
The 2nd Annual RFID India Informedia

India Conference 2008


22-23 July 2008

ITC Grand Maratha, Mumbai.

RFID TECHNOLOGY- A LEGAL ANALYSIS

Karnika Seth
Cyber law Expert & Managing Partner
SETH ASSOCIATES
ADVOCATES AND LEGAL CONSULTANTS

© 2008 Seth Associates. All Rights Reserved.


Legal Issues Impacting RFID Technology in India
• RFID Technology - an Introduction
• RFID Applications in India
• Legal Approvals & compliances
• Global standardisation
• Legal Issues
• Privacy and Data Protection
• Security and other issues

RFID Technology- An Introduction
• Radio Frequency Identification (RFID) technology uses radio waves to identify objects or people that have an RFID tag attached, automatically, wirelessly, without contact and without line of sight. It is grouped under the broad category of automatic identification technologies.
• It consists of two parts: a tag that contains an identification number, and a reader that works as a scanner and triggers the tag to broadcast its identification number. This number usually acts as an input to further data processing. RFID is designed to enable readers to capture data on tags and transmit it to a computer system without needing a person to be involved.
• A typical RFID tag consists of a small integrated circuit attached to a radio antenna, capable of transmitting a unique serial number at a distance of several meters to a reading device in response to a query.
• RFID tags can be active, semi-active or passive.

Technology behind RFID

• An electromagnetic or electrostatic coupling in the RF (radio frequency) portion of the electromagnetic spectrum is used to transmit signals.
• The RFID system consists of an antenna and a transceiver, which reads the radio frequency and transfers the information to a processing device (reader), and a transponder, or RF tag, which contains the RF circuitry and information to be transmitted.
• The radio frequency band allocated in India for RFID is 865 – 867 MHz. This band has been freed solely for RFID since March 2005.
• RFID systems can use a variety of frequencies to communicate, but because radio waves work and act differently at different frequencies, the frequency for a specific RFID system is often dependent on its application.

RFID Applications in India
• Few Examples

Transport industry
The Minister of Road Transport and Highways, Government of India, launched a pilot radio frequency identification (RFID)-based vehicle tracking project on the Delhi-Jaipur highway of India.

Under the project, 68 buses of Rajasthan State Road Transport Corporation (RSRTC) plying on the highway have been fitted with RFID tags, and readers have been placed along the highway so that the buses' movement is tracked, monitored and managed.

Apparel Tracking Using RFID – Pantaloons
Pantaloon Retail (India) has piloted an RFID project at one of its warehouses in Tarapur using 1,000 RFID tags. The company is starting from where it matters the most by implementing the technology at the warehouse.

Ticketing
More recently, NXP Semiconductors, SmartTags and Gemini Traze have collaborated to implement a “hands-free” RFID ticketing solution for a sporting event.

RFID in the Pharmaceutical Industry
(Ranbaxy), a wholly owned subsidiary of Ranbaxy Laboratories Limited, India’s largest pharmaceutical company, has chosen Acsis to implement a radio frequency identification (RFID) tracking system to meet Wal-Mart’s RFID mandate for its Class 2 pharmaceutical suppliers.

Animal Tracking
The Kopordem farm at Valpoi in Sattari Taluk in North Goa has become the first farm in India to use RFID microchips that can be injected into the animal's body.

Manufacturing Sector
Wipro’s Manufacturing Solutions’ Center of Excellence (CoE) has a dedicated team of consultants who help customers define, analyze, design and implement RFID solutions. Amongst others, their RFID solutions include a Wireless Yard Management System for a large automobile manufacturer and a Real-Time WIP Tracking System for an electronic component product manufacturer.

Legal approvals & compliances - Statutory framework & Regulatory Authority
• The Wireless Planning and Coordination Wing of the Ministry of Communications and Information Technology, Government of India, deals with issues of licensing the use of RFID devices in India.

