session cookies. Then there are the tracking and tracing cookies, which allow identification. We are having a discussion right now with Google about what it could do in terms of retaining cookies or data on the search behaviour of persons whose IP address they know. The very fact that we are having this discussion has triggered Google, and other companies, by the way, to define limits. Google has now announced it will reduce this time to nine months, and we are not done with this discussion yet (EURACTIV 10/09/08).