Lifshitz_rfidpaper

RFID Technology: Current Business and Legal Considerations Lisa R. Lifshitz∗ and Blair McKechnie**

*

Lisa R. Lifshitz, B.A., M.A., B.C.L., LL.B. is a Partner in the Toronto office of Gowling Lafleur Henderson LLP specalizing in business and technology law. She can be reached at [email protected]. ** Blair McKechnie, B. Com., LL.B., is a student-at-law in the Toronto office of Gowling Lafleur Henderson LLP. This paper was prepared for the Ontario Bar Association’s conference Technology in Bloom 2006: New Developments in Technology Law, March 27, 2006.

TABLE OF CONTENTS Page

1.

INTRODUCTION ............................................................................................................. 1

2.

WHAT IS RFID? ............................................................................................................... 1

3.

USES OF RFID TECHNOLOGY ..................................................................................... 5 3.1 3.2 3.3 3.4

Potential Uses of RFID Technology ...................................................................... 6 Canada.................................................................................................................... 6 International ........................................................................................................... 8 Emerging Uses ..................................................................................................... 11

4.

IMPLEMENTATION ISSUES ....................................................................................... 13

5.

LEGAL CONCERNS SURROUNDING RFID.............................................................. 17 5.1 5.2 5.3 5.4

6.

IMPLEMENTING RFID ................................................................................................. 33 6.1 6.2 6.3 6.4

7.

Privacy ................................................................................................................. 17 Privacy Law as it Applies to RFID ...................................................................... 24 Intellectual Property Infringement....................................................................... 30 Licensing.............................................................................................................. 32

Business Objectives ............................................................................................. 33 Patents .................................................................................................................. 36 Privacy ................................................................................................................. 36 Internal Policies ................................................................................................... 38

CONCLUSION................................................................................................................ 39

-i-

1.

Introduction

Radio Frequency Identification technology (“RFID”) has become a hot-button issue recently as much has been written about the potential privacy implications of widespread implementation of this technology. While the privacy implications of this technology are certainly important considerations, there are a number of other important legal and business issues that must be taken into account by any organization thinking about implementing an RFID system. This paper will begin by describing RFID, what it is, how it works and where it is being used, and will then proceed to discuss the various business and legal issues that must be considered by any organization looking to implement RFID. 2.

What is RFID?

The term “RFID” has become a general term used to describe sensory technology that uses radio waves to scan and identify separate and distinct items.1 This type of sensory technology has been around since World War II, where transponders were installed in Allied forces fighter planes. Allied forces could read the radio waves transmitted by these transponders attached to the planes in order to distinguish Allied aircraft from enemy aircraft.2 This technology is now a basic component of all aircraft, both military and civilian, and following the war, was used in a variety of other military applications.3

1

Information and Privacy Commissioner/Ontario, Tag, You’re It: Privacy Implications of Radio Frequency Identification (RFID) Technology by Ann Cavoukian, Ph.D. (Toronto: Information and Privacy Commissioner/Ontario, 2004) at 3. 2 Ibid. 3 Ibid.

-2-

Today, RFID technology is being heralded as the replacement for bar code technology. Bar codes are a generic product identification technology.4 By contrast, one advantage of an RFID system over bar code technology, is that each specific individual item will have its own specific individual “code”.5 As a result, information can be gathered about each individual item and each individual item can be tracked. As well, as RFID systems are powered by electromagnetic fields, the information can be collected and transmitted in harsh environmental conditions and across long distances, instead of having to be directly scanned, as with bar codes.6 For example, in grocery stores, each brand of detergent has one code which, at the check-out counter, must be passed across the scanner at a particular angle in order for the data stored on the bar code to be read. With an RFID system, each box of detergent, will have a different code and just bringing the item past a certain point in the store or through an exit, will be sufficient for the data to be captured. Further, depending on the design of the RFID system, data can be stored and altered throughout a manufacturing process or a product life cycle.7 There are various types of RFID systems but all are comprised of two basic components: a tag, which gathers and stores the information, and a reader, which scans the tag and captures the information.8 The tag itself is composed of three parts: an antenna, a wireless transducer which can also be linked to a single silicon microchip which functions as the tag’s memory, and some type of encapsulating material.9 The readers, which may be portable handheld devices or fixed

4

Dr. Patrick Van Eecke & Georgia Skouma, “RFID and privacy: a difficult marriage?” Communications Law, vol. 10, no. 3 (2005) at 84. 5 Supra note 1 at 8. 6 Ibid. 7 Ibid. 8 Ibid. at 4. 9 Ibid.

-3-

at strategic points in a store or warehouse facility, read the tag and then transmit the information to a host computer for storage and analysis.10 One feature which distinguishes types of RFID is whether the tags are active or passive.11 Active tags have their own power source and an active transmitter.12 Because of this individual power source, these active tags can be read across greater distances.13 As a result, they perform better but generally have a shorter life cycle, are larger and more expensive then the passive tags.14 Active tags are good for tracking components, such as in a supply chain management system,15 or, because of the expense associated with these tags, with products where the tags can be re-used. In RFID systems that use active tags, the tags may periodically transmit a signal so that the data stored on the tag may be read by multiple readers located throughout a facility.16 Passive tags, on the other hand, do not have a power source nor an individual transmitter on the tags themselves.17 Because of this, the tags are dependent on readers for their power18 and therefore, have less range and the ability of the readers to capture of the information stored on the tags is more susceptible to environmental conditions.19 Passive tags are less expensive and are better suited then active tags to mass single-use applications, such as to be used to replace the bar codes on individual consumer items.20

10

Ibid. at 7. Ibid. at 5. 12 Ibid. 13 Ibid. 14 Ibid. 15 Ibid. 16 Ibid. 17 Ibid. 18 Ibid. at 7. 19 Ibid. at 5. 20 Ibid. 11

-4-

Tags may also contain an integrated circuit chip, which enables the data to be stored on the tag and transmitted to the readers.21 Even small tags with integrated circuit chips can store 96-bits of data, as opposed to tags without chips, which, while less expensive to manufacture, can generally only store up to 24-bits of data.22 “Chipless” tags usually have sufficient memory for internal applications, such as tracking items within a manufacturing facility.23 However, “chip” tags will likely be required for use in a retail setting. This is because in a large retail setting the tags will be required to have enough memory to store a large identification number so that each individual item can be uniquely identified by any one of a number of readers located throughout a store.24 96-bits of data is reportedly enough to store the name of the item and of the manufacturer, and an individual product code assigned to the item from a trillion possible different combinations.25 For a company’s internal use, such as along an assembly line, less information will likely be required to be stored on a tag in order for that item to be uniquely identified and tracked within the warehouse. Another distinction in the design of tags in RFID systems is whether the tags are inductively or conductively coupled.26 As mentioned above, passive tags are powered by an electromagnetic field produced by the readers. In an inductively coupled tag, the tag’s antenna is made from a copper or aluminium coil, and this antenna receives the electromagnetic energy produced by the reader and then, through its transducer, uses that energy to retrieve or send its data back to the reader.27 Tags which are conductively coupled employ conductive ink, eliminating the need for

21

Ibid. Ibid. 23 Ibid. 24 Ibid. 25 Ibid. 26 Ibid. at 6. 27 Ibid. 22

-5-

an antenna.28 These tags can still transmit data to the reader but only within a very limited range.29 However, without the antenna, these tags are much more durable and less expensive to manufacture then their inductively coupled counterparts.30 The final feature of a tag is that it can either be read-only or can have the ability to be written to as well. Read-only tags have a memory chip with the product’s identification code imprinted on it, either at the time the tag is manufactured or when a tag is allocated to the specific item.31 Read-only tags are less expensive to make and are usually used in passive tags.32 On the other hand, tags that can be written to have the capacity to have their memory changed many times, and as a result, these types of tags are more versatile but are also more expensive to manufacture.33 With the variety of types of RFID tags available, the uses for an RFID system are almost limitless and it is possible that a tag could be imbedded into almost any “thing”, from a dress to a dollar bill to a person. 3.

