Client Alert. Radio Frequency Identification RFID Technology Implications for Privacy in Europe. Privacy & Data Protection.

Radio Frequency Identification RFID Technology Implications for Privacy in Europe

by Tim Wright, Ashley P. Winton, Cynthia Fairweather

Privacy & Data Protection

While radio frequency identification (RFID) looks set to revolutionise logistics, supply chain management and retail payments, it may also permit surreptitious collection of personal data, consumer behaviour, details about the clothes people wear and even the medicines they take. Developers and deployers of such technology need to ensure that they don't fall foul of data protection and privacy laws.

Introduction

RFID is an automatic identification technology, which permits computers to "read" products fitted with tags. While RFID has been used in military applications for decades, it is only now becoming popular in the retail, transport and aviation industries.

The Technology

Put simply, RFID allows data to be read through radio waves emitted from a tag embedded in or attached to a product. The tags generally contain a microchip attached to an antenna, which picks up signals from and sends signals to a reader. The reader, or interrogator, sends out a radio frequency signal and tags within range respond. Intelligent readers can filter data, execute commands and perform functions similar to a PC. Depending on the type of tag (passive, semi-passive or active), a reader can detect signals over 300 feet (100 metres) away.

RFID tags come in three basic types: a passive tag does not have its own power source or transmitter and is only turned on when a reader is within range; a battery-assisted tag or semi-passive tag also reflects information back to a reader but has a longer read range because of the power source embedded in it; and active tags have a power source and transmitters to send information to readers.

Memory-enabled RFID tags can store a vast quantity of information, including date of manufacture; time spent in transit; location of distribution centre holding the item; name of last person to handle the item; amount for which the item was sold; payment method used in buying the item; expiration date; last date of service; and warranty period; as well as the profile of the consumer who purchased the product. RFID has the potential to generate huge volumes of very useful data across the whole product lifecycle. Some RFID tags also have the ability to retain such information for 10 years or more.

Implementing RFID

There are many situations in which RFID can deliver real benefits, such as the following examples:

Gillette and Wal-Mart have run trials using specially designed shelves to permit real-time tracking of inventory levels.

The European Central Bank is reviewing the tagging of Euro banknotes, which would allow information about each transaction in which a banknote is involved to be recorded.

A Singapore hospital has begun rolling out a tracking system for its A&E department following a Severe Acute Respiratory Syndrome (SARS) alarm. The hospital issues all patients, staff and visitors with a card containing an RFID chip, so that should anyone be diagnosed with SARS, it then has a record of all individuals with whom the infected individual may have had contact.

The US Food & Drug Administration has authorised the injection under a person's skin of an RFID tag giving the medical file index of a patient usable in emergency situations.

Retailers in particular are leading the roll out of RFID. It is being used on sale merchandise (tagging goods for sale, cases containing the items, and/or pallets in which goods are transported); on the retailer's own property such as shopping trolleys, computers and other movable items; on wireless telecommunications devices such as mobile phones; and even to track people (customers and employees) by tagging loyalty cards, staff name badges and uniforms.

Privacy Concerns

While some uses of RFID technology do not give rise to data protection and privacy concerns, many do. In addition to such concerns, RFID technology may be open to abuse due to its relatively low cost and availability to third parties. By collecting and processing data, companies could create profiles on individual consumers detailing income, buying habits, health, travel patterns and lifestyle, which are not only of use to themselves but also to third parties.

Data protection and privacy implications for RFID technology arise in four areas: the collection of information linked to personal data (e.g., retailers linking sales data from tagged products to a loyalty card or bank card database); monitoring consumer purchases and, by association, the individual (e.g., tagging shopping carts to monitor buying patterns and habits); storing personal data on tags (e.g., rail tickets or airline baggage) which can then be scanned by any person with a suitable reader; and surreptitious and unauthorised scanning of RFID tags (e.g., using a reader to find out the nationality of a person on the street from their RFID-enabled passport or how much cash they are carrying).

Data Protection

Application of the European data protection directive [1] (DPD) to RFID technology depends on whether personal data will be collected and processed after an item is tagged. Thus, each of the four scenarios above may trigger application of the DPD. The DPD broadly defines personal data as data relating to a living individual identifiable from that data or from other information available to the data controller, including expressions of opinion about the individual or another in respect of the individual. [2]

The DPD applies wherever personal data is processed. Arguably personal data can be processed on the RFID tag, and this means that deployers of RFID systems need to consider the data protection laws in each country in which their tags could be used.

Where RFID tags are used in connection with personal data, the DPD will require the deployer to display prominent notices describing that RFID tags are being used. In most cases, the deployers of RFID technology must also obtain the consent of individuals whose personal data is being collected and processed from the RFID tag. In certain instances, notice and consent may be insufficient without the deployer also informing an individual about how to discard, disable or remove the tag, or even how to access the information.

In addition, deployers will have to assess whether the collecting or processing of personal data is necessary to their legitimate business interests, which cannot unfairly prejudice an individual's interests. Deployers must also identify the minimum amount of information required to fulfil that purpose. The DPD also requires that personal data must be kept secure and must not be kept for longer than necessary.

One of the significant risks or benefits of RFID technology may be for a deployer in retail premises to determine what items a customer has within their shopping bag that have been purchased elsewhere. Such information has a significant commercial value but will be a breach of the DPD unless the individual's consent is obtained or the data is separated from the point of sale data and made truly anonymous.