Indian Wireless Telegraphy Act
• Indian Wireless Telegraphy Act 1933 - An Act to regulate the possession of wireless telegraphy apparatus. ‘Wireless communication’, defined in Section 2 of the Act, means any transmission, emission or reception of signs, signals, writing, images and sounds, or intelligence of any nature by means of electricity, magnetism, or Radio waves or Hertzian waves, without the use of wires or other continuous electrical conductors between the transmitting and the receiving apparatus;
• Explanation.—‘Radio waves’ or ‘Hertzian waves’ means electromagnetic waves of frequencies lower than 3,000 gigacycles per second propagated in space without artificial guide;
• Section 5 of the Indian Wireless Telegraphy Act 1933 - Licences.—The telegraph authority constituted under the Indian Telegraph Act, 1885, shall be the authority competent to issue licences to possess wireless telegraphy apparatus under this Act, and may issue licences in such manner, on such conditions and subject to such payments, as may be prescribed.

According to Section 3 of the Act, possession of wireless telegraphy apparatus without a licence is strictly prohibited; possessing a wireless transmitter without a licence: 3 years punishment, fine or both. Section 4 deals with the power of the Central Government to exempt persons from provisions of the Act, and Section 10 elucidates the power of the Central Government to make rules.

Indian Telegraph Act
• The Indian Telegraph Act was passed by the Legislature in 1885 and came into force on 1st October, 1885 - An Act to amend the law relating to Telegraphs in India.
• The expression ‘telegraph’ by definition would include a telephone and fax also. Video and television both fall within the definition of ‘telegraph’. A telegraph wireless receiving station is a ‘telegraph’ as defined in the Act. Section 3 of the Indian Telegraph Act defines telegraph as: "telegraph" means any appliance, instrument, material or apparatus used or capable of use for transmission or reception of signs, signals, writing, images, and sounds or intelligence of any nature by wire, visual or other electro-magnetic emissions, Radio waves or Hertzian waves, galvanic, electric or magnetic means;
• Explanation — "Radio waves" or "Hertzian waves" means electro-magnetic waves of frequencies lower than 3,000 giga-cycles per second propagated in space without artificial guide.
• "telegraph authority" means the Director-General of Posts and Telegraphs, and includes any officer empowered by him to perform all or any of the functions of the telegraph authority under this Act;
• Section 4 of the Indian Telegraph Act - Exclusive privilege in respect of telegraphs, and power to grant licences

Power to Grant RFID License in India
• Section 4 Indian Telegraph Act - Exclusive privilege in respect of telegraphs, and power to grant licences —
(1) Within India, the Central Government shall have the exclusive privilege of establishing, maintaining and working telegraphs:
Provided that the Central Government may grant a licence, on such conditions and in consideration of such payments as it thinks fit, to any person to establish, maintain or work a telegraph within any part of India:
Provided further that the Central Government may, by rules made under this Act and published in the Official Gazette, permit, subject to such restrictions and conditions as it thinks fit, the establishment, maintenance and working—
(a) of wireless telegraphs on ships within Indian territorial waters and on aircraft within or above India, or Indian territorial waters, and
(b) of telegraphs other than wireless telegraphs within any part of India.
• Section 8(2) The Central Government may, by notification in the Official Gazette, delegate to the telegraph authority all or any of its powers under the first proviso to sub-section (1).
The exercise by the telegraph authority of any power so delegated shall be subject to such restrictions and conditions as the Central Government may, by the notification, think fit to impose.

Revocation of RFID licenses in India
• Section 8, Indian Telegraph Act - Revocation of licences —
• The Central Government may, at any time, revoke any license granted under section 4, on the breach of any of the conditions therein contained, or in default of payment of any consideration payable thereunder.

Radio Frequency Identification Devices (Exemption from Licensing Requirement) Rules, 2005
• “Use of low power Equipment in the frequency band 865 – 867 MHz for (RFID) Radio Frequency Identification Devices (Exemption from Licensing Requirement) Rules, 2005” - the rules were published in the Gazette of India, Part II, Section 3, Sub-Section (i), dated the 11th March, 2005, vide notification No.168 (E), dated the 11th March, 2005.
• Rule 3. Use of wireless equipment in the band 865 – 867 MHz.- Notwithstanding anything contained in any law for the time being in force, no licence shall be required by any person to establish, maintain, work, possess or deal in Radio Frequency Identification Devices (RFID), on non-interference, non-protection and non-exclusive basis, in the frequency band 865 – 867 MHz with maximum 1 Watt transmitter power, 4 Watts Effective Radiated Power and 200 kHz carrier bandwidth.
• Rule 4. In case where any person to whom a licence has been issued under section 4 of the Act, informs that his licensed system is getting harmful interference from any other radio communication system exempted under these rules, the use of such unlicensed Wireless equipment shall be discontinued forthwith.

