Surveillance is becoming much easier thanks to radio frequency identification (RFID) technology - a fact not lost on well-informed consumers and the privacy and data protection community.
There is growing recognition that the same RFID application which is employed ostensibly to prevent counterfeiting or the theft of cash or goods could also be used to track an individual’s spending habits, preferences and even physical movements. This information could be used for a host of unauthorised and unsolicited activities such as targeted marketing and dynamic pricing.
The potential for RFID to be used to target individuals - not just to check stock levels or ensure baggage does not get lost in transit - is made more serious by the issue of access. Not only will the deployer of an RFID tag, such as a retailer, be able to access the information contained in a tag, but anyone with the right equipment will also be able to do so.
From a privacy standpoint, the current simplicity of the tag’s response, which does not differentiate between requests based on origin or identity, is a flaw. Thieves could use the tags to locate the whereabouts of valuables and interested persons could obtain access to another’s medical records or passport details, or trace another’s spending habits or physical movements.
The implications are therefore extensive but, at present, many concerns about RFID are largely theoretical. This is due to the fact that most RFID applications are not yet widely deployed because they are being trialled or because of cost.
However, in anticipation of their pervasive use in future, it is not surprising that the potential effect on individuals and the adequacy of the legal framework are being considered now by consumers and interest groups.
For example, the Article 29 Data Protection Working Party, an independent advisory committee set up to consider data protection and privacy issues, has published its working paper on RFID and privacy. The working paper provides guidance to RFID deployers and standardisation bodies on how data protection principles will govern the use of RFID.
It also suggests technical measures that will need to be taken by manufacturers to ensure compliance with the law. Such measures include modifying tags that contain personal data so that they are not vulnerable to unauthorised access. Another suggestion is that tag disablers be developed. This is particularly important given that tags are relatively sturdy and could exist for years.
Protection by law
In terms of protection of data and privacy, the current EU data protection laws provide some comfort. If an application involves the processing of personal data, which can be used directly or indirectly to identify an individual, that application will be subject to certain core data protection principles contained in the Data Protection Directive (95/46).
These principles include requirements of fair and lawful processing, retention of personal data for only as long as necessary and collection of data which is relevant and not excessive for the purposes it has been collected.
A further requirement is informed consent, which means in many circumstances the details of how the information in a RFID tag will be used will need to be made clear at the outset.
In addition, the requirement of fair and lawful processing is broad and means that manufacturers and deployers of RFID tags would need to label those products containing tags, provide information on how to disable or remove the tags and inform consumers when RFID readers are within range.
Although some protection is afforded by EU data protection law, the dynamic nature of RFID means it is impossible to conceive of all future applications, some of which might not fall neatly within the ambit of existing law.
As RFID develops and becomes more mainstream, it will need to be monitored from a legal standpoint and the benefits of certain applications weighed against the sometimes competing interest of maintaining privacy.
The risks and conflicts of RFID may be addressed in the future through legislation, but for the time being it seems the issue will remain the subject of debate.
Quentin Archer is a partner and Gisèle Salazar a lawyer with international law firm Lovells
For more on the Article 29 Working Party, see the EU’s website