Uses of RFID Technology

Replacing bar codes in grocery stores is only one of the many uses for RFID technology. While RFID technology has recently been garnering much attention, this technology has been in use, in various forms, throughout the Canada and the rest of the commercial world for a number of years.

28

Ibid. Ibid. 30 Ibid. 31 Ibid. 32 Ibid. 33 Ibid. 29

-6-

3.1

Potential Uses of RFID Technology

Plainly put, the potential use for RFID technology is enormous, and many public and private sector organizations are either using or planning to use RFID technology for the following purposes: (a)

Supply Chain Management – i.e. monitoring and controlling the flow of goods from raw materials through to finished products, from manufacturer;

(b)

Product Integrity – i.e. ensuring that products, such as pharmaceuticals, are authentic and have not been altered in any way;

(c)

Warranty Services – i.e. marking durable goods with a tag incorporating a product registration code to facilitate warranty services;

(d)

ID, Travel and Ticketing – i.e. providing a means to verify the identity of the traveler and to ensure that the documents are genuine;

(e)

Baggage Tracking – i.e. monitoring and controlling the movement of baggage from check-in to loading on an airplane; and

(f)

Patient Care and Management – i.e. providing a means to rapidly and accurately verify information concerning patient allergies, prescription history, etc. to prevent surgical errors.34

3.2

Canada

One of the most widely-used implementations of RFID systems in Canada are “easy-pay” systems. Gas companies, like Shell and Imperial Oil, use RFID tags in their easy-pay systems, eliminating the need for cash or credit cards at the gas pumps.35 The “Dexit” fast pay system36

34 35

Office of the Privacy Commissioner of Canada, Fact Sheet, “RFID Technology” (5 March 2006) at 2. Supra note 1 at 12.

-7-

used in a number of food courts in the financial district in Toronto is another example of an easypay system. The tags (which are often referred to as “fobs”) store information about the consumer and hold a balance of money. The readers, located at the cash registers, read the tags and automatically deduct the price of the purchased item from the balance on the tag. Another common use for RFID systems is in workplace access cards.37 The cards can generally be read through pockets and wallets, illustrating the strength and range capabilities of this technology. Another example of RFID technology being used in Canada is the technology used to charge users of the Highway 407 toll road in Ontario.38 The tag is the pass drivers place on their dashboards or hang from their rear-view mirrors and readers are placed at every on and off-ramp to the toll road.

The electromagnetic field generated by the readers captures the driver’s

information stored on the tag as the car enters onto and exits from the highway. This system works in fog, rain and snow, illustrating the effectiveness of this technology for use in harsh environmental conditions and in situations where the readers are required to be located at significant distances from where the tags will pass. Following the “mad cow” crisis in Western Canada, the Canadian Cattlemen’s Identification Association has recently begun to require all U.S. cattle that graze on Canadian feedlots to be tagged with an RFID chip that stores the location of each individual cow’s place of birth. All Canadian cattle were already required to be tagged. The goal of the program is to be able to

36

Michael Burns, “Retailers discover venerable radio technology” The Bottom Line 20:15 (November 2004) (QL). “Privacy in the Workplace: Case Studies on the Use of Radio Frequency Identification in Access Cards” RAND Corporation research brief series, 2005, online: RAND Corporation . 38 Supra note 1 at 12. 37

-8-

react more quickly to any mad cow scare by being able to quickly identify the origin of the animal.39 Bell Canada is also currently working with a group of suppliers and retailers, called the “Supply Chain Network Project” to implement a RFID-enabled supply chain. The project is the first of its kind in Canada and will help retailers and suppliers better understand how RFID technology can improve efficiency and decrease costs all the way along the supply chain.40 Interestingly, Canada opened its first “RFID Centre” in Markham, Ontario on September 21, 2005. Formed by several partner organizations (including the Canadian Council of Grocery Distributors, the Canadian Federation of Independent Grocers, the Canadian Marketing Association, EPCglobal Canada (GS1 Canada), Food and Consumer Products Canada, IBM Canada, Intermec Technologies Corp., Symbol Technologies Inc. and Agriculture and Agri-Food Canada), the Centre was created to enable the Canadian industry to “better understand, experience, experiment with and test the latest RFID technologies and demonstrate the potential business case for tracking products”.41 Additionally, the Centre is the first in North America to demonstrate use of Generation 2 technology which increases RFID applicability and stability to operate in many different industries and environments. 3.3

International

RFID systems likely have a bright future in retail, where the technology can be used to better manage the supply chain and keep accurate accounts of inventory levels. Wal-Mart, Albertson’s,

39

Laurie Sullivan, “Canada Expands RFID Policy to Stave Off Mad-Cow Disease” InformationWeek (21 July 2005), online: InformationWeek . 40 “Bell selected for EPC RFID pilot” CRN Canada (16 October 2005), online: CRN Canada . 41 “New RFID Centre Opens in Canada” (Press Release) online: < http://www.intermec.com> at 1.

-9-

Tesco, Procter & Gamble, Johnson & Johnson, Gillette and Hewlett-Packard have all begun testing the use of RFID systems to assist with supply chain management.42

Gillette, in

conjunction with retailers Wal-Mart and Tesco in Great Britain, planned to test RFID-embedded shelves in the stores to assist with better inventory tracking.43 Essentially, the shelves functioned as the readers that read the tags imbedded in Gillette products placed on the shelves,44 keeping more accurate and timely accounts of inventory levels. The U.S. Department of Defense has also been running pilot projects, which would require all of its suppliers to implement this technology in order to better manage and track its supply orders.45 Wal-Mart has indicated that the use of RFID technology in their supply chain results in customers being less likely to find items out-of-stock and significantly decreases the time it takes to re-stock a sold-out item in a store.46 Wal-Mart is one of the biggest proponents of the technology in the retail sector. Wal-Mart began running pilot projects a number of years ago and in the fall of 2005 it had more than 130 suppliers imbedding RFID tags in the products shipped to its distribution centres.47

The retailing giant aims to have implemented the technology

throughout its operations in North America and the United Kingdom by 2007.48

42

See e.g. supra note 1 at 12-13; Alorie Gilbert, “Static over RFID” CNET News.com (13 September 2004), online: CNET News.com (“CNET News”); Cliona Reeves, “I.D. For Food: Radio-Frequency Identification (RFID)” Guelph Food Technology Centre (October 2005), online: GFTC (“GFTC”). 43 Supra note 1 at 12-13. 44 Ibid. Public opposition to the program after it became public that Gillette was taking photographs of customers at the shelves resulted in Wal-Mart cancelling the test project with Gillette and announcing that it would limit the use of the technology to its supply chain. 45 Ibid. See also supra note 36. 46 Gene J. Koprowski, “Retailers Using RFID for Better Holiday Customer Service” CRMBuyer (4 November 2005), online: CRMBuyer . 47 Keith Axline, “RFID Fleece Blue-Collar Dollars” Wired News (27 October 2005) online: Wired . 48 GFTC, supra note 42.