RFID Standardisation
• RFID standards first came into being during the early 1990s, when the (newly created) CEN TC225 committee on bar coding focused attention on automatic ID techniques in general.
• There are two competing initiatives in the RFID standardisation arena: ISO and EPC Global.
• There are also a number of special interest groups, including industry-specific ones such as the American Trucking Association in the transport industry, the NFC Forum in the consumer electronics, mobile devices and computer industry, or the Automotive Industry Action Group in the automotive industry, that seek to influence RFID standards development.

International Organization for Standardization (ISO) approach
• During the early 1990s, the standardisation activity on automatic ID techniques was mainly carried out in Europe within the CEN standard body (TC225 committee), with little involvement from the US. However, during 1995, a joint ISO IEC JTC1 committee – the SC31 – was set up for standardisation of automatic identification techniques, generally drawing from the earlier work on RFID standards within CEN. Another influence on the RFID work within ISO was the work on the G Tag initiative for RFID standardisation of asset tracking and logistics, which was launched by UCC and EAN in 2000 along with input from international companies including Philips Semiconductors, Intermec, and Gemplus.
• The members of the SC31 committees are the representatives of the national standard bodies, such as in the UK the BSI IST34 committee on bar coding, including the same people who tend to participate in CEN TC225. They are either internal consultants within big corporations, or external consultants who represent the interests of different companies. As a result, three different levels of representativeness (and thus interests) can be identified in the ISO process: the individual, the organisational, and the national level.

Standardisation - The ISO approach
• RFID ISO standards cover 4 different areas: technology (e.g. ISO 18000 series), data content (e.g. ISO 15418), conformance and performance (e.g. ISO 18046), and application standards (e.g. ISO 10374).
• The ISO standards are defined at a very high level, focusing on the interface rather than on the data which is transported. As a result, ISO standards are generic, being able to be supported by any system and in any context, irrespective of the data that is being carried.

RFID Standardisation
The Electronic Product Code (EPC) Global approach
• MIT and UCC, together with a number of industrial partners including Procter & Gamble, Gillette and Wal-Mart, set up the Auto-ID consortium in 1999 to research RFID technologies and standards.
• The members included end users, primarily from consumer packaged goods, large retailers and solution providers, including hardware and software providers and consultants. The Auto-ID members included large retailers such as Wal-Mart, Gillette, Coca Cola, Unilever, Tesco and Carrefour.
• A new entity, EPC Global, was created in October 2003 as a joint venture between UCC and EAN to undertake the standardisation and commercialisation work within Auto-ID. Whereas Auto-ID would continue to research RFID technologies, EPC Global focuses on standardisation activities, as well as their commercialisation.

The EPC Global approach

• In contrast with ISO RFID standards, which are generic standards, EPC standards are specific.
• EPC standards describe the tag and the air interface depending on the data being carried. EPC standards prescribe the physical implementation of the tags and readers, rather than specifying their generic characteristics. The standards are also much more limited in their scope: for example, where the ISO standards for air interface cover all the frequency range, EPC operates only within the UHF between 860-930 MHz, with one standard for 13.56 MHz.

The EPC vs ISO Global approach

• Whereas ISO can claim that it reflects the global requirements in a legitimate process (equal footing and consensus based), EPC focuses on speed and emphasises the broad support it receives from the industry community.
• The ISO and EPC processes can be seen as complementary, even more so when one considers that the only competing area is the standard for air interface frequencies.
• However, for both EPC supporters and for ISO, the need for a single, global standard is imperative.
• The benefits coming from standardisation would be lost if, in different parts of the globe, multinationals had to invest in different technologies for RFID.

