Privacy and Data Protection Impact Assessment (PIA) Framework for RFID Applications (PDF), intended to safeguard consumer privacy and offer assurances to citizens that RFID [Radio Frequency Identification] and connected devices are safe for industry to develop. The agreement creates a four-step process for assessment of new tracking applications, basically requiring that risks, mitigation strategies and remaining costs in terms of privacy all be articulated explicitly whenever a new system that tracks a previously unconnected object or device is brought to market.The executive body of the European Union signed an agreement today titled
ReadWriteWeb has covered developments in the Internet of Things space for several years, in the belief that sensors and connected devices will join the tidal wave of data produced by online social networks to create a large pool of information resources available for development of new software, services and analysis. Perhaps even more than with social networks, however, tracking of objects and devices will require serious consideration of user, consumer and citizen privacy.
Europe has far more stringent data privacy laws than the United States when it comes to Personally Identifiable Information online, so it's not a surprise to see the EU leading the conversation regarding privacy and the Internet of Things.
"In certain respects, Europe has led the way in RFID adoption," writes Mary Catherine O'Connor at RFIDJournal today.
"The technology is used by postal systems, transportation agencies, libraries and, increasingly, retailers across the European Union. And this strong adoption rate has been matched by coordinated efforts to ensure that the use of RFID does not erode Europeans' personal privacy, or the protection of personally identifiable information.
"According to the European Commission, an estimated 2.8 billion RFID tags are expected to be sold this year--a third of those in Europe."
The Framework document says there's a big difference between tracking applications that do or do not contain Personally Identifiable Information. "The PIA process is designed to help RFID Application Operators uncover the privacy risks associated with an RFID Application, assess their likelihood, and document the steps taken to address those risks. These impacts (if any) could vary significantly, depending on the presence or lack of personal information processing by the RFID Application."
Harriet Pearson, Chief Privacy Officer at IBM (a big Internet of Things participant), articulated well the tension between technology innovation and privacy in January.
"Getting data privacy 'right' is an economic and social imperative. Trust and confidence in the security and privacy of the critical systems of our planet - especially the digital version of its central nervous system, the Internet - is foundational to individuals' continued engagement and reliance on such things as online commerce, e-health and smart grids. If individual consumers don't feel that their privacy and security are protected, they will not support modernization efforts, even though the capabilities of technology advancements are proven and the potential benefits to society are extensive.
"Here's an example of the tensions we face: The ability of smart grids to conserve resources relies on the ability of, and commitment from, consumers to monitor and modify their individual usage. An individual using a smart meter understands the difference in the cost of using electricity at peak versus non-peak hours and could opt to lower their usage during more costly time periods. At the same time, data from the meters can reveal sensitive information such as work habits, shower schedules, use of medical devices such as dialysis, and whether or not a house is occupied."
"I don't worry that the technology will have a negative impact on consumer privacy," wrote Mark Roberti, founder of RFID Journal in a June overview of the state of the RFID market where privacy is concerned. "Instead, I worry that ignorant legislators trying to score points with uninformed voters will pass laws that limit the many benefits RFID can deliver--and that is a much bigger threat to consumers."
Today's agreement in Europe appears not to be the kind of legislation Roberti feared. As a framework focused on self-reporting it may be too little, ultimately, but it's a start.