- 10 -

Correctional facilities in the U.S. are also reported to be implementing a high-tech head counting system using RFID. In these participating facilities, both inmates and corrections officers wear wristbands imbedded with RFID tags that transmit the location of each inmate and guard every two seconds.49 In Singapore, RFID technology is being used in libraries to replace bar code technology50 as well as in hospitals to track cases of Severe Acute Respiratory Syndrome (“SARS”). Alexandra Hospital in Singapore began issuing cards imbedded with an RFID chip, similar to workplace access cards, to visitors to the hospital so that a record of whom a patient came into contact with could be easily produced should that person later come down with SARS.51 Australia is using RFID chips to confirm whether imported pork products have stayed within specified temperature ranges during shipment.52 In 2004, the Food and Drug Administration in the U.S. approved the VeriChip Personal Identification System, which includes a tag that can be implanted beneath the skin of humans for medical purposes.53 The “VeriChip” can be imprinted with an individual’s name, blood type and details of any medical conditions. While no hospitals have reportedly ordered these chips, the hope of the manufacturer, Applied Digital Solutions Inc., is that individuals who suffer from diseases requiring complicated courses of treatment, such as cancer or diabetes, and patients suffering from deteriorative diseases like Alzheimer’s disease, will implant these chips under the

49

Alan D. Gold, “Tech Developments” Collection of Criminal Law Articles (19 September 2005) (QL). CNET News, supra note 42. 51 Supra note 1 at 14. 52 CNET News, supra note 42. 53 Kim Zetter, “RFID: To Tag or Not to Tag” Wired News (9 August 2005) online: Wired . 50

- 11 -

skin on their arms, giving doctors with compatible readers immediate access to the patient’s medical records.54 3.4

Emerging Uses

RFID technology has a number of advantages over current bar code systems, including that RFID tags are very small and can be imbedded in almost any product. RFID tags can also be read from significant distances and in a variety of environmental conditions.

Researchers

working in the field of RFID technology are developing systems that are becoming increasingly small while at the same time becoming more effective and able to capture data across increasing distances. Researchers at Corning have recently developed tiny RFID-encoded beads that can be imbedded in inks to tag currency and other documents or can be added to paints, such as automobile paint.55

The imbedded paint could be used to track the automobiles throughout the

manufacturing stages or even after the car is driven off of the lot. RFID-tagged currency could track every transaction in which a particular bill is used. Governments claim that this technology could be a major break through in fighting money-laundering. In fact, the European Central Bank is reportedly working on plans to imbed tiny RFID “threads” in high denomination Euro notes.56

54

“FDA Approves Subdermal RFID VeriChip” RFID Gazette (14 October 2004). Supra note 1 at 9. 56 Supra note 1 at 13. See also Oliver M. Habel, “Legal Issues raised by the RFID Technology in data protection and privacy” CLA 2005 World Computer & Internet Law Congress, Computer Law Association Held May 4 & 5, 2005 at 2 (“Habel”). 55

- 12 -

Researchers at the University of California in Berkley are working on developing “smart dust”, which would be an active, read-write RFID system, all within a cubic millimetre.57 The tiny tags would each have their own power supply, programmable microprocessor and optical communication link.58 Another group of researchers are developing what they call “TinyOS”, which is a complete software operating system comprised of a number of tiny sensors and requiring very little hardware in order to be operational.59 A company in the United Kingdom is developing a system that will allow a network of fixed and portable readers to identify tags imbedded in license plates from distances of up to 300 feet.60 This use of RFID technology, and its use in currency and passports, could make this technology very valuable in the areas of law enforcement and national security. The healthcare industry is another sector where RFID could be implemented in a number of ways. As discussed above, RFID systems are already in use in Singapore hospitals to track cases of SARS. A hospital in California is using RFID tags to prevent newborn babies from being kidnapped.61 RFID also has the potential to be used to track pharmaceuticals and prevent tampering with the packaging. A 2004 report issued by the Food and Drug Administration in the United States encouraged pharmaceutical companies to use RFID tags as a means of tracking drugs all the way along the supply chain, from the manufacturing facility to the point of purchase

57

Supra note 1 at 9. Ibid. 59 Ibid. 60 Mark Baard, “Brit License Plates Get Chipped” Wired News (9 August 2005) online: Wired . 61 Vawn Himmelsbach, “Panel explores the untapped possibilities for RFID” Computing Canada, vol. 31, no. 15 (28 October 2005) online: itbusiness.ca . 58

- 13 -

as a means of reducing tampering and counterfeiting.62 Pfizer Inc. began using RFID tags in all shipments of Viagra in the United States on December 15, 2005 in an effort to detect counterfeit pills.63 RFID tracking systems are also considered by governments to be very useful in national security. The U.S. is planning on introducing RFID-enabled passports;64 an idea that is also being considered in Europe and Asia.65 In fact, reports indicate that the U.S. could require all countries whose citizens do not require visas to enter the United States to begin issuing RFID-enabled passports by the fall of 2006.66 This would mean that Canada would also likely be required to begin looking into these developments. 4.

Implementation Issues

While there have been great advances in RFID technology over the last number of years, the costs of implementing the technology is still prohibitive to most organizations, especially for use in a mass retail setting. RFID tags currently cost anywhere from $0.20 to $1.00 per tag versus just pennies for bar codes.67 As well, the readers are also expensive, often priced upwards of $1000.68 Readers that have been developed in conjunction with the VeriChip cost $650 a piece and the high expense is being cited as one of the major reasons for the lack of implementation of

62

Jerry Brito, “Relax Don’t Do It: Why RFID Privacy Concerns are Exaggerated and Legislation is Premature” (2004) UCLA J. L. Tech. 5. 63 Javad Heydary, ed., “To Fight Counterfeits Pfizer Inserts RFID Tags in Viagra Packages” Laws of .Com: EBusiness, Privacy & Technology Law Journal, vol. IV, issue 1 (12 January 2006), online: Laws of .Com . 64 Bruce Schneier, “Fatal Flaw Weakens RFID Passports” Wired News (3 November 2005) online: Wired . 65 Supra note 61. 66 Ryan Singel, “Airline Tests RFID on the Fly” Wired News (9 August 2005) online: Wired . 67 Supra note 1 at 10. 68 Supra note 36.

- 14 -

the system by hospitals. The manufacturer has donated 200 readers to trauma centres and emergency rooms throughout the U.S. in hopes of “jump-starting” the market for their technology.69 Related to the expense of the tags and readers themselves, is the cost associated with replacing, updating and/or integrating an RFID system with a company’s current information system.70 Replacing the bar code on every consumer item in a store with a RFID tag is only one step. In order for RFID to be beneficial to an organization, the information being captured must be capable of analysis and producing results useful to the company’s business.71 The company’s information system for tracking, collecting and analyzing product or consumer data may have to be upgraded or replaced with RFID integration software. Additionally, a company’s supply chain management system is often times connected with the information systems of its suppliers or business partners. Implementing a RFID system can thus be costly and can have significant impacts on current information systems infrastructure for both the company and any organization linked to that company’s system.72 Proponents of RFID argue that these costs can be offset by RFID through a better streamlined supply chain and general improvements in business processes and access to consumer and product information.73 Another issue preventing widespread implementation of this technology was, until recently, a lack of industry standards to be used in the creation of RFID-enabled software. Experts reported that the main problem was that a variety of different protocols were governing the

69

“FDA Approves Subdermal RFID VeriChip”, RFID Gazette (14 October 2004), online: RFID Gazette: . See also Rob Stein, “Implantable Medical ID Approved by FDA” The Washington Post (14 October 2004), online: The Washington Post . 70 John S. Webster, “Hope & Hesitation” ComputerWorld (2 January 2006) at 35. 71 Ibid. 72 Ibid. 73 Ibid.

