The Challenge of RFID Technology - Presentation by Professor Francesco Pizzetti at the Spring Conference of European Data Protection Authorities - Budapest -  24 April 2006

European Data Protection Spring Conference 2006 – Budapest, 24-25 April 2006

The issues related to use and development of RFID technology have long been the focus of attention by the European data protection authorities.

In its Opinion of 19 January 2005, the Article 29 Working Party provided some initial guidance in order to clarify: a) the application of Directive 95/46 to the data collected and processed by means of RFID technology, and b) how to ensure that this technology is implemented in a manner that is compatible with personal data protection requirements.

The WP29´s Opinion was quite detailed and rich in prescriptions and warnings, mostly addressing specific applications of the RFID technology and/or possible uses of the data collected via such technology.

From both viewpoints, a major feature of the Opinion consists in its being expressly meant as a "provisional" instrument.

Indeed, as for the limitations on and mechanisms for application of Directive 95/46 to the data collected and processed by means of RFID technology, the Working Party clarified from the start that it would be necessary to probe deeper into the concept of personal data as such.

More specifically, the Working Party has highlighted that application of the Directive to the data collected and processed via RFID devices depends in many cases on the possibility to relate the data to identifiable individuals. This warrants, in turn, considering the very concept of "identifiability" of an individual and the possibility of relating a data to an identifiable individual. There are two main scenarios to be considered from this viewpoint: either the data as such identifies a given individual, therefore it accounts for that individual´s identifiability (e.g. if an RFID tag contains identifying personal data, or else biometric data), or the data as such only identifies an object and the latter may be related to an identifiable individual exclusively on the basis of additional elements (e.g. in the case of an RFID tag placed on clothesware purchased by a customer via his credit card, or else if a customer purchasing a tagged product has used a fidelity card that allows the entity processing both the data on the purchased product and the information on use of the fidelity card to identify the customer as the purchaser).

Faced with this multiple cases, the Article 29 Working Party has chosen a concrete, pragmatic approach.

On the one hand, certain specific applications were considered in respect of the data that may be acquired by means of RFID technology, where such data may be related to an individual that is identifiable irrespective of the relevant mechanisms. Here the WP29 affirmed the applicability of the provisions set forth in Directive 95/46/EC and laid down ad-hoc rules and prescriptions. On the other hand, as for the possibility to relate a given data to an individual who cannot be identified on the basis of such data, however may become identifiable by associating the latter data with another piece of information – or else on the basis of a sort of "legal presumption" consisting in the possession of the tagged object –, the WP29 stressed its intention to probe deeper into the interpretation of the Directive with particular regard to the wording of Article 2, letter a) also in the light of Recital 26 of the Directive, as well as in respect of Article 3 of the said Directive.

Additionally, the WP29 Opinion refers to the awareness that this technology is under development and it is currently impossible to foresee all possible applications, not to mention regulating all possible uses. This is why the WP29 reserved the right to reconsider RFID-related issues in future also in the light of the supervening developments and the resulting innovative applications.

It should be pointed out that the WP29 stated its intention of also providing manufacturers of RFID devices with some guidance in order for them to take such guidance into account both in research and development activities and in producing RFID devices. That is to say, the opinion by the WP29 was not meant to hamper technological development, but rather to foster – as much as possible – technological evolution by respecting citizens´ rights and, in particular, their dignity and self-determination in using personal data.

The underlying assumption is that privacy and technological development must not be in conflict; indeed, the full-fledged respect for privacy can be, and is already, an asset for technological development, because it can support citizens´ and consumers´ trust in new technologies.

Thus, Opinion no. 105/2005 of the Article 29 Working Party is grounded on a "dynamic" concept of the relationship between technology and privacy. This concept entails, in turn, two main preconditions – firstly, that the respect for the right to privacy as set out in Article 1 of Directive 95/46, and subsequently enshrined in Article 8 of the Charter of Fundamental Rights of the EU, can and must be binding on any technology ever since its initial design by preventing unlawful applications; secondly, that privacy-oriented technological design and innovation can make it lawful and admissible to collect and process data in accordance with mechanisms that otherwise would have to be prohibited.

Further to the preparatory work for the WP29´s Opinion, Member States´ data protection authorities have been focusing on the implications resulting from the application of this technology.

In particular, the Italian data protection authority adopted a provision (on 9 March 2005) which took up and developed the contents of the WP29´s opinion by adapting it to the Italian legal system and  stressing some grounds for concern and prohibitions. Reference should be made, in this regard, to the prohibition against underskin RFID chips, which should only be deployed in exceptional cases on proven grounds related to protection of the individual´s health as well as by fully complying with the proportionality principle.

