Bond of Faegre &
Benson LLP addresses the privacy and information security issues associated
with electronic product codes
plus or privacy negative?
businesses are realising that, from a marketing and advertising perspective,
the use of EPC provides a tremendous opportunity to “know your customer”
and to provide a personalised marketing. By using tags on a wide variety
of products, it is possible to logically link the data derived from the
purchaser of one product, to other purchases that they make within a supermarket
or a shopping mall and to harness that data for the benefit of more targeted
marketing and advertising, whether on the basis of the data simply collected
from the tags or, from a combination of that data with further information
gathered on loyalty/credit cards used to make such purchases and the like.
however, EPC tags do not require direct line of sight to be read and have
the capability to identify not only the brand and model of the product
but the unique item of that brand and product. This, for example, is an
essential improvement for food traceability that can identify potential
health issues from the feed lot to the packaged product. This traceability
also permits more effective product recall and targeted consumer health
and safety alerts. EPC systems may allow businesses to explore new ways
to meet consumer needs, reduce costs and maintain inventory.
the use of tags to improve efficiencies and competition in the supply
and distribution chain, there are numerous benefits to consumers including
identification of counterfeit products, faster product recall, enhanced
product availability, improve warranty service and potentially faster
check-outs. On the other hand, rather than providing “personalised
marketing” it is perhaps more appropriate to describe the use of
this technology as providing “personal marketing”. In other
words, whilst there are distinct marketing and advertising advantages
in the use of EPC there is also the potential to infringe personal data
rights and privacy.
The simple barcode on products is gradually being replaced by smart tags
that use wireless technology, such as WI-FI, RFID, Bluetooth, Global Positioning
System Technology and General Packet Radio Service.
or tagging in the past, was generally restricted to bar coding which was
a relatively passive form of tagging since it required the use of bar
code readers to interpret data and the data itself revealed little more
than the identity of the product.
product tagging, such as RFID has, until recently, been expensive to implement
(and indeed is still relatively expensive) but this more sophisticated
product coding technology now allows for, not only identification of the
product itself but specific confirmation of the precise batch that a product
came from and using wireless technology, the ability to track the movement
of that product.
can be either active or passive. Passive RFID tags do not have their own
power supply because the minute electronic current induced in the antenna
as a result of the incoming radio frequency scan will provide enough power
for the tag to send a response. Consequently, the lack of power means
that the amount of information that can be managed in a passive RFID may
be limited to an ID number only. Passive RFID tags can be extremely small
but have limited transmission ranges from 10mm up to about 5m.
On the other
hand, active RFID tags require a power source but have longer ranges and
larger memories than passive tags.
RFID tags are assumed to be a relatively recent innovation they were,
in fact, in use during World War II when, in the form of transponders,
they were fitted to allied aircraft and known in the forces as IFF (Identification
Friend or Foe).
Global companies such as Gillette, Phillips, Procter & Gamble, Wal-Mart
and others see huge savings to be made from the use of EPC and there are
numerous pilot projects underway for which are indicating savings to be
made in supply chains as well as the ability to add value to both product
owner, product reseller and customer.
technology and the like will make savings in the supply chain, they may
also produce a range of smart solutions, such as refrigerators or waste
bins that automatically create shopping lists, products tagged for store
returns, reduction of the risk of fraud and theft and smart travel tickets
that indicate your location in airports, stations and so on. However,
privacy groups and consumer associations have expressed concern that the
same technology may have invasive features since, if the technology can
track the product, then the same technology can track the product purchaser.
the companies named above, such as the Gillette Company, Procter &
Gamble and Wal-Mart have joined together with other well-known companies
such as Hewlett Packard and Johnson & Johnson to create International
standards for the use of RFID tags and EPC in general and many of the
same companies are also actively involved in the International Chamber
of Commerce (ICC) Task Force on EPC which recently published its own guidelines
for the responsible deployment and operation of EPC.
currently a number of the new tagging technologies can only be read over
short distances there are suggestions that if there are connected sites
with suitable readers, it is feasible that the purchaser of an RFID tagged
product could be tracked from the points that the product is put into
a shopping trolley to the point of payment and indeed beyond. Such tracking
enables retailers to build up sophisticated profiles on purchasers but
at the same time may, potentially, breach human rights and in particular
the Data Protection Act 1998. Companies which see commercial and marketing
value in the use of electronic product codes may dismiss issues like data
protection on the basis that EPC technology utilises information about
products and not people and contains no personally identifiable information.
