EU Privacy Mandate growing teeth? BIC’s response to EN16570 & 16571

The second half of 2014 saw the first signs that the EU’s mandate on RFID privacy, M436, might be gaining some teeth with the issue of two new standards, EN 16570 and EN 16571 – respectively defining the display of warning signs in RFID-enabled establishments and the process by which Privacy Impact Assessments (PIAs) should be completed. The second of these documents, created under the direction of its Project Editor, Paul Chartier, gives details of the process to be followed in creating a Privacy Impact Statement (PIS) to be displayed alongside signs warning that RFID is being used in an establishment – a library, for example.

Paul’s company – Convergent Technologies – has been quick to alert librarians and their suppliers of the requirements of EN 16571 and has partnered with the French RFID organisation – CNRFID – to produce software that enables what the standard refers to as “Operators” to complete a PIS. This software can be purchased from either Convergent or CNRFID.

EN 16571 applies to any business using RFID but singles out libraries for special attention, its Project Editor having a special interest in the sector, having previously been PE for a number of other standards, most notably the somewhat over-engineered ISO 28560. Some of the requirements of EN 16571 would have profound implications for libraries – the need to label every single item that contains an RFID tag, for example. Signing up to complete a PIS might therefore commit a library to more expenditure than simply buying the software.

So how should librarians respond to this new challenge? Convergent’s answer would probably be “show us the money!”, and that’s certainly one option. However, the standard is not (yet) legally binding and may be enforced – or not – quite differently in different member states. The standard – like ISO 28560 before it – suggests to me that its creators may have been more familiar with the needs of the book supply chain than with running a library service, and it is to be hoped that wiser counsels will prevail if it ever becomes the subject of legislation.

Book Industry Communication (BIC) – a charity funded by both the book trade and libraries – is an organisation that seeks to advise and inform its members on issues such as standards adoption. Its various committees and task-oriented working groups are populated by both suppliers and their clients (librarians) working in the sector. It liaises with other concerned parties (such as the UK’s Information Commissioner’s Office (ICO)) to try to ensure that legislation is informed by those who work in the library sector rather than by EU experts who may have little experience of the day-to-day problems of running a library service.

BIC today issued an advisory notice to UK librarians about M436, seeking to reassure them that precipitate action is not necessary and detailing the approach it is taking on behalf of its members (and UK libraries in general). This might be summarised as “Don’t Panic” – but this should not be seen as a call for complacency so much as a call to arms for librarians to be aware of the issue.

As a part-time BIC consultant I will be working with them to represent the interests of libraries in these cash-strapped times. I hope I can count on your support?

7 Comments

  • Ian

    Your common sense approach will be a good thing. I work at a university, and like many other universities our campus card uses a version of mifare, which I think would also be affected by these standards. Hence I read this as possibly having institutional consequences, not just for the library….

  • It is interesting that you should run this piece.

    Your argument seems to be that if there is no legal requirement then inertia seems to be the policy to follow. EN 16571, like all standards, is adopted on a voluntary basis. Even the ICO’s own PIA guidelines are without the force of law. Generally speaking there are thousands of organisations that have developed a privacy impact assessment process. EN 16571 focuses on RFID and incorporates a risk assessment procedure. The same applies to the ISO 27000 series of security standards, with which EN 16571 has some parallels, and which is no doubt followed by some library managements and owners.

    Since we sent our newsletter to the library community, the Commission (DG Justice) has called us (CNRFID-CSL) to a meeting to discuss the standard and the software. The Commission is impressed that it follows the RFID PIA Framework, fully supported by the Article 29 Working Party (i.e. all the European Data Protection Authorities). Since that meeting DG Justice has requested that leading privacy lawyers talk to us about the standard and the software. We had our first call yesterday. In a couple of weeks’ time DG justice has arranged for us to present at the leading European data protection and privacy conference. Later this year we will meet the DPAs. So things are hotting up.

    Unfortunately there are a few factual errors in your article.

    You said: The standard – like ISO 28560 before it – suggests to me that its creators may have been more familiar with the needs of the book supply chain than with running a library service.

