Data controller in RFID applications
According to Article 2(d) of the data protection directive, ‘controller’ shall mean ‘the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data […]’. Determining who the data controller is is crucial, because it identifies the natural or legal person that needs to ensure respect for the principles related to lawful processing of data.
Security measures in RFID applications
According to Article 17 of the data protection directive, the data controller must ‘implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all unlawful forms of processing’. With regard to RFID technology, there is a need to define what such measures are. The possibilities are various: killing of the tag, its physical shielding, encryption etc. (see section ). The directive does not include a detailed list of the criteria that define the technical and organisational measures as appropriate. Respect for the proportionality principle, however, would dictate that the measures to be taken shall be stricter when the data processed are more sensitive. In the ‘Enhanced proximity card’ scenario (S2), the reader authenticates itself to the card with a relatively simple reader number. Could this measure be considered ‘appropriate’ under Article 17 of the data protection directive? Some scholars question whether the deactivation and removal of the tags can be considered a technical measure for data security and whether it is an actual obligation of the controller. In the ‘RFID at the CVS Corporation’ scenario (S6), tags are removed in the shops for privacy reasons.
RFID applications in law enforcement sector
RFID tags are also used for law enforcement; RFID armbands are already used by convicts in several European countries. The field of public and state security falls outside the scope of the data protection directive (of course, this might not be the case in all Member States, depending on the way the data protection directive has been implemented into their national legislation). In these cases we would need to ensure that the level of protection described in Article 8 of the European Convention for Human Rights is guaranteed (necessary, proportional and does not violate human dignity). The danger of leaving personal data that fall outside the scope of the data protection directive completely unprotected has been raised at a European level, and there is, at this moment, a draft framework decision on the protection of personal data processed in the framework of police and judicial co-operation in criminal matters.
