'Smart (RFID) Tags': Safeguards Applying to Their Use ' March 9, 2005 
[doc. web n. 1121107]
[ doc. web n. 1109493]
"Smart (RFID) Tags": Safeguards Applying to Their Use – March 9, 2005
THE GARANTE PER LA PROTEZIONE DEI DATI PERSONALI
Having convened today, in the presence of Prof. Stefano Rodotà, President, Prof. Giuseppe Santaniello, Vice-President, Prof. Gaetano Rasi and Mr. Mauro Paissan, Members, and Mr. Giovanni Buttarelli, Secretary-General;
HAVING REGARD to Articles 3, 7 and 8 of the Charter of Fundamental Rights of the EU;
HAVING REGARD to the personal data protection Code (legislative decree no. 196 of June 30, 2003);
WHEREAS it is necessary to set forth measures aimed at bringing the processing of personal data within the framework of Radio Frequency Identification systems into line with the legislation in force, also in respect of the human dignity principle (as per Article 1 of the Charter of Fundamental Rights of the EU, and Sections 2 and 154(1), letter c), of the personal data protection Code);
HAVING REGARD to the comments and considerations received further to the public consultation undertaken by the Garante concerning Radio Frequency Identification technology;
HAVING REGARD to official records as well as to the considerations made by the Secretary General in pursuance of Section 15 of Regulations no. 1/2000;
ACTING on the report submitted by Prof. Stefano Rodotà;
Radio Frequency Identification (RFID) technology is rapidly spreading through various sectors.
The use of this technology can be helpful, for instance, to ensure that company products are managed more effectively, to perform commercial operations more expeditiously with beneficial effects to consumers, keep track of highly sensitive products, monitor the access to restricted areas, as well as for other purposes in the employment sector.
However, some instances of implementation of RFID technology may give rise to violations of the right to personal data protection (Section 1 of the Code) and produce major effects on personal dignity and integrity – partly because personal data can be processed via RFID technologies unbeknownst to the data subject, given the small size and the location of the so-called "smart tags" and the respective readers.
In particular, as also highlighted by the European data protection working party (see the Working Document adopted on 19 January 2005 by the Article 29 Working Party, in http://europa.eu.int...), the use of RFID technologies by both private and public entities may give rise to forms of control over individuals by restricting their freedom. For instance, the use of RFID technologies might allow collecting unlimited information on the data subject´s habits for profiling purposes, tracing the routes he or she has followed, or else verifying what products – clothing, accessories, medicine, valuables – a data subject is wearing and/or carrying.
In some cases, RFID devices may be used exclusively to track products in order to enhance the effectiveness of industrial production processes; in particular, if these systems are used by producers and/or distributors exclusively within the distribution chain, the information contained in each product tag may represent a personal data – either in itself, or because of the links with additional information such as preservation status, manufacturing plant, presence of defects, inclusion in a flawed lot, etc. – relating exclusively to said producers and/or distributors.
This type of data processing does not raise specific issues in terms of lawfulness and/or safeguards applying to data subjects.
Conversely, in other cases using RFID systems may entail the processing of personal data relating to third parties – natural and/or legal persons, bodies, associations, etc. (see Section 4(1), letters a) and b), of the Code).
Indeed, the "tags" themselves might contain personal data, or else be used in such a way as to allow identifying data subjects by means of the matching with other information.
The information systems they relate to may also allow identifying the geographic location of any entity in the possession of the tag and/or the tagged object – which would impact remarkably on freedom of movement.
Additionally, RFID technology may be used for subcutaneous chip implants also in humans; the subcutaneous implantation of microchips carries very sensitive implications for personal rights and requires the adoption of specific safeguards.
Further dangers to data subjects may also result – in particular in the light of future standardisation – from the possibility for unauthorised third parties to "read" the tag contents and/or tamper with them (for instance, by re-writing on them). In this regard, one should consider that technological development may bring about increased potentialities for RFID systems, which might ultimately allow reading tags from ever increasing distances; at the same time, the stepwise reduction in production costs is bound to enhance the implementation of RFID devices for identification purposes.
