Papers 201 iglezakis-presentation-en-v001


  1. Regulation models addressing data protection issues in the EU concerning RFID technology. Ioannis Iglezakis, Assistant Professor in Computers & Law, Faculty of Law, Aristotle University of Thessaloniki
  2. 2. RFID Radio frequency identification (RFID) is a new technology which uses radio waves for the automatic identification of individual items and thus, it allows the processing of data over short distances RFID systems are considered the next generation of bar codes 4TH INTERNATIONAL CONFERENCE ON INFORMATION LAW THESSALONIKI –MAY 20-21, 2011 2
  3. RFID Infrastructure: Tags. The tag consists of an electronic circuit that stores data and an antenna which transmits the data.
  4. RFID Infrastructure: RFID reader. It has an antenna which receives the data and a demodulator. The RFID reader sends and receives back signals from the tags via one or more antennas and transmits the data to databases or software applications.
  5. Taxonomy of Tags: Passive tags have no power supply of their own and receive energy from the reader antenna.
  6. Taxonomy of Tags: Active tags have their own power supply.
  7. RFID systems applications: Retail Sector, Transportation, Logistics, Healthcare, Security & access control, Aviation, Libraries, Schools, Leisure
  8. Risks of RFID systems to privacy: RFID technology enables identification and profiling of a person; it may also lead to covert monitoring of individuals, which infringes informational privacy.
  9. Risks of RFID systems to privacy:
     • where RFID systems are implemented in order to collect information directly or indirectly linked to personal data, e.g., where products from a store are tagged with unique product codes which the retailer combines with customer names collected upon payment with credit cards and links with the customer database;
     • also where personal data is stored in RFID tags, e.g., in transport ticketing.
  10. Risks of RFID systems to privacy: Even if the customer is not directly identified by means of the tagged card, he can be identified each time he visits the same shop as the holder of the card. Similarly, an individual can be tracked by shops which scan tagged products of customers. Further, third parties may use readers to detect tagged items of passers-by, thereby violating their privacy.
  11. Risks of RFID systems to privacy: RFID tags can be read without line-of-sight and from a distance without being noticed; they therefore lend themselves to use by retailers for customer profiling, as well as to monitoring for other purposes, e.g., law enforcement.
  12. Legal requirements of data protection with regard to RFID: Directive 1995/46
     • Data quality principles
     • Legitimacy
     • Right to information
     • Right of Access
     • Data Security
  13. Legal requirements of data protection with regard to RFID: Directive 2002/58 on privacy in electronic communications. It applies “to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Community, including public communications networks supporting data collection and identification devices”.
  14. Legal requirements of data protection with regard to RFID: EU Commission Recommendation of May 12, 2009 on the implementation of privacy and data protection principles in applications supported by radio-frequency identification.
  15. Regulation vs Self-Regulation: The PIA Framework that was endorsed by the Article 29 Working Party is an important instrument. However, the recommendation on which it was based is not mandatory; it is drafted to provide guidance to EU Member States on the design and operation of RFID applications.
  16. Regulation vs Self-Regulation: Effectively addressing the data protection issues posed by RFID technology requires making the PIA process mandatory and providing for the notification of its results to the competent data protection authorities, which should have the right to prior checking of RFID systems posing significant privacy risks.
  17. Regulation vs Self-Regulation: Alternatively, the data protection legislation could introduce specific rules for RFID systems and, more particularly, rules establishing technical solutions, since it is difficult to achieve privacy by design by self-regulation.
