EN 16571:2014 Information technology - RFID privacy impact assessment process defines the need for RFID vendors to provide privacy capability statements for their products. These are quite simply RFID product features described from a privacy perspective. They enable RFID operators to undertake their privacy impact assessments with accurate information.
Why is this important? For many years the European Commission (EC) has been concerned about RFID privacy while at the same time promoting the take-up of the technology. At the major technology show, CeBIT 2006, European Commissioner Viviane Reding announced the launch of a Europe-wide public consultation on RFID. The following year the EC established an RFID Expert Group with members from end-user communities, privacy organisations, users from different application sectors, RFID system providers and standardisation bodies. This resulted in an EC mandate to the European Standards Organisations to carry out research and develop appropriate standards. EN 16571 was one of the standards.
In parallel with all of this work, steps were being taken to revise the Data Protection Directive of 1995 and replace it with a more robust 21st-century approach to privacy and data protection for EU citizens. This resulted in the publication of the General Data Protection Regulation (GDPR), which has to be implemented in all EU Member States by 25 May 2018. While the GDPR officially applies in full only within the European Union, lawyers and privacy experts claim that 90% of it is relevant on a universal basis.
As RFID technology is common globally, the privacy impact assessment specified in EN 16571 and the requirement for privacy capability statements is relevant beyond Europe.
Each RFID product should have its own privacy capability statement (PCS) form addressing the privacy capabilities of the RFID integrated circuit (the chip), the tag, or the interrogator (tag reader). The RFID operator needs this to assess which countermeasures are present in the product to reduce the privacy risks of the application. This is done by using the information in the PCS forms for the RFID products that constitute the hardware components of an RFID system. Some of the privacy capabilities are fixed in a product; others comply with a particular edition of a protocol standard but need to be invoked as part of the application; and others have been added by the product manufacturer as proprietary enhancements for use in applications.
Many of the privacy capability features on the form are linked to the command codes specified in the RFID standards. As examples, for ISO/IEC 18000-63:

| Feature | Protocol Command Code | Product |
|---|---|---|
| Kill | 0x0C | RFID chip & RFID reader |
| Verification using a password | 0xC6 | RFID chip & RFID reader |
| Verification using the unique Tag ID | 0xC2 | RFID chip & RFID reader |
| Read protect | proprietary | RFID chip & some RFID readers |
| Destruction mechanism of the antenna using some product feature | reasonably common | RFID tag |
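The operator's job described above is to combine the PCS forms of the chip, tag and reader that make up one system and work out which countermeasures are actually usable, and whether the application still has to invoke them. The following is an added example of that composition step, not code from EN 16571, CNRFID or any vendor. Feature names and command codes are copied from the table above; the PCS layout, the mapping of features to required components, the status vocabulary and the sample products are assumptions constructed for illustration.

```python
"""Composing RFID privacy capability statements (PCS) for one system.

Added example, not from EN 16571 or the Registration Authority. Feature names
and command codes come from the ISO/IEC 18000-63 table on the page; the PCS
structure, component mapping and sample products are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Origin(Enum):
    """The three kinds of capability the page distinguishes."""
    FIXED = "fixed in the product"
    PROTOCOL = "standard command; the application must invoke it"
    PROPRIETARY = "manufacturer enhancement"


@dataclass(frozen=True)
class Capability:
    feature: str
    command_code: str      # e.g. "0x0C" as listed on the page, or "proprietary"
    origin: Origin


@dataclass
class PCS:
    product: str           # constructed product name
    component: str         # "chip", "tag" or "reader"
    capabilities: dict     # feature name -> Capability


# Which hardware components must each declare a feature before the operator can
# count it as a countermeasure (assumption derived from the table's Product column).
REQUIRED_COMPONENTS = {
    "Kill": ("chip", "reader"),
    "Verification using a password": ("chip", "reader"),
    "Verification using the unique Tag ID": ("chip", "reader"),
    "Read protect": ("chip", "reader"),
    "Destruction mechanism of the antenna": ("tag",),
}


def assess_system(forms):
    """Combine the PCS forms of a system's components.

    Returns {feature: {"status", "missing", "codes"}} where status is "fixed"
    (always on), "invoke" (the application must use the command) or
    "unavailable" (a required component does not declare the feature).
    """
    by_component = {}
    for form in forms:
        by_component.setdefault(form.component, []).append(form)

    verdicts = {}
    for feature, needed in REQUIRED_COMPONENTS.items():
        declared = {}  # component -> Capability declared on its form
        for comp in needed:
            for form in by_component.get(comp, []):
                if feature in form.capabilities:
                    declared[comp] = form.capabilities[feature]
        missing = [c for c in needed if c not in declared]
        codes = {c: cap.command_code for c, cap in declared.items()}
        if missing:
            status = "unavailable"
        elif all(cap.origin is Origin.FIXED for cap in declared.values()):
            status = "fixed"
        else:
            status = "invoke"
        verdicts[feature] = {"status": status, "missing": missing, "codes": codes}
    return verdicts


def inconsistent_codes(verdicts):
    """Features whose component forms disagree on the command code.

    A mismatch usually means a transcription error on one form and should be
    resolved before the feature is relied on in the impact assessment.
    """
    return sorted(f for f, v in verdicts.items() if len(set(v["codes"].values())) > 1)


# Constructed sample forms (not real products or real PCS submissions)
CHIP_FORM = PCS("ExampleChip-1", "chip", {
    "Kill": Capability("Kill", "0x0C", Origin.PROTOCOL),
    "Verification using a password": Capability("Verification using a password", "0xC6", Origin.PROTOCOL),
    "Read protect": Capability("Read protect", "proprietary", Origin.PROPRIETARY),
})
READER_FORM = PCS("ExampleReader-1", "reader", {
    "Kill": Capability("Kill", "0x0C", Origin.PROTOCOL),
    "Verification using a password": Capability("Verification using a password", "0xC6", Origin.PROTOCOL),
})
TAG_FORM = PCS("ExampleTag-1", "tag", {
    "Destruction mechanism of the antenna": Capability(
        "Destruction mechanism of the antenna", "n/a", Origin.FIXED),
})
SAMPLE_FORMS = [CHIP_FORM, READER_FORM, TAG_FORM]

if __name__ == "__main__":
    for feature, v in assess_system(SAMPLE_FORMS).items():
        extra = f" (missing: {', '.join(v['missing'])})" if v["missing"] else ""
        print(f"{feature}: {v['status']}{extra}")
```

In the sample system the proprietary read-protect feature is declared by the chip but not by the reader, so it is reported as unavailable even though the chip supports it; that is exactly the mismatch the operator needs to see before counting it as a countermeasure.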
Not only is the PCS vital to the RFID operator in undertaking the privacy impact assessment, it can also be useful to the systems integrator in designing an RFID application. A systems integrator that really wants to improve the privacy of RFID applications can also create PCS forms from data sheets and submit them for general use.
To address the potential hundreds of PCS forms, EN 16571 required a Registration Authority to be established. This is CNRFID, the French National RFID Center, whose experts were deeply involved in the development of the standard. To make it as easy as possible for a vendor to complete a PCS form for a product, blank forms can be downloaded and many features just completed with a simple . It could not be easier for someone with product knowledge.
The EN 16571 Registration Authority publishes the PCS forms for any RFID operator or systems integrator to freely download.
This is why the GDPR is relevant for RFID applications.