Finally, increased risks to citizens´ private lives may arise if RFID devices are integrated within network infrastructures – telephony, Internet, etc. .
It is therefore necessary for RFID technology to be implemented and used, if the processing of personal data is involved, in compliance with the principles laid down in the Code and, in particular, with data subjects´ fundamental rights and dignity (Section 2(1) of the Code).
In order to safeguard data subjects as well as in line with the provision set out in the Code, the Garante is laying down hereby some initial measures that have be taken by any entity that, for whatever purpose, avails itself of RFID-related technologies; such measures are also intended to allow practitioners and producers to design and market devices that are compliant with personal data protection legislation.
The said measures apply whenever the implementation of RFID systems brings about the processing of personal data relating to identified and/or identifiable third parties (Section 4(1), letter b), of the Code); conversely, they do not apply in those cases – which do not raise specific problems in terms of data protection – where RFID technology does not entail the aforementioned processing and is used, for instance, in a corporate distribution chain exclusively to achieve enhanced efficiency of production processes.
This Authority reserves the right to issue such additional provisions as might be found to be necessary in connection with specific processing operations concerning personal data that are carried out by means of RFID devices – also in the light of the quick, unrelenting evolution that is a feature of this sector.
The use of RFID devices may condition and limit data subjects, which is why it is necessary to ensure that all principles set out in the Code are complied with stringently. In particular, reference can be made herein to the following:
• Data Minimisation Principle (Section 3 of the Code)
RFID systems must be configured in such a way as to avoid using personal data or else identifying data subjects, as the case may be, if this is not absolutely necessary in connection with the purpose(s) to be achieved.
This assessment shall have to be made by taking account that in most cases, e.g. in product distribution, there is no need for processing personal data related to third parties.
• Lawfulness (Section 11(1), letter a), of the Code)
Processing of data via RFID technology is only lawful if it rests on the legal grounds set forth in the Code as regards public bodies – discharge of public tasks, Sections 18 to 22 – and private entities and/or profit-seeking public bodies, respectively – e.g. compliance with legal obligations, or freely given, explicit consent provided by the data subjects, Sections 23 to 27.
The use of RFID technology should also be in line with such other laws and regulations as may be relevant to the specific sector. In the employment sector, it shall be necessary in particular to abide by the prohibition against distance monitoring of employees set out in Section 4 of Act no. 300/1970 as well as in Section 114 of the Code.
• Purposes and Data Quality (Section 11(1), letters b), c), d), and e) of the Code)
Data controllers (Section 4(1), letter f)) may only process personal data for specific, explicit, and lawful purposes (Section 11(1), letter b).
The data may only be used in a manner that is compatible with the purpose(s) for which they were initially collected; they shall have to kept for no longer than is absolutely necessary in order to achieve said purpose(s), and shall have to be either erased or anonymised thereafter (Section 11(1), letters b) and e) of the Code).
Data controllers are also required to ensure that the personal data are relevant, not excessive, accurate, and updated (Section 11(1), letters c) and d) of the Code).
• Proportionality (Section 11(1), letter d), of the Code)
Data controllers must verify that the proportionality principle is abided by throughout the processing steps.
The processed data as well as the relevant processing mechanisms must not be disproportionate compared with the purposes to be achieved, by having also regard to the features of the network infrastructure that is implemented.
It shall not be justified, as a rule, to carry out processing operations that entail the functioning of tags placed on products purchased by a data subject also outside the given shop/department store, unless this is necessary in order to deliver a service that has been specifically and freely requested by said data subject.
