Deutsche Version

In this text, we want to deal in brief with notable statements and topics that occurred at the “RFID Security, Data Protection & Privacy, Health and Safety Issues” workshop on 16-17 May, 2006. The order is that of occurrence at the workshop.

• Reijo Aarnio recommended, “an Article 29 subgroup should be set up to find a definition of what is personal data”.
  • We believe that the Article 29 subgroup should not only find a broadly understandable definition for “personal data” but also for “data that can be linked to persons” and “data that could potentially be linked to persons”, as we did in an exemplary way in our submission to WP 105. For privacy and data protection, what is crucial is not only data that has been linked at a given time but also, before the act of linking, the data's intended use and its potential of being linked.

• Koen Dupon: “demand to choose actively to buy product with or without RFID”
  • In our view it is a right to be able to choose freely and without extra effort between products with or without RFID.

• Koen Dupon further demanded: “no secret tags and readers: clearly marked”
  • The marking must go beyond the EPC logo, which carries no real message; it must feature a warning or hazard symbol (e.g. black on a yellow triangle)

• Anette Høyrup recalled “sustainability - environmental consequences”
  • The topics of waste and waste disposal were not discussed. How will waste disposal be organised if RFID-equipped products fall under separate legislation (such as German and European regulations on Waste Electrical and Electronic Equipment) and can't be disposed of as household rubbish? Are manufacturers be liable if a citizen won't follow these rules? Will collecting sites be prepared for the ensuing mountain of packaging with embedded RFID tags? Is this a desirable development in terms of the overall economy?

• Sarah Spiekermann conjectured, “we might need several industry-specific guidelines instead of one big one”
  • We demand central, unambiguous standards for data protection. Methods of implementation may well be specific to individual industries. What is important is that the maintenance of privacy is and remains independent of the various implementations.

• John Borking introduces five points, which we agree with. Data protection regulations must become more enforceable than they currently are:
  • privacy risk analysis must be performed
  • 2002/58/EC applicable? No. New legislation needed
  • need for privacy ontologies
  • privacy risk management applications needed
  • high fines for breach of privacy law

• Humberto Moran stipulates that “all privacy related software should be open source”
  • We agree. It is of further importance that devices must identify themselves (also) to individual citizens.

• Yan Le Hegarat explains: “all tags could possibly lead to personal data”
  • This is why we necessitate Privacy Enhancing Technologies and similar strategies in implementations - as a fundamental principle and everywhere. This is also the reason why not only linked personal data but also all data that could potentially be linked to persons must be subject to the law.

• Yan Le Hegarat goes on to warn: “do not forget background processing”
  • This important point was not given enough consideration in presentations or in the discussion. Data linking occurs in the background, therefore (potentially) without information of affected citizens and especially without offering them options of intervention and limitation.

• Anette Høyrup says: “legislation and guidelines on RFID are essential but not enough”
  • We need a dialog involving all affected parties and an independent technology impact assessment as well as suitable laws to protect citizens, but also to protect companies from rival companies and their shareholders.

• Anette Høyrup further demands: “close discussion EU commission with EPC Global”
  • A discussion should not only be conducted with EPC Global but with all affected parties. For a long time international groups dealing with data and privacy protection have called for a round table, see
    http://www.privacyrights.org/ar/RFIDposition.htm and
    http://www.foebud.org/rfid/unsere-forderungen

• Sarah Spiekermann insists: “only opt-in to specific service, otherwise disactivate without transaction costs”
  • We agree: privacy protection must not require extra effort, such as joining a new queue at Metro's deactivator.

• Sarah Spiekermann also calls: “need cheap, easy-to-use privacy”
  • We almost agree: To protect privacy must not only be cheap or good value for money, is must be cost-free.

• Jeroen Terstegge concludes: “CDT paper is good start, but only a start”
  • We have put together a comprehensive criticism of the CDT paper in a separate text. The EU could chair a round table with all affected parties on the European level. Apart from its deficiencies, the CDT paper has the problem that it reflects the US situation, which in our view can't just be imported into Europe.

• Rosa Barcelo in her summary of the session that she led: “strong call for PET, mandated by law” and “call for legislation assuring privacy assessments”
  • We say: yes, Privacy Assessments before introduction, and regular, independent, unannounced privacy audits subsequently, must all be mandated by law.

• The question arose if it would not be possible to define a safe “privacy distance” for tag reading, which could then be required by law.
  • We refute this: Any distance - however small - can be extended by relatively simple means, such as relaying. See
    http://www.eng.tau.ac.il/yash/kw-usenix06/kw-usenix06-forhtml.html and the capabilities of the RFID Guardian under
    http://www.rfidguardian.org/index.html.

• “is surveilling an employee all the time allowable?”
  • We say: no, human rights cannot be given up at the factory gate! Incidentally, the topic of RFID affecting citizens in the workplace has not received enough attention during the consultation.

• “When we update legislation, look at personal and behavioural data”
  • We call for legislation to firmly lay down the principle that human rights override all commercial interests. This specifically includes the human rights of privacy and data protection.

• “not discussed: implants, government applications, public transportation, employee issue in supply chain”
  • These and other topics were not raised. More consultations on these areas seem advisable.