Title: INFORMATION IN RFID TAGS THAT QUALIFY AS PERSONAL DATA

The provisions of the European legal framework on data protection do not apply de facto to all information stored on an RFID tag. The collection and processing of data via RFID technology is covered by the provisions of the data protection directive only when the information stored in the RFID tag refers to an identified or identifiable natural person – thus qualifying as personal data – or when this information can be linked to other personal data (Art. 2 (a) data protection directive).

Besides the obvious cases of having an RFID tag implanted in the body of a natural person, it will be examined if and under what conditions an RFID tagged object or the information stored in an RFID tag can be considered as personal data. Vaguer are the cases when the information on the RFID tag can not be directly linked to a natural person, or at least some effort is needed. How easy shall the identification be? Recital 26 of the data protection directive reads that in deciding whether data could be used to identify a particular person “account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person” (emphasis added). Thus the recital sets two criteria for identifiability: the probability and the difficulty that tend to be interlinked. In any case it is supported that the term ‘personal data’ should include all data about a person (including economic, professional etc. data) and not only data about the person’s personal life . This breadth of the conception of personal data means that data are usually presumed to be ‘personal’, unless it can be clearly shown that it would be impossible to tie them to an identifiable person (that is, unless the data are truly anonymous). The interpretation of the Member States regarding the ease of identification differs significantly between them. The data protection laws of France, Germany and Sweden for instance talk about “means for identification which are reasonably capable (as opposed to likely) of being put to use” , p. 44].

In order to achieve a common approach towards RFID technology at European level, a common notion of what is perceived as personal data and what entails their processing is necessary. The directive applies without question, when information about an individual, such as his name, age, nationality etc., is directly stored on an RFID tag. Some RFID tags however may contain information that seems anonymous at a first glance. This information might nevertheless be easily associated to an individual, by linking it to information stored in a back-end database for instance and therefore its processing falls under the scope of application of the data protection directive . Such cases that are rather common in relation to RFID technology shall be handled in a common way from the Member States.

As the Article 29 Data Protection Working Party has already pointed out, it is essential in the case of data collection through RFID tags first of all ‘to determine the extent to which the data processed relates to an individual and [secondly] whether such data concern an individual who is identifiable or identified.’. In various applications biometrics are stored on an RFID tag. Although in most of the cases the legal framework on data protection applies, as biometric data from their nature reveal information about a specific natural person, Article 29 Working Party has already pointed out in its “Working document on biometrics” that “most biometric data imply the processing of personal data”(emphasis added). The Article 29 Working Party has recently adopted an opinion on the concept of personal data , attempting to clarify the notion of identifiability. The Working Party admitted that when it comes to “directly” identified or identifiable persons, the name of the person is indeed the most common identifier and in practice the notion of “identified person” implies most often a reference to the person’s name . However “identifiability” can be interpreted in a very broad way, depending on the circumstances of the case. Therefore in the context of RFID application, when the use of RFID allows the identification of a natural person with high degree of certainty, then the data protection legislation will apply.

In the ‘Metro Future Store in Rheinberg’ (S4) scenario the personal information about the customers is stored in the customer loyalty cards with hidden RFID tags. The data refer to an identified customer and their processing consists processing of personal data. However, not only the loyalty cards, but also the products were RFID tagged. The Metro Future Store had the possibility by means of hidden RFID readers to combine the products the customers were buying with the information on their loyalty cards in order to do personalised profiling. The customers should be informed that their personal data are being processed and the privacy principles set out in the European data protection legislation (that will be further analysed) shall be respected. In general it is to be mentioned that even if an RFID tagged product does not qualify as such as personal data, when it is linked to an identified or identifiable natural person through the payment via a credit card, an invoice or a loyalty card (as in the aforementioned example), then there is processing of personal data [, p. 24].

It is important to note that even if a customer is not identifiable via a credit card, he may be profiled on the basis of his behaviour in the shop and be confronted with refined types of price-discrimination (offers made on the display of his trolley). It is presently unclear whether this turns the data into personal data, and one may doubt whether the profile or the profiling techniques would be accessible as they may be protected by means of intellectual property, or simply be considered a trade secret. In this case the supermarket does not know the customer by name and the RFID technology does not involve the use of other explicit identifiers. According to the Article 29 Working Party (as commented at the end of scenario S4), in our example when a customer can be linked to a unique code on a tag (e.g. his watch) and a profile linked to this unique code can be set up, the supermarket is processing personal data and data protection law will apply (, p. 7). However opposite opinions can also be supported. The Dutch Ministry of Justice for instance in its Guidelines for personal data processors states with regard to the issue of identifiability: “A person is identifiable if the person’s identity can be established reasonably, without disproportionate effort (emphasis added). In other words, you must be able somehow to establish a connection between the data and the person. […] If actual identification is reasonably excluded because of encryption of the data and/or agreements about the access to the data, the person can not be identifiable. The actual situation is always the determining factor” (, p. 13, 14). If this approach is followed, then the example of setting up a profile on the basis of a unique product code on a tag (e.g. the watch of a customer) is not enough to justify processing of personal data, if the identity of the person cannot be established reasonably. [, p. 24], , p.14]. So it would not be easy to create access, even if art. 12 or 15 of the Directive would apply. The Working Party in its Opinion makes the judgement whether the processing of particular data concerns personal data dependant upon both the purpose and the context where they appear, while even allowing the same data to count as “personal data” with regard to one data controller while not counting as “personal data” with regard to another . The Opinion did not shed cleat light on the questions regarding the use of information in RFID applications and when they qualify as personal data. If any data that can at some point be related to an identifiable person is considered as a personal data, then in the case of wide-spread use of RFID systems ALL DATA will be personal data because of the possibility to link them. Of course the final decision will be made on a case by case basis, taking into account the specific conditions of every application or system. The Working Party considers that the technological state of the art at the time of the processing, as well as the future technological possibilities during the period for which the data will be processed, have to be considered. Identification may not be possible today with all reasonable means in use. Since technology is developing with great speed, in many cases it will not be possible for the controller to “guess” the means that might be used within some years, let alone after 10 or more years, a fact that raises the question whether we shall apply the data protection legislation in all RFID applications, following a “just-in-case” model.