• Information Notice (Section 13 of the Code)
When providing data subjects with the required information notice, which should also specify the mechanisms of the processing (Section 13 of the Code), the data controller shall have to refer to the presence of RFID tags and specify that personal data may be collected without the data subjects´ intervention by means of the systems connected with the tags. Similarly, the notice shall have to inform about the existence of readers that can "activate" the tags – readers that may only be deployed insofar as they are absolutely necessary to achieve the purpose(s) of the processing.
The mechanisms whereby tags can be removed and/or deactivated, or the operation of the RFID system can be terminated otherwise, should also be highlighted.
The information might also be provided via ad-hoc notices in the premises where RFID devices are deployed, to be formatted and located in such a manner as to be readily visible.
The presence of such notices does not exempt data controllers from the obligation to place appropriate information notices on objects and/or products bearing "smart tags" if the latter remain active after it has been possible to establish a link between said tags and data related to identifiable and/or identified third parties – in particular once outside the premises (e.g. shops) where RFID technologies are implemented.
• Processing by Private Entities: Consent (Section 23 and following ones of the Code)
In general, use of RFID devices may only be allowed with the data subject´s consent if it entails the processing of personal data by private entities, without prejudice to fulfilment of any other preconditions set out in Section 24 of the Code as regards processing by public entities.
If the processing concerns personal data, consent, where necessary, must comply with the requirements set out in the law (Section 23 of the Code). In particular, consent should be specific and explicit, since the data subject´s conclusive conduct is irrelevant in this respect (Section 23(1) and (3) ).
Furthermore, consent is not valid if it has been obtained by putting pressure on and/or conditioning the data subject (Section 23(3) ). If the data subject does not consent to the processing, he/she shall not have to incur prejudicial consequences and/or restrictions other than those resulting directly from the impossibility to process the data concerning him/her.
If the processing concerns sensitive data (Section 4(1), letter d) ), consent must be given in writing and the processing may only be carried out upon the Garante´s prior authorisation (Section 26 of the Code).
Even if the data subject consents to the processing, or any other prerequisites for the processing are fulfilled, the processing of personal data by RFID must take place in compliance with the aforementioned principles concerning purpose limitation, proportionality, and dignity (Section 2(1), and Section 11(1) ).
Having said this, and in view of the foreseeably widespread use of RFID in various sectors and for different purposes, some specific cases can already be envisaged as regards compliance with consent requirements:
a) if RFID technology is used in shops within the framework of payment mechanisms (e.g. the so-called electronic shopping cart, e-cart), whereby the individual products can in no way be related to identified and/or identifiable customers, there is no need, in principle, for requesting consent from customers under the personal data legislation in force;
b) if RFID technology is associated with customer loyalty cards and/or the processing of data relating to customers for commercial profiling purposes, the data protection principles set forth by the Garante in its provision of February 24, 2005 (www.garanteprivacy.it) are also applicable with particular regard to information notices, consent, data minimisation, and proportionality;
c) whilst it is as a rule unlawful to deploy RFID tags that remain active after leaving checkout in the shop where they are used, this deployment – if found to be lawful – requires the data subject´s prior consent unless any other prerequisites for processing personal data are applicable (Section 24 of the Code);
d) if RFID technology is used to check access to premises, appropriate safeguards should be laid down as regards data subjects´ rights and freedoms. In particular,
d1) if RFID technology is to be used to check access to workplaces, or anyhow in the employment context, it should be considered that the "Workers´ Statute" prohibits the implementation of devices and equipment for the distance monitoring of employees´ activity, and requires certain safeguards to be abided by if such use is found to be necessary for other purposes (Section 4 of Act no. 300 of May 20, 1970; Section 114 of the Code) as well as ensuring compliance with the aforementioned data minimisation, purpose specification, and proportionality principles;
d2) if RFID technology is used to check third parties´ occasional access to premises, mechanisms shall have to be devised whereby a data subject that is unwilling to subject himself/herself to the use of such technology can access the place in question all the same – possibly coupled with the adoption, if necessary, of such precautionary measures as may reasonably be envisaged by the data controller.