    The facts about ISO 28560:
    Except for me, ALL the members of the committee that developed ISO 28560 (all parts) were either librarians or RFID vendors to the sector. I was there because of my knowledge of RFID standards. The role of the Project Editor is to draft the consensus views of the committee. In turn, the committee’s work has to be reviewed twice by national standards committees and is even subject to public review. There were numerous opportunities for those “running a library service” but not participating in the actual committee to comment on the document before publication. BTW, I was co-Project Editor to get the facts absolutely correct.

    You said: EN 16571 applies to any business using RFID but singles out libraries for special attention.

    The facts:
    No sector is singled out in EN 16571. Have you read the standard? It applies to all sectors and to all RFID technologies. If libraries accept contactless payments, then they will need to consider undertaking a PIA. BTW, there are also security standards that apply to this type of payment. In our newsletter to the library sector we have obviously advised libraries about relevant issues. We shall do the same for other sectors as appropriate.

    You said: Some of the requirements of EN 16571 would have profound implications for libraries. The need to label every single item that contains an RFID tag for example.

    The facts:
    There is NOTHING in EN 16571 about “the need to label every single item that contains an RFID tag”. EN 16571 specifies a PIA process, i.e. a procedure.

    You said: Signing up to complete a PIS (sic) might therefore commit a library to more expenditure than simply buying the software.

    The facts:
    The software costs 800 Euro (see http://rfid-pia-en16571.eu/why-use-the-software/what-does-it-cost/) This page also compares other options. The cost of EN 16571 from BSI is £232. Anyone using the software does not need to buy the standard. We have also offered to work with vendors to further reduce the cost to libraries. Furthermore, the entire PIA process provides RFID operators with a more detailed insight into the privacy aspects of their RFID application. As such it supports the principle of ‘Privacy by Design’ which is already in the draft Regulation.

    Paul Chartier
    Managing Director
    Convergent Software Ltd

  • Hello Paul,

    Thanks as ever for your response.

    No, I am certainly NOT suggesting that inertia is the best policy to follow I’m just trying to reassure people that they’re not breaking the law…yet. That’s the question I’ve been asked most often so, rightly or wrongly, it seemed the most important question to answer.

    I’m glad that CNRFID-CSL is (are? – are you one company or two?) doing well and have the ear of the Commission. That will be a useful conduit for anyone wishing to express concerns over the implications of implementing the standard.

    To address the factual errors:

    The post is really meant to be about EN 16570 and 16571 so it was probably an error to mention ISO 28560 in passing, I apologise.

    I do know that several European librarians were involved in 28560 because, as you know, I was asked to join the Working Group myself (after the standard was published) by two of them. Even before I joined I was asked to write sections of the official site – and I’m not a librarian either. UK librarians, though members, did not play any active role in its preparation – and libraries are different everywhere.

    But whilst I accept that your role was co-Project Editor I still think the standard was over-engineered.

    I have read the standard. I’m a library member so I can consult a library copy – something that librarians might even do to save themselves £232.

    Maybe “singled out” was too strong? I did make the point that it applied to all sectors, I was trying to make sure that librarians didn’t think they might escape attention in the crowd. Libraries ARE specifically mentioned in EN16571.

    You’re right there is absolutely nothing in EN16571 about tagging items. It’s in EN16570 para 6.1:

    “The presence of an RFID transponder of any type, frequency or powering technique placed on or contained in an item shall be notified by the application of the common RFID notification emblem to the tagged item.”

    My apologies.

    I certainly wasn’t taking the PIS (sic) I was trying to explain that if you make a statement that you comply with EN16570 & 16571 you would be agreeing to meeting requirements like that cited above (EN16570 para 6.1)

    €800 may not sound much to you but libraries are operating on very tight budgets and, as I indicated in the previous paragraph, spending €800 may be just the tip of the iceberg. However I did acknowledge that librarians might well elect to do that. Could I however, on their behalf, ask if you will provide free assistance to any of them that find the questions posed by the software difficult to answer?

  • Thanks for posting my comment and your reply. You have raised a few more points that are easy to address. I have tried to address the technical and commercial points that you raised. I would not have used your blog to promote the software, but as in the original piece and your response you seem to be challenging what we are doing, I feel that you have given me the right to respond.

