Wednesday, April 06, 2011

Digital Agenda: new guidelines to address privacy concerns over use of smart tags

"Privacy and Data Protection Impact Assessment (PIA) Framework for RFID Applications", N. Kroes' speech and EU Comm's press release. From Kroes' speech: "This PIA Framework for RFID Applications constitutes an interesting model that could be used for other similar situations or areas, such as smart metering and online behavioural advertising." Annex III provides a list of possible privacy risks related to the use of RFID.
These include instances in which (my personal "selection"):

- The purpose of data collection has not been specified and documented or more data is used than is required for the specified purpose.
- Data is collected in identifiable form that goes beyond the extent that has been specified in the purpose.
- Personal data is combined to an extent that is not necessary to fulfil the specified purpose.
- There is no way for the data subject to initiate a correction or erasure of his data.
- Processing of personal data is not based on consent, a contract, legal obligation, etc. Example: An RFID Operator shares collected information with a third party without notice or consent as otherwise legally allowed.
- The risk that RFID Tags could be used for regular profiling and/or tracking of individuals. Example: Retailer reads all tags that they can see.