
RFID Technology: Current Business and Legal Considerations

Lisa R. Lifshitz∗ and Blair McKechnie**

* Lisa R. Lifshitz, B.A., M.A., B.C.L., LL.B. is a Partner in the Toronto office of Gowling Lafleur Henderson LLP specializing in business and technology law. She can be reached at lisa.lifshitz@gowlings.com.
** Blair McKechnie, B. Com., LL.B., is a student-at-law in the Toronto office of Gowling Lafleur Henderson LLP.
This paper was prepared for the Ontario Bar Association’s conference Technology in Bloom 2006: New Developments in Technology Law, March 27, 2006.

TABLE OF CONTENTS

1. INTRODUCTION
2. WHAT IS RFID?
3. USES OF RFID TECHNOLOGY
3.1 Potential Uses of RFID Technology
3.2 Canada
3.3 International
3.4 Emerging Uses
4. IMPLEMENTATION ISSUES
5. LEGAL CONCERNS SURROUNDING RFID
5.1 Privacy
5.2 Privacy Law as it Applies to RFID
5.3 Intellectual Property Infringement
5.4 Licensing
6. IMPLEMENTING RFID
6.1 Business Objectives
6.2 Patents
6.3 Privacy
6.4 Internal Policies
7. CONCLUSION

1. Introduction

Radio Frequency Identification technology (“RFID”) has become a hot-button issue recently as

much has been written about the potential privacy implications of widespread implementation of

this technology. While the privacy implications of this technology are certainly important

considerations, there are a number of other important legal and business issues that must be taken

into account by any organization thinking about implementing an RFID system. This paper will

begin by describing RFID, what it is, how it works and where it is being used, and will then

proceed to discuss the various business and legal issues that must be considered by any

organization looking to implement RFID.

2. What is RFID?

The term “RFID” has become a general term used to describe sensory technology that uses radio

waves to scan and identify separate and distinct items.1 This type of sensory technology has

been around since World War II, where transponders were installed in Allied forces fighter

planes. Allied forces could read the radio waves transmitted by these transponders attached to

the planes in order to distinguish Allied aircraft from enemy aircraft.2 This technology is now a

basic component of all aircraft, both military and civilian, and following the war, was used in a

variety of other military applications.3

1 Information and Privacy Commissioner/Ontario, Tag, You’re It: Privacy Implications of Radio Frequency Identification (RFID) Technology by Ann Cavoukian, Ph.D. (Toronto: Information and Privacy Commissioner/Ontario, 2004) at 3.
2 Ibid.
3 Ibid.

Today, RFID technology is being heralded as the replacement for bar code technology. Bar

codes are a generic product identification technology.4 By contrast, one advantage of an RFID

system over bar code technology is that each specific individual item will have its own specific

individual “code”.5 As a result, information can be gathered about each individual item and each

individual item can be tracked. As well, as RFID systems are powered by electromagnetic fields,

the information can be collected and transmitted in harsh environmental conditions and across

long distances, instead of having to be directly scanned, as with bar codes.6 For example, in

grocery stores, each brand of detergent has one code which, at the check-out counter, must be

passed across the scanner at a particular angle in order for the data stored on the bar code to be

read. With an RFID system, each box of detergent will have a different code and just bringing

the item past a certain point in the store or through an exit will be sufficient for the data to be

captured. Further, depending on the design of the RFID system, data can be stored and altered

throughout a manufacturing process or a product life cycle.7

There are various types of RFID systems but all are comprised of two basic components: a tag,

which gathers and stores the information, and a reader, which scans the tag and captures the

information.8 The tag itself is composed of three parts: an antenna, a wireless transducer which

can also be linked to a single silicon microchip which functions as the tag’s memory, and some

type of encapsulating material.9 The readers, which may be portable handheld devices or fixed

4 Dr. Patrick Van Eecke & Georgia Skouma, “RFID and privacy: a difficult marriage?” Communications Law, vol. 10, no. 3 (2005) at 84.
5 Supra note 1 at 8.
6 Ibid.
7 Ibid.
8 Ibid. at 4.
9 Ibid.

at strategic points in a store or warehouse facility, read the tag and then transmit the information

to a host computer for storage and analysis.10

One feature which distinguishes types of RFID is whether the tags are active or passive.11

Active tags have their own power source and an active transmitter.12 Because of this individual

power source, these active tags can be read across greater distances.13 As a result, they perform

better but generally have a shorter life cycle, are larger and more expensive than the passive

tags.14 Active tags are good for tracking components, such as in a supply chain management

system,15 or, because of the expense associated with these tags, with products where the tags can

be re-used. In RFID systems that use active tags, the tags may periodically transmit a signal so

that the data stored on the tag may be read by multiple readers located throughout a facility.16

Passive tags, on the other hand, do not have a power source nor an individual transmitter on the

tags themselves.17 Because of this, the tags are dependent on readers for their power18 and

therefore, have less range and the ability of the readers to capture the information stored on

the tags is more susceptible to environmental conditions.19 Passive tags are less expensive and

are better suited than active tags to mass single-use applications, such as to be used to replace the

bar codes on individual consumer items.20

10 Ibid. at 7.
11 Ibid. at 5.
12 Ibid.
13 Ibid.
14 Ibid.
15 Ibid.
16 Ibid.
17 Ibid.
18 Ibid. at 7.
19 Ibid. at 5.
20 Ibid.

Tags may also contain an integrated circuit chip, which enables the data to be stored on the tag

and transmitted to the readers.21 Even small tags with integrated circuit chips can store 96-bits of

data, as opposed to tags without chips, which, while less expensive to manufacture, can generally

only store up to 24-bits of data.22 “Chipless” tags usually have sufficient memory for internal

applications, such as tracking items within a manufacturing facility.23 However, “chip” tags will

likely be required for use in a retail setting. This is because in a large retail setting the tags will

be required to have enough memory to store a large identification number so that each individual

item can be uniquely identified by any one of a number of readers located throughout a store.24

96-bits of data is reportedly enough to store the name of the item and of the manufacturer, and an

individual product code assigned to the item from a trillion possible different combinations.25

For a company’s internal use, such as along an assembly line, less information will likely be

required to be stored on a tag in order for that item to be uniquely identified and tracked within

the warehouse.

Another distinction in the design of tags in RFID systems is whether the tags are inductively or

conductively coupled.26 As mentioned above, passive tags are powered by an electromagnetic

field produced by the readers. In an inductively coupled tag, the tag’s antenna is made from a

copper or aluminium coil, and this antenna receives the electromagnetic energy produced by the

reader and then, through its transducer, uses that energy to retrieve or send its data back to the

reader.27 Tags which are conductively coupled employ conductive ink, eliminating the need for

21 Ibid.
22 Ibid.
23 Ibid.
24 Ibid.
25 Ibid.
26 Ibid. at 6.
27 Ibid.

an antenna.28 These tags can still transmit data to the reader but only within a very limited

range.29 However, without the antenna, these tags are much more durable and less expensive to

manufacture than their inductively coupled counterparts.30

The final feature of a tag is that it can either be read-only or can have the ability to be written to

as well. Read-only tags have a memory chip with the product’s identification code imprinted on

it, either at the time the tag is manufactured or when a tag is allocated to the specific item.31

Read-only tags are less expensive to make and are usually used in passive tags.32 On the other

hand, tags that can be written to have the capacity to have their memory changed many times,

and as a result, these types of tags are more versatile but are also more expensive to

manufacture.33

With the variety of types of RFID tags available, the uses for an RFID system are almost

limitless and it is possible that a tag could be imbedded into almost any “thing”, from a dress to a

dollar bill to a person.

3. Uses of RFID Technology

Replacing bar codes in grocery stores is only one of the many uses for RFID technology. While

RFID technology has recently been garnering much attention, this technology has been in use, in

various forms, throughout Canada and the rest of the commercial world for a number of

years.

28 Ibid.
29 Ibid.
30 Ibid.
31 Ibid.
32 Ibid.
33 Ibid.

3.1 Potential Uses of RFID Technology

Plainly put, the potential use for RFID technology is enormous, and many public and private

sector organizations are either using or planning to use RFID technology for the following

purposes:

(a) Supply Chain Management – i.e. monitoring and controlling the flow of goods
from raw materials through to finished products, from manufacturer;

(b) Product Integrity – i.e. ensuring that products, such as pharmaceuticals, are
authentic and have not been altered in any way;

(c) Warranty Services – i.e. marking durable goods with a tag incorporating a product
registration code to facilitate warranty services;

(d) ID, Travel and Ticketing – i.e. providing a means to verify the identity of the
traveler and to ensure that the documents are genuine;

(e) Baggage Tracking – i.e. monitoring and controlling the movement of baggage
from check-in to loading on an airplane; and

(f) Patient Care and Management – i.e. providing a means to rapidly and accurately
verify information concerning patient allergies, prescription history, etc. to
prevent surgical errors.34

3.2 Canada

One of the most widely used implementations of RFID systems in Canada is “easy-pay”

systems. Gas companies, like Shell and Imperial Oil, use RFID tags in their easy-pay systems,

eliminating the need for cash or credit cards at the gas pumps.35 The “Dexit” fast pay system36

34 Office of the Privacy Commissioner of Canada, Fact Sheet, “RFID Technology” (5 March 2006) at 2.
35 Supra note 1 at 12.

used in a number of food courts in the financial district in Toronto is another example of an easy-

pay system. The tags (which are often referred to as “fobs”) store information about the

consumer and hold a balance of money. The readers, located at the cash registers, read the tags

and automatically deduct the price of the purchased item from the balance on the tag. Another

common use for RFID systems is in workplace access cards.37 The cards can generally be read

through pockets and wallets, illustrating the strength and range capabilities of this technology.

Another example of RFID technology being used in Canada is the technology used to charge

users of the Highway 407 toll road in Ontario.38 The tag is the pass drivers place on their

dashboards or hang from their rear-view mirrors and readers are placed at every on and off-ramp

to the toll road. The electromagnetic field generated by the readers captures the driver’s

information stored on the tag as the car enters onto and exits from the highway. This system

works in fog, rain and snow, illustrating the effectiveness of this technology for use in harsh

environmental conditions and in situations where the readers are required to be located at

significant distances from where the tags will pass.

Following the “mad cow” crisis in Western Canada, the Canadian Cattlemen’s Identification

Association has recently begun to require all U.S. cattle that graze on Canadian feedlots to be

tagged with an RFID chip that stores the location of each individual cow’s place of birth. All

Canadian cattle were already required to be tagged. The goal of the program is to be able to

36 Michael Burns, “Retailers discover venerable radio technology” The Bottom Line 20:15 (November 2004) (QL).
37 “Privacy in the Workplace: Case Studies on the Use of Radio Frequency Identification in Access Cards” RAND Corporation research brief series, 2005, online: RAND Corporation <http://www.rand.org>.
38 Supra note 1 at 12.

react more quickly to any mad cow scare by being able to quickly identify the origin of the

animal.39

Bell Canada is also currently working with a group of suppliers and retailers, called the “Supply

Chain Network Project” to implement an RFID-enabled supply chain. The project is the first of

its kind in Canada and will help retailers and suppliers better understand how RFID technology

can improve efficiency and decrease costs all the way along the supply chain.40

Interestingly, Canada opened its first “RFID Centre” in Markham, Ontario on September 21,

2005. Formed by several partner organizations (including the Canadian Council of Grocery

Distributors, the Canadian Federation of Independent Grocers, the Canadian Marketing

Association, EPCglobal Canada (GS1 Canada), Food and Consumer Products Canada, IBM

Canada, Intermec Technologies Corp., Symbol Technologies Inc. and Agriculture and Agri-Food

Canada), the Centre was created to enable the Canadian industry to “better understand,

experience, experiment with and test the latest RFID technologies and demonstrate the potential

business case for tracking products”.41 Additionally, the Centre is the first in North America to

demonstrate use of Generation 2 technology which increases RFID applicability and stability to

operate in many different industries and environments.

3.3 International

RFID systems likely have a bright future in retail, where the technology can be used to better

manage the supply chain and keep accurate accounts of inventory levels. Wal-Mart, Albertson’s,

39 Laurie Sullivan, “Canada Expands RFID Policy to Stave Off Mad-Cow Disease” InformationWeek (21 July 2005), online: InformationWeek <http://informationweek.com>.
40 “Bell selected for EPC RFID pilot” CRN Canada (16 October 2005), online: CRN Canada <http://www.crncanada.ca>.
41 “New RFID Centre Opens in Canada” (Press Release) online: <http://www.intermec.com> at 1.

Tesco, Procter & Gamble, Johnson & Johnson, Gillette and Hewlett-Packard have all begun

testing the use of RFID systems to assist with supply chain management.42 Gillette, in

conjunction with retailers Wal-Mart and Tesco in Great Britain, planned to test RFID-embedded

shelves in the stores to assist with better inventory tracking.43 Essentially, the shelves functioned

as the readers that read the tags imbedded in Gillette products placed on the shelves,44 keeping

more accurate and timely accounts of inventory levels. The U.S. Department of Defense has also

been running pilot projects, which would require all of its suppliers to implement this technology

in order to better manage and track its supply orders.45

Wal-Mart has indicated that the use of RFID technology in their supply chain results in

customers being less likely to find items out-of-stock and significantly decreases the time it takes

to re-stock a sold-out item in a store.46 Wal-Mart is one of the biggest proponents of the

technology in the retail sector. Wal-Mart began running pilot projects a number of years ago and

in the fall of 2005 it had more than 130 suppliers imbedding RFID tags in the products shipped

to its distribution centres.47 The retailing giant aims to have implemented the technology

throughout its operations in North America and the United Kingdom by 2007.48

42 See e.g. supra note 1 at 12-13; Alorie Gilbert, “Static over RFID” CNET News.com (13 September 2004), online: CNET News.com <http://news.com.com> (“CNET News”); Cliona Reeves, “I.D. For Food: Radio-Frequency Identification (RFID)” Guelph Food Technology Centre (October 2005), online: GFTC <http://www.gftc.ca> (“GFTC”).
43 Supra note 1 at 12-13.
44 Ibid. Public opposition to the program after it became public that Gillette was taking photographs of customers at the shelves resulted in Wal-Mart cancelling the test project with Gillette and announcing that it would limit the use of the technology to its supply chain.
45 Ibid. See also supra note 36.
46 Gene J. Koprowski, “Retailers Using RFID for Better Holiday Customer Service” CRMBuyer (4 November 2005), online: CRMBuyer <http://www.crmbuyer.com>.
47 Keith Axline, “RFID Fleece Blue-Collar Dollars” Wired News (27 October 2005) online: Wired <http://www.wired.com>.
48 GFTC, supra note 42.

Correctional facilities in the U.S. are also reported to be implementing a high-tech head counting

system using RFID. In these participating facilities, both inmates and corrections officers wear

wristbands imbedded with RFID tags that transmit the location of each inmate and guard every

two seconds.49

In Singapore, RFID technology is being used in libraries to replace bar code technology50 as well

as in hospitals to track cases of Severe Acute Respiratory Syndrome (“SARS”). Alexandra

Hospital in Singapore began issuing cards imbedded with an RFID chip, similar to workplace

access cards, to visitors to the hospital so that a record of whom a patient came into contact with

could be easily produced should that person later come down with SARS.51

Australia is using RFID chips to confirm whether imported pork products have stayed within

specified temperature ranges during shipment.52

In 2004, the Food and Drug Administration in the U.S. approved the VeriChip Personal

Identification System, which includes a tag that can be implanted beneath the skin of humans for

medical purposes.53 The “VeriChip” can be imprinted with an individual’s name, blood type and

details of any medical conditions. While no hospitals have reportedly ordered these chips, the

hope of the manufacturer, Applied Digital Solutions Inc., is that individuals who suffer from

diseases requiring complicated courses of treatment, such as cancer or diabetes, and patients

suffering from deteriorative diseases like Alzheimer’s disease, will implant these chips under the

49 Alan D. Gold, “Tech Developments” Collection of Criminal Law Articles (19 September 2005) (QL).
50 CNET News, supra note 42.
51 Supra note 1 at 14.
52 CNET News, supra note 42.
53 Kim Zetter, “RFID: To Tag or Not to Tag” Wired News (9 August 2005) online: Wired <http://www.wired.com>.

skin on their arms, giving doctors with compatible readers immediate access to the patient’s

medical records.54

3.4 Emerging Uses

RFID technology has a number of advantages over current bar code systems, including that

RFID tags are very small and can be imbedded in almost any product. RFID tags can also be

read from significant distances and in a variety of environmental conditions. Researchers

working in the field of RFID technology are developing systems that are becoming increasingly

small while at the same time becoming more effective and able to capture data across increasing

distances.

Researchers at Corning have recently developed tiny RFID-encoded beads that can be imbedded

in inks to tag currency and other documents or can be added to paints, such as automobile

paint.55 The imbedded paint could be used to track the automobiles throughout the

manufacturing stages or even after the car is driven off of the lot. RFID-tagged currency could

track every transaction in which a particular bill is used. Governments claim that this technology

could be a major breakthrough in fighting money-laundering. In fact, the European Central

Bank is reportedly working on plans to imbed tiny RFID “threads” in high denomination Euro

notes.56

54 “FDA Approves Subdermal RFID VeriChip” RFID Gazette (14 October 2004).
55 Supra note 1 at 9.
56 Supra note 1 at 13. See also Oliver M. Habel, “Legal Issues raised by the RFID Technology in data protection and privacy” CLA 2005 World Computer & Internet Law Congress, Computer Law Association Held May 4 & 5, 2005 at 2 (“Habel”).

Researchers at the University of California in Berkeley are working on developing “smart dust”,

which would be an active, read-write RFID system, all within a cubic millimetre.57 The tiny tags

would each have their own power supply, programmable microprocessor and optical

communication link.58 Another group of researchers is developing what they call “TinyOS”,

which is a complete software operating system comprised of a number of tiny sensors and

requiring very little hardware in order to be operational.59

A company in the United Kingdom is developing a system that will allow a network of fixed and

portable readers to identify tags imbedded in license plates from distances of up to 300 feet.60

This use of RFID technology, and its use in currency and passports, could make this technology

very valuable in the areas of law enforcement and national security.

The healthcare industry is another sector where RFID could be implemented in a number of

ways. As discussed above, RFID systems are already in use in Singapore hospitals to track cases

of SARS. A hospital in California is using RFID tags to prevent newborn babies from being

kidnapped.61 RFID also has the potential to be used to track pharmaceuticals and prevent

tampering with the packaging. A 2004 report issued by the Food and Drug Administration in the

United States encouraged pharmaceutical companies to use RFID tags as a means of tracking

drugs all the way along the supply chain, from the manufacturing facility to the point of purchase

57 Supra note 1 at 9.
58 Ibid.
59 Ibid.
60 Mark Baard, “Brit License Plates Get Chipped” Wired News (9 August 2005) online: Wired <http://www.wired.com>.
61 Vawn Himmelsbach, “Panel explores the untapped possibilities for RFID” Computing Canada, vol. 31, no. 15 (28 October 2005) online: itbusiness.ca <http://itbusiness.ca>.

as a means of reducing tampering and counterfeiting.62 Pfizer Inc. began using RFID tags in all

shipments of Viagra in the United States on December 15, 2005 in an effort to detect counterfeit

pills.63

RFID tracking systems are also considered by governments to be very useful in national security.

The U.S. is planning on introducing RFID-enabled passports;64 an idea that is also being

considered in Europe and Asia.65 In fact, reports indicate that the U.S. could require all countries

whose citizens do not require visas to enter the United States to begin issuing RFID-enabled

passports by the fall of 2006.66 This would mean that Canada would also likely be required to

begin looking into these developments.

4. Implementation Issues

While there have been great advances in RFID technology over the last number of years, the

cost of implementing the technology is still prohibitive for most organizations, especially for use

in a mass retail setting. RFID tags currently cost anywhere from $0.20 to $1.00 per tag versus

just pennies for bar codes.67 As well, the readers are also expensive, often priced upwards of

$1000.68 Readers that have been developed in conjunction with the VeriChip cost $650 apiece

and the high expense is being cited as one of the major reasons for the lack of implementation of

62 Jerry Brito, “Relax Don’t Do It: Why RFID Privacy Concerns are Exaggerated and Legislation is Premature” (2004) UCLA J. L. Tech. 5.
63 Javad Heydary, ed., “To Fight Counterfeits Pfizer Inserts RFID Tags in Viagra Packages” Laws of .Com: E-Business, Privacy & Technology Law Journal, vol. IV, issue 1 (12 January 2006), online: Laws of .Com <http://www.lawsof.com>.
64 Bruce Schneier, “Fatal Flaw Weakens RFID Passports” Wired News (3 November 2005) online: Wired <http://www.wired.com>.
65 Supra note 61.
66 Ryan Singel, “Airline Tests RFID on the Fly” Wired News (9 August 2005) online: Wired <http://www.wired.com>.
67 Supra note 1 at 10.
68 Supra note 36.

the system by hospitals. The manufacturer has donated 200 readers to trauma centres and

emergency rooms throughout the U.S. in hopes of “jump-starting” the market for their

technology.69

Related to the expense of the tags and readers themselves is the cost associated with replacing,

updating and/or integrating an RFID system with a company’s current information system.70

Replacing the bar code on every consumer item in a store with an RFID tag is only one step. In

order for RFID to be beneficial to an organization, the information being captured must be

capable of analysis and producing results useful to the company’s business.71 The company’s

information system for tracking, collecting and analyzing product or consumer data may have to

be upgraded or replaced with RFID integration software. Additionally, a company’s supply

chain management system is often connected with the information systems of its suppliers

or business partners. Implementing an RFID system can thus be costly and can have significant

impacts on current information systems infrastructure for both the company and any organization

linked to that company’s system.72 Proponents of RFID argue that these costs can be offset by

RFID through a better streamlined supply chain and general improvements in business processes

and access to consumer and product information.73

Another issue preventing widespread implementation of this technology was, until recently, a

lack of industry standards to be used in the creation of RFID-enabled software. Experts reported

that the main problem was that a variety of different protocols were governing the

69 “FDA Approves Subdermal RFID VeriChip”, RFID Gazette (14 October 2004), online: RFID Gazette: <http://www.rfidgazette.com>. See also Rob Stein, “Implantable Medical ID Approved by FDA” The Washington Post (14 October 2004), online: The Washington Post <http://www.washingtonpost.com>.
70 John S. Webster, “Hope & Hesitation” ComputerWorld (2 January 2006) at 35.
71 Ibid.
72 Ibid.
73 Ibid.

electromagnetic communication between the tags and the readers.74 Developing one standard

protocol will result in any reader utilizing the standard being able to recognize and read any tag

using the standard, regardless of its manufacturer.75 Instead of the readers being designed so that

they can be programmed to match any number of tags, which requires new software upgrades

every time a new tag is introduced into the market, all tags and readers will be compatible

internationally.76 In September of 2003, the Electronic Product Code (the “EPC”) was

introduced and was touted as “creating an Internet of things”.77 This standard went far beyond

the Universal Product Code (the “UPC”) commonly used in bar codes.78 A number of

organizations have been working to create standards. The Massachusetts Institute of Technology

Auto-ID Center, which was financed by a number of corporate partners, was formed to develop an

RFID tag suitable and appropriately priced for use in a mass retail setting.79 It was this lab that

was responsible for the early development of the technology and was working towards the

creation of the royalty-free EPC standard.80 This code can link an object to a person and can

uniquely identify one object from another: two of the most significant advantages of RFID as

compared to standard bar code technology.81
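
The difference between a class-level bar code and an item-level 96-bit tag can be shown with SGTIN-96, one of the encodings in GS1's EPC Tag Data Standard. This is an added example, not part of the original paper: the bit layout is taken from that standard rather than from the paper, and the tag values are constructed sample data.

```python
"""SGTIN-96 codec: added example, not from the paper. Field layout follows the
GS1 EPC Tag Data Standard (an assumption here; the paper gives no bit layout)."""

SGTIN96_HEADER = 0x30   # 8-bit header that marks an EPC as SGTIN-96
SERIAL_BITS = 38        # per-item serial: 2**38 distinct values per product

# partition value -> (company-prefix bits, digits, item-reference bits, digits)
PARTITIONS = {
    0: (40, 12, 4, 1), 1: (37, 11, 7, 2), 2: (34, 10, 10, 3), 3: (30, 9, 14, 4),
    4: (27, 8, 17, 5), 5: (24, 7, 20, 6), 6: (20, 6, 24, 7),
}


def gtin_check_digit(body: str) -> int:
    """GS1 mod-10 check digit: weights 3,1,3,... starting from the rightmost digit."""
    total = sum(int(d) * (3 if i % 2 == 0 else 1) for i, d in enumerate(reversed(body)))
    return (10 - total % 10) % 10


def encode_sgtin96(filter_value: int, company_prefix: str, item_ref: str, serial: int) -> str:
    """Pack the fields into 96 bits and return 24 hex digits.

    item_ref is the indicator digit followed by the item reference digits.
    """
    if not (company_prefix.isdigit() and item_ref.isdigit()):
        raise ValueError("company prefix and item reference must be decimal strings")
    partition = next((p for p, row in PARTITIONS.items() if row[1] == len(company_prefix)), None)
    if partition is None or len(item_ref) != PARTITIONS[partition][3]:
        raise ValueError("prefix/item lengths do not match any SGTIN-96 partition")
    if not 0 <= filter_value < 8 or not 0 <= serial < (1 << SERIAL_BITS):
        raise ValueError("filter or serial out of range")
    cp_bits, _, ir_bits, _ = PARTITIONS[partition]
    value = SGTIN96_HEADER
    for field, width in ((filter_value, 3), (partition, 3), (int(company_prefix), cp_bits),
                         (int(item_ref), ir_bits), (serial, SERIAL_BITS)):
        value = (value << width) | field
    return f"{value:024X}"


def decode_sgtin96(epc_hex: str) -> dict:
    """Split a 96-bit EPC into manufacturer, product class and per-item serial."""
    if len(epc_hex) != 24:
        raise ValueError("SGTIN-96 is exactly 96 bits (24 hex digits)")
    value = int(epc_hex, 16)

    def take(offset: int, width: int) -> int:
        # offset counts bits from the most significant end of the 96-bit word
        return (value >> (96 - offset - width)) & ((1 << width) - 1)

    if take(0, 8) != SGTIN96_HEADER:
        raise ValueError("not an SGTIN-96 header")
    partition = take(11, 3)
    if partition not in PARTITIONS:
        raise ValueError("reserved partition value")
    cp_bits, cp_digits, ir_bits, ir_digits = PARTITIONS[partition]
    cp, ir = take(14, cp_bits), take(14 + cp_bits, ir_bits)
    if cp >= 10 ** cp_digits or ir >= 10 ** ir_digits:
        raise ValueError("field value exceeds its decimal width")
    company_prefix, item_ref = str(cp).zfill(cp_digits), str(ir).zfill(ir_digits)
    # GTIN-14 = indicator digit + company prefix + item reference + check digit
    body = item_ref[0] + company_prefix + item_ref[1:]
    return {
        "filter": take(8, 3),
        "company_prefix": company_prefix,            # identifies the manufacturer
        "item_ref": item_ref,                        # identifies the product class
        "serial": take(58, SERIAL_BITS),             # identifies this one item
        "gtin14": body + str(gtin_check_digit(body)),  # what a bar code would carry
    }


def same_product_distinct_item(epc_a: str, epc_b: str) -> bool:
    """True when two tags share a GTIN (identical bar codes) but differ in serial."""
    a, b = decode_sgtin96(epc_a), decode_sgtin96(epc_b)
    return a["gtin14"] == b["gtin14"] and a["serial"] != b["serial"]


if __name__ == "__main__":
    # Constructed sample: two boxes of the same product with consecutive serials,
    # using the placeholder company prefix common in GS1 documentation.
    box_1 = encode_sgtin96(3, "0614141", "812345", 6789)
    box_2 = encode_sgtin96(3, "0614141", "812345", 6790)
    for epc in (box_1, box_2):
        print(epc, decode_sgtin96(epc))
    print("same product, distinct items:", same_product_distinct_item(box_1, box_2))
```

Both sample tags decode to the same GTIN-14, which is all a bar code would reveal; only the serial field distinguishes one box from the other, and that field is what makes item-level tracking possible.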

Recently, EPCglobal Inc., the New Jersey-based RFID standards-setting body (“EPCglobal”)

connected with the Uniform Code Council, which took over the standards development project

74 CNET News, supra note 42.
75 Ibid.
76 Ibid.
77 Supra note 1 at 11.
78 Ibid.
79 Ibid.
80 CNET News, supra note 42.
81 Supra note 1 at 11.

from the MIT Auto-ID Center in 2003,82 implemented the Generation 2 RFID standard (the “Gen

2 standard”). This standard was ratified in December of 2004 and mandates RFID systems to

have a 96-bit memory, better encryption and an ability for the tags to be permanently

deactivated.83 EPCglobal continues to work towards devising standards in order to

commercialize the technology.84

Additionally, the use of open source code is an important component in the development of most

new technology and RFID is no exception. Unfortunately, disputes over patents that are

considered “essential” to the creation of an RFID solution utilizing the Gen 2 standard may

continue to stall widespread implementation of this technology. The RadioActive Foundation is

in the design phase of three open source projects.85

One of the most significant issues facing the implementation of RFID relates to privacy. Many

consumers and privacy advocates are wary of the ability of the technology to link a specific

product to a specific individual without that individual’s knowledge or consent and for the

tracking of the product to continue beyond the supply chain. In fact, consumer protests about

this issue have been effective in preventing a number of companies from even implementing

pilot RFID projects.86

82 Harold E. Davis & Michael S. Leuhlfing, “Technology: Radio Frequency Identification: The Wave of the Future” (2004) 11-04 J.A. 43 at 48-49.
83 Joanna Glasner, “RFID: The Future is in the Chips” Wired News (16 August 2005) online: Wired <http://www.wired.com>.
84 CNET News, supra note 42.
85 Supra note 61.
86 See e.g. supra note 1 at 15. As discussed earlier, public outcry resulted in Wal-Mart cancelling its “smart shelf” trials with Gillette. Consumer opposition also caused the Benetton Group to cancel plans to imbed RFID tags into its clothing.
- 17 -

5. Legal Concerns Surrounding RFID

5.1 Privacy

(a) Initial Concerns

Notwithstanding the current status of the implementation of RFID or current practices, certain

aspects of the technology have been seen by privacy advocates as posing a threat to individual

privacy. While the use of RFID technology purely for internal supply chain management

purposes or to track products along the assembly line are generally thought to be harmless

propositions, the use of the technology to link a product to an individual consumer and to collect

personal information about that consumer has many privacy watch groups very troubled.87

These concerns include:

Surreptitious collection of information. Plainly put, RFID tags are so small that they can

be embedded into/onto objects and documents without the knowledge of the individual

who obtains those items. Moreover, given that radio waves can travel easily and silently

through fabrics, plastics and other materials, RFID tags can be sewn into clothing or

affixed to objects contained in purses, suitcases, shopping bags, etc. Also, since tags can be

read from a distance, readers can be incorporated virtually invisibly into environments

where people and items congregate, with the net result that it may not be readily apparent

that RFID technology is in use, making it virtually impossible for a consumer to know

when she/he is being “scanned”.88

87 Supra note 1 at 15. See also supra note 83.
88 Supra note 34 at 2.

Tracking an individual’s movements. Privacy advocates worry that individuals can be

tracked through tags embedded in clothing and vehicles and a sufficiently dense network

of readers, possibly using a combination of RFID and Global Positioning System

technology. If the tags can be associated with an individual, then by that association the

individual’s movements can be tracked. For example, a tag embedded in an article of

clothing could serve as an identifier for the person wearing it, and while the information

regarding the tagged item remains generic, identifying the items people wear or carry

could associate them, for example, with attendance at particular events such as political

protests or rallies.89

Profiling of individuals. Unlike barcodes, where a bottle of soda has the same barcode as

all other bottles of soda of that particular brand, RFID technology potentially enables

every object to have its own unique ID. The use of the unique ID could lead to the

creation of a global item registration system in which every physical object is identified

and linked to its purchaser or owner at the point of sale or transfer. Further, if these

unique identifiers are then additionally associated with an individual, such as by linking

through a credit card number, for example, then a profile of that individual’s purchasing

habits can be easily created.90

Secondary use (particularly from the perspective of limiting or controlling such use).

There is also great concern that the creation of profiles and the tracking of movement can

reveal a great deal of additional information. To name just one example, the linking of a

89 Ibid.
90 Ibid.

person’s personal information, such as a medical prescription or personal health history,

could have an adverse impact upon the availability of insurance or employment.91

Massive data aggregation. Lastly, RFID deployment requires the creation of massive

databases containing unique tag data. These records could be linked with personal

identifying data, especially as computer memory and processing expand in capacity and

capability. Privacy advocates worry that this, in turn, could facilitate any of the practices

listed above.92

Given the above scenarios, privacy groups are also concerned that privacy legislation and the

common law lag behind the advancements in the technology.93 Currently, relevant legislation

that would apply in this area is as follows:

(b) Privacy Legislation in Canada

Federal government institutions are regulated in their collection, use and disclosure of personal

information by the Privacy Act.94 However, the federal Personal Information Protection and

Electronic Documents Act95 applies to all federal works, undertakings or businesses and to all

private sector organizations regulated by provinces that do not have substantially similar private

sector privacy legislation. Only Alberta, British Columbia and Quebec have legislation that has

been declared substantially similar to PIPEDA and that legislation governs private sector

91 Ibid.
92 Ibid.
93 Karen Kavanaugh, “Law and Technology Institute keeps the legal community abreast on innovation” The Lawyers Weekly 25:5 (3 June 2005) (QL). See also Chad Kopach, “Radio Frequency Identification Devices: Big Brother is Watching” Ontario Bar Association, Young Lawyers’ Division 12:1 (August 2004).
94 R.S. 1985, c. P-21.
95 2000, c. 5 (hereinafter, “PIPEDA”).

organizations regulated under provincial law in those provinces.96 PIPEDA, however, applies to

federal works, undertakings or businesses that operate in those provinces.

PIPEDA, and the substantially similar provincial legislation, consider “personal information” to

be information about an identifiable individual97 and apply to the collection, use and disclosure

of personal information in the course of a commercial activity. All four pieces of legislation

apply similar principles,98 including: (i) mandating that personal information may only be

collected, used or disclosed with the knowledge and consent of the individual; (ii) limiting the

collection of personal information to what is necessary for identified purposes; and (iii)

mandating that personal information be collected by fair and lawful means. Additionally,

personal information must be protected by adequate safeguards and individuals must be able to

easily access information about an organization’s privacy policies and practices. RFID

technology which captures information that can be linked to an identifiable individual would

trigger an organization’s obligations under these legislative principles.

The Privacy Commissioner of Canada (or of British Columbia, Alberta or Quebec, as the case

may be) is responsible for overseeing the privacy legislation in his or her jurisdiction and

addressing complaints that an individual’s privacy rights, as protected under the legislation, have

been violated.99 Where an individual believes that their privacy rights have been violated by a

commercial organization, they may complain to the Privacy Commissioner in the appropriate

96 Personal Information Protection Act (Alberta), S.A. 2003, c. P-6.5 (the “Alberta PIPA”), Personal Information Protection Act (British Columbia), S.B.C. 2003, c. 63 (the “B.C. PIPA”), An Act respecting the protection of personal information in the private sector, R.S.Q., c. P-39.1 (the “Quebec PIPA”) (collectively, the “PIPAs”). Please also note that in Ontario, the Personal Health Information Protection Act, 2004, S.O.2004, c. 3 (“PHIPA”) was also declared to be substantially similar to PIPEDA. PHIPA applies to personal health information.
97 Supra note 95 at s. 2; Alberta PIPA, supra note 96 at s. 1; B.C. PIPA, supra note 96 at s.1; Quebec PIPA, supra note 96 at s. 2.
98 See generally supra note 95 and supra note 95.
99 Office of the Privacy Commissioner of Canada, Fact Sheet, “Questions and Answers regarding the application of PIPEDA, Alberta and British Columbia’s Personal Information Protection Acts (PIPAs)” (5 November 2004).

jurisdiction.100 Generally, the role of the Commissioners is to facilitate the resolution of

complaints through persuasion, negotiation and/or mediation.101 However, the Commissioners

have a variety of powers as part of the investigative responsibilities under the applicable privacy

legislation, including the power to compel the production of evidence.102 The Commissioners may

investigate complaints and issue reports. Violations of these private sector privacy laws can

result in an organization being ordered to comply with the legislation and/or correct its

information management practices. Additionally, monetary damages and/or fines can be

imposed.103 Under PIPEDA, complainants may bring an action before the Federal Court in

relation to a matter addressed in the Commissioner’s report.104 Where the Commissioner in

Alberta or British Columbia has found an organization to be in violation of the legislation, its

order can be the basis for a civil cause of action against the organization by the complainant.105

In Quebec, orders of the Commissioner can be appealed to the Quebec Superior Court.106

(c) Other Applicable Canadian Legislation

In addition to the substantially similar provincial PIPAs, each of the provinces and territories in

Canada has legislation that governs the collection, use and disclosure of personal information

by government organizations and departments.107 Additionally, a number of provinces have

100 Supra note 895 at s. 11; Alberta PIPA, supra note 96 at s. 46(2); B.C. PIPA, supra note 96 at s. 46(2); Quebec PIPA, supra note 96 at s. 42.
101 Canada, Office of the Privacy Commissioner of Canada, Your Privacy Responsibilities: Canada’s Personal Information Protection and Electronic Documents Act (Ottawa, March 2004) at 19. See also supra note 99.
102 Supra note 95 at s. 12(1); Alberta PIPA, supra note 96 at s. 38; B.C. PIPA, supra note 96 at s. 38; Quebec PIPA, supra note 96 at s. 51, 81.
103 Supra note 95 at s. 13, 16; Alberta PIPA, supra note 96 at s. 52, 59; B.C. PIPA, supra note 96 at s. 52, 56; Quebec PIPA, supra note 96 at s. 55, 91.
104 Supra note 95 at s. 14.
105 Alberta PIPA, supra note 96 at s. 60; B.C. PIPA, supra note 96 at s. 57.
106 Quebec PIPA, supra note 96 at s. 61.
107 Office of the Privacy Commissioner of Canada, Fact Sheet, “Privacy Legislation in Canada” (17 December 2004).

legislation dealing with personal health information collected and used by health care providers

and related government departments.108

Further, the Bank Act109 regulates the collection, use and disclosure by federally-regulated

financial institutions of all personal financial information. Similarly, most provinces have

legislation governing the collection, use and disclosure of consumer credit information by credit

agencies.110

An organization will have to be aware of the requirements under any and all legislation that

applies to its particular industry and specific application of RFID technology.

(d) International Privacy Law

The Data Protection Directive of the European Parliament (the “Directive”) has been adopted by

25 member nations111 and, similar to PIPEDA, only applies where personal data is processed.112

Australia’s Privacy Act 1988113 also applies to information collected where the identity of the

individual is apparent or can reasonably be ascertained. However, similarly to the Privacy

Act114, the U.S. Privacy Act of 1974 applies only to government institutions.115

108 Ibid.
109 S.C. 1991, c. 46. See also supra note 107.
110 Supra note 107. See e.g. infra note 121.
111 See Status of Implementation of Directive 95/46 on the Protection of Individuals with regard to the Processing of Personal Data, online: European Union’s area of freedom, justice and security <http://europa.eu.int>.
112 Supra note 4 at 85.
113 Privacy Act 1988 (Cth), s. 6(1).
114 Supra note 94.
115 John M. Eden, “When Big Brother Privatizes: Commercial Surveillance, the Privacy Act of 1974, and the Future of RFID” (2005) Duke L. & Tech. Rev. 20.

Certain groups are in favour of enacting legislation specifically applicable to RFID technology.

Legislation applying specifically to RFID has been proposed in a number of states in the U.S.116

A bill was introduced in California entitled the “California Identity Information Protection Act of

2005”. This bill, which, while referred back to the Committee on Appropriations at the end of

June of 2005,117 was believed to be the furthest reaching of its kind,118 and would have prevented

the use of RFID chips in any state-issued identification, such as driver’s licenses, health cards

and school ID cards, and would have made the unauthorized reading of RFID tags a crime.119

(e) Canadian Common Law

The common law in Canada has not been particularly responsive to advancements in these types

of automatic identification technology.120 While not directly related to RFID, a recent Ontario

Superior Court of Justice decision discussed the common law approach in Canada to invasions of

privacy. The recent decision in Somwar v. McDonald’s Restaurants of Canada Ltd.121 reviewed

a claim for invasion of privacy resulting from the defendant conducting an unauthorized credit

check on the plaintiff.122 The court relied on the Ontario Consumer Reporting Act, which

governs the collection and release of information relating to consumers’ income, debts, cost of

living obligations and assets, in deciding that the plaintiff’s privacy had been invaded.123 The

Court rejected the defendant’s Rule 21 motion for determination that the plaintiff’s statement of

116 Supra note 60.
117 California Office of Privacy Protection, Current Privacy Legislation, online: Bill Information <http://www.leginfo.ca.gov/bilinfo.html>.
118 Supra note 62.
119 Kim Zetter, “State Bill to Limit RFID” Wired News (29 April 2005) online: Wired <http://www.wired.com>.
120 Supra note 62.
121 [2006] O.J. No. 64 (QL) (“Somwar”). For a review of the decision, see e.g. Javad Heydary, ed., “Does Ontario Law Recognize the Tort of Invasion of Privacy?” Laws of .Com: E-Business, Privacy & Technology Law Journal, vol. IV, issue 3 (9 February 2006), online: Laws of .Com <http://www.lawsof.com>.
122 Somwar, ibid. at para. 3.
123 Ibid. at para. 7.

claim contained no reasonable cause of action on the basis that it was not clear that a breach of a

statute cannot give rise to liability where the elements of tortious responsibility have been

established.124 In its reasons, the Court also explained that the common law is unclear as to

whether the tort of invasion of privacy exists in Ontario.125 Other provinces have created a

statutory tort of invasion of privacy; however, Ontario has not created such a statutory remedy.126

Further, the Canadian Charter of Rights and Freedoms recognizes an individual’s right to

privacy in section 8 in the context of unreasonable search and seizure.

5.2 Privacy Law as it Applies to RFID

Canadian private sector privacy legislation, like PIPEDA, will apply to particular

implementations of RFID technology where an individual can be linked to the information

captured by the technology for the following reasons:

• chips, which can have personal information written to them, are repositories of personal

information;

• tags with unique identification numbers, which can be associated with an individual, are

unique identifiers or proxies for that individual; and

• information about possessions or purchases, which is captured by an RFID system and then

stored in a database that can manipulate or process the information to compile personal

profiles of individual consumers, is personal information, whether gathered through multiple

124 Ibid. at para. 41.
125 Ibid. at para. 22.
126 Ibid. at para. 28.

visits to a facility or organization, or through access to the database of RFID purchase

information.127

In order to comply with any of the applicable privacy legislation in Canada, any organization

implementing RFID that collects personal information must ensure transparency in its use of this

technology. The organization must inform individuals of the presence of the tags and readers

and their locations and whether the tags are active or will become active.

The application of privacy legislation to RFID technology depends on whether information about

an identifiable individual will be collected or whether the technology is merely going to be used

to track products. One reason cited by consumer groups for differentiating between these two

applications of RFID systems is that once a tagged product has been purchased and removed

from the point of purchase by a consumer, the product becomes the

property of the consumer, and a tag that continues to be active (especially if the consumer is not

aware of the tag and its functions) could be viewed as an invasion of privacy.128 When a tag is

being used within a facility or along the supply chain, the product is still the property of the

manufacturer and it is likely not being used to collect information about an identifiable

individual consumer. Additional concerns stem from the ability of anyone with a compatible

reader to then be able to read a RFID-tagged product.129

The use of RFID in the supply chain provides companies with the ability to better manage their

inventory without linking the product to personal information. These uses of the technology will

have positive effects for an organization without invading consumers’ informational privacy.

127 Supra note 34 at 3.
128 Supra note 1 at 19.
129 Ibid. at 15.

RFID systems, like those used in easy-pay systems, are linked directly to consumers, but, as with

any loyalty program, the consumer must register for the program and consent to the collection of

his or her personal information,130 thereby complying with the knowledge and consent principle

of privacy legislation. Unless the RFID-enabled tracking system has some way of linking the

item to the individual, an individual’s privacy will likely not be invaded, even if the tag is still

active once the individual removes the product from the store shelves.

Protection of personal informational privacy will become more important as the technology

becomes smaller, more discreet and able to transmit across greater distances.131 As a result,

privacy advocates are concerned with the ability of organizations to embed tags into objects

without the knowledge of the purchaser. As readers do not require a line of sight in order to be

able to capture the information stored on the tags, the tags could be read from a distance through

clothing or other material.132 The concern is that, as a result, individuals could be tracked

without their knowledge. As more and more consumer products and personal items, like

passports and money, are imbedded with RFID tags, the more possible it is that anyone with a

reader, not just the organization that manufactured or sold the product, will be able to capture

information stored on any one of these numerous tags.133 However, regardless of the number of

products that are imbedded with RFID chips, there has to be a system in place capable of linking

the information to an individual and compiling and analyzing that data.

Companies will have to inform consumers, who themselves will have to be vigilant about staying

informed, about the products that contain tags, the location of the tags and readers, and the

130 Supra note 62.
131 Supra note 1 at 16.
132 Supra note 34.
133 Supra note 1 at 15.

purpose of any RFID systems being used. Efforts at devising standards for the development of

RFID, which, as mentioned above, includes features such as the ability of a tag to be

permanently deactivated after use, as in the Gen 2 standard, demonstrate a commitment to the

continued development of this technology with the protection of individual privacy as a key

concern.

Privacy watch groups recommend that the use of RFID-enabled technology be developed with

the three principles of informational privacy protection kept in mind. These three principles are

(i) notice and consent, (ii) choice, and (iii) control.134 As with any customer loyalty or rewards

program,135 consumers must be given notice of and consent to the program, be informed of what

information is being collected and how that information will be used. These programs should be

optional and an individual can opt in (and out) at any time without incurring any costs. Control

would also come in the form of consumers being able to choose to have their personal

information kept separate from the identity of the product.136 Additionally, following the

obtainment of the consumers’ consent, the collectors of such information will still be obliged to

limit the collection, use and disclosure for purposes that a reasonable person would consider

appropriate under the circumstances, and individuals must still retain their right to see the

personal information that is gathered and held about them, and to correct any inaccuracies.

134 Ibid. at 20.
135 Supra note 62.
136 Supra note 1 at 20.

(a) Fair Information Practices

The International Conference of Data Protection & Privacy Commissioners adopted a resolution

on RFID in November of 2003.137 This resolution highlighted the importance of respecting

privacy where the tags are linked to personal information. This resolution is also based on the

international Fair Information Practices,138 which set out the minimum privacy standards that

apply to the collection of all personal information. The three principles highlighted in the

previous paragraph are only part of the Practices (which are consistent with the principles

forming the foundation of the private sector privacy laws in Canada139) and which also include

the following elements:

• placing limits on the collection of personal information by way of lawful and fair means with

the knowledge and consent of the consumer;

• any personal information collected should be relevant, accurate, complete and up-to-date;

• the data collected should be for a specific and current purpose, and should not be disclosed

other than for that purpose except with consent or as required by law;

• safeguards should be in place to protect the collected information;

• companies should be open about their policies for the collection and use of the personal

information;

137 Ibid. at 24.
138 Ibid. at 20.
139 Supra note 95; supra note 96.

• individuals should be given access to the information relating to themselves to ensure it is

accurate; and

• measures should be in place to ensure companies are held accountable for their collection and

use of personal consumer information.140

Researchers and commentators in the field of RFID technology are discussing including features

in tags to prevent unwanted collection of personal information, such as having cashiers ask

customers whether they would like the tags deactivated at the point of purchase or requiring

consumers to ask for the tags in the products to be deactivated.141 Unfortunately, both of these

solutions rely on consumers and employees being informed about the system and could be

cumbersome in a busy retail environment.

Additionally, an RFID blocker tag is being developed that would block the electromagnetic field

emitted by readers and prevent the capture of the data stored on the tag.142 While this solution

may be effective, it would be costly and would place the onus solely on the consumer. A more

popular solution with privacy advocates includes installing “kill switches”143 in the tags, so that

such tags will be permanently deactivated once a customer exits the store. This solution is

supported by the MIT Auto-ID Center and has been adopted by several producers of RFID

tags.144 However, none of these solutions conforms to the “notice and consent” principle of

informational privacy.

140 Supra note 1 at 20-21.
141 Ibid. at 19-20.
142 Ibid. at 18-19.
143 Ibid. at 19.
144 Ibid.

A paper released by the Electronic Privacy Information Center (“EPIC”) has expanded on the

Fair Information Practices specifically as they relate to RFID technology.145 This position paper

concludes that retailers should be prevented from forcing consumers into accepting live or

dormant tags in products and, without the informed written consent of consumers, they should

not be able to track the consumer. As well, the group suggests that consumers should be allowed

to use any means available to detect and disable tags in products they purchase. The group is

also opposed to the use of RFID technology in personal items, such as money, on the basis that it

will eliminate the current anonymity associated with such objects.146

Adherence to the principles of privacy will enable organizations to implement RFID technology

in ways that will have beneficial results for their business without alienating their consumers by

invading their privacy.

5.3 Intellectual Property Infringement

As with any technology, patent infringement and disputes over patents are issues that users of the

technology must bear in mind. Currently, it is unclear whether it is possible to develop an RFID

system using the Gen 2 standard without infringing any one of the 140 RFID patents Intermec

Technologies Corp. (“Intermec”) claims to own.147 Intermec sells a variety of RFID products,

including tags, readers, RFID-encoded labels and printers.148

145 Ibid. at 21.
146 Ibid. at 21-22.
147 Kenneth A. Adler, “RFID Technology and Intellectual Property May Be an Ever-Shifting Legal Landscape” RFID Product News (July/August 2005).
148 Bob Brewin, “Intermec sues Matrics over RFID patent infringement” ComputerWorld (9 June 2004), online: ComputerWorld <http://www.computerworld.com>.

Recently, Intermec claimed that 18 of its patents were “essential” to developing a Gen 2 standard

compatible RFID system. Initially, it was prepared to donate five of these “essential” patents on

a royalty-free basis, while offering licenses for an additional nine. However, EPCglobal

reportedly was of the opinion that none of Intermec’s patents were, in fact, essential for the

implementation of the Gen 2 standard. Following this announcement, Intermec revoked its

original offer and now requires any company looking to utilize the Gen 2 standard in

implementing an RFID system to negotiate licenses with Intermec on an individual basis.

Intermec claims that because of the number of RFID patents it has registered, no company would

be able to design a functioning RFID system based on the Gen 2 standard without infringing any

of its patents.149 In fact, Intermec has been involved in law suits with Matrics Inc.150 and Symbol

Technologies Inc.151 (“Symbol”) in the U.S. over RFID patents. Proponents of this technology

believe that these disputes have the potential of derailing widespread implementation of RFID

systems and increasing the cost of the technology, a fact that already prohibits the use of RFID in

mass retail settings.152

On a positive note, Symbol and Intermec agreed on September 12, 2005 to settle much of their

year-long dispute over intellectual property for RFID. Previously, Symbol had acquired Matrics,

which Intermec alleged had infringed on Intermec’s patents. In March, 2004 Symbol had sued

Intermec for patent infringement and at the same time pulled out of an agreement to supply

Intermec with laser-scan engines. Intermec countersued with another patent suit against Symbol.

Under the terms of the settlement, each vendor agreed to license technology from the other and

149 Supra note 147.
150 Supra note 148.
151 “Symbol Sues Intermec for Patent Infringement” RFIDNews (11 March 2005), online: RFIDNews <http://rfidnews.org>.
152 CNET News, supra note 42.

Symbol also agreed to join Intermec’s “Rapid Start” RFID licensing program, which provides

access to various Intermec technologies, including RFID tags and portable readers. Intermec

will gain access to Symbol’s intellectual property through the cross-licensing of Rapid Start.

The companies also agreed to dismiss most of their pending suits against one another and put the

remainder on hold for 90 days while they tried to work out any unresolved intellectual property

issues.153

Despite these patent disputes, a number of companies are continuing to develop and implement

RFID systems, illustrating that companies appear willing to risk the possibility of facing

infringement claims in order to achieve the benefits to their business that RFID heralds. Certain

companies believe that patent disputes are a normal part of setting intellectual property

standards,154 and while many in the industry support the development of a royalty-free interface

standard,155 some companies believe that any royalties will be negligible as compared to the cost

savings generated by implementing the technology.156

5.4 Licensing

Related to the issues surrounding the RFID patents are licensing issues. Following the conflict

over which Intermec patents were essential to the use of the Gen 2 standard, Intermec introduced

its “Rapid Start” RFID licensing program.157 Pursuant to this program, Intermec offered blanket

licenses to its four portfolios of RFID patents. One element of this program, which highlights

another issue related to licensing, is that the agreements signed between Intermec and the

153 S. Lawson, “Symbol, Intermec Settle Most Patent Disputes Over RFID”, Computerworld (September 12, 2005).
154 Ibid.
155 Clint Boulton, “Symbol Strikes Over RFID Patents” Wireless (29 April 2005), online: Internetnews.com <http://www.internetnews.com>.
156 CNET News, supra note 42.
157 Supra note 147.

manufacturers contained cross-licensing provisions. Cross-licensing can be an effective way to

offset some of the costs associated with the licensing arrangement.158 However, companies will

have to be conscious of any restrictions in their own licenses that may prohibit a cross-licensing

arrangement.

Further, companies will have to be aware of any restrictions in software and hardware licenses

that may restrict their ability to implement an RFID system.159 In order for a company to derive

benefits from the use of this technology, the RFID technology will have to either be integrated

into or will have to replace a company’s current tracking system and information databases,

which could result in breaches to current licensing agreements.

6. Implementing RFID

The issues discussed above must be considered by any organization considering implementing an

RFID system. Primary consideration must be given to the business objectives for implementing

the technology. RFID technology can be designed in a variety of ways and for a variety of

functions, and therefore a company must first consider what the system is meant to achieve.

6.1 Business Objectives

A company considering implementing an RFID system must define the purpose behind

implementing the system. Is the system going to be used only to track products as they proceed

along the assembly line? Is it to improve supply chain management? Is the system to better

manage in-store inventory? Or is the system going to be used to gather information about

158 Ibid.
159 Kenneth A. Adler, “RFID in Healthcare” Healthcare Informatics (May 2005), online: Healthcare Informatics <http://www.healthcare-informatics.com>.

identifiable customers? Each implementation involves different considerations and will require

different tag and reader features. A system that will track and gather consumer intelligence will

have different legal obligations than a purely supply chain-oriented system, such as the

undisputed requirement of the company’s owner to comply with PIPEDA and other similar

provincial privacy legislation.

The business objectives should also consider whether and/or how the RFID technology can be

integrated with the information systems already in use. Can the hardware and software currently

in use in the business be adapted or upgraded to seamlessly integrate the RFID technology or

will the company require an entire systems overhaul? The company would be well advised to

map its entire system in order to be able to anticipate any potential integration problems.160

These decisions will likely be influenced by any restrictions in current software and hardware

licenses.161 This would likely involve counsel reviewing all licenses currently being used by the

client and perhaps negotiating amendments to or releases from these licenses.

The intended use of the technology and the environment in which the system will be

implemented are additional factors requiring consideration prior to deciding on a supplier. Are

active or passive tags best suited to the company’s facilities and intended use? Are the tags only

meant to be used once and then discarded or should they be able to be read and rewritten

numerous times? Will the system be used outdoors? Do the readers need to be able to capture

the data stored on the tags from long distances or at various points in a facility? Counsel will

160 Marc Dautlich, “Before you roll out RFID… read this” silicon.com (20 January 2005), online: silicon.com <http://comment.silicon.com>.
161 Supra note 159.

also need to have a good understanding of the supply chain, assembly line or store layout to be

able to effectively negotiate with suppliers.

These business goals will have to be translated into contractual provisions with the RFID

technology supplier or vendor.162 In negotiating the relevant licensing agreement, counsel

should keep in the forefront of their minds their client’s objectives and ensure that the contract

includes representations that the system will function appropriately and effectively given the

desired results. Additionally, the contract should include mechanisms to revisit the contract

should the system fail to meet these goals at some point in the future or should the company’s

goals change over the course of the license.163 Additionally, the contract must include penalties

or terms for dealing with any malfunctions or systems failures.

Once the business objectives have been identified, a company can canvass the service providers

for the technology components that will best meet its needs. This will result in determining

whether it is more advantageous to use one integrated supplier or to license the various

components from different suppliers.164 This decision will likely be influenced by widespread

implementation of the Gen 2 standard. If all components are based on one uniform protocol, a

company can more easily purchase the various components from different vendors. However,

with the murkiness surrounding the Gen 2 standard and use of Intermec’s patents, using one

integrated supplier could better ensure compatibility.

162 Supra note 160.
163 Ibid.
164 Supra note 159.

6.2 Patents

The decision as to which service provider to select should be informed by the status of the

vendor’s RFID intellectual property.165 Counsel should investigate which suppliers are licensed

to use the RFID technology they provide (i.e. have signed a licensing agreement with Intermec)

and which have relied on the Gen 2 standard and EPCglobal’s claim that none of Intermec’s

patents are essential for the implementation of that standard.

Concerns over patent issues might be more easily dealt with through contracting with one

integrated supplier. Regardless of the supplier, counsel for a client implementing this technology

should (i) identify all of the components required for the client’s system and require each

supplier to identify the owner of any intellectual property for each RFID component; (ii) include

language in the licensing contract confirming that the supplier has made all required royalty

payments; and (iii) confirm that it has the authority to permit the use of the equipment and the

software that it is providing under the contract.166 Additionally, counsel should negotiate to have

the supplier indemnify and hold harmless its client for any and all intellectual property

infringement claims arising from the use of the technology in the client’s business, preferably on

a global basis.167

6.3 Privacy

Companies will have to pay particular attention to protecting the privacy of their customers

and/or employees if the objective for, or result of, implementing an RFID system is, even in part,

to be able to link products to specific individuals. As has been previously discussed, RFID

165 Ibid.
166 Supra note 147.
167 Ibid.

technology is a hot-button item for privacy advocates today and to date, consumer protests and

boycotts have been effective at preventing, or at least stalling, a number of system

implementations.

Companies would be wise to not only comply with the legal requirements under PIPEDA (or

other applicable privacy legislation) but to also consider complying with the Fair Information

Practices discussed earlier in the paper. As RFID technology continues to develop, remedies for

invasion of “informational privacy” will likely continue to develop and solidify at common law.

While legislation like PIPEDA and its provincial equivalents has been implemented, in part, to

fill the gap left by the failure of the common law to create or evolve a general tort remedy for

conduct which constitutes an invasion of privacy,168 the common law has been reluctant to

recognize a right of action for invasion of informational privacy. As the technology continues to

advance, both the common law and the provincial legislatures are likely to continue to develop the

law in this area.

In addition to the use and environmental considerations discussed above, concerns about the

protection of personal information will impact decisions about the type of technology a company

will implement and the suppliers best suited to provide the various components. For example, if

a company is looking to implement RFID technology in a mass retail setting, it would be wise to

consider purchasing tags with built-in “kill switches” that deactivate the tags once the tagged

item is removed from the store. Organizations should consider the best way to incorporate a

deactivation function into their specific implementation of RFID technology.

168 G.H.L. Fridman, The Law of Torts in Canada, 2nd ed. (Toronto: Carswell, 2002) at 708.

Additionally, organizations must develop a method of notifying individuals of the presence of

the RFID technology, how it works, any personal information which may be collected and why it

is being collected, and how an individual can disable the tags. In order to avoid the application

of PIPEDA and related privacy legislation specifically to its RFID-enabled technology, a

company may want to consider designing the tags to emit a series of random pseudonyms as

opposed to unique identification numbers, or to remove all information unique to an identifiable

person and only retain the generic information. Finally, the organization must ensure, as with

any other information technology, that it has adequate information security in place.
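
The pseudonym design mentioned above can be shown in code. The following Python example is added here and is not part of the original paper or of any supplier's product; it assumes a hash-chain construction (the paper does not specify one), and the names `Tag`, `Backend`, `window` and the sample item label are hypothetical.

```python
import hashlib
import hmac
import secrets


def _h(label: bytes, state: bytes) -> bytes:
    # Two domain-separated one-way functions built from HMAC-SHA256.
    return hmac.new(label, state, hashlib.sha256).digest()


class Tag:
    """Tag that never emits a fixed ID; every read returns a new pseudonym."""

    def __init__(self, seed: bytes):
        self._state = seed

    def respond(self) -> str:
        pseudonym = _h(b"emit", self._state)[:12].hex()
        self._state = _h(b"next", self._state)  # advance; cannot be run backwards
        return pseudonym


class Backend:
    """Authorized system: holds each tag's secret state and resolves pseudonyms."""

    def __init__(self, window: int = 64):
        self._tags = {}        # item label -> next expected tag state
        self._window = window  # number of missed reads tolerated (assumption)

    def enroll(self, item: str) -> Tag:
        seed = secrets.token_bytes(32)
        self._tags[item] = seed
        return Tag(seed)

    def resolve(self, pseudonym: str):
        for item, state in self._tags.items():
            s = state
            for _ in range(self._window):
                if hmac.compare_digest(_h(b"emit", s)[:12].hex(), pseudonym):
                    self._tags[item] = _h(b"next", s)  # resynchronize with tag
                    return item
                s = _h(b"next", s)
        return None  # no enrolled tag matches within the window


def demo():
    backend = Backend()
    tag = backend.enroll("SKU-CONSTRUCTED-001")  # constructed sample item
    seen_elsewhere = [tag.respond() for _ in range(3)]  # reads the backend never sees
    return seen_elsewhere, backend.resolve(tag.respond())
```

A reader without the tag's secret sees values that differ on every read, while the enrolled backend still maps the current pseudonym to the item.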

6.4 Internal Policies

After the company has identified its objectives and selected its RFID suppliers, and during the

design and implementation process, it should also consider drafting internal policies to govern

the use of RFID technology and to educate both its employees and customers. These policies

could include what the technology is being used for, how it works and, if the tagged item is

linked to an identifiable individual, what information is collected about that individual.

For example, it may be appropriate in a workplace using RFID-enabled access cards to

communicate to employees whether a record of every swipe of their access card linked to them

as individuals is kept for any specified length of time.169 If employees are going to be required

to inform customers about the technology, the company may want to consider implementing

employee training programs and producing educational material to be provided to the customers.

Internal policies will also be important for an organization as a means of documenting its

compliance with any applicable privacy legislation. For example, the principle of accountability

169 Supra note 37.

in private sector privacy laws in Canada requires an organization to appoint an individual to be

responsible for the organization’s compliance with the legislation, while the principle of

openness requires that customers, clients and employees be informed of an organization’s

information management practices and policies.170

7. Conclusion

Where does RFID stand today? Regrettably, as noted in a recent “Forecast 2006” article in

Computerworld, the high cost and complexity of RFID continues to block widespread adoption

by enterprises, notwithstanding the fact that the IT trade press and industry analysts alike have

been hailing RFID as the “second coming of bar codes”.171 To date, most users have

implemented only small, low-impact pilots that are a long way from becoming a key part of the

adopting enterprise. In fact, respondents to a recent Computerworld survey ranked RFID

“second” among technologies that hold promise for their companies or industries, but “first”

among technologies that have not lived up to their hype.172 Complex deployment and entrenched

tracking systems (most notably those old reliable bar code systems) are keeping RFID on the

back burner at many organizations. Companies are also not certain what to do with the data that

they collect, as much of it contains little useful information. RFID is still in the early adopter

phase, with cost being the main problem (including the cost of the tags alone) and small

companies are reluctant to justify the cost. From a business standpoint, despite the variety of

features and functions of an RFID system, the fact remains that it may not be suitable for every

170 Office of the Privacy Commissioner of Canada, Fact Sheet, “Complying with the Personal Information Protection and Electronic Documents Act” (20 June 2005).
171 Supra note 70 at 34.
172 Ibid.

business. Companies must evaluate their goals, current information technology systems, and the

costs of the technology as compared to the expected benefits.

Despite the foregoing, there is little doubt that RFID technology can make a business more

effective, having benefits that flow all the way along a supply chain, from manufacturers to

distributors to retailers. As recently predicted by Computerworld, retailers will continue to

strong-arm suppliers into using RFID, but so will developing standards such as passive UHF

Generation 2, which is being used by Wal-Mart, Target Corp. and the U.S. Defense

Department.173 While ultimately RFID will replace bar codes and other network tracking

technologies, users will closely watch how RFID’s early adopters (as well as those companies

that are compelled to use it by large influential players such as Wal-Mart)174 can improve their

bottom lines with the technology to make it more attractive.175

From a legal standpoint, as with any new technology, a number of legal issues need to be

considered, including licensing and patent infringement. Additionally, depending on the

intended use of the technology, companies may need to pay particular attention to protecting the

privacy of their customers. As has been discussed, RFID is a topic of great concern for privacy

advocates today, and companies would be well advised to be open about their proposed

implementation and use of the technology. The small size of the tags and their ability to

uniquely identify individual objects present potential violations of Canadian privacy legislation.

173 Supra note 70 at 35.
174 In a recent article in Computerworld, Marc L. Songini reported that when Wal-Mart first went live with RFID in January 2005, they had more than 100 suppliers tagging products. It now has more than three times that number involved, feeding RFID-tagged goods to 500 Wal-Mart facilities through five distribution centers. The company expects the number of stores capable of handling RFID-tagged items to double to 1,000 by January 2007, with 600 suppliers employing the technology by then. See Marc L. Songini, “Wal-Mart Details its RFID Journey”, Computerworld (2 March 2006) available online at <www.computerworld.com/industrytopics/retail/story/0,10801,109132p2,00.html>.
175 Supra note 70 at 35.

Organizations that implement RFID must fully comply with all applicable legislation, like

PIPEDA and its provincial equivalents, and should consider using the principles underlying

private sector privacy legislation as a framework for designing effective and compliant RFID-enabled

information technology systems. Failure to do so will no doubt result in adverse

consequences for any adopters of RFID that will significantly nullify any anticipated business

benefits that may be achieved through use of the technology.
