The fight for digital privacy in Europe

Duration 2009–2019

Institute Institute for Information Systems and Society Department Department of Economics Additional WU Sushant Agarwal, Marie Oetzel

External European Commission, partners European Industry Consortium (incl. auto-ID industry, Bitcom, BSI, Gerry Weber)

Every year, about 16 billion radio-frequency identification (RFID) tags are sold all over the world. RFID tags are tiny computer chips that give objects “names” and are the core technology involved in the Internet of Things. RFID tags are gradually replacing bar codes in many industries and are used in all sorts of consumer goods, such as clothing, ski tickets, and hotel keycards. As more and more privately owned objects are tagged with RFID technology, the question arises of how to best protect the privacy of consumers when they carry home a multitude of RFID chips every day that could potentially be scanned without anyone noticing the intrusion.

The developed privacy impact assessment method helps companies see where their technologies create privacy issues and improve their information-processing activities to safeguard this important human right.

Sarah Spiekermann began by working with Metro AG’s Future Store Team. Hundreds of consumers were interviewed on how they would feel if they found out they were being digitally tracked through RFID tags in the store. The majority reported feeling powerless when faced with this kind of corporate surveillance, followed by anger at the companies exposing them to this intrusion of privacy. Customers said they would accept the technology, but it made them feel uncomfortable. Based on these initial findings, the research project then focused on developing a method that would enable companies to recognize and tackle the privacy and emotional risks inherent in their IT architecture and help them mitigate these risks as much as possible. Researchers used existing risk assessment procedures – which typically identify threats, damage potentials, and control strategies – as the basis for a unique method of assessing the privacy impacts of RFID technology. This method closely aligns with the European General Data Protection Regulation (GDPR) and shows companies where they might be unwittingly breaching the high European standards for privacy protection. It was also designed to highlight how companies could even go further than the law requires by envisioning the extremely secure and agreeable digital surroundings their customers preferred and embracing a privacy-by-design approach for RFID-enabled premises.

The first privacy regulations signed by the EU Commission and EU and US industry, entitled the “Privacy and Data Protection Impact Assessment Framework for RFID Applications”.

The research resulted in the first privacy impact assessment (PIA) method that was recognized by industry and the European Commission. Today, privacy impact assessments are an integral part of European data protection regulations, but in 2011 no one yet had a concept of what a PIA might look like and whether it could be recognized as a legal principle. WU’s “PIA for RFID” showed the way. In early 2011, then head of the European Comission’s DG Connect Neelie Kroes and representatives from the German automotive industry, the US retail industry, the international auto-ID industry association, Germany’s Bitkom association (IT Industry), and the GS1 international barcode association signed an agreement that all RFID technologies that used personal information would henceforth need to pass the stipulated risk assessment procedure before actual deployment. In these ways, the research contributes to SDG 9 “Industry, Innovation and Infrastructure,” SDG 16 “Peace, Justice, and Strong Institutions,” and SDG 17 “Partnerships for the Goals.” At WU, the PIA framework also led to additional projects. In late 2011, the PIA for RFID method was adapted for use by the German BSI (Federal Office for Information Security) in areas like designing new passports (which use RFID). The PIA process also led to SERAMIS, a large-scale EU project at WU (in cooperation with other European universities) on the use of RFID in retail outlets. Completed in 2017, SERAMIS resulted in the PriWUcy software that start-ups and other businesses can use to identify their privacy risks online and which is accessible on the Institute for Information Systems and Society website.

Consumer studies on RFID and perceptions of privacy in retail

Method for assessing the privacy impact of RFID

Adoption of the method by the EU Commission and industry for use before technology deployment and recognition of its potential in the European GDPR