    Your original piece focussed very much on EN 16571, and might have been better balanced if it looked at both standards and addressed the legal issues.

    Like almost all standards, there is no legal basis to implement the standard. It is exceptional for any law to call out a standard, simply because the standards are developed and controlled by different bodies. So the RFID PIA and the RFID notification are fundamentally no different from the ISO 27000 series of standards that the IT people of universities and local authorities should be familiar with. They form part of that set of management practices called good or best practices.

    Having read the latest draft of the EU General Data Protection Regulation, there is no explicit calling out of any standard. That does not mean that the PIA standard will not be relevant. As with security standards, the issue is not about being ‘legal’ but taking some management decisions on whether to use available tools or not. So your more recent reference to “not breaking the law – yet” is not really relevant. A PIA, the specific RFID PIA process defined in EN 16571, the CNRFID-CSL software might be used by regulators to assess compliance with the Regulation, but the standard itself is never likely to be ‘the law’. Law does not work like that. Many of the data protection disasters of 2014 could have been avoided by the organisation applying a PIA process. The worst ones ended up with some hefty fines, but the data protection laws in Europe don’t call out any standards.

    But there are some key points about the difference between the two standards and their implementation. The original Recommendation from the European Commission to the Member States was for the PIA and for notification.

    In the evolution towards the standards, EN 16571 stuck to the basic requirements of developing a PIA process. By the way one of the first PIAs associated with the concept of Privacy by Design – a concept developed by the Information & Privacy Commissioner of Ontario, Canada, Dr. Ann Cavoukian – and RFID PIAs were applied to libraries in that province. Unlike EN 16571, those PIAs did not focus on the risks and countermeasures associated with the technology.

    The development of the notification standard (EN 16570) was intended to apply to all RFID applications, but there was a continual debate about any emblem appearing on the item itself. It ranged from being applied only to retail products, and if you read all of Clause 6 there is still that bias. There was also a big battle about the overlap in function with many other emblems: contactless payment, transport cards (e.g. the emblem on the Oyster card) and even established emblems for retail products. Views became very entrenched and the “it applies to all items” was the result of one organisation arguing that it was exempt and the Commission applying a veto.

    But if it comes down to a choice of following EN 16571 or the specific part of EN 16571 about items, the former will demonstrate privacy management of an RFID application and the latter will not do so. The notification on the site has always been considered the key part of EN 16571. There are also innovative and more cost-effective ways to comply with the spirit of notifying each item without incurring the costs. As you said, it ain’t law, so it is an option. There is at least one retailer that is applying the emblem on products, and a leading consumer organisation reported to the Commission that no staff could explain what it meant. This is because the retailer rushed to adopt the emblem, displays no notification sign and has not undertaken a PIA.

    As you now correctly state, libraries were not “singled out”. Library applications were mentioned as example references given the number of libraries using RFID still far exceeds the number of retailers using RFID, although the number of retail outlets (as opposed to operators) is rapidly increasing. To put things into perspective here is a reasonably comprehensive list from EN 16571.

    Examples include, but are not limited to:
    — airline baggage handling;
    — conference and exhibition badges;
    — contactless payment systems;
    — employee access control systems;
    — inventory control and stock taking;
    — libraries using RFID for circulation and other control purposes;
    — retail applications for a particular market sector;
    — RF-based membership cards, for example for leisure centres;
    — RF contactless cards in public transportation systems;
    — RFID apps on mobile phones.
    So the other comment that I saw from Ian about applications in universities and the campus card fits in there somewhere.

    To finish on some commercial points:
    • CNRFID-CSL is a marketing brand and a contractual partnership.
    • Both organisations remain separate legal entities.
    • CNRFID brings to the table a significant amount of RFID expertise.
    • CSL has developed and owns the software to a jointly agreed specification.
    • The software can only be purchased via CNRFID.
    • You mentioned price. The first thing is for the owners of libraries to consider that they might well have wider responsibilities for undertaking an RFID PIA. Ian, the other person who commented on your blog, has already alluded to this. The marginal cost of an additional application is small.
    • Any organisation that purchases the software will have full support.
    • Users of the software that have queries will be provided with free advice, either via a private area of the website or in exceptional circumstances on a one-to-one basis. Libraries that have used our 28560-2 planning service and QC service (think of what we had to do to help Exeter University identify what was wrong with their encoding) will be aware of the high level of service we provide.