- 15 -

electromagnetic communication between the tags and the readers.74 Developing one standard protocol will result in any reader utilizing the standard being able to recognize and read any tag using the standard, regardless of its manufacturer.75 Instead of the readers being designed so that they can be programmed to match any number of tags, which requires new software upgrades every time a new tag is introduced into the market, all tags and readers will be compatible internationally.76

In September of 2003, the Electronic Product Code (the “EPC”) was

introduced and was touted as “creating an Internet of things”.77 This standard went far beyond the Universal Product Code (the “UPC”) commonly used in bar codes.78

A number of

organizations have been working to create standards. The Massachusetts Institute of Technology Auto-ID Center, which was financed by a number of corporate partners, was formed to develop a RFID tag suitable and appropriately priced for use in a mass retail setting.79 It was this lab that was responsible for the early development of the technology and was working towards the creation of the royalty-free EPC standard.80 This code can link an object to a person and can uniquely identify one object from another: two of the most significant advantages of RFID as compared to standard bar code technology.81 Recently, EPCglobal Inc., the New Jersey-based RFID standards-setting body (“EPCglobal”) connected with the Uniform Code Council, which took over the standards development project

74

CNET News, supra note 42. Ibid. 76 Ibid. 77 Supra note 1 at 11. 78 Ibid. 79 Ibid. 80 CNET News, supra note 42. 81 Supra note 1 at 11. 75

- 16 -

from the MIT Auto-ID Center in 2003,82 implemented the Generation 2 RFID standard (the “Gen 2 standard”). This standard was ratified in December of 2004 and mandates RFID systems to have a 96-bit memory, better encryption and an ability for the tags to be permanently deactivated.83

EPCglobal continues to work towards devising standards in order to

commercialize the technology.84 Additionally, the use of open source code is an important component in the development of most new technology and RFID is no exception.

Unfortunately, disputes over patents that are

considered “essential” to the creation of an RFID solution utilizing the Gen 2 standard may continue to stall widespread implementation of this technology. The RadioActive Foundation is in the design phase of three open source projects.85 One of the most significant issues facing the implementation of RFID relates to privacy. Many consumers and privacy advocates are wary of the ability of the technology to link a specific product to a specific individual without that individual’s knowledge or consent and for the tracking of the product to continue beyond the supply chain. In fact, consumer protests about this issue have been effective in preventing a number of companies from even implementing pilot RFID projects.86

82

Harold E. Davis & Michael S. Leuhlfing, “Technology: Radio Frequency Identification: The Wave of the Future” (2004) 11-04 J.A. 43 at 48-49. 83 Joanna Glasner, “RFID: The Future is in the Chips” Wired News (16 August 2005) online: Wired . 84 CNET News, supra note 42. 85 Supra note 61. 86 See e.g. supra note 1 at 15. As discussed earlier, public outcry resulted in Wal-Mart cancelling its “smart shelf” trials with Gillette. Consumer opposition also caused the Benetton Group to cancel plans to imbed RFID tags into its clothing.

- 17 -

5.

Legal Concerns Surrounding RFID

5.1

Privacy (a)

Initial Concerns

Notwithstanding the current status of the implementation of RFID or current practices, certain aspects of the technology have been seen by privacy advocates as posing a threat to individual privacy. While the use of RFID technology purely for internal supply chain management purposes or to track products along the assembly line are generally thought to be harmless propositions, the use of the technology to link a product to an individual consumer and to collect personal information about that consumer has many privacy watch groups very troubled.87 These concerns include: Surreptitious collection of information. Plainly put, RFID tags are so small that they can be embedded into/onto objects and documents without the knowledge of the individual who obtains those items. Moreover, given that radio waves can travel easily and silently through fabrics, plastics and other materials, RFID tags can be sewn into clothing or affixed to objects contained in purses, suitcases, shopping bags, etc. Also, since tags be read from a distance, readers can be incorporated virtually invisibly into environments where people and items congregate, with the net result that it may not be readily apparent that RFID technology is in use, making it virtually impossible for a consumer to know when she/he is being “scanned”.88

87 88

Supra note 1 at 15. See also supra note 83. Supra note 34 at 2.

- 18 -

Tracking an individual’s movements. Privacy advocates worry that individuals can be tracked through tags embedded in clothing and vehicles and a sufficiently dense network of readers, possibly using a combination of RFID and Global Positioning System technology. If the tags can be associated with an individual, then by that association the individual’s movements can be tracked. For example, a tag embedded in an article of clothing could serve as an identifier for the person wearing it, and while the information regarding the tagged item remains generic, identifying the items people wear or carry could associate them, for example, with attendance at particular events such as political protests or rallies.89 Profiling of individuals. Unlike barcodes, where a bottle of soda has the same barcode as all other bottles of soda of that particular brand, RFID technology potentially enables every object to have its own unique ID. The use of the unique ID could lead to the creation of a global item registration system in which every physical object is identified and linked to its purchaser or owner at the point of sale or transfer. Further, if these unique identifiers are then additionally associated with an individual, such as by linking through a credit card number, for example, then a profile of that individual’s purchasing habits can be easily created.90 Secondary use (particularly from the perspective of limiting or controlling such use). There is also great concern that the creation of profiles and the tracking of movement can reveal a great deal of additional information. To name just one example, the linking of a

89 90

Ibid. Ibid.

- 19 -

person’s personal information, such as a medical prescription or personal health history, could have an adverse impact upon the availability of insurance or employment.91 Massive data aggregation. Lastly, RFID deployment requires the creation of massive databases containing unique tag data. These records could be linked with personal identifying data, especially as computer memory and processing expand in capacity and capability. Privacy advocates worry that this, in turn, could facilitate any of the practices listed above.92 Given the above scenarios, privacy groups are also concerned that privacy legislation and the common law lag behind the advancements in the technology.93 Currently, relevant legislation that would apply in this area is as follows: (b)

Privacy Legislation in Canada

Federal government institutions are regulated in their collection, use and disclosure of personal information by the Privacy Act.94 However, the federal Personal Information Protection and Electronic Documents Act95 applies to all federal works, undertakings or businesses and to all private sector organizations regulated by provinces that do not have substantially similar private sector privacy legislation. Only Alberta, British Columbia and Quebec have legislation that has been declared substantially similar to PIPEDA and that legislation governs private sector

91

Ibid. Ibid. 93 Karen Kavanaugh, “Law and Technology Institute keeps the legal community abreast on innovation” The Lawyers Weekly 25:5 (3 June 2005) (QL). See also Chad Kopach, “Radio Frequency Identification Devices: Big Brother is Watching” Ontario Bar Association, Young Lawyers’ Division 12:1 (August 2004). 94 R.S. 1985, c. P-21. 95 2000, c. 5 (hereinafter, “PIPEDA”). 92

- 20 -

organizations regulated under provincial law in those provinces.96 PIPEDA, however, applies to federal works, undertakings or businesses that operate in those provinces. PIPEDA, and the substantially similar provincial legislation, consider “personal information” to be information about an identifiable individual97 and apply to the collection, use and disclosure of personal information in the course of a commercial activity. All four pieces of legislation apply similar principles,98 including: (i) mandating that personal information may only be collected, used or disclosed with the knowledge and consent of the individual; (ii) limiting the collection of personal information to what is necessary for identified purposes; and (iii) mandating that personal information be collected by fair and lawful means.

