Hurrah, chipping isn’t just for parolees. We can soon all be chipped to avoid the heavy burden of carrying a swipe or NFT lanyard in the office! Last week my favourite BBC reporter, Rory Cellan Jones, was chipped at Epicentre, a new office in Stockholm pioneering under the skin RFID chipping for office environments.
It is possible to operate radio frequency ID chips and similar (let’s call this ‘skintech’) with sub-cutaneous buttons, LED, touch ‘skin screen’ and Bluetooth and even recharge chips wirelessly (phew!) But what of data protection and security? Knowingly or unwittingly, we already grant access to huge amounts of data via our phones, but add real-time, tracked biometric data and ‘personal data’ enters a whole new level.
In most people’s minds there is some divide between ‘good’ personal data that they are happy to share freely and ‘bad’ personal data they would really rather not reveal without some form of reassurance about its use, processing and storage. The law doesn’t attempt to address this via the Data Protection Act of course, it just defines ‘personal data’ as ‘data identifying a living individual’ which covers the whole gamut of information. It does address issues around sensitive data, but skintech has the ability to move seamlessly between ‘banal’, ‘average’ and ‘sensitive data’ with every action we perform and every breath we take. In those circumstances, is such a basic differentiation still adequate?
Licensing is another issue that will need reimagining by lawyers if skintech gains traction. Who owns the output data? What about territorial limits to where a download can occur and support is offered? Local laws may not be adequate to protect personal data even if a local comms system is used for convenience to process that data. Surely greater harmonisation of security and data protection regulations will be necessary before users can be reassured that their skintech will work and their data will be safe and secured.
And if we have to reimagine licensing, we are going to need to rewrite consumer protection law for skintech. Skintech is a physical device controlled and updated remotely, but will it be governed by physical sale of goods rules or remote download regulations? When it is implanted, will it be subject to click/shrinkwrap terms which are deemed accepted and will it be returnable only in cases of malfunction (in which case who pays for the cost of removal)? Will consumer protection law need to impose strict service levels for data breaches, false readings and fault fixing and strict liability penalties for non-compliance?
Indemnity terms will have to be tightly drafted to protect users if physical harm results from use, and obviously providers would hold some responsibility for security, but where does the liability lie if the chip is maliciously hacked or an ‘identity’ stolen? We can work around these issues for now and fit our legal principles into these new fields, but will consumer protection, data protection and the tort of privacy really be adequate in the long term?
We all have skin in the game as technology lawyers, so let’s start thinking this through now, you never know when Rory Cellan Jones might need us!
Joanne Frears is Director, IP, Innovation, Technology for Jeffrey Green Russell Limited