This view is not necessarily shared by the regulatory authorities in Europe.
Protection Act 1998 defines personal data as “data which relates
to a living individual who can be identified either from that data or
from that data and other information which is in the possession or is
likely to come into the possession of the data controller.” So data
from an RFID tagged product, when read in conjunction with the purchaser's
loyalty card, swiped at the point of payment, produces a record of product
purchase to purchaser and in conjunction with other products purchased
at the same time builds a profile. If those tagged products are readable
outside a store it is possible that yet more data can be gathered to track
and profile the purchasing style of that individual within a locality.
it is not the tagging in itself that is potentially a breach of data protection
laws but the subsequent collection processing of data derived from the
tagged product that causes the problem.
of conflict between the technology and the law
On the 15 July 2004 Peter Schaar, in his capacity as the Chairman of the
Article 29 Data Protection Working Party created in the European Union
under the general Data Protection Directive, gave an opinion to Howard
Beales, Director of the Bureau of Consumer Protection of the Federal Trade
Commission in relation to the above issues. In his letter Mr Schaar provides
some useful examples of cases where RFID technology clearly uses personal
data and says “as a first example, consider where a manufacturer
of pharmaceutical products puts tags on a series of medicines which are
sold under presentation of a prescription. When the consumer buys the
medicine, the information regarding the individual, the type of medicine
bought, the time of day, are entered into a database. If the individual
returns for a refill, the retailer reader immediately identifies him/her.
The information about the refill is logged and his/her behaviour is monitored.
As a second
example, consider where a conference organiser decides to tag conference
badges which are delivered to delegates upon arrival and registration
for a conference. RFID readers are placed in different parts of the conference
premises. This allows the conference organiser to collect data regarding
the location and movement of the conference participants. The data is
linked to each participant and entered into a database.
In both the
above scenarios, the provisions of the Data Protection Directive would
examples, include the inclusion of an RFID within an implantable cardioverter
defibrillator, in order to enable the device manufacturer the patient
and the surgeon to monitor performance of the device and to give a more
efficient and timely aftercare service to the patient.
The data protection legislation in the UK requires that individuals are
notified of data processing activities and are given sufficient information
about the way which such data will be stored and used to be able to give
notifying individuals of their rights under the Data Protection Act 1998
and obtaining their consent to the use of their data through an electronic
product code system it is equally important to consider information security
issues. The 7th principle of the Data Protection Act 1998 states that
“appropriate technical and organisational measures shall be taken
against unauthorised or unlawful processing of data as well as against
accidental loss, destruction or damage to such data”. In many cases
the EPC system will comprise of the tag itself, the communications network
over which data may be transferred and other systems in which the data
may be stored and processed. Furthermore, aspects of the system may well
be outsourced to third parties including network operators and data processing
that collects personal data through an EPC system primarily remains responsible
for management and security of personal data and therefore may be at risk
where the processing of that data is carried out through third parties.
The 8th principle
of the Data Protection Act 1998 makes it clear that personal data cannot
be transferred outside the European Economic Area (the 25 member states
plus Iceland, Lichtenstein and Norway) to any other country in the world
that is not deemed, by the European Commission, to have adequate data
protection laws. Very few countries, so far, come up to the standards
set by the European Commission and yet in the case of multinationals it
is highly likely that any personal data obtained using EPC will be shared
on a global basis. This, again, is a compliance issue which needs addressing.
It is important that any business that intends to utilise EPC technologies
considers the following practical steps:
Ensure that, in general, the business is in compliance with the applicable
laws including data protection laws;
Guarantee that the business has in place adequate information security
and asset management policies and procedures to keep personal data secure;
Notify individuals of when and how their data may be collected and processed
through the use of EPC;
Put in place contractual controls where personal data is being processed
by third parties;
Allow individuals to have the right to disenable tags if they so choose.