Many of the problems in applying European Data Protection Law on-line arise from uncertainty over whether the law covers labels that allow an individual to be recognised (i.e. “same person as last time”) but not – unless you are the issuer of the label – identified (i.e. “Andrew again”). The Article 29 Working Party have recently been considering one particular label, RFID tags, and conclude that recognition is sufficient (Opinions 5/2010 and 9/2011). However they seem not to have spotted the problem that this creates for international transfers.
Each RFID tag contains a unique number that can be read at a distance by a suitable radio transmitter/receiver. Attached to items in a shop they can be used for all kinds of stock control and inventory purposes; however the Working Party’s main concern is what happens to them when they leave the shop. If a tag attached to a garment is not de-activated then it could be used to recognise the person wearing it, since the person will now be attached to the RFID tag number. However without access to the shop’s purchase records, the number alone cannot be used to identify that person whether by name, address or even credit card number. The release of the information linking purchase to purchaser is, of course, covered by data protection law. However the Working Party have concluded that merely allowing someone to leave the shop with an active RFID tag must also be subject to data protection law since the built-in identifier might allow a third party to (illegally) recognise and track the wearer. The Working Party’s opinion is therefore that the shop must assess the risk to privacy and only leave tags active if that risk is sufficiently low.
A risk-based approach fits with the law’s requirements on protecting personal data from unauthorised processing within Europe. However the law on exporting personal data from Europe seems to be absolute, not risk-based. Article 25 of the Data Protection Directive says: “Where the Commission finds … that a third country does not ensure an adequate level of protection …, Member States shall take the measures necessary to prevent any transfer of data of the same type to the third country in question” (my emphasis). Indeed the UK Information Commissioner’s tentative steps to allowing data exporters to do their own risk-based assessments of adequacy appear to be one of the things causing concern over whether the UK has actually implemented EU law correctly. I can’t imagine that the Working Party intend shops to ask their customers whether they will be wearing their new clothes to the USA, but this seems to be the result under current law!
RFID tags may not seem terribly relevant to networks, but they have very similar privacy characteristics to the IP addresses of laptops and PDAs. Hence my continuing requests to the Commission and the UK Government to fix this bug in the law.