Convergent Software works closely with RFID-related standards and develops data encoding and privacy compliance software to support and encourage the correct use of RFID.

Why RFID Applications Matter for the GDPR

Introduction

Enter “General Data Protection Regulation” into a search engine and you will get between 6 million and 22 million results in less than a second. Scan through a few entries and many are about the fact that there is a deadline for compliance by 25 May 2018. What many people forget is that the GDPR had a long development process. Following a formal opinion by Mr Peter Hustinx (the European Data Protection Supervisor at that time), in January 2012 the European Commission proposed a comprehensive reform of the EU's 1995 data protection rules to strengthen online privacy rights and boost Europe's digital economy. It took a further four years for the final version of the GDPR to be signed off by the Commission, the Council of Ministers and the European Parliament.

As Recital 30 of the GDPR correctly implies, there can be one or more unique identifiers in an RFID tag. This is in addition to other encoded data that can create a profile of the individual carrying the tag or smart card. Most RFID tags are always on, having no off switch. This means that a tag can be read whenever it is within reading range of an interrogator (reading device). This can be a legitimate device that picks up data accidentally; a common example of this is known as card clash, when someone holds more than one smart card. Because there are so few RFID air interface protocols (the means of communication between interrogator and tag), reading devices are readily available to anyone, including those intent on malicious use. The holder of the RFID tag or card has no way of knowing that a read process has taken place. This is a real privacy risk for RFID operators (data controllers) that implement RFID applications.

EN 16571 defines a privacy impact assessment process that has strong parallels with the data protection impact assessment process called for in the GDPR. Specifically it:

  • identifies different types of personal identifier
  • identifies 39 known threats that can impact the privacy and sometimes the security of an RFID application. Exploitation of such a threat can lead to a breach of data protection as defined in the GDPR
  • calculates the risk of a given RFID application, based on the data on the tag, threats inherent with the protocol and devices being used and the countermeasures that are applied to mitigate risks
  • considers risks of the technology for children who are unable to give consent
  • enables a continual process of risk reduction in line with Article 25 “Data protection by design and by default”

For over 10 years RFID and privacy have been on the radar of the European Commission.

The rest of this page shows parts of the GDPR that are relevant to RFID, plus a brief history of the development of RFID privacy concerns in the European Commission.

Recital 30 of the GDPR states:

Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

Recital 76 of the GDPR states:

The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk.

Article 35 Paragraph 1 of the GDPR states:

Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

Article 4 Paragraph 2 states:

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

RFID data capture is processing by automated means. Because there is no ‘off switch’, disclosure by transmission is open to anyone with the relevant reader, like any one of millions of smartphones. All RFID tags have a unique identifier, which is more permanent than an IP address or the data encoded on the tag; as such it leaves traces which ... may be used to create profiles.

EN 16571 is the only source of a technology-based objective risk assessment for any RFID application, covering protocols from low frequency (LF) to ultra-high frequency (UHF). The EN 16571 evaluation process takes into account the type of data, the vulnerabilities inherent in RFID and in the specific products being used, and the countermeasures that may be applied to mitigate risks.

There are a number of RFID applications that involve children carrying RFID tags. Examples include where RFID is used in libraries, for retail products, for travel cards, for air transportation, in leisure parks, and in hospitals. The list is not exhaustive.

Recital 38 of the GDPR states:

Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.

Paragraphs 1 and 2 of Article 8 of the GDPR state:

1. Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.

2. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.

For many RFID applications it is not possible to discriminate between products and services being offered to children from those being offered to the adult population. In some applications it is not possible to obtain parental consent. EN 16571 can be used to identify mechanisms and procedures that can reduce the risk to children carrying or wearing RFID tags.

Recital 78 of the GDPR states:

The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met. In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features. When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations. The principles of data protection by design and by default should also be taken into consideration in the context of public tenders.

Paragraphs 1 and 2 of Article 25 of the GDPR state:

1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.

As EN 16571 provides details of countermeasures, it provides a basis for both progressive enhancement and privacy by design.
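One concrete data-protection-by-design countermeasure for the unique-identifier problem raised under Recital 30 is to pseudonymise the tag identifier at the point of capture, so that the operator's records can serve their purpose without retaining a permanent identifier that links reads across applications. The following is an added illustration, not code from this page, from EN 16571 or from Convergent Software; the `ReadLogger` class, the context-binding scheme and the sample tag UIDs are all constructed here for the example.

```python
"""Keyed pseudonymisation of RFID tag UIDs before they are stored (illustrative)."""
import hashlib
import hmac
import secrets
from typing import List, Optional

# Constructed sample tag identifiers (not real tags): a 96-bit EPC-style UID
# and a 7-byte ISO/IEC 14443-style UID, as a reader might deliver them.
SAMPLE_UIDS = [
    bytes.fromhex("30395DDA7800400000000001"),
    bytes.fromhex("04A2B3C4D5E6F7"),
]


def pseudonymise_uid(uid: bytes, key: bytes, context: str) -> str:
    """Keyed one-way pseudonym of a tag UID: HMAC-SHA256 truncated to 128 bits.

    Binding a context string (application or site name) into the MAC gives the
    same physical tag unrelated pseudonyms in different applications, so reads
    cannot be combined into a cross-application profile without the key.
    """
    mac = hmac.new(key, context.encode("utf-8") + b"\x00" + uid, hashlib.sha256)
    return mac.digest()[:16].hex()


class ReadLogger:
    """Hypothetical read store: keeps the pseudonym only, never the raw UID."""

    def __init__(self, context: str, key: Optional[bytes] = None):
        self.context = context
        # The key stays with the controller; rotating it unlinks old and new records.
        self.key = key if key is not None else secrets.token_bytes(32)
        self.records: List[dict] = []

    def record(self, uid: bytes, reader_id: str) -> dict:
        # Data minimisation: only the fields the application needs are stored.
        entry = {"tag": pseudonymise_uid(uid, self.key, self.context),
                 "reader": reader_id}
        self.records.append(entry)
        return entry

    def rotate_key(self) -> None:
        self.key = secrets.token_bytes(32)


def raw_uid_leaked(records: List[dict], uids: List[bytes]) -> bool:
    """Defender's check: does any stored record contain a raw UID in hex form?"""
    blob = repr(records).lower()
    return any(u.hex().lower() in blob for u in uids)
```

Within one application the pseudonym is stable, so de-duplication and anti-passback still work; across applications, or after a key rotation, the same tag is no longer linkable.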

The Commission’s concerns about RFID and privacy go back over 10 years. Here is a brief timeline:

  • In March 2006 at CeBIT, Commissioner Viviane Reding announced the launch of a Europe-wide public consultation on RFID
  • The consultation took place later that year resulting in...
  • The formation of the EU RFID Expert Group in May 2007, with members from end-user communities, privacy organisations, users from different application sectors, RFID system providers and standardisation bodies. There were observers from Member States and Data Protection Authorities.
  • The Commission issued Mandate M436 in September 2008 to address data protection, privacy and information security aspects of RFID. The Mandate complements the existing legal framework but does not substitute it.
  • The objective of the first phase, which started in February 2010, was to prepare a complete framework for the development of future RFID standards.
  • The second phase started in April 2012 and resulted in the publication by 33 European National Standards Bodies (e.g. AFNOR [France], BSI [United Kingdom], DIN [Germany]) of a number of documents including these two standards:
    • EN 16570:2014 Information technology - Notification of RFID - The information sign and additional information to be provided by operators of RFID application systems
    • EN 16571:2014 Information technology - RFID privacy impact assessment process

We offer software to assist with completion of RFID privacy impact assessment, in line with EN 16571. If you just want to learn more, we provide a free support service.