Additionally, the Italian data protection authority re-affirmed that its authorisation will be necessary whenever use of RFID technology entails the processing of sensitive data. RFID devices intended for underskin implants will require the Authority´s prior checking and authorisation, as it can be assumed that they entail as such specific risks for the data subjects´ rights, fundamental freedoms, and dignity.

In spite of the short time span since their adoption, both the WP29´s Opinion and the Italian authority´s provision have already been commented upon by their addressees as well as by scholars in general.

It should be recalled that after adopting its opinion, the WP29 launched a public consultation exercise that received contributions from several consumer protection associations, universities, think tanks, businesses, and trade union representatives. Most contributions actually came from entities operating in the EU, and about 10% from entities established in Canada and the USA.

The comments provided showed that several entities believed that it might be necessary to amend the data protection Directive in order to fully apply privacy principles to RFID technology, i.e. by adding specific RFID-related provisions. Other contributors challenged the interpretation provided in the WP29´s Opinion with regard to the concept of personal data as any data related to an identifiable individual and raised the point that the Opinion contains guidelines applying to data processing operations that would not appear to fall within the scope of the Directive. This objection was raised with particular regard to the application of EPC Global Standards by several industry sectors.

Following the outcome of the public consultation, the WP29 set up a working group in charge of analysing the concept of "personal data". Additionally, the WP29 included the interpretation of the personal data concept as the first item on its 2006 agenda and made the drafting of a new opinion on RFID technology one of its five top targets for the current year.

The Opinion by the Italian data protection authority has also been the subject of interesting studies and researches, especially in the academic world.

In particular, reference should be made to a post-graduate thesis in management engineering presented at the Milan Polytechnics Institute, concerning "RFID Technologies and Their Impact on Consumer Privacy: An Overview of the Situation Following the Provision by the Italian Garante". This post-graduate thesis – by Simone Bricola and Lorenzo Nardi, working at the RFID Observatory of the Milan Polytechnics under the guidance of Prof. Giovanni Miragliotta – contains interesting clues. Some concrete applications of RFID technology in Italy are considered and assessed on the basis of a methodological benchmark termed "Privacy System", which was developed exactly in the light of the provision issued by the Italian data protection authority.

The results of this analysis show that it was difficult to timely comply with the guidance contained in the said provision also in Italy, which partly mirrors the issues highlighted following the European consultation.

The above considerations as well as the stance recently taken by the WP29 clearly show that the debate on RFID technology is far from being over.

In fact, it should be pointed out that research and investments related to RFID technology – after a slump due to cost-abatement difficulties – have been gaining pace of late, in particular because of the growing applications to logistics, distribution and automation of the whole supply chain as supported by initiatives such as the EPC Global System.

Indeed, the European Commissioner for Information Society and Media, Ms. Viviane Reading, recently stated – in a lecture held at the International CeBIT Summit of Hannover, in March 2006 – that the Commission plans to present, by the end of 2006, a Communication on the use and development of RFID within the EU, which might also specify the legislative and harmonisation measures to be adopted. Commissioner Reading also set a timetable of the activities aimed at developing and presenting the Commission´s Communication, in particular the organisation of ad-hoc workshops between March and June of this year in view of an ad-hoc online consultation.

During the First European Congress of Data Protection Authorities in Madrid, Director General Francisco Fonseca said that the Commission, and anyway the JLS Directorate and the Secretariat, expect national data protection authorities and the Article 29 WP to actively participate in the discussion and implementation of the Communication to be presented by the Commission on these issues as well as on the issues related to Internet use.

Thus, there will be no dearth of opportunities and stimuli for data protection authorities to ensure that their voices are heard in respect of the applications of this new technology, and I am sure that we will have to shortly tackle all the relevant issues.

This is why I consider that the Work Programme developed by the WP29 at its latest meeting of 4 April 2006 is of the utmost importance; indeed, I regard the challenge raised by this new technology as a veritable testing ground for our authorities. This applies not only to the concrete application of the provisions contained in the Working Document of 19 January 2005 by the WP (as well as of the provision adopted by the Italian DPA on 9 March 2005); indeed, it is related to two different issues as well: on the one hand, clarifying when a data may be defined as a personal data; on the other hand, what challenges are raised by the unrelenting technological development. Here I will be addressing only the latter issue.

Addressing the data protection implications of RFID technology actually means facing the unrelenting development of this technology.

RFID applications are bound to increase exponentially as costs are abated, wireless systems become less sensitive to physical hindrances, and the reading distance between RFID tags and readers is increased.

