The PIA guidelines are based on the RFID PIA Framework, a co-regulation instrument signed earlier this year by Neelie Kroes, Vice President of the European Commission, and industry representatives. The goal of the guidelines is to explain the PIA Framework and to give RFID application operators an in-depth understanding of the framework's terminology and proposed procedures. The methodology outlined in the document is understood to be a concrete elaboration of the generic process outlined in the PIA Framework.
The PIA guidelines will help European RFID operators to ensure a high level of data protection, which can be seen as an important aspect of quality and a unique selling proposition for European companies, said Professor Sarah Spiekermann, Head of the Institute for Management Information Systems. The PIA guidelines are available from the symposium website. PIA case studies for three different sectors will soon be published by BSI.
In his presentation at the symposium, the German Federal Commissioner for Data Protection and Freedom of Information, Peter Schaar, explained that, while Data Protection Authorities (DPAs) might not be able to check each and every PIA report, in future the results of privacy impact assessments and the implementation of those results will be important aspects of data protection inspections. He therefore asked that PIA reports and the data protection goals identified in the course of the PIA process be made transparent to DPAs and individuals.
Furthermore, Mr. Schaar called for PIA frameworks to be defined at the European level and for the establishment of a European data protection competence centre, which should work on technical means and measures for data protection.
The European Data Protection Supervisor, Peter Hustinx, stressed in his contribution the need to reduce the unhelpful diversity in EU member states' data protection legislation. While there is no need to reinvent data protection, it is necessary to make the current principles work better, to improve the definition of responsibilities and to ensure better compliance, he said. With regard to privacy impact assessments, Mr. Hustinx envisaged that these could be optional in some cases while being compulsory in others.
A coherent European approach to the implementation of the RFID Privacy Impact Assessment Framework will be at the centre of a conference organised by the European Commission on 8 February 2012 in Brussels, where experiences with the PIA Framework and the future of the European Commission's RFID Recommendation will be discussed.
As EDRi has already pointed out, the success of RFID Privacy Impact Assessments will, to a large extent, depend on the quality of the assessment. In particular, it will be crucial to address and eliminate risks that stem from third parties: risks that are not directly related to the RFID applications operated by a given company, but are enabled by the RFID tags that the company disseminates.
Expert Symposium on RFID Privacy Impact Assessments, 25.11.2011, Austrian Embassy Berlin
RFID Privacy Impact Assessment Guidelines
Federal Office for Security in Information Technology - RFID PIA (only in German)
EDRi-gram: EU supports RFID with proper protection of consumers' privacy (20.05.2009)
EDRi-gram: RFID Privacy Impact Assessment Framework formally adopted (06.04.2011)
EDRi-gram: ENDitorial: RFID PIA: Check against delivery
European Commission Conference: 08.02.2012: Implementation of the RFID Privacy Impact Assessment (PIA) Framework
(Contribution by Andreas Krisch - EDRi)