RFID Tags: An Unlawful, or Just Unwanted, Invasion of Privacy?

January 1, 2004

Three years ago the Home Office allocated £5.5 million to the development of what was then called the Chipping of Goods Initiative. The initiative aimed to prevent property crime through the insertion of electronic tags into retail products, giving police and retailers the ability to track goods throughout the retail supply chain. The technology has since been implemented by retailers, such as Tesco, in an effort to combat shoplifting. However, the use of Radio Frequency Identification (RFID) tags has become the subject of consumer alarm and impending parliamentary debate.


This article looks at the concerns relating to the use of RFID tags and describes the legislation that governs the use of any data collected as a result of their use.


Consumer Concern


RFID tags are tiny microchips attached to an antenna that receive and transmit location information by means of radio waves. Retailers and manufacturers see RFID tags as a form of sophisticated barcode technology enabling retailers to manage the supply chain more efficiently and acting as a deterrent to would-be thieves. But these tags differ significantly from barcodes and it is precisely how these tags differ from the barcode that raises privacy concerns.


The crime-fighting potential of the tags lies in the fact that, much like a barcode, they assign a unique serial number to each object. However, these tags do much more than that: they create a particular identity for an individual product. Thus, whereas a barcode marks a packet of razors as being a packet of brand A razors, the RFID tag marks the packet of razors as being packet number 100 of brand A razors. Therefore, retailers and/or police can trace the movements of that individual packet and identify where it was manufactured, where it was shipped to and in which store it was sold.


In addition, these tags can be read from a distance so that if there are enough sites outside the shop capable of reading the signals given off by the RFID tags, retailers and manufacturers (as well as third parties to whom they might make the data available) would be able to track the location of the RFID tag as the consumer carried the product from place to place. It is perhaps this aspect that has caused most concern. In particular campaigners are understandably concerned about the use of RFID tags within clothing since that then opens up the possibility of retailers and manufacturers being able to track the movements of consumers.


Personal Data


The scenarios outlined above highlight the ways that RFID technology can be used as a means of tracking the RFID tags but, unless they combine the RFID data with other data, retailers, advertisers and even the police can do nothing more than track the movements of the tags themselves. Even if a retailer could track the shirt that you bought, they may not necessarily know your name or address or much else about you.


So, from a legal analysis perspective, our first question has to be: does RFID data even constitute “personal data”, the processing of which will be subject to the Data Protection Act 1998? To answer this we have to look at the definition of personal data in the DPA, which refers to:


“data which relates to a living individual who can be identified:


(a) from those data; or


(b) from those data and other information which is in the possession of, or is likely to come into the possession of the data controller”.


RFID data is certainly capable of falling within the second limb of the definition if it is combined with other data (such as credit card or loyalty card information for instance) that enables the retailer to identify the individual. However, perhaps more surprising is that it is likely that RFID data falls within the first limb and therefore on its own constitutes personal data. The Information Commissioner’s guidance to the DPA states that an individual may be “identified” without necessarily knowing the name and address of the individual. It is sufficient if the data are capable of being processed by the data controller to enable the data controller to distinguish the data subject from another individual. It is this approach that has led the Information Commissioner to classify data obtained from cookies as personal data and there seems no reason why RFID data should be classified in a different manner.


Data Protection Principles


Whilst the prospect of retailers being able to track the location of items that they have sold has caused concern amongst privacy campaigners, there is no reason why RFID tags cannot be used in a perfectly legitimate manner. In order to do so, retailers and manufacturers will have to ensure that the RFID data is processed in accordance with the eight Data Protection Principles set out in the DPA.


In order to comply with the requirements contained in the first principle, any RFID data must have been obtained in a fair and lawful manner and then subsequently dealt with in a fair and lawful manner. One of the key requirements of this principle is that there must exist one of the statutory justifications for processing the personal data set out in sch 2 to the DPA and the two justifications that seem most relevant are that either the individual has consented to the processing of the personal data made up of RFID data or that the processing of such data is necessary for the purposes of the retailer’s legitimate interests.


Dealing first with the “legitimate interests” justification, the question is whether the interests pursued by the retailer, for example, are warranted in the light of any prejudice that may be caused to the rights, freedoms or legitimate interests of the data subject. If one looks at the primary usage of RFID tags, the processing of personal data in order to prevent shoplifting or to manage the supply chain would seem to constitute a legitimate interest (although in the case of the latter it seems unlikely that personal data would be processed). Also, an argument could be made out that the processing of RFID data for marketing purposes is in the legitimate interests of the retailer. However, in the context of the use of the RFID data to track product location for marketing purposes, the retailer would seem to assume a fair risk that the Information Commissioner would regard any related processing of personal data as being unnecessarily prejudicial to the rights and freedoms of the individual.



It therefore seems that the safest route is to obtain the individual’s consent to the processing of RFID data. For a retailer this is perhaps not as onerous as it at first sounds. Whilst it is the case that consent must be informed and positively given by the individual, the retailer should be able to achieve this by clearly notifying to the consumer that RFID tags will be used and therefore personal data will be processed. Also, as part of this process, the retailer will need to notify the consumer of the purposes for which the RFID data will be processed. All this information could be presented on the packaging of the goods or on a sign next to the goods. The consumer then faces a simple choice: either buy the goods and thereby consent to the processing of RFID data or don’t buy the goods.


