The Australian Privacy Foundation said the Code was “fundamentally flawed” because it did not protect consumers from RFID (radio frequency ID) technologies being used to track products after they pass the retail point of sale.

In a submission to GS1, the APF also expressed disappointment that GS1 had not taken the “next logical step” in registering the Code with the Office of the Federal Privacy Commissioner, which would make it binding on signatories.

The APF submission welcomed the “timely and well-structured” GS1 initiative in seeking to create a Code of Practice. The foundation said it was particularly pleased that Code had defined the term ‘deactivation’ to mean that RFID tags could not be re-activated “in whole or in part.”

But it is highly critical of the Code putting the responsibility for ensuring deactivation on the consumer rather than the retailer.

“The draft Code of Practice is fundamentally flawed in its opt-out approach to de-activation at point of sale,” the Privacy Foundation submission said. “The default option should be that RFID tags are de-activated at the point of sale, unless the consumer expressly requests that the tag remains active.”

“We are also disappointed that the industry has not taken the next logical step of seeking registration of the Code by the Privacy Commissioner so that it becomes binding on signatories.

The AFP is also critical that the Code does not include the relationship between the retailer and the manufacturer in the way RFID can be used.

“While it is comforting for a consumer to know that the retailer from which a particular item was bought will not abuse the information that can be gathered, such a feeling may be one of false security should the tag be left active, and in the event that the manufacturer of the item or other third parties will be monitoring the tag,” the submission says.