The EU institutions are stepping up their efforts towards stronger protection of personal data on the Internet and in relation to the use of new technologies, such as radio frequency identification (RFID).
- Search engines
On 19 February, EU national privacy regulators in the so-called Article 29 Working Party concluded that the activities of search engines should “fall under the EU Data Protection Directive” which states that “personal data may be processed only if the data subject has unambiguously given his consent”.
If implemented at national level, this move would represent a radical turnaround in comparison to how search engines have so far worked. Since a query is considered to be personal data, Google and Yahoo will be requested to ask for the consent of every single user in order to store this information.
Until now, search engines have stored and used this kind of information without limits and without the consent of users, who usually have not even been aware of the fact that a query is private data. Indeed it is, since from a history of queries it is easy to create a detailed profile of an Internet user to be used for commercial purposes.
Regulators also agreed that these provisions apply to search engines based outside the EU, provided they “use automated equipment based in one of the member states for the purposes of processing personal data”. A legally binding opinion on this subject is expected in April.
On Thursday 21 February, the European Commission issued a draft recommendation to the operators which use RFID technology, setting up a list of guidelines to be respected in order to avoid privacy breaches. This move has officially started a public consultation on the topic.
Currently acting in a legislative vacuum concerning RFID, the Commission suggests applying the same rules used for data protection in other fields to this new technology. There is an urgent need to update the current legal situation due to the quick take-up of RFID devices, which might soon replace bar codes in retail shops.
Against this background, Brussels proposes the introduction of the so-called ‘opt-in’ principle for RFID, which involves requesting the consent of users when personal data are contained in tags. The principle would be applied in shops where RFID tags are regularly used. Once the shopper leaves the retail space, the tags would automatically be deactivated “unless the consumer chooses to keep the tag operational”.
At the moment, consumers are generally unaware of the presence of RFID tags, already in use in several products, such as loyalty cards given out by supermarkets or other shops. The chips in the tags can contain personal data, potentially readable by anybody using a relatively cheap tag reader device. This exposes consumers to a series of risks, ranging from financial damages (related to the acquisition of credit card numbers) to identity theft.
To address the widespread lack of awareness among citizens about RFID despite its growing diffusion, the Commission is also requesting operators to “clearly” signal its presence when it is used in public places.