ICT: EU acts on growing privacy concerns

reding4.jpg

The EU institutions are stepping up their efforts towards stronger protection of personal data on the Internet and in relation to the use of new technologies, such as radio frequency identification (RFID).

  • Search engines

On 19 February, EU national privacy regulators in the so-called Article 29 Working Party concluded that the activities of search engines should “fall under the EU Data Protection Directive” which states that “personal data may be processed only if the data subject has unambiguously given his consent”. 

If implemented at national level, this move would represent a radical turnaround in comparison to how search engines have so far worked. Since a query is considered to be personal data, Google and Yahoo will be requested to ask the consent of every single user in order to store this information.

Until now, search engines have stored and used this kind of information without limits and without the consent of users, who usually have not even been aware of the fact that a query is private data. Indeed it is, since from a history of queries it is easy to create a detailed profile of an Internet user to be used for commercial purposes.

Regulators also agreed that these provisions apply to search engines based outside EU, provided they “use automated equipment based in one of the member states for the purposes of processing personal data”. A legally binding opinion on this subject is expected in April.

  • RFID

On Thursday 21 February, the European Commission issued a draft recommendation to the operators which use RFID technology, setting up a list of guidelines to be respected in order to avoid privacy breaches. This move has officially started a public consultation on the topic.

Currently acting in a legislative vacuum concerning RFID, the Commission suggests applying the same rules used for data protection in other fields to this new technology. There is an urgent need to update the current legal situation due to the quick takeup of RFID devices, which might soon replace bar codes in retail shops.

Against this background, Brussels proposes the introduction of the so-called ‘opt-in’ principle for RFID, which involves requesting the consent of users when personal data are contained in tags. The principle would be applied in shops where RFID tags are regularly used. Once the shopper leaves the retail space, they would automatically be deactivated “unless the consumer chooses to keep the tag operational”.

At the moment, consumers are generally unaware of the presence of RFID tags, already in use in several products, such as loyalty cards given out by supermarkets or other shops. The chips in the tags can contain personal data, potentially readable by everybody using a relatively cheap tag reader device. This exposes consumers to a series of risks, ranging from financial damages (related to the acquisition of credit card numbers) to identity theft.

To address the widespread lack of awareness among citizens about RFID despite its growing diffusion, the Commission is also requesting operators to “clearly” signal its presence when it is used in public places.

"From fighting counterfeits to better healthcare, smart RFID chips offer tremendous opportunities for business and society," said Information Society Commissioner Viviane Reding. However, she pointed out that "we should stimulate the use of RFID technology in Europe whilst safeguarding personal data and privacy".

"RFID as an enabling technology is the basis for a large number of applications. Most of these applications do not store or use personal data. Rather, the chips contain number codes used to identify goods or inform about production processes," according to EICTA, the association representing the European digital industry. However, "users must have an opportunity [to decide] whether to give consent to the use of information acquired through RFID devices that require notice. For instance, consumers should, where possible, have the opportunity to choose whether the use of RFID technology is desired after the point of sale and whether the information can be used for customer loyalty programmes," states an EICTA position paper on RFID.

"Radio Frequency Identification (RFID) is already part of our lives: a small tag in/on a product contains information making it possible to track and identify each object individually (information on its origin and date of production, or personal data in the case of a credit card)," commented BEUC, the association representing European consumers. "If the consumer goods you buy are RFID-tagged, information on your buying habits can be collected and stored. This obviously stirs unprecedented challenges to data protection and other consumer fundamental rights," added a BEUC press release.

"Potential risks to privacy are generally important concerns for individuals and organisations. Key characteristics and functionalities of RFID technologies have the potential to offer benefits as well as to foster misperceptions and to impact privacy. RFID systems that collect data related to identified or identifiable individuals raise specific privacy issues that should be considered as a priority challenge to the adoption of the technology in a large number of areas. In most cases, the potential invasion of privacy through the use of RFID depends on both the technology used and the context," reads a report published in January 2008 by the OECD.

A consumer survey published in 2004 by Cap Gemini and Ernst & Young shows ranks privacy as the number one concern among US consumers regarding RFID.

While the growing number of tailored electronic products and services offers increased benefits for consumers, it also relies on the use of personal data. 

Search engines such as Google, Yahoo or MSN collect personal data and store them for years. Private information is used to provide better and usually free services to users, but it is also exploited for commercial purposes.

The side effects of proliferation of private information are being increasingly questioned by the EU institutions.

At the same time, new technologies are appearing, such as Radio Frequency Identification (RFID). RFID chips are small and relatively low-cost circuits capable of communicating with a fixed or portable device, the reader. Such tags can be attached to consumer goods, packaging and other items in order to optimise inventory and retrieval activities (see our Links Dossier on RFID).

They are increasingly used in products destined to final users, often without their awareness, raising doubts on the possible misuse of personal information collected. The Commission proposed a European policy strategy on RFID in March 2007.

Search engines

  • 7 April 2008: Article 29 Working Party meets. A binding opinion on privacy and search engines is expected.

RFID

  • 25 April 2008: End of the public consultation on RFID and privacy. 
  • By summer 2008: Commission intends to issue final recommendation on RFID and privacy.

Subscribe to our newsletters

Subscribe