    Paul Chartier
    Managing Director
    Convergent Software Ltd

  • Paul

    Thanks for taking the time to respond.

    I’m sorry if you felt I was challenging you; I was merely trying to suggest that people have choices.

    I appreciate that standards are not law – I learned that some years ago at my BSI training sessions – but it’s a relationship that confuses many outside of the standards committees.

    I’m trying to explain to librarians why they need to take account of it and what actions they may, or may not, need to take. You, as the standard’s Project Editor, obviously know it to be a valuable contribution both to protecting the rights of the individual and to the effective operation of RFID but the fact that you also stand to gain financially (however modestly) from software sales places you in an awkward position.

    My concern is not whether CNRFID-CSL are seen by some as being both the promoters and beneficiaries of EN16571 – but with how best libraries can respond to the challenge it presents.

    I am happy, once again, to point out that buying your software is one way of carrying out a PIA. I’m simply pointing out that BIC – an organisation comprising both library suppliers and their clients rather than two that have little direct experience of working in the sector – is seeking to formulate its own advice on the subject.

    That advice could be to buy your software – but I think we owe it to our members to make that determination for themselves.

  • Gerald Santucci

    Thank you ALL for that conversation. As the EC manager who guided the work on the 2009 RFID Recommendation and then on the RFID PIA framework (PIAF) that became a European Standard as a result of a mandate (M/436) managed jointly by DG CONNECT and DG GROW, in association with DG JUST, I am proud that information and arguments are circulating on the merits and flaws (both exist in every human activity) of the EN 16571. I have known Paul for a decade and therefore it is not a surprise that I entirely support his views, but I have also gone through two full years of debates with the wide range of RFID stakeholders – industry, governments, experts, consumers, privacy groups, etc. – and therefore I am well aware that commitment, patience and courage are necessary to make all stakeholders accept, after some time, to agree a “point of equilibrium” that wisely meets the common good, not at all selfish or corporate interests. After 2011, the RFID PIA framework triggered and nurtured the reflections of the EC on what will be very soon the Data Protection Impact Assessment (DPIA) provision of the General Data Protection Regulation (a political agreement was found in December 2015, which opens the way to a quick approval by Council and EP). It is clear that the concept of PIA, strengthened by EN 16571 in the specific case of RFID, is in fact legally binding today. I can only recommend that librarians and other RFID users consider already implementing EN 16571 (i.e. the PIAF) – this standard will be used as a model to guide and shape future discussions on how to implement the DPIA provision of the Data Protection law. EN 16571 is easy to use, cheap and effective. My advice: use it, and then share with us – and CNRFID-CSL – your experience regarding its relevance, cost-effectiveness, impact on your policy, etc. Thanks!

  • Simon Edwards

    I have also read EN 16571 and tried to imagine applying a PIA process to a library which is using RFID. Obviously I did not have the benefit of Paul’s software, but my repeated efforts led in every case to a high risk result. In fact I cannot conceive how a current RFID-using UK library would not receive a High Risk result. This is because library tags are essentially still live, i.e. available to be read, when they leave the library premises. This is seen as a privacy risk. I acknowledge this risk, although it seems absolutely minute compared to the risk voluntarily undergone by millions of EU citizens carrying smartphones, credit cards, travel cards, fitbits etc. etc., some of whom may also use libraries.
    I understand that the whole point is to move towards a mitigation of the risk in/from libraries by deploying improved technology, and maybe that will be possible in future, although I am concerned that the benefits of RFID for libraries may be mitigated out of existence by reduced interoperability, e.g. the ability to circulate stock between libraries. So I see a tension between the needs of privacy and the benefits of RFID. But for now, it comes down to a simple question. What is the point of every UK library undertaking a test at some considerable cost which it is guaranteed to fail?
