New EU consultations on RFID technology and digital rights management

04 March 2005

Luke Arbuthnot

The EU Article 29 Data Protection Working Party has recently released two papers for consultation:

Data protection issues related to intellectual property rights

The Paper focuses on digital rights management and copyright enforcement.

The Working Party invites comment on concerns that legitimate protection of intellectual property rights (e.g. requiring users to identify themselves before downloading songs or other media) could lead to tagging and the effective monitoring of internet users. The Working Party concludes by calling for:

“…development of technical tools offering privacy compliant properties, and more generally for a transparent and limited use of unique identifiers, with a choice option for the user.”

The Working Party also raises concerns in response to US and European cases involving requests for ISPs to release personal data of people infringing intellectual property rights. In this regard the Working Party simply asserts:

“…investigations performed by private actors such as copyright holders must be performed in a clear legal framework…”

Data protection issues related to Radio Frequency Identification (RFID) technology

RFID microchips can be embedded in various products, e.g. in identity cards, and emit a radio-frequency signal that can be scanned by a corresponding RFID reader. This Paper deals with the increasing use of RFID systems and the associated risks, and offers guidelines for their use.

The Working Party cites three main areas where RFID technology may infringe existing data protection law:

(i) collections of personal data, e.g. shops which build profiles by monitoring consumer behaviour through the issue of loyalty cards containing chips

(ii) storage of personal data

(iii) tracking of individuals, e.g. where shops include RFID tags in sold items that can be scanned by other shops

Based on existing data protection law, the Working Party provides a series of principles to be followed when using RFID technology. The principles outlined are intended to prevent the inappropriate use of the technology by stakeholders and also to minimise the risk of third parties “attacking” RFID systems by taking passive readings of data stored on microchips.