Published Monday, 6 February, 2012
Updated Tuesday, 28 October, 2014

— Posted by Gérald Santucci, DG INFSO, Head of unit: Networked Enterprise and Radio Frequency Identification (RFID)

Some 80 people will attend on 8th February the Privacy Impact Assessment (PIA) Conference that will review progress of the implementation of the PIA Framework (PIAF) for RFID Applications, which was developed by industry (January 2011), endorsed by the Article 29 Data Protection Working Party (February 2011) and signed in Brussels on 6th April 2011, in the presence of Vice-President Neelie Kroes.

Since last year, several seminars and workshops have been organised by industry associations in different EU Member States, often with the support of the relevant ministries. In Germany, the Federal Office for Information Security has released Guidelines for the implementation of the RFID PIAF. GS1 has developed a PIA Software Tool to guide its member organisations in preparing PIA reports based on the PIAF. Therefore, one year after its completion, the PIAF confirms that it represents a success of coregulation. Indeed, it was designed, developed and approved by all stakeholders from industry, data protection supervisory authorities, ENISA, and civil society.However, some issues need to be addressed in the near future, which are the purpose of the conference:

  • How to raise awareness of the PIAF in all EU Member States and across industries?
  • How to apply the PIAF in different real market situations by developing sector-, industry- and/or application-specific templates? What role could European Standardisation Organisations (ESOs) play in that respect during the implementation of the RFID Mandate M/436?
  • How to align the PIAF to the Data Protection Impact Assessment (DPIA) that is an important aspect of the EC proposal for a regulation setting out a general EU framework for data protection?
  • Should RFID Application Providers be invited to develop and maintain a registry of their PIA reports? Should PIA summaries be notified to the national data protection supervisory authorities, at least during the two-year period before the assessment of the PIAF implementation, which the Article 29 Data Protection Working Party has invited the EC to elaborate?
  • Should the existing PIAF methodology (i.e. a decision tree on PIA necessity and scope and a PIA risk assessment process) be expanded towards a European methodology for a broader Data Protection Risk Management?
These questions, and others, will be discussed in an open and constructive way among speakers from EU Member State administrations, industry, data protection, ENISA, and the European Commission. The conference will start with two video messages from respectively, Ms Jennifer Stoddart, Privacy Commissioner of Canada, and Jacob Kohnstamm, Chairman of the Article 29 Working Party.

It has been for me a huge privilege to have been entrusted with the leadership in the European Commission for initiating and supporting the PIAF process since 2009.