Stanford CIS

Must RFID-Legislation Be Technology Neutral?

By Christian Laux on

It is a common mantra of both industry's and consumers' advocates that legislation related to radio frequency identification ("RFID") should be technology-neutral.

I am not convinced, although the mantra has some merits:  A technology-specific act is likely to become useless once the technology improves.  Also, technology-specific regulation might lead to unequal treatment.  Further, technology-specific regulation can lead to a different perception of several categories of data.  This might have the undesired effect that some data is seen as worthy of protection while other data starts to be overlooked and in fact gets less protection.  And this would disregard the choice of the consumer: What is cool for one person can be a concern for another.  Legislation should give the consumer the tools to determine whether he has a privacy concern or not.  And technology-specific legislation is less likely to operate on this general level.

However, to me it still looks all right to create and apply technology-specific rules if one intends to regulate a pervasive technology.

Obviously, there is no standard to determine what pervasiveness means.  It is not even clear if this is the relevant factor.  Nevertheless, some thoughts:

A technology might be considered pervasive if it monitors essential daily activities of all consumers without allowing an opt-out.  If buying a body lotion or a shaving cream is not possible without leaving traces, doesn't this go too far?  Here, the concern is that too much information is collected.  Also, in the case of RFID, the focus very often lies on who gets access to the data that is stored on the RFID chip.  If the devices capable of reading the information on a chip can recognize a consumer over time and in other contexts, privacy is very much at risk.  Things get worse if these devices together form a widespread network, or if the radio spectrum gets harmonized.  In other words, when the technology that has been chosen to collect data inherently allows connecting the dots and coming up with detailed profiles, I think it is a pervasive technology.  Again, the concern lies in data collection.

Sometimes, the mere fact that data is collected is already a concern for the person to whom the data belongs.  "If people knew what is collected about them while they use the internet they would not do what they do."  This is a quote from a discussion I recently had about data collection practices on the internet.  It expresses that it might not be sufficient just to regulate how the collected data should be used.  Rather, the regulation should also control the earlier step: data collection.

Now, data collection usually is very technology-specific:  Whether information is collected through weblogs, cookies, beacons, or RFID affects what the collected data will look like.  It looks pretty difficult to describe the duty to apply "kill-switches" (tools which allow the automatic deactivation of an RFID chip at the point of sale), or to forbid the hiding of RFID tags in containers or packaging material (which prevents the consumer from detecting the tag and disposing of it), in a general, non-technology-specific way without making the rule too broad (which would make it impossible to get adopted).  Or to put it this way:  If there were only technology-neutral legislation, a very important step -- data collection -- would likely fall outside its scope.  The rules would then only set requirements as to how the data has to be managed.

RFID has an enormous potential to become very pervasive: "In the near future, we will see the breakdown of the boundary between cyberspace and real space.  The worlds of data and things will merge so that the virtual world of the Web will be rendered physical as we move towards – what computer scientists have called 'the Internet of Things'." (EU Commissioner Viviane Reding, International CeBIT Summit, Hannover 9 March 2006)

To address these concerns, even the European Union -- which has a baseline privacy regulation -- sees the need to complement the existing legal framework.  The existing EU regulation consists of two directives:  a general Data Protection Directive (Directive 95/46/EC) and the Privacy and Electronic Communications Directive (also known as the ePrivacy Directive, 2002/58/EC).  The ePrivacy Directive complements the general Data Protection Directive but does not cover RFID because it is limited to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks.

As mentioned before, the European Commission has announced several steps in order to address the concerns related to RFID technology.  During the year 2006 the European Commission invited stakeholders to express their concerns.  The results are available here and here.  Based on the consultation, the Commission has now released a Communication announcing the key results and further actions.  I expect some technology-specific provisions to be inserted.

For what is going on in the U.S., see the comprehensive overviews here and here.

Also, in California, legislation related to RFID tags is on its way.  A bill for enactment of the Identity Information Protection Act was reintroduced in 2007, after a first draft had been vetoed by Governor Schwarzenegger.  The text as reintroduced is here.  The California bill is conceived to be an "interim measure[s] until subsequent legislation or regulations are enacted based on new information [...]" (Section 2(c) of this Bill).  It is said to be a technology-neutral act, but I do not think it is.  However, the California approach definitely makes sense, all the more so because there is no general baseline privacy law in the U.S.

All in all, I do not see why technology-specificity should necessarily be a bad thing.

Published in: Blog, RFID, Privacy, Notice by Design