[GSDI Legal Socioecon] EDRI - New Guidelines to RFID Privacy Impact Assessments
Roger Longhorn
ral at alum.mit.edu
Thu Dec 1 07:30:08 EST 2011
FYI
EDRi-gram - biweekly newsletter about digital civil rights in Europe -
Number 9.23, 30 November 2011
============================================================
9. New Guidelines to RFID Privacy Impact Assessments
============================================================
On 25 November 2011 the German Federal Office for Information Security
(BSI) and the Institute for Management Information Systems of the Vienna
University of Economics and Business (WU) held an expert symposium on
RFID Privacy Impact Assessments in Berlin and presented their BSI
Privacy Impact Assessment (PIA) Guidelines.
The PIA guidelines are based on the RFID PIA Framework, a kind of
co-regulation instrument that was signed by Vice President of the
European Commission Neelie Kroes and industry representatives earlier
this year. The goal of the guidelines is to explain the PIA Framework
and to provide RFID application operators with an in-depth
understanding of the framework terminology and proposed procedures. The
methodology outlined in the document is understood to be a concretisation of
the generic process outlined in the PIA framework.
The PIA guidelines will help European RFID operators to ensure a high
level of data protection, which can be seen as an important aspect of
quality and a unique selling proposition for European companies, said
Professor Sarah Spiekermann, Head of the Institute for Management
Information Systems. The PIA guidelines are available from the symposium
website. PIA case studies for three different sectors will soon be
published by BSI.
In his presentation at the symposium the German Federal Commissioner for
Data Protection and Freedom of Information, Peter Schaar, explained
that, while Data Protection Authorities (DPAs) might not be able to
check each and every PIA report, in future, the results of privacy
impact assessments and the implementation of their results will be
important aspects in data protection inspections. He therefore asked
that PIA reports and the data protection goals identified in the course
of the PIA process should be made transparent to DPAs and individuals.
Furthermore, Mr. Schaar called for PIA frameworks to be defined at the
European level and for the establishment of a European data protection
competence centre, which should work on technical means and measures for
data protection.
The European Data Protection Supervisor, Peter Hustinx, stressed in his
contribution the need to reduce the unhelpful diversity in EU member
states' data protection legislation. While there is no need to reinvent
data protection, it is necessary to make the current principles work
better, to improve the definition of responsibilities and to ensure a
better compliance, he said. With regard to privacy impact assessments,
Mr. Hustinx envisaged that these could be optional in some cases while
being compulsory in others.
A coherent European approach to the implementation of the RFID Privacy
Impact Assessment Framework will be in the centre of a conference
organised by the European Commission on 8 February 2012 in Brussels,
where experiences with the PIA Framework and the future of the European
Commission's RFID Recommendation will be discussed.
As EDRi already expressed earlier, the success of RFID Privacy Impact
Assessments will, to a large extent, depend on the quality of the
assessment. In particular, it will be crucial to address and eliminate
risks that stem from third parties and are not directly related to the
RFID applications operated by a given company, but are facilitated by the
RFID tags disseminated by the company.
[Links]
Expert Symposium on RFID Privacy Impact Assessments, 25.11.2011,
Austrian Embassy Berlin
http://www.wu.ac.at/ec/events/piasymposium
RFID Privacy Impact Assessment Guidelines
http://www.wu.ac.at/ec/events/pia_guideline
Federal Office for Security in Information Technology - RFID PIA (only
in German)
https://www.bsi.bund.de/DE/Themen/ElektronischeAusweise/RadioFrequencyIdentification/PIA/pia_node.html
EDRi-gram: EU supports RFID with proper protection of consumers' privacy
(20.05.2009)
http://www.edri.org/edri-gram/number7.10/rfid-european-commission-recommandation
EDRi-gram: RFID Privacy Impact Assessment Framework formally adopted
(06.04.2011)
http://www.edri.org/edrigram/number9.7/rfid-pia-adopted-eu
EDRi-gram: ENDitorial: RFID PIA: Check against delivery
http://www.edri.org/edrigram/number9.10/rfid-pia-check-against-delivery
European Commission Conference: 08.02.2012: Implementation of the RFID
Privacy Impact Assessment (PIA) Framework
Invitation:
http://ec.europa.eu/information_society/policy/rfid/documents/piaconferenceinvitation.pdf
Programme:
http://ec.europa.eu/information_society/policy/rfid/documents/piaconferenceprogramme.pdf
(Contribution by Andreas Krisch - EDRi)
<ends>
Kind regards
Roger Longhorn
ral at alum.mit.edu