What You Should Know About the EU’s New “Internet of Things” Privacy Framework

To many, “The Internet of Things,” a predicted, transformative moment in time when nearly all “things” in the physical world will be interconnected, wirelessly, with communication capabilities linking the physical and virtual worlds for a variety of cooperative applications, is a distant point in the future.  To others, the internet of things is now.

RFID “Smart Tags” Connecting Physical Things to Virtual Things

Radio-frequency identification technology (RFID), a technology that uses “smart tags”, tags with microchips, to provide information to a virtual network, is considered to be a primary technology in advancing “the internet of things.”  In 2011, RFID revenue is expected to exceed $6 billion, with more than 750 million so-called “item-level” RFID tags used in global apparel markets alone.  In Europe, about one billion “smart tags” are expected to be used in 2011, linking many “things” to the virtual world.

The European Union (EU), representing twenty-seven member states, has expressed grave concerns about the privacy implications of an unregulated internet and unchecked technology.

Responding to the privacy concerns it perceived as being presented by the “Internet of Things”, the EU, in 2009, adopted a fourteen-point strategic plan of action:

EU’s 2009 Internet of Things: 14-point Strategic Action Plan

1.  Governance. The Commission will work on the definition of a set of principles underlying the governance of the Internet of Things and the design of an architecture endowed with a sufficient level of decentralised management.

2.  Privacy and data protection. The Commission will observe carefully the application of data protection legislation to the Internet of Things.

3.  The right to the “silence of the chips”. The Commission will launch a debate about whether individuals should be able to disconnect from their networked environment at any moment. Citizens should be able to read basic RFID (Radio Frequency Identification Devices) tags – and destroy them too – to preserve their privacy. Such rights are likely to become more important as RFID and other wireless technologies become small enough to be invisible.

4.  Emerging risks. The Commission will take effective action to enable the Internet of Things to meet challenges related to trust, acceptance and security.

5.  Vital resource. In connection with its activities on the protection of critical information infrastructures, the Commission will closely follow the development of the Internet of Things into a vital resource for Europe.

6.  Standardisation. The Commission will, if necessary, launch additional standardisation mandates related to the Internet of Things.

7.  Research. The Commission will continue to finance collaborative research projects in the area of the Internet of Things through the 7th Framework Programme.

8.  Public Private Partnership. The Commission will integrate, as adequate, the Internet of Things in the four research and development public-private partnerships that are being prepared.

9.  Innovation. The Commission will launch pilot projects to promote the readiness of EU organisations to effectively deploy marketable, interoperable, secure and privacy-aware Internet of Things applications.

10.  Institutional awareness. The Commission will regularly inform the European Parliament and the Council about Internet of Things developments.

11.  International dialogue. The Commission will intensify the dialogue on the Internet of Things with its international partners to share information and good practices and agree on relevant joint actions.

12.  Environment. The Commission will assess the difficulties of recycling RFID tags as well as the benefits that the presence of these tags can have on the recycling of objects.

13.  Statistics. Eurostat will start publishing statistics on the use of RFID technologies in December 2009.

14.  Evolution. The Commission will gather a representative set of European stakeholders to monitor the evolution of the Internet of Things.

The “Internet of Things” Privacy Framework

Completing the promise of their earlier action plan, the EU and private stakeholders, with a simple, two-page press release and signing ceremony in Brussels on April 6, 2011, announced that they had established a voluntary “Privacy and Data Protection Impact Assessment Framework for RFID Applications”, dubbed the “Internet of Things Privacy Framework” by the New York Times.  Specifically, the framework establishes “guidelines for all companies in Europe to address the data protection implications of smart tags (Radio Frequency Identification Devices – RFID) prior to placing them on the market.”

At the signing ceremony, one industry representative observed, “Data protection authorities sometimes seem to be one-track minded and force compliance with data protection rules….Today, we have overcome this very unfruitful deadlock….” Despite the fanfare of many signatures, the framework is voluntary, with no express auditing mechanisms, though record-keeping procedures are outlined, and no defined penalties for non-compliance.

Coincidentally, the announcement of the EU’s voluntary framework came within one week of the release of a report by Carnegie Mellon University showing “lagging compliance” with U.S. industry self-regulation in online behavioral advertising.

Four-step Privacy Impact Assessment (PIA)

Under the Commission’s framework, RFID operators would be required to complete a four-step Privacy Impact Assessment (PIA) process prior to introducing a new RFID application into the market:

1. Describe the RFID Application;

2. Identify and list how the RFID Application under review could threaten privacy and estimate the magnitude and likelihood of those risks;

3. Document current and proposed technical and organisational controls to mitigate identified risks; and

4. Document the resolution (results of the analysis) regarding the Application.

Let the Internet of Things Begin!

So what is the most significant impact of the framework? Privacy? Perhaps not. Instead, the real significance of the framework may have been captured in an observation made in the official press release from the signing, namely, that the framework will give the business sector the “legal certainty that the use of their tags is compatible with European privacy legislation.” In other words, the framework gives private stakeholders the green light to continue full-steam ahead with their already massive investment in RFID technologies and the “internet of things” it heralds.

Why might industry leaders have been concerned about limitations on RFID technologies? The EU has also just reaffirmed its commitment to “Privacy by Default” as the core of its data protection laws.  So Europeans are now given “the right to be forgotten” online and the right to be remembered in real life…

The Internet of Things?

The EU Commission website provides an example to illuminate the “internet of things”:

Take one example: a suitcase itself can indicate which plane it should be sent to. This is possible thanks to Radio Frequency Identification (RFID). With RFID, more and more objects communicate with each other, slowly creating a network of information, a so-called ‘internet of things’.

This network could potentially make our lives much easier…No need to worry about your suitcase being sent to the wrong plane anymore! But we must also be careful how we use it, and avoid certain pitfalls.

Thanks! Your pants just told us where you are.

Worried that your smart phone is broadcasting your whereabouts? Your pants may be doing the same.

What sort of privacy concerns are raised by RFID tags?

According to the Commission, one concern the new Framework seeks to address is “the possibility of a third party accessing your personal data (e.g., concerning your location) without your permission.” How could that happen? Well, the pants you just bought might come with a small RFID tag that has an “electronic memory that is readable and perhaps writable, and antennae.”

The U.S. Approach

Ever lagging behind the EU’s privacy initiatives, the U.S. Federal Trade Commission (FTC), in a staff report, concluded:

The FTC staff also agrees with the EC that there is a need to raise consumer awareness about RFID technology, in order to enhance consumer trust and to give consumers the tools to protect themselves from the risk of misuse of their information. Given the current stage of deployment of consumer-facing RFID applications, however, the FTC believes that mandating or encouraging specific technological tools for protecting consumer privacy is premature.

How Will the Internet of Things Be Social?

The New York Marathon provides a great example of how the “internet of things” will interact with the virtual world and integrate with social:

What are your thoughts? Please let me know!

Glen Gilmore

Please join me on Twitter:  @GlenGilmore and @SocialMediaLaw1