Radio-Identification

Radio-identification (RFId) technology has become an essential economic stake including in distribution and transport applications. Because of their massive circulation, the individual nature of the identifiers of each tagged object, their invisible nature and the profiling risks, the CNIL considers that RFIds are personal identifiers in the meaning of the 6th January 1978 Act.

Radio-identification appears as miniature chips (a few millimetres at most, made up of a microprocessor and an aerial) called RFId, smart tag, transponder or radio-tags. These smart tags are passive by nature and without batteries; in a variable magnetic flow, they emit, according to specific radio frequencies, a simple fixed alphanumerical sequence used to identify the tagged object. The range of the radio broadcast is variable depending on the chosen technical standard and to the context  : a few centimetres to a few metres at most. Lastly, some tags can receive and record information.

Though radio-identification is already part of our lives through contact-less transport cards (including Navigo for the RATP) or many car keys, the most significant future is in the distribution area, as a radio bar code. Radio bar codes are the subject of plans and standardisation around the world. Beyond scale effects impacting the production costs of RFIds (less than 20 cents to date), the nature of the identifiers allows differentiation between two items of the same product as from their manufacturing.

The CNIL commissioner Mr. Philippe Lemoine, in the address dated October 30th on radio-identification, identifies 4 traps that help reduce the risk resulting from that technology in terms of personal data and privacy protection : the apparent insignificance of the data, the priority given to objects (apparently still relative to people), the globalisation logic (technology standardisation based on the American concept of « privacy » not taking into account the European privacy protection principles), and the risk of individual « non vigilance » (presence and activation are invisible).

Radio-identification technologies can be used for well-defined legitimate purposes. However, because the dense meshing of thousands of objects surrounding a person can permanently be analysed (the radiation potential of an RFId has no time limit, as no battery is required), and thus allowing for potential individual profiling, they result in a specific risk to individuals.

For those reasons, the Commission considers that RFIds are personal data in the meaning of both the 6th January 1978 Act and the 95/46 Directive.

Among the guarantees provided by the privacy principles, the right of access raises an unprecedented problem : indeed the only solution consists in definitively or temporarily disabling the chip, which is difficult as long as the objects are in individuals’ possession. Technical devices guaranteeing the disabling of RFIds should be incorporated when the products are manufactured. Theoretical solutions already exist but research still has to progress in order to find practical ways of implementing such solution.