EU’s Digital Agenda Passes Union-Wide RFID Standards

The Digital Agenda for Europe is now implementing EU-wide technical standards and “data protection impact assessments” to encourage RFID use. The most notable aspect of this standardization is the introduction of a new logo that will make it immediately obvious when an RFID tag is in use.

EU RFID logo

A recent press release detailed the new standards for developers and retailers alike.

These standards follow eight years of European Commission policy work on data protection and digital security. The Digital Agenda acknowledged that increased RFID use, with all of its potential in several industries, brings with it heightened security concerns.

Neelie Kroes, VP of the European Commission, added “smart tags and systems are part of everyday life now, they simplify systems and boost our economy. But it is important to have standards in place which ensure those benefits do not come at a cost to data protection and security of personal data.”

RFID tags, also called “smart tags,” transmit data via radio frequency and do not require physical scanning as long as an RFID reader is at an appropriate distance. According to the Digital Agenda press release, “the global market for RFID applications is expected to grow to $9.2 billion in 2014.” It is currently used in ticketing, healthcare, retail, banking, and identification (such as e-passports).

Both the EU and the US have been working to ensure security keeps pace with its heightened use. In the US, approximately 20 states have data protection and privacy laws regarding RFID tags, while the European Commission has been implementing and refining policy since 2006.


Neelie Kroes, head of the EU’s Digital Agenda Photo: Sebastiaan ter Burg / Flickr

In 2011, the Digital Agenda signed the Privacy and Data Protection Impact Assessment Framework for RFID Applications, the first of its kind in Europe. Its Privacy Impact Assessment (PIA) framework set a standard by which developers and retailers could ensure compliance with up-to-date security measures. The policy defines a PIA as “a process whereby a conscious and systematic effort is made to assess the privacy and data protection impacts of a specific RFID Application with the view of taking appropriate actions to prevent or at least minimize those impacts.”

The paper outlined methodologies for the framework, reports, and industry- and application-based templates for these PIAs. At the time, Commissioner Neelie Kroes issued a press release saying “this PIA Framework for RFID Applications constitutes an interesting model that could be used for other similar situations or areas, such as smart metering and online behavioural advertising.”

The 2014 technical standards will create a unified framework for RFID identification, assessment, and risk management. An EU-wide logo will identify all RFID tags and readers to make them easily identifiable and to help ensure consumers are aware they are being used. In addition, they also provide refined rules regarding consumer information and consent to mitigate public concerns about unknowingly using or possessing items with smart tags. The new rules provide retailers with a set of guidelines to ensure they are always in compliance with PIA standards.

In 2012, the Commission published RFID Tags Privacy Threats and Countermeasures. The report outlines business context in which RFID-tagged products could potentially be used to gather customer information after point of sale and established guidelines for tag deactivation.

Although mainstream products such as credit cards and cell phones have already been implementing higher security standards, the increased use of RFID technology in other devices has led to concerns that not all manufacturers are in compliance with these security measures. Standardization is an attempt to curb those concerns.

The 2011 PIA methods for addressing these risks include industry-specific PIA framework templates. For instance, the deactivation policy for a library book, which will be returned to a library multiple times, should be different than for a bookstore. RFID applications are categorized into “levels” based on the sensitivity of the data stored on the tags. “Data protection by design,” reinforced in the new technical standards, requires risk assessment at the beginning of the development phase to proactively mitigate potential privacy and security risks.