Taxonomy of RFID tags and legal implications
• Tags that only contain item numbers that cannot be linked to persons (usually passive tags).
• Tags that may reveal the identity of persons through item numbers that are linked to backend databases, e.g. by connecting the information obtained from the tagged objects that individuals carry with them and the credit cards that they submit at the purchase point, e.g. to analyse the favourite shopping routes of customers that have already been identified by one of the shops in the mall, for better management and promotion policy to increase consumption.
• Tags that usually store personal data (active tags), e.g. passports issued with RFID technology - RFID chips containing biometric information - Germany, Belgium.
• In compliance with the recommendations of the ICAO, the Council of the European Union adopted on 13/12/2004 a regulation mandating the inclusion of both facial image and fingerprints in future passports and travel documents issued by EU Member States. The new regulation aims at better protecting EU passports against forgery, at enabling better identification of passport holders and at harmonising security standard features used in the production of passports and travel documents issued by Member States (Council Regulation 2252/2004 on standards for security features and biometrics in passports and travel documents issued by Member States).

Legal Issues

• Protecting the right to privacy and data protection concerns.
• Identification and profiling of a person (for example, to analyse the favourite shopping routes of customers for better management and promotion policy).
• Unnoticed remote reading without line of sight, for noticing consumer preferences, worker surveillance.
• Search, seizure, law enforcement purposes, e.g. the lists of the movement of cars passing through the toll-controls, the tracking of people carrying RFID enabled IDs or passports, or even RFID implanted tags.

• Impersonation and cheating
Chances of identity theft increase, as unauthorised scanning of the personal data of an individual is possible by unlawful interception.

• Monetary counterfeit
Even the use of RFID tags in banknotes can be highly problematic in this perspective. Through RFID it will be possible to determine which banknotes were withdrawn by whom from which automatic teller machine, or where those banknotes were then used to buy certain products or services.

• Protection of right to dignity
In this regard, the Japanese program for the children might breach children's right to privacy and dignity by treating them like cattle or a piece of inventory and by familiarizing them with an environment and a world of absolute surveillance. A group of children in Yokohama City in Japan wears active tags to keep them safe on their way to and from school. Each child participating in the programme wears a bracelet with an RFID tag.

• Unfair competition.
Inexpensive tags simply do not have the memory to store lists of readers that can authenticate themselves to the tag, in order to avoid unwanted reading of tags; and they don't have the power to call out to an enterprise server to get this information from a database. So they are exposed to unauthorised reading by competitors, for instance if a rival enters the shop of a competitor and “scans” its inventory with a mobile reader.

• Labour law.
Besides the use of the same RFID tags for other purposes, such as the surveillance of employees already mentioned above, this technology may affect the health of employees in terms of possible radiation emitted during the data communication between tag and reader. It might also lead to cutting personnel as a result of rationalisation through the use of the technology.

Privacy and Data Protection
• Privacy is closely connected to data protection. An individual’s data, like his name, address, telephone numbers, profession, family, choices, etc., are often available at various places like schools, colleges, banks, directories, surveys and on various web sites.
• Passing on such information to interested parties can lead to intrusion in privacy like incessant marketing calls.
• It would be a misnomer to say that India does not have ‘data protection’ legislation at all.
• This is factually wrong. The fact is that there exists data protection legislation in India. The subject matter of data protection and privacy has been dealt with in the Information Technology Act, 2000, but not in an exclusive manner.

Data Protection-legislative domain-India

• Data protection is not a subject in any of the three lists in Schedule VII of the Constitution of India.
• But Entry 97 of List 1 states: “any other matter not enumerated in List II and List III …….”
• Thus only the Indian Parliament is competent to legislate on data protection, since it can be interpreted ‘as any other matter not enumerated in List II and List III.’ Data protection is, thus, a Central subject and only the Central Government is competent to frame legislations on issues dealing with data protection.
• In fact, the Information Technology Act, 2000, enacted by the Indian Parliament, is the first legislation which contains provisions on data protection.

