Specialist Task Force
Response to Phase 1 of EC mandate M/436 (RFID) - SA/ETSI/ENTR/436/2009-02
Who we are:
|Voluntary team members:
Why we do it:
Mandate M/436 is a European Commission request, backed by the member states,
that the European Standards Organizations (ESOs) deliver a coordinated response
on the subject of Radio Frequency Identification Devices (RFID) in relation to
data protection, information security and privacy. This STF is composed of
experts from the 3 ESOs (CEN, CENELEC and ETSI) who have come together with a
view to developing, promoting, and delivering the coordinated response of the
ESOs to Phase 1 of the mandate.
The aim of M/436 is to identify and provide adequate relevant standards as a
solid foundation to consistent and rigorous compliance and enforcement of the
Recommendation (adopted by the EC on the 11th May 2009) across Europe that has
laid out a number of principles for protecting privacy and data protection in
the use of RFID devices such as those below aimed at the retail industry:
Consumers should be in
control whether products they buy in shops use smart chips or not. When
consumers buy products with smart chips, these should be deactivated
automatically, immediately and free of charge at the point of sale, unless the
consumer explicitly opts-in by asking to keep the chip operational. Exceptions
can be granted to avoid an unnecessary burden on retailers, for example, but
only after an assessment of the chip's impact on privacy.
Companies or public
authorities using smart chips should give consumers clear and simple information
so that they understand if their personal data will be used, the type of
collected data (such as name, address and date of birth) and for what purpose.
They should also provide clear labelling to identify the devices that read the
information stored in smart chips, and provide a contact point for citizens to
obtain more information.
Retail associations and
organizations should promote consumer awareness on products containing smart
chips through a common European sign to indicate whenever a smart chip is used
by a product.
Companies and public
authorities should conduct privacy and data protection impact assessments before
using smart chips. These assessments, reviewed by national data protection
authorities, should ensure that personal data is secure and well protected.
With over two billion RFID tags sold worldwide in 2008 and growth in the market
this is thought to be an increasingly important element of market and consumer
acceptance of the technology. In the wider context RFID devices will be seen as
a contributing technology in the Internet of Things so will move beyond the
retail and logistics sectors into a set of new sectors in banking, identity,
authorisation and so on. It is possible therefore that closed vertical market
use of RFID will be replaced by a new matrix form of technology penetration and
thus greater need to look beyond the RF for matters of privacy and security. The
aim of the STF and the ESO response to the mandate is to ensure that when and if
such a world evolves that standards will be there to secure it.
For more details, see our
Terms of Reference
How we do it:
In common with the general STF model at ETSI, STF396 is comprised of a group of
domain and field experts that together have the necessary capabilities of
addressing the issues specified in the Terms of Reference. The STF applies a
number of working methods, including brainstorming, scenario building, analysis,
and testing, to produce the relevant standards and contribution to
standardization. These contributions and standards text are then verified as
being acceptable through a formal approval procedure including all affected
technical bodies and additional open meetings with stakeholders. For STF396 the
affected technical bodies are: ETSI TC TISPAN, ETSI TC M2M, ETSI TC ERM TG34
(and other sub groups of ERM), CEN TC225, the Workshop on Data Protection and
Privacy (WS/DPP) (and other working groups in CEN) and the CENELEC TC106 x
(electromagnetic fields in the human environment). The formal procedure
concludes with a contribution that is ready to be endorsed as a published
response by the 3 ESOs together.
The STF will build on the work done in the GRIFS and CASAGRAS projects that ETSI
the ESOs have contributed to in 2008 through to the present.
Furthermore, the STF and its members will link to
international standardization groups including ISO/IEC JTC1 SC31.
Time plan for the work:
work is to start in March 2010 and to complete as soon as possible thereafter.
Realistically the STF will complete its activity towards the end of Q3-2010.
How to contact us:
This information is based upon STF working assumptions.
The views expressed do not necessarily represent the position of ETSI in this
Last updated: 2013-04-13 17:33:05