Privacy & Information Security Law Blog

On July 7, 2010, the German Federal Office for Information Security, the Bundesamt für Sicherheit in der Informationstechnik (“BSI”), published a basic paper on data security and data protection for radio-frequency identification (“RFID”) applications.  The paper, Technical Guidelines RFID as Templates for the PIA-Framework, describes how to use RFID in compliance with data protection requirements, and explains the relationship between the BSI’s technical guidelines for the secure use of RFIDs and the European Commission’s Privacy Impact Assessment (“PIA”) Framework.

In May 2009, the European Commission published its recommendation on the implementation of privacy and data protection principles in applications supported by RFID.  Specifically, the Commission’s recommendation called for the development of a systematic framework to assess the impact of RFID applications on individuals’ privacy and data protection, to be developed by industry in collaboration with the relevant Member State institutions.  In the meantime, a draft framework document was published by a working group of the European Commission and submitted to the Article 29 Working Party.

In keeping with the Commission’s recommendation regarding the development of a Privacy Impact Assessment, the BSI  prepared its Technical Guidelines on RFID jointly with the German Industry Association for Automatic Identification, Data Collection and Mobile Data Communication.  The new paper explains how German industry can employ the various BSI technical guidelines for RFID applications to efficiently develop a PIA.