Further, under the DPD, deployers are required to keep personal data no longer than reasonably necessary. RFID tags, however, can have a lifespan of 10 years or longer and once out of range of a reader, some tags are not able to delete the data they contain. Deployers must ensure that this issue is considered carefully as part of their implementation.

[1] Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

[2] Article 2 (a). Personal data shall mean any information relating to an identified or identifiable natural person [being one] who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

Deployers of RFID technology must have robust security measures to ensure against unauthorised use, loss, destruction or damage of the data and may have to invest in various types of blocker tags, which either encrypt or shield data from unauthorised third party use.

As RFID technology may be used globally to track a supply chain, deployers of the technology will have to ensure that any processing of data outside the European Economic Area (EEA) has adequate protections. This may cause obstacles for those multinationals that wish to share such data on a global basis, and they may need to seek explicit consent of the individual before they can do so. [3]

The Privacy and Electronic (EC Directive) Regulations 2003 were drafted in a technology neutral manner to cover fast changing technologies. Under the Regulations, electronic communications traffic data and location data [4] may only be processed where it is made anonymous or with the consent of the individual. Where consent is required, an individual must be provided with information pertaining to the intended use of the location data, including whether the data will be transmitted to a third party, and an opportunity to withdraw consent. While the Regulations address direct marketing over telecommunications networks, they apply to cookies or similar devices and may apply to RFID technology should a tag be considered terminal equipment.

European Initiatives

An influential working party within the European Commission recently considered RFID technology and data protection issues [5]. The working party raised concerns that certain uses of RFID technology violate data protection rights and provide businesses and governments with the ability to pry into individuals' privacy. The Working Party consulted interested parties regarding RFID technology and issued guidance to RFID deployers, manufacturers and international standardisation bodies on the application of the data protection and privacy and electronic communications Directives [6] to RFID.

As RFID technology can be used to collect information directly or indirectly linked to a person, the Working Party found that widespread deployment of RFID would cause an increase in the type and number of data processed by a wide variety of data controllers. Additional concern was raised about the storage of personal data in RFID tags, because a standard reader would be able to detect personal data, leading to third parties surreptitiously obtaining information about individuals. This in turn could lead to decisions about an individual's income, health, lifestyle or buying habits being made without that person's informed consent because individuals could be identified at an associative level from the quantity of information surrounding or stored about him or her. The gathering of both associative data and direct data is covered by the Directives.

[3] DPD compliance obligations are more onerous for processing sensitive personal data, which includes racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, physical or mental health, sexual orientation, or criminal proceedings or convictions.

[4] Under the Regulations, location data is any data processed in an electronic communications network indicating geographic location of a user of a public electronic communications service.

[5] Article 29 Data Protection Working Party, Working document on data protection issues related to RFID technology (January ).

[6] Directive 95/46/EC 24 October 1995 and Directive 2002/58/EC 12 July 2002, respectively.

The Guidelines address each of the data protection principles and suggest that consent from individuals to the use of RFID technology will be the only legal ground for ensuring compliance with the data protection principles in the Directive. The Guidelines also suggest consent may not always be appropriate for certain uses of RFID technology, such as when a hospital uses RFID technology to eliminate the risk of leaving surgical instruments inside a patient post-surgery, because of the vital interests of the individual.

Notice to consumers should include the presence of RFID tags on products, the consequences of the data gathered, the intended use of the data gathered and whether it will be shared with third parties. Individuals must be given the right to check the accuracy of the data and to make corrections.

It is incumbent upon manufacturers and deployers of RFID technology to provide and implement appropriate technical and organisational measures to ensure personal data is protected against accidental or unlawful destruction or unauthorised disclosure. Technical measures can include temporary disablement, physical removal of the tag, the overwriting or scrambling of data transmission from the tag, or even physical shielding of the tag from readers. Alternatively, consumers should be able to deactivate the tag should they wish to do so, for instance, at the point of sale, enabling the individual to retract his consent by disabling the tag.

The difficulty for deployers of RFID comes in administering various security measures, notice and consent as well as ensuring data accuracy and providing individuals with rights of access and the opportunity to correct personal data.
Alternatively, deactivation and physical shielding of tags shifts the burden to individuals, who then become responsible for preventing the tag from disclosing information. The Working Party found the most secure approach was for RFID deployers to deploy standard authorisation protocols approved by the International Organization of Standardization, e.g., ISO

Summary

Deployers and manufacturers of RFID technology need to be aware of data protection and privacy implications. That legislation will require deployers to give adequate notice to consumers about the specific and intended uses of any personal data processed. Deployers will also have to ensure a method of allowing individuals to consent to the use of personal data as well as give those individuals rights of access and to correct any errors. Deployers will also have to ensure against the surreptitious reading of tags by third parties. The E-Privacy Regulations may add an additional administrative burden in relation to processing location data.

The EU Working Party Guidelines contain useful information on the ways in which certain uses of RFID may fall foul of data protection and privacy Directives and suggest various technical and operational methods of protecting personal data read from tags while acknowledging that the global interoperability of RFID technology is positive for industry deployers.

For further information, please contact:

Tim Wright, London, tim.wright@pillsburylaw.com
Ashley P. Winton, London, ashley.winton@pillsburylaw.com
Cynthia Fairweather, London, cynthia.fairweather@pillsburylaw.com

This publication is issued periodically to keep Pillsbury Winthrop Shaw Pittman LLP clients and other interested parties informed of current legal developments that may affect or otherwise be of interest to them. The comments contained herein do not constitute legal opinion and should not be regarded as a substitute for legal advice. Pillsbury Winthrop Shaw Pittman LLP. All Rights Reserved.