A key role will be played, above all, by the full exploitation of the potential inherent in this technology as resulting from the creation of networks that, based on any one of the different configurations and systems developed and tested over the past few years, will allow using an efficient network for the ubiquitous, global management of billions of tags in the most diverse production and distribution contexts – such as the EPC Global System.

From this viewpoint, we are on the eve of the full implementation of the so-called "Internet of Things", with all the attending consequences in terms of the relationship between physical and virtual world.

RFID technologies have long enabled the dialogue between machines and objects via radiofrequency waves, i.e. via non-line-of-sight approaches. The association of RFID technologies with network technologies has long enabled machines to talk with one another as well as with objects. This has resulted into an "object-machine-object" interaction that can do without, but also place constraints on, man. Indeed, this is where the first as well as the most delicate frontier is found as regards the application of data protection principles to RFID technologies.

In the "object-machine-object" interaction, personal data protection is to be attached increased importance compared with the cases in which a personal data must be safeguarded against processing operations that are carried out by human beings – albeit automated, i.e. availing themselves of machinery and IT skills.

It is one thing to protect man against man, and it is another thing to protect man against machines; it is still another thing to protect man against the infernal interaction between objects and machines and/or machines and objects.

With the help of RFID technologies, an object that belongs and can be traced back to a given  individual can talk with other objects by the agency of a machine without that individual´s active participation and knowledge.

This may give rise to awful scenarios and our imagination can easily conjure up the vision of objects that work against man by using the identifying information they hold on him.

One might argue that this is too far-fetched, maybe that it is science fiction, or even just a scary movie.
Maybe it is so. However, the planning and testing of the possible applications of RFID technology do show that these scenarios are far from being remote.

Nobody can fail to notice that the new RFID technologies, which are capable to identify each object and allow such object to be processed – via EPC standards – without time or space constraints, make available business opportunities and production developments that nobody can really afford to ignore.

Reading the speech by Commissioner Viviane Reading is enough to realize that this is the focus of the Commission´s activities, which are investing time and resources on these technologies also in order to enhance the EU´s competitiveness, speed up economic development, and support the EU in meeting global challenges.

Therefore, we should not imagine that our objection may only be grounded – which would be rightful in itself – on the need to defend man and his dignity.

Indeed, you cannot stop technological development for man´s sake, because man actually tends to see technological benefits more than technological dangers, as he is too often a prey to his nature of homo oeconomicus.

Indeed, even if it were possible to stop technological evolution for the sake of human dignity, one could not argue that, in so doing, one would be really serving man´s best interests.

Blocking technological development means waiving new opportunities: it is tantamount to attempting to stop progress, or to stop future for the sake of the present – often of the past.

Thus, we must be capable to protect man against himself by helping man to use technology insofar as technology can provide something good and useful – and by always helping man to defend himself against the misuse and harm inherent in any technology, from the discovery of fire onwards up to nanotechnologies.

This is where I consider that our data protection authorities can play a "political" role and act politically – that is to say, we are called upon to set forth rules and supervise ongoing developments, for which no specific regulations are in place and which touch upon man´s fundamental right to the protection of his own identity, freedom and dignity.

Before moving on to my conclusions, let me briefly refer to the most advanced frontier we are already approaching when dealing with RFID technologies.

I am referring to the RFID tags that are implanted directly in one´s body.

Both the Article 29 Working Party and the Italian data protection authority have paid special attention to – indeed, the Italian data protection authority has also expressed its marked objection against – the use of underskin chips and, more generally, of any implanted chips by referring to the risk that the human body may be turned into a password.

However, I would like to go one step further.

Indeed, the most concrete risk we are running is that man may be turned into a thing.

An underskin RFID tag may autonomously talk with machines, and through machines it may talk with other things and objects. It can already receive messages, maybe orders – and even more so in future. It may be activated or de-activated following remote commands that are totally beyond the control of the individual on whose body the tag was implanted.

In a not too distant future, it will be able to control the body by conditioning certain muscles or other body parts. It will be able to modify and influence moods and feelings, sensations, thoughts.

And this will take place without the tagged individual´s being always in a position to object, maybe without his being fully aware of what is happening.

Therefore, caution, attention, concern are not enough.

There is much more to ponder, consider, evaluate, foresee when dealing with human applications of RFID technologies. This is especially the case if such technologies can work in an EPC environment and thereby talk with machines and other things or objects.
Still, great care is required because the possible scenarios involve endless complications and ambiguities.

An RFID tag may be implanted in a human body to retain data concerning that individual and fully exploit its potential as a tool to identify and get in-depth knowledge of such individual. In turn, the information retrievable from a tag might allow an individual to apprehend the most intimate features of his own conduct, which maybe he had never realised before. Still, a tag may also play a highly beneficial role if the data it has collected, being read by someone entitled to do so, can provide information that is vital to ensure the individual´s safety.

