Ann Cavoukian, Ph.D.

Information & Privacy Commissioner

Ontario, Canada

RFID PIA

The EU RFID Privacy and Data Protection Impact Assessment (PIA) Framework is a landmark Privacy by Design document that proactively addresses concerns about ubiquitous embedded RFID tags in the emerging “Internet of Things” in a positive-sum, win-win manner. The Framework is notable for being one of the world’s first sectoral PIA guidance documents developed by industry and, upon implementation, will be recognized by EU regulatory authorities as evidence of compliance with EU privacy law, with global reach.

Dedicated EU RFID PIA

EU Press Release on occasion of signing ceremony with industry, civil society. Apr 6, 2011.

EABC Welcomes EU RFID PIA Framework

GS1 welcomes European Commission endorsement of new industry privacy framework

Statement of Gerald Santucci on RFID PIA and the Digital Agenda. Apr 8, 2011.

ARTICLE 29 DATA PROTECTION WORKING PARTY
00327/11/EN | WP 180

Opinion 9/2011 on the revised Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications
Adopted on Feb 11, 2011

Specific Citation: Page 7 (of the pdf document)
3 Conclusion

The Working Party endorses the Revised Framework submitted on January 12, 2011. This framework shall take effect no later than 6 months after the publication of this opinion. A PIA is a tool designed to promote privacy by design, better information to individuals as well as transparency and dialogue with competent authorities. Consequently, since some RFID Applications will be implemented in several member states, it is important that PIA reports are translated and made available to competent authorities in their national language.

Jan 12, 2011
Privacy and Data Protection Impact Assessment Framework for RFID Applications

Specific citation (page 3 of pdf document): The benefits of conducting PIAs for RFID Applications are numerous. These include helping the RFID Application Operator:

to establish and maintain compliance with privacy and data protection laws and regulations;
to manage risks to its organisation and to users of the RFID Application (both privacy and data protection compliance-related and from the standpoint of public perception and consumer confidence); and
to provide public benefits of RFID Applications while evaluating the success of privacy by design efforts at the early stages of the specification or development process.

Coverage:
EU Commission publishes voluntary guidelines on RFID and privacy
OUT-LAW News, Apr 7, 2011
http://out-law.com/page-11856

ARTICLE 29 DATA PROTECTION WORKING PARTY
00066/10/EN | WP 175

Opinion 5/2010 on the Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications
Adopted on July 13, 2010

Specific Citation:
1.3 Objectives of the PIA framework
With the RFID Recommendation, the European Commission created a PIA process that aims to achieve several benefits:

First, a PIA should favour “Privacy by Design” by helping data controllers to address privacy and data protection before a product or service is deployed. (p. 5)

While the PIA Framework envisioned in the Recommendation is intended to promote “Security and privacy by design” by targeting RFID Applications before their deployment, there are already many existing deployed RFID Applications. (p. 6)

The Framework should also provide RFID operators with guidance regarding the most appropriate time and conditions to conduct a PIA in the development cycle of a RFID product, in order to truly encourage “security and privacy by design” as supported by the Recommendation. (p. 10)

COMMISSION OF THE EUROPEAN COMMUNITIES
Brussels, May 12, 2009 | C(2009) 3200 final

COMMISSION RECOMMENDATION of May 12, 2009 on the implementation of privacy and data protection principles in applications supported by radio-frequency identification
{SEC(2009) 585} {SEC(2009) 586}

Specific Citation:
(6) Because of its potential to be both ubiquitous and practically invisible, particular attention to privacy and data protection issues is required in the deployment of RFID. Consequently, privacy and information security features should be built into RFID applications before their widespread use (principle of ‘security and privacy-by-design’). (p. 4)

Research and Development
17. Member States should cooperate with industry, relevant civil society stakeholders and the Commission to stimulate and support the introduction of the ‘security and privacy by design’ principle at an early stage in the development of RFID applications. (p. 9)

OPINION OF THE EUROPEAN DATA PROTECTION SUPERVISOR
Opinion of the European Data Protection Supervisor on the communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on ‘Radio Frequency Identification (RFID) in Europe: steps towards a policy framework’ COM(2007) 96
(2008/C 101/01)

Specific Citation(s):

42. Furthermore, the guidelines should propose practical and efficient methods for developing techniques and standards which could contribute to the RFID systems’ compliance with the data protection legal framework and which will entail the use of ‘privacy by design’ technology. (p. 6)

The need for ‘privacy by design’
54. Standards can also play a decisive role in the early adoption of the privacy-by-design principle. (p. 7)

55. Furthermore, the EDPS welcomes the position adopted by the Commission regarding research and development of RFID technologies and the need to mitigate privacy risks. Indeed, the privacy-by-design principle needs to be introduced at the earliest stage of the development of technologies which will better contribute to their compliance with the data protection legal framework. (p. 8)

60. These provisions give the legislator — on the national and on the Community level — the power to prescribe that privacy and data protection safeguards must be included in the manufacturing of RFID systems, a concept that is known as ‘privacy by design’. (p. 8)

61. In order to make the use of the concept of ‘privacy by design’ compulsory, the EDPS recommends that the Commission uses the mechanism of Article 3(3)(c) of Directive 1999/5/EC, in consultation with the RFID Expert Group. (p. 8)

64. The Communication (4) emphasizes the importance of security and privacy-by-design. It also requires involvement of all stakeholders. (p. 8)

76. Such measures should in any event: … ensure the mandatory deployment of RFID applications with the appropriate technical features or ‘privacy by design’. (p. 10)

88. The guidance setting out the principles that apply in respect of RFID usage should be sufficiently focused and adopt a sector specific approach. It should propose practical and efficient methods for developing techniques and standards which could contribute to the RFID systems’ compliance with the data protection legal framework and which will entail the use of ‘privacy by design’ technology. (p. 11)

89. The EDPS welcomes the approach in the Commission’s Communication to endorse the idea of the specification and adoption of early design criteria. (p. 11)

91. In order to make the use of the concept of ‘privacy by design’ compulsory, the EDPS recommends that the Commission uses the mechanism of Article 3(3)(c) of Directive 1999/5/EC, in consultation with the RFID Expert Group. (p. 11)

94. The intervention of the legislator could provide for a tailor made legal framework, which consists of a mix of regulatory tools which specify and complement the existing legal framework. Measures should in any event: … ensure the mandatory deployment of RFID applications with the appropriate technical features or ‘privacy by design’. (p. 12)

Done at Brussels, 20 December 2007.
