APRIL, 2005
Robert Bond of Faegre & Benson LLP addresses the privacy and information
security issues associated with electronic product codes

Marketing plus or privacy negative?

Many businesses are realising that, from a marketing and advertising perspective,
the use of EPC provides a tremendous opportunity to “know your customer”
and to provide personalised marketing. By using tags on a wide variety
of products, it is possible to logically link the data derived from the
purchaser of one product, to other purchases that they make within a supermarket
or a shopping mall and to harness that data for the benefit of more targeted
marketing and advertising, whether on the basis of the data simply collected
from the tags or, from a combination of that data with further information
gathered on loyalty/credit cards used to make such purchases and the like.

Unlike barcodes, however, EPC tags do not require direct line of sight to be read and have
the capability to identify not only the brand and model of the product
but the unique item of that brand and product. This, for example, is an
essential improvement for food traceability that can identify potential
health issues from the feed lot to the packaged product. This traceability
also permits more effective product recall and targeted consumer health
and safety alerts. EPC systems may allow businesses to explore new ways
to meet consumer needs, reduce costs and maintain inventory.

Apart from the use of tags to improve efficiencies and competition in the supply
and distribution chain, there are numerous benefits to consumers including
identification of counterfeit products, faster product recall, enhanced
product availability, improved warranty service and potentially faster
check-outs. On the other hand, rather than providing “personalised
marketing” it is perhaps more appropriate to describe the use of
this technology as providing “personal marketing”. In other
words, whilst there are distinct marketing and advertising advantages
in the use of EPC there is also the potential to infringe personal data
rights and privacy.

The technology

The simple barcode on products is gradually being replaced by smart tags
that use wireless technology, such as Wi-Fi, RFID, Bluetooth, Global Positioning
System Technology and General Packet Radio Service.

Product coding or tagging, in the past, was generally restricted to bar coding which was
a relatively passive form of tagging since it required the use of bar
code readers to interpret data and the data itself revealed little more
than the identity of the product.

More innovative product tagging, such as RFID, has, until recently, been expensive to implement
(and indeed is still relatively expensive) but this more sophisticated
product coding technology now allows for, not only identification of the
product itself but specific confirmation of the precise batch that a product
came from and using wireless technology, the ability to track the movement
of that product.

RFID tags can be either active or passive. Passive RFID tags do not have their own
power supply because the minute electronic current induced in the antenna
as a result of the incoming radio frequency scan will provide enough power
for the tag to send a response. Consequently, the lack of power means
that the amount of information that can be managed in a passive RFID may
be limited to an ID number only. Passive RFID tags can be extremely small
but have limited transmission ranges from 10mm up to about 5m.

On the other hand, active RFID tags require a power source but have longer ranges and
larger memories than passive tags.

Although RFID tags are assumed to be a relatively recent innovation they were,
in fact, in use during World War II when, in the form of transponders,
they were fitted to allied aircraft and known in the forces as IFF (Identification
Friend or Foe).

Implementation

Global companies such as Gillette, Philips, Procter & Gamble, Wal-Mart
and others see huge savings to be made from the use of EPC and there are
numerous pilot projects underway which are indicating savings to be
made in supply chains as well as the ability to add value to product
owner, product reseller and customer.

Whilst RFID technology and the like will make savings in the supply chain, they may
also produce a range of smart solutions, such as refrigerators or waste
bins that automatically create shopping lists, products tagged for store
returns, reduction of the risk of fraud and theft and smart travel tickets
that indicate your location in airports, stations and so on. However,
privacy groups and consumer associations have expressed concern that the
same technology may have invasive features since, if the technology can
track the product, then the same technology can track the product purchaser.

Several of the companies named above, such as the Gillette Company, Procter &
Gamble and Wal-Mart have joined together with other well-known companies
such as Hewlett Packard and Johnson & Johnson to create international
standards for the use of RFID tags and EPC in general and many of the
same companies are also actively involved in the International Chamber
of Commerce (ICC) Task Force on EPC which recently published its own guidelines
for the responsible deployment and operation of EPC.