• Exercise of Rights (Sections 7 and 10 of the Code)
The data controller must facilitate exercise by data subjects of the rights referred to in Section 7 of the Code, by simplifying the relevant mechanisms and reducing the response time to applications (Section 10(1) of the Code).
Ever since the project-designing phase, manufacturers of RFID systems should appropriately lay down suitable mechanisms for ensuring that data subjects can easily exercise their rights.
• Tag Deactivation/Removal
Data subjects must be afforded the possibility to have the RFID tags removed and/or deactivated, free of charge and in an easy manner, either at the time of purchasing a product bearing such tags or once use of the RFID devices is over.
Tags must be placed in such a manner as to be easily removable, insofar as this is possible, without affecting and/or limiting functionality of the products/objects bearing them (e.g. by having them placed exclusively on packaging items).
• Subcutaneous Microchip Implants
Subcutaneous microchip implants in humans raise highly sensitive issues, which have already led other supervisory authorities in Europe to consider them unacceptable in terms of data protection.
In the cases where the limited deployment of subcutaneous microchips has been permitted (e.g. by USA´s FDA on October 12, 2004), the potential dangers of these implants have been highlighted as regards both the implanted persons´ health and security of the personal data to be processed.
In principle, subcutaneous microchip implants must be ruled out because they are in conflict with the dignity principle set forth in Section 2 of the Code, without prejudice to other legal provisions safeguarding bodily integrity and inviolability of personal dignity as also contained in the Charter of Fundamental Rights of the EU (Articles 1 and 3 thereof).
Subject to data protection legislation and the provisions laid down herein, subcutaneous microchip implants may therefore be allowed only in exceptional cases further to documented, justified requirements concerning protection of individuals´ health, by strictly complying with the proportionality principle (Section 11 of the Code) and fully respecting the data subjects´ dignity (Section 2(1) ).
Data subjects should be in a position, as a rule, to have the microchips removed, at any time and free of charge, as well as to terminate the processing of data concerning them.
Additionally, data controllers should lay down mechanisms for implanting and using subcutaneous tags such as to ensure confidentiality about presence of the tags in the data subject´s body.
As well as being compliant with the prerequisites and limitations set out in the Code (Sections 2 and 22; Part II, Title V of the Code), the processing of sensitive data requires the Garante´s prior authorisation pursuant to the relevant provisions (Sections 26 and 76).
The Garante reserves the right hereby to order data controllers – also by means of generally applicable provisions - to subject RFID systems intended for subcutaneous implants to the Authority´s prior checking pursuant to Section 17 of the Code, where said systems entail specific risks for data subjects´ rights, fundamental freedoms, and dignity.
• Additional Requirements
In addition to the requirements set out herein, the obligations imposed by the Code on data controllers are left unprejudiced.
This applies, in particular,
a) to the obligation to notify the Garante
- processing operations concerning data on the geographic location of individuals and/or objects by means of electronic communication networks (Section 37(1), letter a));
- processing operations carried out with the help of electronic means in order to define a data subject´s profile or personality, or else analyse his/her habits and choices as regards purchased products (Section 37(1), letter d));
b) to the obligations related to security measures (Sections 31 to 36, and Annex B to the Code) in view of minimising the risk of (accidental) destruction and/or loss of the personal data, unauthorised access to the data, and/or processing operations that are not allowed and/or fail to be compliant with the purposes of data collection;
c) to specifying the entities that are authorised to process data in their capacity as either data processors or persons in charge of the processing, further to the tasks entrusted to them as well as to the instructions received (Sections 29 and 30 of the Code).
BASED ON THE ABOVE PREMISES, THE GARANTE
Pursuant to Section 154(1), letter c), of the Code, orders any and all entities that process personal data by availing themselves of RFID technology, for whatever purposes, to take the necessary and/or appropriate measures set forth herein in order to bring their processing operations into line with the legislation in force.
Done in Rome, this 9th day of March 2005
THE SECRETARY GENERAL