Data Protection law in India and RFID
• The IT Act, 2000 was enacted to provide legal recognition for transactions carried out by means of EDI and other means of electronic communication, commonly referred to as e-commerce, which involve use of alternatives to paper based methods of communication and storage of information, and to facilitate electronic filing of documents with Government agencies. RFID in essence falls within its operative domain.
• Section 2 definitions - "computer" means electronic, magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software or communication facilities which are connected or related to the computer in a computer system or computer network;
• "computer network" means the inter-connection of one or more computers through-
(i) the use of satellite, microwave, terrestrial line or other communication media; and
(ii) terminals or a complex consisting of two or more interconnected computers whether or not the interconnection is continuously maintained;
• "computer resources" means computer, computer system, computer network, data, computer database or software;
• "computer system" means a device or collection of devices, including input and output support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files, which contain computer programmes, electronic instructions, input data and output data, that performs logic, arithmetic, data storage and retrieval, communication control and other functions;

The Information Technology Act, 2000

• The Indian Parliament enacted an Act called the Information Technology Act, 2000. It received the assent of the President on the 9th June, 2000 and is effective from 17th October, 2000.
• This Act is based on the Resolution A/RES/51/162 adopted by the General Assembly of the United Nations on 30th January, 1997 regarding the Model Law on Electronic Commerce earlier adopted by the United Nations Commission on International Trade Law (UNCITRAL) in its twenty-ninth session.
• The aforesaid resolution of the U.N. General Assembly recommends that all States give favourable consideration to the Model Law on Electronic Commerce when they enact or revise their laws, in view of the need for uniformity of the law applicable to alternatives to paper-based methods of communication and storage of information.

Main principles of the Information Technology Act, 2000
• It is significant to note that by enactment of the Information Technology Act, 2000, the Indian Parliament provided a new legal basis to data protection and privacy.
• The main principles on data protection and privacy enumerated under the Information Technology Act, 2000 are:
(i) defining ‘data’, ‘computer database’, ‘information’, ‘electronic form’, ‘originator’, ‘addressee’ etc.
(ii) creating civil liability if any person accesses or secures access to computer, computer system or computer network.
(iii) creating criminal liability if any person accesses or secures access to computer, computer system or computer network.

(iv) declaring any computer, computer system or computer network as a protected system.
(v) imposing penalty for breach of confidentiality and privacy.
(vi) setting up of a hierarchy of regulatory authorities, namely adjudicating officers, the Cyber Regulations Appellate Tribunal etc.

• Further, the Information Technology Act, 2000 defines certain key terms with respect to data protection, like Access [S.2 (1)(a)], Computer [S.2 (1)(i)], Computer network [S.2 (1)(j)], Computer resource [S.2 (1)(k)], Computer system [S.2 (1)(l)], Computer database [S.43, Explanation (ii)], Data [S.2 (1)(o)], Electronic form [S.2 (1)(r)], Electronic record [S.2 (1)(t)], Information [S.2 (1)(v)], Intermediary [S.2 (1)(w)], Secure system [S.2 (1)(ze)] and Security procedure [S.2 (1)(zf)].
• Interestingly, section 72 [Penalty for breach of confidentiality and privacy] is aimed at public (and private) authorities, which have been granted power under the Act to secure access to any electronic record, book, register, correspondence, information, document or other material information.
• The idea behind the aforesaid section is that the person who has secured access to any such information shall not take unfair advantage of it by disclosing it to the third party without obtaining the consent of the disclosing party.

Cyber contraventions under IT Act

• The Information Technology Act, 2000 provides for civil liability in case of data, computer database theft, privacy violation etc.
• The Act provides a complete Chapter (Chapter IX) on cyber contraventions, i.e., section 43 (a) – (h), which cover a wide range of cyber contraventions related to unauthorised access to computer, computer system, computer network or resources.
• Section 43 of the Act covers instances such as:

(a) computer trespass, violation of privacy etc.

(b) unauthorised digital copying, downloading and extraction of data, computer database or information; theft of data held or stored in any media,

(c) unauthorised transmission of data or programme residing within a computer, computer system or computer network; cookies, spyware, GUID or digital profiling are not legally permissible,

(d) data loss, data corruption etc.,

(e) computer data/database disruption, spamming etc.,

(f) denial of service attacks, data theft, fraud, forgery etc.,

(g) unauthorised access to computer data/computer databases and

(h) instances of data theft (passwords, login IDs) etc.