Additionally,

personal information must be protected by adequate safeguards and individuals must be able to easily access information about an organization’s privacy policies and practices.

RFID

technology which captures information that can be linked to an identifiable individual would trigger an organization’s obligations under these legislative principles. The Privacy Commissioner of Canada (or of British Columbia, Alberta or Quebec, as the case may be) is responsible for overseeing the privacy legislation in his or her jurisdiction and addressing complaints that an individual’s privacy rights, as protected under the legislation, have been violated.99 Where an individual believes that their privacy rights have been violated by a commercial organization, they may complain to the Privacy Commissioner in the appropriate 96

Personal Information Protection Act (Alberta), S.A. 2003, c. P-6.5 (the “Alberta PIPA”), Personal Information Protection Act (British Columbia), S.B.C. 2003, c. 63 (the “B.C. PIPA”), An Act respecting the protection of personal information in the private sector, R.S.Q., c. P-39.1 (the “Quebec PIPA”) (collectively, the “PIPAs”). Please also note that in Ontario, the Personal Health Information Protection Act, 2004, S.O.2004, c. 3 (“PHIPA”) was also declared to be substantially similar to PIPEDA. PHIPA applies to personal health information. 97 Supra note 95 at s. 2; Alberta PIPA, supra note 96 at s. 1; B.C. PIPA, supra note 96 at s.1; Quebec PIPA, supra note 96 at s. 2. 98 See generally supra note 95 and supra note 95. 99 Office of the Privacy Commissioner of Canada, Fact Sheet, “Questions and Answers regarding the application of PIPEDA, Alberta and British Columbia’s Personal Information Protection Acts (PIPAs)” (5 November 2004).

- 21 -

jurisdiction.100

Generally, the role of the Commissioners is to facilitate the resolution of

complaints through persuasion, negotiation and/or mediation.101 However, the Commissioners have a variety of powers as part of the investigative responsibilities under the applicable privacy legislation, including the power to compel the production of evidence.102 The Commissions may investigate complaints and issue reports. Violations of these private sector privacy laws can result in an organization being ordered to comply with the legislation and/or correct its information management practices.

Additionally, monetary damages and/or fines can be

imposed.103 Under PIPEDA, complainants may bring an action before the Federal Court in relation to a matter addressed in the Commissioner’s report.104 Where the Commissioner in Alberta or British Columbia has found an organization to be in violation of the legislation, its order can be the basis for a civil cause of action against the organization by the complainant.105 In Quebec, orders of the Commissioner can be appealed to the Quebec Superior Court.106 (c)

Other Applicable Canadian Legislation

In addition to the substantially similar provincial PIPAs, each of the provinces and territories in Canada have legislation that governs the collection, use and disclosure of personal information by government organizations and departments.107 Additionally, a number of provinces have

100

Supra note 895 at s. 11; Alberta PIPA, supra note 96 at s. 46(2); B.C. PIPA, supra note 96 at s. 46(2); Quebec PIPA, supra note 96 at s. 42. 101 Canada, Office of the Privacy Commissioner of Canada, Your Privacy Responsibilities: Canada’s Personal Information Protection and Electronic Documents Act (Ottawa, March 2004) at 19. See also supra note 99. 102 Supra note 95 at s. 12(1); Alberta PIPA, supra note 96 at s. 38; B.C. PIPA, supra note 96 at s. 38; Quebec PIPA, supra note 96 at s. 51, 81. 103 Supra note 95 at s. 13, 16; Alberta PIPA, supra note 96 at s. 52, 59; B.C. PIPA, supra note 96 at s. 52, 56; Quebec PIPA, supra note 96 at s. 55, 91. 104 Supra note 95 at s. 14. 105 Alberta PIPA, supra note 96 at s. 60; B.C. PIPA, supra note 96 at s. 57. 106 Quebec PIPA, supra note 96 at s. 61. 107 Office of the Privacy Commissioner of Canada, Fact Sheet, “Privacy Legislation in Canada” (17 December 2004).

- 22 -

legislation dealing with personal health information collected and used by health care providers and related government departments.108 Further, the Bank Act109 regulates the collection, use and disclosure by federally-regulated financial institutions of all personal financial information.

Similarly, most provinces have

legislation governing the collection, use and disclosure of consumer credit information by credit agencies.110 An organization will have to be aware of the requirements under any and all legislation that applies to its particular industry and specific application of RFID technology. (d)

International Privacy Law

The Data Protection Directive of the European Parliament (the “Directive”) has been adopted by 25 member nations111 and, similar to PIPEDA, only applies where personal data is processed.112 Australia’s Privacy Act 1988113 also applies to information collected where the identity of the individual is apparent or can reasonably be ascertained. However, similarly to the Privacy Act114, the U.S. Privacy Act of 1974 applies only to government institutions.115

108

Ibid. S.C. 1991, c. 46. See also supra note 107. 110 Supra note 107. See e.g. infra note 121. 111 See Status of Implementation of Directive 95/46 on the Protection of Individuals with regard to the Processing of Personal Data, online: European Union’s area of freedom, justice and security . 112 Supra note 4 at 85. 113 Privacy Act 1988 (Cth), s. 6(1). 114 Supra note 94. 115 John M. Eden, “When Big Brother Privatizes: Commercial Surveillance, the Privacy Act of 1974, and the Future of RFID” (2005) Duke L. & Tech. Rev. 20. 109

- 23 -

Certain groups are in favour of enacting legislation specifically applicable to RFID technology. Legislation applying specifically to RFID has been proposed in a number of states in the U.S.116 A bill was introduced in California entitled the “California Identity Information Protection Act of 2005”. This bill, which, while referred back to the Committee on Appropriations at the end of June of 2005,117 was believed to be the furthest reaching of its kind,118 and would have prevented the use of RFID chips in any state-issued identification, such as driver’s licenses, health cards and school ID cards, and would have made the unauthorized reading of RFID tags a crime.119 (e)

Canadian Common Law

The common law in Canada has not been particularly responsive to advancements in these types of automatic identification technology.120 While not directly related to RFID, a recent Ontario Superior Court of Justice decision discussed the common law approach in Canada to invasions of privacy. The recent decision in Somwar v. McDonald’s Restaurants of Canada Ltd.121 reviewed a claim for invasion of privacy resulting from the defendant conducting an unauthorized credit check on the plaintiff.122 The court relied on the Ontario Consumer Reporting Act, which governs the collection and release of information relating to consumers’ income, debts, cost of living obligations and assets, in deciding that the plaintiff’s privacy had been invaded.123 The Court rejected the defendant’s Rule 21 motion for determination that the plaintiff’s statement of

116

Supra note 60. California Office of Privacy Protection, Current Privacy Legislation, online: Bill Information . 118 Supra note 62. 119 Kim Zetter, “State Bill to Limit RFID” Wired News (29 April 2005) online: Wired . 120 Supra note 62. 121 [2006] O.J. No. 64 (QL) (“Somwar”). For a review of the decision, see e.g. Javad Heydary, ed., “Does Ontario Law Recognize the Tort of Invasion of Privacy?” Laws of .Com: E-Business, Privacy & Technology Law Journal, vol. IV, issue 3 (9 February 2006), online: Laws of .Com . 122 Somwar, ibid. at para. 3. 123 Ibid. at para. 7. 117

- 24 -

claim contained no reasonable cause of action on the basis that it was not clear that a breach of a statute cannot give rise to liability where the elements of tortious responsibility have been established.124 In its reasons, the Court also explained that the common law is unclear as to whether the tort of invasion of privacy exists in Ontario.125 Other provinces have created a statutory tort of invasion of privacy; however, Ontario has not created such a statutory remedy.126 Further, the Canadian Charter of Rights and Freedoms recognizes an individual’s right to privacy in section 8 in the context of unreasonable search and seizure. 5.2

