RFID Security and Privacy - HAL open archive
Book chapter. Year: 2011

RFID Security and Privacy

Abstract

The European Commission published in May 2009 a recommendation "on the implementation of privacy and data protection principles in applications supported by radio-frequency identification", which is designed to provide "guidance to Member States on the design and operation of RFID applications in a lawful, ethical and socially and politically acceptable way, respecting the right to privacy and ensuring protection of personal data." This recommendation requires RFID operators to conduct a "Privacy and Data Protection Impact Assessment" before an RFID application is deployed, and to make its results available to the competent authority. The RFID recommendation is also designed to promote "information and transparency on RFID use", in particular through the development of "a common European sign developed by European Standardisation Organisations, with the support of concerned stakeholders", designed "to inform individuals of the presence of readers".

The RFID PIA (Privacy and Impact Assessment) process aims to reach several objectives:

* to favour "privacy by design" by helping data controllers to address privacy and data protection before a product or service is deployed,
* to help data controllers to address privacy and data protection risks in a comprehensive manner, an opportunity to reduce legal uncertainty and avoid loss of trust from consumers,
* to help data controllers and data protection authorities to gain more insight into the privacy and data protection aspects of RFID applications.

The industry has proposed an RFID PIA framework which classifies an RFID application into 4 possible levels:

* Level 0 applications essentially cover RFID applications that do not process personal data and where tags are only manipulated by users, and are rightly excluded from conducting a PIA.
* Level 1 applications cover applications where no personal data is processed, yet tags are carried by individuals.
* Level 2 applications process personal data, but the tags themselves do not contain personal data.
* Level 3 applications are those where tags contain personal data.

If the RFID application level is determined to be 1 or above, the RFID operator is then required to conduct a four-part analysis of the application, with a level of detail that is proportionate to the identified privacy and data protection implications. The first part is used to describe the RFID application. The second part highlights control and security measures. The third part addresses user information and rights. The final part of the proposed PIA framework requires the RFID operator to conclude whether or not the RFID application is ready for deployment. As a result of the PIA process, the RFID operator will produce a PIA report that will be made available to the competent authority.

For the industry, only levels 2 and 3 are to be submitted to a PIA because it considers that the information contained in a tag at level 1 is not personal. However, level 1 raises concerns for the Article 29 Working Party because tagged items carried by a person contain unique identifiers that could be read remotely. In turn, these unique identifiers could be used to recognize that particular person through time. This raises the possibility that a person will be tracked without his knowledge by a third party. When a unique identifier is associated with a person, it falls within the definition of personal data set forth in Directive 95/46/EC, regardless of the fact that the "social identity" (name, address, etc.) of the person remains unknown (i.e. he is "identifiable" but not necessarily "identified"). Additionally, the unique number contained in a tag can also serve as a means to remotely identify the nature of items carried by a person, which in turn may reveal information about social status, health, or more.

Thus, even in those cases where a tag contains solely a number that is unique within a particular context, and no additional personal data, care must be taken to address potential privacy and security issues if this tag is going to be carried by persons. The Working Party has urged the industry to fully address this issue, by clearly mentioning it in the framework as part of a revised risk assessment approach for level 1.

This chapter will address the issue of protecting the privacy of RFID tag carriers in a privacy by design model which puts them in a position to decide whether or not they accept being tracked at level 1. In case of a negative decision, tags have to be deactivated. Security measures must also be taken to protect personal information on RFID tags against information leaks which could lead to identity theft.
Main file
RFID_chapter_v9.pdf (517.57 KB)
Origin: Publisher files allowed on an open archive

Dates and versions

hal-00637061, version 1 (29-10-2011)

Cite

Michel Arnaud. RFID Security and Privacy. Deploying RFID Challenges, Solutions and Open Issues, INTECH, pp. 366-376, 2011, ⟨10.5772/17463⟩. ⟨hal-00637061⟩