Although currently a number of the new tagging technologies can only be read over
short distances there are suggestions that if there are connected sites
with suitable readers, it is feasible that the purchaser of an RFID tagged
product could be tracked from the point at which the product is put into
a shopping trolley to the point of payment and indeed beyond. Such tracking
enables retailers to build up sophisticated profiles on purchasers but
at the same time may, potentially, breach human rights and in particular
the Data Protection Act 1998. Companies which see commercial and marketing
value in the use of electronic product codes may dismiss issues like data
protection on the basis that EPC technology utilises information about
products and not people and contains no personally identifiable information.
This view is not necessarily shared by the regulatory authorities in Europe.

The Data Protection Act 1998 defines personal data as “data which relates
to a living individual who can be identified either from that data or
from that data and other information which is in the possession or is
likely to come into the possession of the data controller.” So data
from an RFID tagged product, when read in conjunction with the purchaser's
loyalty card, swiped at the point of payment, produces a record of product
purchase to purchaser and in conjunction with other products purchased
at the same time builds a profile. If those tagged products are readable
outside a store it is possible that yet more data can be gathered to track
and profile the purchasing style of that individual within a locality.

However, it is not the tagging in itself that is potentially a breach of data protection
laws but the subsequent collection and processing of data derived from the
tagged product that causes the problem.

Examples of conflict between the technology and the law

On 15 July 2004 Peter Schaar, in his capacity as the Chairman of the
Article 29 Data Protection Working Party created in the European Union
under the general Data Protection Directive, gave an opinion to Howard
Beales, Director of the Bureau of Consumer Protection of the Federal Trade
Commission in relation to the above issues. In his letter Mr Schaar provides
some useful examples of cases where RFID technology clearly uses personal
data and says “as a first example, consider where a manufacturer
of pharmaceutical products puts tags on a series of medicines which are
sold under presentation of a prescription. When the consumer buys the
medicine, the information regarding the individual, the type of medicine
bought, the time of day, are entered into a database. If the individual
returns for a refill, the retailer reader immediately identifies him/her.
The information about the refill is logged and his/her behaviour is monitored.

As a second example, consider where a conference organiser decides to tag conference
badges which are delivered to delegates upon arrival and registration
for a conference. RFID readers are placed in different parts of the conference
premises. This allows the conference organiser to collect data regarding
the location and movement of the conference participants. The data is
linked to each participant and entered into a database.

In both the above scenarios, the provisions of the Data Protection Directive would
apply.”

Other real-life examples include the inclusion of an RFID within an implantable cardioverter
defibrillator, in order to enable the device manufacturer, the patient
and the surgeon to monitor performance of the device and to give a more
efficient and timely aftercare service to the patient.

Data protection issues

The data protection legislation in the UK requires that individuals are
notified of data processing activities and are given sufficient information
about the way in which such data will be stored and used to be able to give
informed consent.

Apart from notifying individuals of their rights under the Data Protection Act 1998
and obtaining their consent to the use of their data through an electronic
product code system it is equally important to consider information security
issues. The 7th principle of the Data Protection Act 1998 states that
“appropriate technical and organisational measures shall be taken
against unauthorised or unlawful processing of data as well as against
accidental loss, destruction or damage to such data”. In many cases
the EPC system will comprise the tag itself, the communications network
over which data may be transferred and other systems in which the data
may be stored and processed. Furthermore, aspects of the system may well
be outsourced to third parties including network operators and data processing
operators.

Any business that collects personal data through an EPC system primarily remains responsible
for management and security of personal data and therefore may be at risk
where the processing of that data is carried out through third parties.

The 8th principle of the Data Protection Act 1998 makes it clear that personal data cannot
be transferred outside the European Economic Area (the 25 member states
plus Iceland, Liechtenstein and Norway) to any other country in the world
that is not deemed, by the European Commission, to have adequate data
protection laws. Very few countries, so far, come up to the standards
set by the European Commission and yet in the case of multinationals it
is highly likely that any personal data obtained using EPC will be shared
on a global basis. This, again, is a compliance issue which needs addressing.

Conclusion

It is important that any business that intends to utilise EPC technologies
considers the following practical steps:

• Ensure that, in general, the business is in compliance with the applicable
  laws including data protection laws;
• Guarantee that the business has in place adequate information security
  and asset management policies and procedures to keep personal data secure;
• Notify individuals of when and how their data may be collected and processed
  through the use of EPC;
• Put in place contractual controls where personal data is being processed
  by third parties;
• Allow individuals to have the right to disenable tags if they so choose.