Privacy Law as it Applies to RFID

Canadian private sector privacy legislation, like PIPEDA, will apply to particular implementations of RFID technology where an individual can be linked to the information captured by the technology for the following reasons: •

chips, which can have personal information written to them, are repositories of personal information;

•

tags with unique identification numbers, which can be associated with an individual, are unique identifiers or proxies for that individual; and

•

information about possessions or purchases, which is captured by an RFID system and then stored in a database that can manipulate or process the information to compile personal profiles of individual consumers, is personal information, whether gathered through multiple

124

Ibid. at para. 41. Ibid. at para. 22. 126 Ibid. at para. 28. 125

- 25 -

visits to a facility or organization, or though access to the database of RFID purchase information.127 In order to comply with any of the applicable privacy legislation in Canada, any organization implementing RFID that collects personal information must ensure transparency in its use of this technology. The organization must inform individuals of the presence of the tags and readers and their locations and whether the tags are active or will become active. The application of privacy legislation to RFID technology depends on whether information about an identifiable individual will be collected or whether the technology is merely going to be used to track products. One reason cited by consumer groups for differentiating between these two applications of RFID systems is that once a tagged product has been purchased and removed from the point of purchase by a consumer, critics of RFID argue that the product becomes the property of the consumer, and a tag that continues to be active (especially if the consumer is not aware of the tag and its functions) could be viewed as an invasion of privacy.128 When a tag is being used within a facility or along the supply chain, the product is still the property of the manufacturer and it is likely not being used to collect information about an identifiable individual consumer. Additional concerns stem from the ability of anyone with a compatible reader to then be able to read a RFID-tagged product.129 The use of RFID in the supply chain provides companies with the ability to better manage their inventory without linking the product to personal information. These uses of the technology will have positive effects for an organization without invading consumers’ informational privacy.

127

Supra note 34 at 3. Supra note 1 at 19. 129 Ibid. at 15. 128

- 26 -

RFID systems, like those used in easy-pay systems, are linked directly to consumers, but, as with any loyalty program, the consumer must register for the program and consent to the collection of his or her personal information,130 thereby complying with the knowledge and consent principle of privacy legislation. Unless the RFID-enabled tracking system has some way of linking the item to the individual, an individual’s privacy will likely not be invaded, even if the tag is still active once the individual removes the product from the store shelves. Protection of personal informational privacy will become more important as the technology becomes smaller, more discrete and able to transmit across greater distances.131 As a result, privacy advocates are concerned with the ability of organizations to embed tags into objects without the knowledge of the purchaser. As readers do not require a line of sight in order to be able to capture the information stored on the tags, the tags could be read from a distance through clothing or other material.132 The concern is that, as a result, individuals could be tracked without their knowledge.

As more and more consumer products and personal items, like

passports and money, are imbedded with RFID tags, the more possible it is that anyone with a reader, not just the organization that manufactured or sold the product, will be able to capture information stored on any one of these numerous tags.133 However, regardless of the number of products that are imbedded with RFID chips, there has to be a system in place capable of linking the information to an individual and compiling and analyzing that data. Companies will have to inform consumers, who themselves will have to be vigilant about staying informed, about the products that contain tags, the location of the tags and readers, and the

130

Supra note 62. Supra note 1 at 16. 132 Supra note 34. 133 Supra note 1 at 15. 131

- 27 -

purpose of any RFID systems being used. Efforts at devising standards for the development of RFID, which, as mentioned above, includes features such as the ability of a tag to be permanently deactivated after use, as in the Gen 2 standard, demonstrates a commitment to the continued development of this technology with the protection of individual privacy as a key concern. Privacy watch groups recommend that the use of RFID-enabled technology be developed with the three principles of informational privacy protection kept in mind. These three principles are (i) notice and consent, (ii) choice, and (iii) control.134 As with any customer loyalty or rewards program,135 consumers must be given notice of and consent to the program, be informed of what information is being collected and how that information will be used. These programs should be optional and an individual can opt in (and out) at any time without incurring any costs. Control would also come in the form of consumers being able to choose to have their personal information kept separate from the identity of the product.136

Additionally, following the

obtainment of the consumers’ consent, the collectors of such information will still be obliged to limit the collection, use and disclosure for purposes that a reasonable person would consider appropriate under the circumstances, and individuals must still retain their right to see the personal information that are gathered and held about them, and to correct any inaccuracies.

134

Ibid. at 20. Supra note 62. 136 Supra note 1 at 20. 135

- 28 -

(a)

Fair Information Practices

The International Conference of Data Protection & Privacy Commissioners adopted a resolution on RFID in November of 2003.137 This resolution highlighted the importance of respecting privacy where the tags are linked to personal information. This resolution is also based on the international Fair Information Practices,138 which set out the minimum privacy standards that apply to the collection of all personal information. The three principles highlighted in the pervious paragraph, are only part of the Practices (which are consistent with the principles forming the foundation of the private sector privacy laws in Canada139) and which also include the following elements: •

placing limits on the collection of personal information by way of lawful and fair means with the knowledge and consent of the consumer;

•

any personal information collected should be relevant, accurate, complete and up-to-date;

•

the data collected should be for a specific and current purpose, and should not be disclosed other than for that purpose except with consent or as required by law;

•

safeguards should be in place to protect the collected information;

•

companies should be open about their policies for the collection and use of the personal information;

137

Ibid. at 24. Ibid. at 20. 139 Supra note 95; supra note 96. 138

- 29 -

•

individuals should be given access to the information relating to themselves to ensure it is accurate; and

•

measures should be in place to ensure companies are held accountable for their collection and use of personal consumer information.140

Researchers and commentators in the field of RFID technology are discussing including features in tags to prevent unwanted collection of personal information, such as having cashiers ask customers whether they would like the tags deactivated at the point of purchase or requiring consumers to ask for the tags in the products to be deactivated.141 Unfortunately, both of these solutions rely on consumers and employees being informed about the system and could be cumbersome in a busy retail environment. Additionally, an RFID blocker tag is being developed that would block the electromagnetic field emitted by readers and prevent the capture of the data stored on the tag.142 While this solution may be effective, it would be costly and would place the onus solely on the consumer. A more popular solution with privacy advocates includes installing “kill switches”143 in the tags, so that such tags will be permanently deactivated once a customer exits the store. This solution is supported by the MIT Auto-ID Center and has been adopted by several producers of RFID tags.144 However, none of these solutions conforms to the “notice and consent” principle of informational privacy.

