Data protection issues relating to the use of RFID technology

The number of applications in which chips are used is growing by the day. RFID (radio frequency identification) uses radio waves to read and store data without the need for any contact or line of sight. Although there are certain areas where the use of RFID chips does not raise any data protection concerns, there are others which pose considerable risks for the private sphere of the population at large. It is therefore important that whenever this technology is used, measures are taken to prevent the unlawful processing of personal data.

One use of RFID technology that many people are familiar with is the alarm systems found in department stores. At the exits, it is usual to see reading devices which send and receive radio signals. A label containing an RFID chip (known as a transponder or tag) is placed on each article offered for sale. Once the goods have been paid for, the transponder is deactivated. Going past the reader with an article containing a non-deactivated transponder will trigger an alarm.

The transponder usually consists of a chip, an aerial and a housing. Typically, transponders are placed in glass cylinders, plastic disks and cards (debit cards for example), but they may also be embedded in a layer of foil. They can be placed on, or affixed to, any kind of object. In RFID technology, a distinction is made between active transponders which have their own energy source (i.e. a battery), and passive transponders that obtain the energy they need from the radio signals emitted from a read/write device. Thanks to this energy, passive transponders are able to transmit the data they contain.

Logistics companies use RFID technology to track goods from the source to the point of delivery, e.g. for parcel services, baggage tracing and identification, pallet labelling, warehouse systems and inventory control. It is also used for security applications, that is, for the identification of persons, animals, vehicles, access control, goods surveillance, vehicle immobilisers and door locking systems, as well as for transport systems and ticketing (including tickets for public transport, major events and ski passes).

It is highly probable that EPC (electronic product code) based on RFID technology will soon be widely used in department stores. EPC is an extension of today's barcode (the so-called EAN, or European Article Number). The introduction of EPC will allow each article to be provided with a unique global identification number. Customers who purchase goods and identify themselves with a credit or customer card may find that the unique article numbers are associated with them for a long, if not indefinite, period of time. There is also some discussion about whether RFID chips should be embedded in banknotes.

From a data protection perspective, the use of RFID technology creates a risk. The problem is that radio waves allow data to be processed over a given distance without any need for a direct line-of-sight link with the chip and without the data subject having to take an active part in the process. In other words, data processing can take place without the knowledge of the data subject. Any data on RFID transponders that have not been destroyed or deleted can be read by (invisible) readers. If the data read in this way are linked with data from other sources, there is a risk that someone may be able to build up a purchasing or movement profile.

Even adding RFID chips to banknotes could be highly problematic from a data protection perspective. We believe that it should not be possible to determine which banknotes were withdrawn by whom from which automatic teller machine, nor where those banknotes were then used to buy certain products or services. The Data Protection Act authorises the processing of personal data only if data subjects consent to their data being processed, if the processing is justified by a superior public or private interest, or if there is a legal basis for the data to be processed. Consent is only valid if the purpose, place and manner of the data processing have been specified. The principle of good faith presupposes that data subjects are informed in a transparent manner.

We recommend that the manufacturers and operators of RFID applications and systems take the necessary steps to ensure that RFID technology is used in conformity with data protection requirements. The following points are of particular relevance:

  • The processing of personal data should be avoided as far as possible. Where it is unavoidable, the data subject must be informed clearly about the purpose of the data processing and about the information system. Furthermore, the data subject must be told what data will be collected, where it will be collected, how it will be processed (e.g. whether the data will be transferred to third parties) and when it will be deleted. In order to fulfil the transparency requirement, customers' attention must be drawn to the articles that are fitted with RFID transponders.
  • The data collected may only be used for the purpose originally specified.
  • Data subjects' information rights must be guaranteed.
  • Depending on the application in question, transponders must be destroyed, deactivated, or at least have any information they contain deleted. Persons who acquire radio chips as a result of buying or being given an article must be able to delete the data, or have it deleted, either in whole or in part, so that such data cannot be reconstituted. Furthermore, they must be able to destroy the chip or have it destroyed. Any articles that may be loaned (e.g. books from a library) should have their transponders deactivated for the duration of the loan so that they cannot be read at any time while they are in the user's possession. The transponder should only be reactivated when the goods or articles are returned.
  • Information security must be guaranteed at all times. Security must be hard-wired into the systems so as to maintain data confidentiality, availability and integrity. Information contained in transponders must be protected (e.g. by means of encryption) so that it can only be used for the application intended. The owners of a reader or a recording device should not be able to read information stored on an unprotected RFID transponder. It would be particularly worrying if a reader were able to determine how much money someone was carrying on them.

[July 2005]