This chapter addresses the privacy and data protection issues presented by RFID, largely in view of existing human rights policy and constitutional protection, data protection law, and fair information practices. As described in other chapters, RFID poses privacy problems that are arguably the most fundamental we have encountered in many years. If so few people understand how the telephone signaling system works and so many make uninformed decisions about such issues as caller ID or data retention, how will the public be able to make educated decisions about a sophisticated technology like RFID? In this new world of machine-to-machine (M2M) communications, it is not even clear that the paradigms on which we rest our interpretations of privacy are adequate. This chapter examines some new ways of defining privacy in North America, Europe, and elsewhere.
Privacy and consumer advocates are calling for regulation, codes of best practice, and technological fixes that give them back a measure of control over RFID. They are trying to slow down the rollout of these transformative technologies so that the public can get involved in the dialogue. That call for discussion and policy development is not being heeded in a coherent way, and although the Data Commissioners of Europe, through the Data Protection Working Party, are studying the topic and will likely issue a report in 2005,2 there is as yet no formal guidance from regulators. This chapter sketches out a few realistic scenarios and looks at what the existing law, policy, and best practice might say about privacy protection. Although the core concepts are similar, the diversity in the detail of the various laws precludes our providing anything more than highlights, and certainly this chapter should be considered a policy discussion, not legal advice.
Definitions of Privacy
In a global context, "privacy" is understood in different ways by different individuals across many cultures and sectors. Each author in this volume may well refer to privacy in a slightly different way. This chapter fleshes out some of the meanings.
Privacy has traditionally been discussed along two vectors:
- As a fundamental human right, including the right to be free from unreasonable search and seizure or intrusion
- As protection of personal information
The principal data protection instruments referred to in this chapter are the European Data Protection Directive 95/46/EC (1995), which sets the mandatory standards for the legislative framework in each European member state; the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) (2000), which does the same thing for Canada and its provinces; and the OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (1980), which underpin much of the U.S. privacy law. Various definitions of personal information exist within global legislation and other instruments, and the subtleties of these definitions could make a big difference when applied to RFID.
Definitions of Personal Information
The following are definitions related to personal information:
- European Directive 95/46/EC: Personal Data.3 "Shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity"; also
- Processing of Personal Data. "Shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction."
- Personal Information Protection and Electronic Documents Act (PIPEDA) (Canada). "Personal information" is defined as "information about an identifiable individual, but does not include the name, title, or business address or telephone number of an employee of an organization."
- OECD Guidelines. Personal data is defined as "any information relating to an identified or identifiable individual (data subject)."
- Safe Harbor Arrangement: Personal Data. "Personal data and personal information are data about an identified or identifiable individual that are within the scope of the Directive, received by a U.S. organization from the European Union, and recorded in any form."
History of the Current Privacy Paradigm
In the 1970s, fears about loss of privacy focused on large, centrally held databases containing files about named or numbered individuals. People conceptualized the threat in terms of information in a file. As the Web and its attendant search engines have developed, we have only slightly modified our thinking about personal information or personally identifiable information and the way it is kept. The concept of personal information being dangerous when held centrally in a "file" is rather quaint, given the power of today's networks and search engines.
Now there are holes in this conceptual framework. On one hand, if RFIDs contribute information about individuals to large databases, the link with the individuals is often not specific enough for some of these definitions to be useful. On the other hand, if the feed from an RFID is not considered personal information because it is not linked to a name or an identifying number, it can still be combined with other data to provide personal information. PIPEDA expressly addresses this hole by defining personal information as "information about an identifiable individual" without specifying who identifies that individual, or how. This anticipates a world where data is agglomerated, crumb by crumb, from a host of different data holders, until sufficient attributes are present to re-identify the individual associated with the data-stream.4
"We may identify at least four relatively distinct types of privacy concern and label them, for the sake of convenience, 'freedom from intrusion,' 'negotiating the public/private divide,' 'identity management' and 'surveillance.' Each way of thinking and talking about privacy will favor particular definitions of, and solutions to, the privacy problem. Obviously, these concerns are interrelated."