140

Supra note 1 at 20-21. Ibid. at 19-20. 142 Ibid. at 18-19. 143 Ibid. at 19. 144 Ibid. 141

- 30 -

A paper released by the Electronic Privacy Information Center (“EPIC”) has expanded on the Fair Information Practices specifically as they relate to RFID technology.145 This position paper concludes that retailers should be prevented from forcing consumers into accepting live or dormant tags in products and, without the informed written consent of consumers, they should not be able to track the consumer. As well, the group suggests that consumers should be allowed to use any means available to detect and disable tags in products they purchase. The group is also opposed to the use of RFID technology in personal items, such as money, on the basis that it will eliminate the current anonymity associated with such objects.146 Adherence to the principles of privacy will enable organizations to implement RFID technology in ways that will have beneficial results for their business without alienating their consumers by invading their privacy. 5.3

Intellectual Property Infringement

As with any technology, patent infringement and disputes over patents are issues that users of the technology must bear in mind. Currently, it is unclear whether it is possible to develop an RFID system using the Gen 2 standard without infringing any one of the 140 RFID patents Intermec Technologies Corp. (“Intermec”) claims to own.147 Intermec sells a variety of RFID products, including tags, readers, RFID-encoded labels and printers.148

145

Ibid. at 21. Ibid. at 21-22. 147 Kenneth A. Alder, “RFID Technology and Intellectual Property May Be an Ever-Shifting Legal Landscape” RFID Product News (July/August 2005). 148 Bob Brewin, “Intermec sues Matrics over RFID patent infringement” ComputerWorld (9 June 2004), online: ComputerWorld . 146

- 31 -

Recently, Intermec claimed that 18 of its patents were “essential” to developing a Gen 2 standard compatible RFID system. Initially, it was prepared to donate five of these “essential” patents on a royalty-free basis, while offering licenses for an additional nine.

However, EPCglobal

reportedly was of the opinion that none of Intermec’s patents were, in fact, essential for the implementation of the Gen 2 standard. Following this announcement, Intermec revoked its original offer and now requires any company looking to utilize the Gen 2 standard in implementing an RFID system to negotiate licenses with Intermec on an individual basis. Intermec claims that because of the number of RFID patents it has registered, no company would be able to design a functioning RFID system based on the Gen 2 standard without infringing any of its patents.149 In fact, Intermec has been involved in law suits with Matrics Inc.150 and Symbol Technologies Inc.151 (“Symbol”) in the U.S. over RFID patents. Proponents of this technology believe that these disputes have the potential of derailing widespread implementation of RFID systems and increasing the cost of the technology, a fact that already prohibits the use of RFID is mass retail settings.152 On a positive note, Symbol and Intermec agreed on September 12, 2005 to settle much of their year-long dispute over intellectual property for RFID. Previously, Symbol had acquired Matrics, which Intermec alleged had infringed on Intermec’s patents. In March, 2004 Symbol had sued Intermec for patent infringement and at the same time pulled out of an agreement to supply Internec with laser-scan engines. Intermec countersued with another patent suit against Symbol. Under the terms of the settlement, each vendor agreed to license technology from the other and

149

Supra note 147. Supra note 148. 151 “Symbol Sues Intermec for Patent Infringement” RFIDNews (11 March 2005), online: RFIDNews . 152 CNET News, supra note 42. 150

- 32 -

Symbol also agreed to join Intermec’s “Rapid Start” RFID licensing program, which provides access to various Intermec technologies, including RFID tags and portable readers. Intermec will gain access to Symbol’s intellectual property through the cross-licensing of Rapid Start. The companies also agreed to dismiss most of their pending suits against one another and put the remainder on hold for 90 days while they tried to work out any unresolved intellectual property issues.153 Despite these patent disputes, a number of companies are continuing to develop and implement RFID systems, illustrating that companies appear willing to risk the possibility of facing infringement claims in order to achieve the benefits to their business that RFID heralds. Certain companies believe that patent disputes are a normal part of setting intellectual property standards,154 and while many in the industry support the development of a royalty-free interface standard,155 some companies believe that any royalties will be negligible as compared to the cost savings generated by implementing the technology.156 5.4

Licensing

Related to the issues surrounding the RFID patents are licensing issues. Following the conflict over which Intermec patents were essential to the use of the Gen 2 standard, Intermec introduced its “Rapid Start” RFID licensing program.157 Pursuant to this program, Intermec offered blanket licenses to its four portfolios of RFID patents. One element of this program, which highlights another issue related to licensing, is that the agreements signed between Intermec and the

153

S. Lawson, “Symbol, Intermec Settle Most Patent Disputes Over RFID”, Computerworld (September 12, 2005). Ibid. 155 Clint Boulton, “Symbol Strikes Over RFID Patents” Wireless (29 April 2005), online: Internetnews.com . 156 CNET News, supra note 42. 157 Supra note 147. 154

- 33 -

manufacturers contained cross-licensing provisions. Cross-licensing can be an effective way to offset some of the costs associated with the licensing arrangement.158 However, companies will have to be conscious of any restrictions in its own licenses that may prohibit a cross-licensing arrangement. Further, companies will have to be aware of any restrictions in software and hardware licenses that may restrict its ability to implement an RFID system.159 In order for a company to derive benefits from the use of this technology, the RFID technology will have to either be integrated into or will have to replace a company’s current tracking system and information databases, which could result in breaches to current licensing agreements. 6.

Implementing RFID

The issues discussed above must be considered by any organization considering implementing an RFID system. Primary consideration must be given to the business objectives for implementing the technology. RFID technology can be designed in a variety of ways and for a variety of functions, and therefore a company must first consider what the system is meant to achieve. 6.1

Business Objectives

A company considering implementing an RFID system must define the purpose behind implementing the system. Is the system going to be used only to track products as they proceed along the assembly line? Is it to improve supply chain management? Is the system to better manage in-store inventory? Or is the system going to be used to gather information about

158

Ibid. Kenneth A. Adler, “RFID in Healthcare” Healthcare Informatics (May 2005), online: Healthcare Informatics . 159

- 34 -

identifiable customers? Each implementation involves different considerations and will require different tag and reader features. A system that will track and gather consumer intelligence will have different legal obligations than a purely supply chain-oriented system, such as the undisputed requirement of the company’s owner to comply with PIPEDA and other similar provincial privacy legislation. The business objectives should also consider whether and/or how the RFID technology can be integrated with the information systems already in use. Can the hardware and software currently in use in the business be adapted or upgraded to seamlessly integrate the RFID technology or will the company require an entire systems overhaul? The company would be well advised to map their entire system in order to be able to anticipate any potential integration problems.160 These decisions will likely be influenced by any restrictions in current software and hardware licenses.161 This would likely involve counsel reviewing all licenses currently being used by the client and perhaps negotiating amendments to or releases from these licenses. The intended use of the technology and the environment in which the system will be implemented are additional factors requiring consideration prior to deciding on a supplier. Are active or passive tags best suited to the company’s facilities and intended use? Are the tags only meant to be used once and then discarded or should they be able to be read and rewritten numerous times? Will the system be used outdoors? Do the readers need to be able to capture the data stored on the tags from long distances or at various points in a facility? Counsel will

160

Marc Dautlich, “Before you roll out RFID… read this” silicon.com (20 January 2005), online: silicon.com . 161 Supra note 159.

- 35 -

also need to have a good understanding of the supply chain, assembly line or store layout to be able to effectively negotiate with suppliers. These business goals will have to be translated into contractual provisions with the RFID technology supplier or vendor.162

In negotiating the relevant licensing agreement, counsel

should keep in the forefront of their minds their client’s objectives and ensure that the contract includes representations that the system will function appropriately and effectively given the desired results. Additionally, the contract should include mechanisms to revisit the contract should the system fail to meet these goals at some point in the future or should the company’s goals change over the course of the license.163 Additionally, the contract must include penalties or terms for dealing with any malfunctions or systems failures. Once the business objectives have been identified, a company can canvass the service providers for the technology components that will best meet its needs. This will result in determining whether it is more advantageous to use one integrated supplier or to license the various components from different suppliers.164 This decision will likely be influenced by widespread implementation of the Gen 2 standard. If all components are based on one uniform protocol, a company can more easily purchase the various components from different vendors. However, with the murkiness surrounding the Gen 2 standard and use of Intermec’s patents, using one integrated supplier could better ensure compatibility.