Cyber offences under IT Act
• The Information Technology Act, 2000 provides for criminal liability in case of data, computer database theft, privacy violation etc.
• The Act also provides a complete Chapter (Chapter XI) on cyber offences, i.e., sections 65-74, which cover a wide range of cyber offences, including offences related to unauthorised alteration, deletion, addition, modification, destruction, duplication or transmission of data, and computer database.
• For example, section 65 [Tampering with computer source documents] of the Act is not limited to protecting computer source code only, but also safeguards data and computer databases; and similarly section 66 [Hacking with Computer System] covers cyber offences related to (a) Illegal access, (b) Illegal interception, (c) Data interference, (d) System interference, (e) Misuse of devices, etc.

The Right to Privacy in India
• Judicial activism has brought the Right to Privacy within the realm of Fundamental Rights.
• Article 141 of the Constitution states that “the law declared by the Supreme Court shall be binding on all courts within the territory of India.” Therefore, the decisions of the Supreme Court of India become the law of the land.
• The Supreme Court of India has come to the rescue of the common citizen, time and again, by construing “right to privacy” as a part of the Fundamental Right to “protection of life and personal liberty” under Article 21 of the Constitution, which states “no person shall be deprived of his life or personal liberty except according to procedures established by law”.

Judicial Activism: The Right to Privacy
• In the context of personal liberty, the Supreme Court has observed “those who feel called upon to deprive other persons of their personal liberty in the discharge of what they conceive to be their duty must strictly and scrupulously observe the forms and rules of the law”.
• Even the fundamental right “to freedom of speech and expression” as enumerated in Article 19(1)(a) of the Constitution of India comes with reasonable restrictions imposed by the State relating to (i) defamation; (ii) contempt of court; (iii) decency or morality; (iv) security of the State; (v) friendly relations with foreign states; (vi) incitement to an offence; (vii) public order; (viii) maintenance of the sovereignty and integrity of India.

Thus, the right to Privacy is limited against defamation, decency or morality.

The Supreme Court has reiterated the Right to Privacy in the following cases:

1. Kharak Singh v. State of UP (AIR 1963 SC 1295)

• In this case the appellant was being harassed by police under Regulation 236(b) of UP Police Regulation, which permits domiciliary visits at night.
• The Supreme Court held that the Regulation 236 is unconstitutional and violative of Article 21.
• It concluded that Article 21 of the Constitution includes “right to privacy” as a part of the right to “protection of life and personal liberty”.
• The Court equated ‘personal liberty’ with ‘privacy’, and observed that “the concept of liberty in Article was comprehensive enough to include privacy and that a person’s house, where he lives with his family is his ‘castle’ and that nothing is more deleterious to a man’s physical happiness and health than a calculated interference with his privacy”.


2. People’s Union for Civil Liberties (PUCL) v. Union of India AIR (1997) 1 SCC 301

• The Supreme Court held that telephone tapping by the Government under S. 5(2) of the Telegraph Act, 1885 amounts to an infraction of Article 21 of the Constitution of India.
• Right to privacy is a part of the right to “life” and “personal liberty” enshrined under Article 21 of the Constitution. The said right cannot be curtailed “except according to procedure established by law”.

If one follows the judgments given by the Hon’ble Supreme Court, three principles emerge:

• (1) that the individual’s right to privacy exists and any unlawful invasion of privacy would make the ‘offender’ liable for the consequences in accordance with law;
• (2) that there is constitutional recognition given to the right of privacy which protects personal privacy against unlawful governmental invasion;
• (3) that the person’s “right to be let alone” is not an absolute right and may be lawfully restricted for the prevention of crime, disorder or protection of health or morals or protection of rights and freedom of others.

RFID and Data protection laws in other countries

GERMANY
Article 6c of the German Federal Data Protection Law (BDSG) is partly applicable to RFID tags, notably where the tag does not directly process or store personal data, as for instance passive tags.

USA
Utah recently reviewed its laws on unauthorised access to networks and added wireless networks, as it previously only addressed wire line networks: it clarifies that computer crimes laws apply to wireless networks.

Virginia’s law authorises research relating to methods of electronic toll collection. It also provides that data generated by automated electronic toll-collection systems on use of toll facilities can only be disclosed when so required by order of a court.