However the retailer justifies the processing of the RFID data it will have to supply certain basic information to consumers about the use of such data. In addition to supplying the identity of the party who intends to process the RFID data and outlining the purposes for which the data will be processed, the retailer should give notice of any further information that is necessary to enable the processing to be fair, taking into account the specific circumstances in which the data are to be processed. In order to comply with the DPA therefore, retailers should probably inform the consumers that the RFID data (which may constitute personal data) may be used to track the location of the product or even the consumer both within and outside the shop and may even be combined with other personal data such as credit card or loyalty card details in order to build up a profile of the consumer. The retailer should also inform the consumer of the purposes for which that profile may be used, such as for the purposes of targeting marketing material at the consumer.


Location Data


Directive 2002/58/EC (on the processing of personal data and the protection of privacy in the electronic communications sector) recently addressed the issue of the processing of “location data” ie personal data which is capable of being used by companies to track the position of individuals. However, the Directive and the Privacy and Electronic Communications (EC Directive) Regulations 2003, which implement the Directive, both make it clear that the provisions relating to location data relate to location data processed in connection with telecommunications networks. The definition of “location data” in the Regulations puts this beyond doubt:


“Location data” means any data processed in an electronic communications network [defined in section 32 of the Communications Act 2003] indicating the geographic location of the terminal equipment of a user of a public electronic communications service [also defined in section 32 of the Communications Act 2003] …”


This makes it clear that the location data the processing of which is governed by the Directive and the Regulations is only that which is generated by terminal equipment (ie the mobile handset) in an electronic communications network. Even if the RFID data could be said to be processed in an electronic communications network (which may well be unlikely), RFID tags are not terminal equipment in a public electronic communications network. So, RFID data cannot constitute location data for the purposes of the Directive and the Regulations. As a result, the data generated by RFID tags will not be subject to the rules applicable to the processing of location data even though the concerns of the EU Commission which led to the location data provisions being included in the Directive could, in some respects, be equally applicable to RFID tags. It is interesting to note, therefore, that this legislation, which recognised the fast changing technological landscape and was therefore drafted in a manner which aimed to be technology neutral, has already encountered an instance where new technology does not fall squarely within its provisions.


Consumer Action


So, we have seen that it is possible for retailers and manufacturers to make use of RFID tags in a manner that is consistent with the UK’s privacy laws. In doing this individuals must be given information about the use of RFID tags and so arguably the choice lies with the consumer. If the practice of tracking a product’s location so offends the general public then, if they are aware of the use of RFID tags in connection with that product, they have the option to purchase a rival product or visit a different retailer that does not use RFID technology. Perhaps therefore consumer pressure will have a more restrictive effect on the use of RFID technology than the law. For example, the Boycott Benetton campaign (see http://boycottbenetton.org/) may have influenced Benetton in withdrawing from its plan to place RFID tags in their clothing.


However, whilst Benetton’s decision may have been based on a concern that use of RFID tags may hit consumer demand, the decision may equally have been merely delayed until the use of RFID tags becomes more prevalent (indeed the Benetton press release indicates that they continue to evaluate the technology). Consumer pressure may, after all, only be a short-term concern if the use of RFID tags becomes the norm and therefore consumers are left without the ability to switch to a rival brand.


Enforcement


It is, however, worth keeping the concerns arising out of the use of RFID data in perspective. The objections raised are perhaps no more serious than those raised when people first realised the data processing potential of cookies and Web bugs. RFID tags will probably therefore join such data processing tools as common means of processing of personal data – all of which is capable of being done in accordance with the law.


However, we need to consider whether consumers would have any redress against unscrupulous retailers or advertisers intent on tracking the tags and monitoring a consumer’s shopping habits in an unlawful manner, perhaps without their knowledge (and thereby not complying with the DPA principles set out above). If a retailer or advertiser were to commit a breach of the DPA by using RFID tags without making it clear to the consumers that they were being used, the first question one should consider is whether the breach will actually be detected. Despite recent increases in the staffing at the Office of the Information Commissioner, enforcement of the DPA remains a primarily complaints-driven process. Since RFID tags will be difficult for consumers to detect, there is no obvious processing of personal data to attract complaints. Enforcement of the DPA against unscrupulous users of RFID tags seems likely to occur only where the Information Commissioner spots unlawful processing of RFID data as part of an “own initiative” investigation or where the use of RFID data in an unlawful manner is otherwise exposed.


If non-compliance with the DPA is found, it could ultimately lead to the issuing of an Enforcement Notice. Non-compliance with that would constitute a criminal offence. However, it seems likely that the majority of retailers utilising RFID technology would be extremely keen not to attract the negative publicity that such a procedure would involve. Finally, retailers and manufacturers should bear in mind the individual’s right to claim compensation for damage or damage and distress, although cases where damage can be made out may be rare.


Alexander Brown is a solicitor in the IT & Telecoms Practice at Simmons & Simmons.




This article first appeared in the Privacy Law & Business Newsletter.