A tag may contain the data required to treat a very rare disease, or maybe one whose treatment requires information that is difficult to obtain via standard family histories. A tag might contain information on an individual´s biological will and thereby do away with all ambiguities as to his willingness to continue living in case he goes into an irreversible coma.

But there is more to this.

A tag might contain personally identifiable information that is useful, or even indispensable, in some cases with a view to increasing an individual´s security or else facilitating that individual´s identification under especially risky circumstances. Only think, for instance, of military or security corps, including civil defence corps, for which it is essential to establish that the relevant instructions have been given lawfully – which can be facilitated if the entity issuing such instructions can be identified unambiguously irrespective of the specific circumstances.

Only think of individuals performing high-risk activities, whereby such risk – whether to them or to others – may be reduced or eliminated if it is possible to promptly and unambiguously identify the individuals in question.

Many other examples could be made; still, those reported here show how difficult, indeed impossible it is to take one-way positions – to say either yes or no, to issue either prohibitions or permissions.

Never as much as in these extreme cases should one reconcile the need for safeguarding human dignity with the equally fundamental need for defending other values at stake such as the right to one´s own life and one´s own and others´ safety and security. The choices to be made may be difficult; still, they do require the provision of specific, carefully thought-out  guidelines as to both the technological measures to be adopted and the data protection and security safeguards to be afforded.

This is not enough, however.

The human body may be commodified not only when you implant a tag on or into it in order to identify it and collect data concerning such body; indeed, this may also happen if you tag a "thing" in order to identify that thing and ensure that it works properly. That "thing", once it has been implanted permanently in a human body, may turn into an item that can identify an individual and turn him or her into, once again, a thing.

Think, for instance, of a tagged prosthesis or pacemaker, and imagine that the RFID tag is aimed basically at monitoring the wear-and-tear of the prosthesis, i.e. it is meant as a security item to ensure that the prosthesis works properly.

It would be difficult to maintain that this is not a useful protective measure – indeed, one might argue that it is so useful that it would be harmful to go without it.

If it is useful and acceptable to have an RFID tag in place to signal that the braking system of a car is malfunctioning, would it not be equally useful and acceptable to have an RFID tag in place that signals when the power in a pacemaker is running out?

Still, can one really fail to appreciate that, in the latter case, there is the risk that a "thing" might turn the individual´s body into a "thing" as well?
Again, it is really difficult to devise the "right" solution, to have rock-solid certainties.

It is unquestionable that the proportionality, data minimisation, and purpose specification principles can be of help. Nevertheless, it would be difficult to deny that ultimately the issue at stake consists in balancing different values and – to a considerable extent – in devising suitable security measures.

Thus, to conclude:

One can already conceive of tags or chips that, once inserted into the human body, are helpful or downright indispensable to monitor a patient´s health and verify the status of body organs that could not be reached otherwise, or maybe could only be reached at an increased risk if other technologies were applied.

However, one is confronted, once again, with a situation in which there are things talking to machines; indeed, these are things that can, perhaps are mostly bound to, receive instructions from machines, which maybe are, in turn, linked by necessity with other things. And this whole machinery works without human intervention – it is beyond human control.

But, is it really possible to prohibit or counter the use of RFID tags as such for the purposes described here?

Which values are at stake? Which balancing should be aimed at? Which mechanisms should be implemented to collect and process the data? Which security measures are required?

Security measures are actually one of the key technological challenges for both RFID experts and industry. To disseminate RFID technologies, RFID chips must be as simple as possible in order to reduce their costs until they become negligible also in respect of unit products – rather than by having regard to the aggregate amount of containers or pallets, as is currently the case. Such simple, inexpensive RFID chips may not be equipped with sophisticated electronic circuits – and experts are concerned by the few logical ports available on each chip; therefore, it will be quite difficult to incorporate the security functions, such as encryption algorhythms, that are the standard fare in state-of-the-art microchips. The ongoing researches are aimed exactly at bringing about the technical conditions to ensure the overall security of these systems.

One of the tasks entrusted to data protection authorities consists in checking, with the utmost care,  that the security measures are suitable for ensuring the protection of processed data. By the same token, it will be up to our authorities to prevent the multiplication of requests coming from police authorities, which – partly thanks to these technologies – are keen to obtain as much information as is available, which might ultimately give rise to a veritable surveillance society.

This is hard work; however, at this time of our history it is also a very important aspect of what makes our activity so fascinating and essential in the age of technology.