Papers 201 iglezakis-presentation-en-v001
0 likes273 views
The document discusses regulation models addressing data protection issues concerning RFID technology in the EU. It describes RFID technology and its infrastructure. It also outlines privacy risks from RFID systems, such as enabling user profiling and covert monitoring. Current EU directives on data protection and privacy are examined, but self-regulation is deemed insufficient given RFID privacy risks. The document argues for making privacy impact assessments mandatory for high-risk RFID systems or introducing specific data protection rules and technical standards.
Papers 201 iglezakis-presentation-en-v001
- 1. Regulation models addressing data protection issues in the EU concerning RFID technology Ioannis Iglezakis Assistant Professor in Computers & Law Faculty of Law, Aristotle University of Thessaloniki
- 2. RFID Radio frequency identification (RFID) is a new technology which uses radio waves for the automatic identification of individual items and thus, it allows the processing of data over short distances RFID systems are considered the next generation of bar codes 4TH INTERNATIONAL CONFERENCE ON INFORMATION LAW THESSALONIKI –MAY 20-21, 2011 2
- 3. RFID Infrastructure Tags The tag consists of an electronic circuit that stores data and an antenna which transmits the data 4TH INTERNATIONAL CONFERENCE ON INFORMATION LAW THESSALONIKI –MAY 20-21, 2011 3
- 4. RFID Infrastructure RFID reader It has an antenna which receives the data and a demodulator. The RFID reader sends and receives back signals from the tags via one or more antennas and transmits the data to databases or software applications. 4TH INTERNATIONAL CONFERENCE ON INFORMATION LAW THESSALONIKI –MAY 20-21, 2011 4
- 5. Taxonomy of Tags passive tags have no own power supply and receive energy from the reader antenna 4TH INTERNATIONAL CONFERENCE ON INFORMATION LAW THESSALONIKI –MAY 20-21, 2011 5
- 6. Taxonomy of Tags active tags have their own power supply. 4TH INTERNATIONAL CONFERENCE ON INFORMATION LAW THESSALONIKI –MAY 20-21, 2011 6
- 7. RFID systems applications Retail Sector Transportation Logistics Healthcare Security & access control Aviation Libraries Schools Leisure 4TH INTERNATIONAL CONFERENCE ON INFORMATION LAW THESSALONIKI –MAY 20-21, 2011 7
- 8. Risks of RFID systems to privacy RFID technology enables identification and profiling of a person; it may also lead to covert monitoring of individuals, which infringes informational privacy 4TH INTERNATIONAL CONFERENCE ON INFORMATION LAW THESSALONIKI –MAY 20-21, 2011 8
- 9. Risks of RFID systems to privacy where RFID systems are implemented in order to collect information directly or indirectly linked to personal data, so e.g., where products from a store are tagged with unique product codes which the retailer combines with customer names collected upon payment with credit cards and link them with the customer database. also, where personal data is stored in RFID tags, so, e.g. in transport ticketing 4TH INTERNATIONAL CONFERENCE ON INFORMATION LAW THESSALONIKI –MAY 20-21, 2011 9
- 10. Risks of RFID systems to privacy Even if the customer is not directly identified by means of the tagged card, he can be identified each time he visits the same shop as the holder of the card. Similarly, an individual can be tracked by shops which scan tagged products of customers. And further, third parties may use readers to detect tagged items of by passers, violating in that way their privacy 4TH INTERNATIONAL CONFERENCE ON INFORMATION LAW THESSALONIKI –MAY 20-21, 2011 10
- 11. Risks of RFID systems to privacy RFID tags can be read without line-of-sight and from a distance without being noticed and therefore, they are prone for application by retailers for customer profiling, as well as for monitoring for other purposes, e.g., for law enforcement purposes, etc. 4TH INTERNATIONAL CONFERENCE ON INFORMATION LAW THESSALONIKI –MAY 20-21, 2011 11
- 12. Legal requirements of data protection with regard to RFID Directive 1995/46 Data quality principles Legitimacy Right to information Right of Access Data Security 4TH INTERNATIONAL CONFERENCE ON INFORMATION LAW THESSALONIKI –MAY 20-21, 2011 12
- 13. Legal requirements of data protection with regard to RFID Directive 2002/58 on privacy in electronic communications It applies “to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Community, including public communications networks supporting data collection and identification devices”. 4TH INTERNATIONAL CONFERENCE ON INFORMATION LAW THESSALONIKI –MAY 20-21, 2011 13
- 14. Legal requirements of data protection with regard to RFID EU Commission Recommendation of May 12, 2009on the implementation of privacy and data protection principles in applications supported by radio- frequency identification 4TH INTERNATIONAL CONFERENCE ON INFORMATION LAW THESSALONIKI –MAY 20-21, 2011 14
- 15. Regulation vs Self-Regulation The PIA Framework that was endorsed by the Article 29 Working Party is an important instrument However, the recommendation on which it was based is not mandatory, but it is drafted to provide guidance to EU Member States on the design and operation of RFID applications. 4TH INTERNATIONAL CONFERENCE ON INFORMATION LAW THESSALONIKI –MAY 20-21, 2011 15
- 16. Regulation vs Self-Regulation To effectively address the data protection issues posed by RFID technology requires making the PIA process mandatory, providing also for the notification of its results to the competent data protection authorities, which should have the right to prior checking of RFID systems posing significant privacy risks. 4TH INTERNATIONAL CONFERENCE ON INFORMATION LAW THESSALONIKI –MAY 20-21, 2011 16
- 17. Regulation vs Self-Regulation Alternatively, the data protection legislation could introduce specific rules for RFID systems and more particularly, rules establishing technical solutions, since it is difficult to achieve privacy by design by self-regulation 4TH INTERNATIONAL CONFERENCE ON INFORMATION LAW THESSALONIKI –MAY 20-21, 2011 17