New legislation may be required to regulate the widespread use of RFID (radio frequency identification) tags, the European Commission said Thursday, announcing the beginning of a public inquiry to identify citizens' concerns about the technology.
"RFID is very important to businesses and it is very important to citizens, but it also raises concerns about trust," said Viviane Reding, European Commissioner for Information Society and Media, in a press briefing at the Cebit trade show in Hanover, Germany. "If we don't remove the trust problem, well then the business won't fly."
As part of the inquiry, which the Commission calls a consultation, it will also talk with governments and industry groups around the world to try to reach an accord on interoperable standards for RFID equipment, Reding said.
RFID tags are increasingly being used to track inventory in supermarkets or to authenticate information in national identity documents. Each tag contains a unique serial number that can be read by an electronic device. By associating the serial number with information contained in databases, the tags can provide personal information on the bearer of an identity document, or the manufacturing and shipping history of a consumer product, perhaps even including who bought it and when.
Reding stopped short of saying that consumer privacy is being compromised by RFID. But she said that sufficient doubt exists in the public mind to warrant a full study.
The Commission will hold a series of workshops in Brussels between now and June to canvas opinion from the public and industry on the subject. The results will be incorporated into a consultation document to be published in September.
Reding declined to say what prompted the timing of the Commission's study, but it was likely tied to growing public awareness that RFID systems could compromise privacy, according to a consultant specializing in identity management.
"Obviously she's been reading the newspapers," said Tim Cole, a senior partner with the analyst group Kuppinger Cole and Partner.
He was skeptical that the Commission's inquiry will do much to protect individuals' privacy. Businesses have already been introducing RFID systems "through the back door," he said, without much regulation or public debate. That's likely to continue and the Commission may be too slow to have an impact, he said.
Still, businesses themselves are reacting to public concern, Cole said, "not out of social responsibility but because it's bad for business if customers are worried." Vendors at Cebit, for example, are showing RFID tags that become disabled when a person leaves a shop with a product.
Protection of personal information in electronic form is already the subject of a European law, the e-Privacy Directive. If the Commission identifies new threats to European Union citizens' privacy from RFID and determines that new legislation is required to protect them, then it will consider revising that directive, it said.
RFID is also a European issue for other reasons. Laws allowing for the free movement of goods around the E.U. would be worthless if tags on packaged foods from Poland, say, were unreadable by scanners in Portugal, as supermarkets would not be able to track their inventory. The Commission is also considering legislation on technology standards and radio spectrum allocation to ensure the harmonization of tag technology across the E.U.
RFID is a fast-growing technology. The market is worth about €2.4 billion ($2.9 billion) today, with 600 million tags sold in 2005, Reding said. That number will increase six-fold in seven years, she predicted, to 3.6 billion tags sold in 2013.
"Citizens have to be sure they are in control of their data, and to have this control we must have worldwide legal certainty," she said. "There is a lot of work to be done in the coming weeks and months."