162

Supra note 160. Ibid. 164 Supra note 159. 163

- 36 -

6.2

Patents

The decision as to which service provider to select should be informed by the status of the vendor’s RFID intellectual property.165 Counsel should investigate which suppliers are licensed to use the RFID technology they provide (i.e. have signed a licensing agreement with Intermec) and which have relied on the Gen 2 standard and EPCglobal’s claim that none of Intermec’s patents are essential for the implementation of that standard. Concerns over patent issues might be more easily dealt with through contracting with one integrated supplier. Regardless of the supplier, counsel for a client implementing this technology should (i) identify all of the components required for the client’s system and require each supplier to identify the owner of any intellectual property for each RFID component; (ii) include language in the licensing contract confirming that the supplier has made all required royalty payments; and (iii) confirm that it has the authority to permit the use of the equipment and the software that it is providing under the contract.166 Additionally, counsel should negotiate to have the supplier indemnify and hold harmless its client for any and all intellectual property infringement claims arising from the use of the technology in the client’s business, preferably on a global basis.167 6.3

Privacy

Companies will have to pay particular attention to protecting the privacy of their customers and/or employees if the objective for, or result of, implementing an RFID system is, even in part, to be able to link products to specific individuals. As has been previously discussed, RFID 165

Ibid. Supra note 147. 167 Ibid. 166

- 37 -

technology is a hot-button item for privacy advocates today and to date, consumer protests and boycotts have been effective at preventing, or at least stalling, a number of system implementations. Companies would be wise to not only comply with the legal requirements under PIPEDA (or other applicable privacy legislation) but to also consider complying with the Fair Information Practices discussed earlier in the paper. As RFID technology continues to develop, remedies for invasion of “informational privacy” will likely continue to develop and solidify at common law. While legislation like PIPEDA and its provincial equivalents has been implemented, in part, to fill the gap left by the failure of the common law to create or evolve a general tort remedy for conduct which constitutes an invasion of privacy,168 the common law has been reluctant to recognize a right of action for invasion of informational privacy. As the technology continues to advance, both the common law and the provincial legislatures may likely continue to develop the law in this area. In addition to the use and environmental considerations discussed above, concerns about the protection of personal information will impact decisions about the type of technology a company will implement and the suppliers best suited to provide the various components. For example, if a company is looking to implement RFID technology in a mass retail setting, it would be wise to consider purchasing tags with built-in “kill switches” that deactivate the tags once the tagged item is removed from the store. Organizations should consider the best way to incorporate a deactivation function into its specific implementation of RFID technology.

168

G.H.L. Fridman, The Law of Torts in Canada, 2nd ed. (Toronto: Carswell, 2002) at 708.

- 38 -

Additionally, organizations must develop a method of notifying individuals of the presence of the RFID technology, how it works, any personal information which may be collected and why it is being collected, and how an individual can disable the tags. In order to avoid the application of PIPEDA and related privacy legislation specifically to its RFID-enabled technology, a company may want to consider designing the tags to emit a series of random pseudonyms as opposed to unique identification numbers, or to remove all information unique to an identifiable person and only retain the generic information. Finally, the organization must ensure, as with any other information technology, that it has adequate information security in place. 6.4

Internal Policies

After the company has identified its objectives and selected its RFID suppliers, and during the design and implementation process, it should also consider drafting internal policies to govern the use of RFID technology and to educate both its employees and customers. These policies could include what the technology is being used for, how it works and, if the tagged item is linked to an identifiable individual, what information is collected about that individual. For example, it may be appropriate in a workplace using RFID-enabled access cards to communicate to employees whether a record of every swipe of their access card linked to them as individuals is kept for any specified length of time.169 If employees are going to be required to inform customers about the technology, the company may want to consider implementing employee training programs and producing educational material to be provided to the customers. Internal policies will also be important for an organization as a means of documenting its compliance with any applicable privacy legislation. For example, the principle of accountability

169

Supra note 37.

- 39 -

in private sector privacy laws in Canada requires an organization to appoint an individual to be responsible for the organization’s compliance with the legislation, while the principle of openness requires that customers, clients and employees be informed of an organization’s information management practices and policies.170 7.

Conclusion

Where does RFID stand today? Regrettably, as noted in a recent “Forecast 2006” article in Computerworld, the high cost and complexity of RFID continues to block widespread adaption by enterprises, notwithstanding the fact that the IT trade press and industry analysts alike have been hailing RFID as the “second coming of bar codes”.171

To date, most users have

implemented only small, low-impact pilots that are a long way from becoming a key part of the adopting enterprise.

In fact, respondents to a recent Computerworld survey ranked RFID

“second” among technologies that hold promise for their companies or industries, but “first” among technologies that have not lived up to their hype.172 Complex deployment and entrenched tracking systems (most notably those old reliable bar code systems) are keeping RFID on the back burner at many organizations. Companies are also not certain what to with the data that they collect, as much of contains little useful information. RFID is still in the early adapter phase, with cost being the main problem (including the cost of the tags alone) and small companies are reluctant to justify the cost. From a business standpoint, despite the variety of features and functions of an RFID system, the fact remains that it may not be suitable for every

170

Office of the Privacy Commissioner of Canada, Fact Sheet, “Complying with the Personal Information Protection and Electronic Documents Act” (20 June 2005). 171 Supra note 70 at 34. 172 Ibid.

- 40 -

business. Companies must evaluate their goals, current information technology systems, and the costs of the technology as compared to the expected benefits. Despite the foregoing, there is little doubt that RFID technology can make a business more effective, having benefits that flow all the way along a supply chain, from manufacturers to distributors to retailers. As recently predicted by Computerworld, retailers will continue to strong-arm suppliers into using RFID, but so will developing standards such as passive UHF Generation 2, which is being used by Wal-Mart, Target Corp. and the U.S. Defense Department.173

While ultimately RFID will replace bar codes and other network tracking

technologies, users will closely watch how RFID’s early adapters (as well as those companies that are compelled to use it by large influential players such as Wal-Mart)174 can improve their bottom lines with the technology to make it more attractive.175 From a legal standpoint, as with any new technology, a number of legal issues need to be considered, including licensing and patent infringement.

Additionally, depending on the

intended use of the technology, companies may need to pay particular attention to protecting the privacy of their customers. As has been discussed, RFID is a topic of great concern for privacy advocates today, and companies would be well advised to be open about their proposed implementation and use of the technology. The small size of the tags and their ability to uniquely identify individual objects present potential violations of Canadian privacy legislation.

173

Supra note 70 at 35. In a recent article in Computerworld, Marc. L. Songini reported that when Wal-Mart first went live with RFID in January 2005, they had more than 100 suppliers tagging products. It now has more than three times that number involved, feeding RFID-tagged goods to 500 Wal-Mart facilities through five distibution centers. The company expects the number of stores capable of handling RFID-tagged items to double to 1,000 by January 2007, with 600 suppliers employing the technology by then. See Marc L. Songini, “Wal-Mart Details its RFID Journey”, Computerword (2 March 2006) available online at <www.computerworld.com/industrytopics/retail/story/0,10801,109132p2,00.html>. 175 Supra note 70 at 35. 174

- 41 -

Organizations that implement RFID must fully comply with all applicable legislation, like PIPEDA and its provincial equivalents, and should consider using the principles underlying private sector privacy legislation as a framework for designing effective and compliant RFIDenabled information technology systems. Failure to do so will no doubt result in adverse consequences for any adopters of RFID that will significantly nullify any anticipated business benefits that may be achieved through use of the technology.

TOR_LAW\ 6253853\6