Wyoming authorises tele-pharmacies to use automated inventory control including radio frequency tags. In many other states there exists draft legislation on RFID technology, which sometimes seeks to require only labelling and notice that RFID is in use, while in other cases, like California’s approach, it would most tightly regulate the technology itself, including prohibitions of certain applications and technology-specific security requirements containing only the product ID.

Data protection in the EU
• The protection of personal data is an important
principle in the EU. Article 6 of the Treaty on the
European Union states that the Union is founded on
the principles of liberty, democracy, respect for
human rights and fundamental freedoms;
• Article 30 requires appropriate provisions on the
protection of personal data for the collection, storage,
processing, analysis and exchange of information in
the field of police co-operation.
• The protection of personal data is set as one of the
freedoms in Article 8 of the Charter of Fundamental
Rights.
European initiatives on data protection
 The Community legislation framework on data protection and privacy in Europe was
designed to be robust in the face of innovation. The protection of personal data is
covered by the general Data Protection Directive (Directive 95/46/EC on the protection
of individuals with regard to the processing of personal data and on the free
movement of such data, OJ L 281, 23.11.1995, p. 31), regardless of the means and
procedures used for data processing. The Directive is applicable to all technologies,
including RFID.

 The Directive emphasises the need for prior consent of the individual whose data is
being collected. It defines the principles of data protection and requires that a data
controller implement these principles (purpose limitation, proportionality, data quality,
lawfulness) and ensure the security of the processing of personal data.

 The general Data Protection Directive is complemented by the ePrivacy Directive
(Directive 2002/58/EC concerning the processing of personal data and the protection
of privacy in the electronic communications sector (Directive on privacy and electronic
communications), OJ L 201, 31.7.2002, p. 37), which applies these principles to the
processing of personal data in connection with the provision of publicly available
electronic communications services in public communications networks.
The OECD Initiative
 “RFID Position Statement of Consumer
Privacy and Civil Liberties Organizations.”
Privacy guidelines published by the
Organization for Economic Co-operation
and Development (OECD) offer some useful
guidelines related to the disclosure of RFID
technology use and the purpose behind its
use.
US and Data Protection
 In the U.S., the Federal Trade Commission’s
Fair Information Practice Principles would seem to play a role in the
legalities of RFID.
In its Fair Information Practice Principles, the FTC writes about the
collection and use of personal information and addresses “the safeguards
required to assure those practices are fair and provide adequate privacy
protection.” Government agencies in the past quarter century have
deliberated about the way in which entities gather and use personal
information. A succession of reports and guidelines have identified five
central principles of privacy protection:
1. Notice and awareness of collection of information.
2. Choice and consent of how this information can be used.
3. Access to the individual’s gathered information and the ability to contest
the accuracy of the collected data.
4. Integrity and security of the collected data.
5. Enforcement of the aforementioned principles.
Data security measures in RFID implementation
 Kill order solutions
 Shielding with Aluminum sheets
 Blocker tags
 Encryption
 User model solution
 Privacy bit (RSA Security): a tag-specific PIN code to switch the bit on
the tag on and off
Alleviating Consumer privacy concerns in adopting RFID technology
 Businesses can deploy RFID systems and use “read
only” (not rewritable) tags
 “kill” the tags before they are released to consumers
 affix tags to packaging rather than the object
 alert consumers to the presence of readers and the
manner in which they will be used
 place a notice that RFID tags are present together with
instructions for removal.
 Retailers that use RFID should have a privacy policy
available to consumers.
 address consumer privacy concerns by educating the
public about RFID: describing RFID tags and
acquainting consumers with its technology process
Thank You!
SETH ASSOCIATES
ADVOCATES AND LEGAL CONSULTANTS
New Delhi Law Office:
C-1/16, Daryaganj, New Delhi-110002, India
Tel:+91 (11) 65352272, +91 9868119137
Corporate Law Office:
B-10, Sector 40, NOIDA-201301, N.C.R ,India
Tel: +91 (120) 4352846, +91 9810155766
Fax: +91 (120) 4331304
E-mail: mail@sethassociates.com

© Seth Associates, 2008 All Rights Reserved
