Professional Documents
Culture Documents
Rfid Technology: Current Business and Legal Considerations: Lisa R. Lifshitz and Blair Mckechnie
Rfid Technology: Current Business and Legal Considerations: Lisa R. Lifshitz and Blair Mckechnie
Considerations
*
Lisa R. Lifshitz, B.A., M.A., B.C.L., LL.B. is a Partner in the Toronto office of Gowling Lafleur Henderson LLP
specalizing in business and technology law. She can be reached at lisa.lifshitz@gowlings.com.
**
Blair McKechnie, B. Com., LL.B., is a student-at-law in the Toronto office of Gowling Lafleur Henderson LLP.
This paper was prepared for the Ontario Bar Association’s conference Technology in Bloom 2006: New
Developments in Technology Law, March 27, 2006.
TABLE OF CONTENTS
Page
1. INTRODUCTION ............................................................................................................. 1
7. CONCLUSION................................................................................................................ 39
-i-
1. Introduction
Radio Frequency Identification technology (“RFID”) has become a hot-button issue recently as
much has been written about the potential privacy implications of widespread implementation of
this technology. While the privacy implications of this technology are certainly important
considerations, there are a number of other important legal and business issues that must be taken
into account by any organization thinking about implementing an RFID system. This paper will
begin by describing RFID, what it is, how it works and where it is being used, and will then
proceed to discuss the various business and legal issues that must be considered by any
2. What is RFID?
The term “RFID” has become a general term used to describe sensory technology that uses radio
waves to scan and identify separate and distinct items.1 This type of sensory technology has
been around since World War II, where transponders were installed in Allied forces fighter
planes. Allied forces could read the radio waves transmitted by these transponders attached to
the planes in order to distinguish Allied aircraft from enemy aircraft.2 This technology is now a
basic component of all aircraft, both military and civilian, and following the war, was used in a
1
Information and Privacy Commissioner/Ontario, Tag, You’re It: Privacy Implications of Radio Frequency
Identification (RFID) Technology by Ann Cavoukian, Ph.D. (Toronto: Information and Privacy
Commissioner/Ontario, 2004) at 3.
2
Ibid.
3
Ibid.
-2-
Today, RFID technology is being heralded as the replacement for bar code technology. Bar
codes are a generic product identification technology.4 By contrast, one advantage of an RFID
system over bar code technology, is that each specific individual item will have its own specific
individual “code”.5 As a result, information can be gathered about each individual item and each
individual item can be tracked. As well, as RFID systems are powered by electromagnetic fields,
the information can be collected and transmitted in harsh environmental conditions and across
long distances, instead of having to be directly scanned, as with bar codes.6 For example, in
grocery stores, each brand of detergent has one code which, at the check-out counter, must be
passed across the scanner at a particular angle in order for the data stored on the bar code to be
read. With an RFID system, each box of detergent, will have a different code and just bringing
the item past a certain point in the store or through an exit, will be sufficient for the data to be
captured. Further, depending on the design of the RFID system, data can be stored and altered
There are various types of RFID systems but all are comprised of two basic components: a tag,
which gathers and stores the information, and a reader, which scans the tag and captures the
information.8 The tag itself is composed of three parts: an antenna, a wireless transducer which
can also be linked to a single silicon microchip which functions as the tag’s memory, and some
type of encapsulating material.9 The readers, which may be portable handheld devices or fixed
4
Dr. Patrick Van Eecke & Georgia Skouma, “RFID and privacy: a difficult marriage?” Communications Law, vol.
10, no. 3 (2005) at 84.
5
Supra note 1 at 8.
6
Ibid.
7
Ibid.
8
Ibid. at 4.
9
Ibid.
-3-
at strategic points in a store or warehouse facility, read the tag and then transmit the information
One feature which distinguishes types of RFID is whether the tags are active or passive.11
Active tags have their own power source and an active transmitter.12 Because of this individual
power source, these active tags can be read across greater distances.13 As a result, they perform
better but generally have a shorter life cycle, are larger and more expensive then the passive
tags.14 Active tags are good for tracking components, such as in a supply chain management
system,15 or, because of the expense associated with these tags, with products where the tags can
be re-used. In RFID systems that use active tags, the tags may periodically transmit a signal so
that the data stored on the tag may be read by multiple readers located throughout a facility.16
Passive tags, on the other hand, do not have a power source nor an individual transmitter on the
tags themselves.17 Because of this, the tags are dependent on readers for their power18 and
therefore, have less range and the ability of the readers to capture of the information stored on
the tags is more susceptible to environmental conditions.19 Passive tags are less expensive and
are better suited then active tags to mass single-use applications, such as to be used to replace the
10
Ibid. at 7.
11
Ibid. at 5.
12
Ibid.
13
Ibid.
14
Ibid.
15
Ibid.
16
Ibid.
17
Ibid.
18
Ibid. at 7.
19
Ibid. at 5.
20
Ibid.
-4-
Tags may also contain an integrated circuit chip, which enables the data to be stored on the tag
and transmitted to the readers.21 Even small tags with integrated circuit chips can store 96-bits of
data, as opposed to tags without chips, which, while less expensive to manufacture, can generally
only store up to 24-bits of data.22 “Chipless” tags usually have sufficient memory for internal
applications, such as tracking items within a manufacturing facility.23 However, “chip” tags will
likely be required for use in a retail setting. This is because in a large retail setting the tags will
be required to have enough memory to store a large identification number so that each individual
item can be uniquely identified by any one of a number of readers located throughout a store.24
96-bits of data is reportedly enough to store the name of the item and of the manufacturer, and an
individual product code assigned to the item from a trillion possible different combinations.25
For a company’s internal use, such as along an assembly line, less information will likely be
required to be stored on a tag in order for that item to be uniquely identified and tracked within
the warehouse.
Another distinction in the design of tags in RFID systems is whether the tags are inductively or
field produced by the readers. In an inductively coupled tag, the tag’s antenna is made from a
copper or aluminium coil, and this antenna receives the electromagnetic energy produced by the
reader and then, through its transducer, uses that energy to retrieve or send its data back to the
reader.27 Tags which are conductively coupled employ conductive ink, eliminating the need for
21
Ibid.
22
Ibid.
23
Ibid.
24
Ibid.
25
Ibid.
26
Ibid. at 6.
27
Ibid.
-5-
an antenna.28 These tags can still transmit data to the reader but only within a very limited
range.29 However, without the antenna, these tags are much more durable and less expensive to
The final feature of a tag is that it can either be read-only or can have the ability to be written to
as well. Read-only tags have a memory chip with the product’s identification code imprinted on
it, either at the time the tag is manufactured or when a tag is allocated to the specific item.31
Read-only tags are less expensive to make and are usually used in passive tags.32 On the other
hand, tags that can be written to have the capacity to have their memory changed many times,
and as a result, these types of tags are more versatile but are also more expensive to
manufacture.33
With the variety of types of RFID tags available, the uses for an RFID system are almost
limitless and it is possible that a tag could be imbedded into almost any “thing”, from a dress to a
Replacing bar codes in grocery stores is only one of the many uses for RFID technology. While
RFID technology has recently been garnering much attention, this technology has been in use, in
various forms, throughout the Canada and the rest of the commercial world for a number of
years.
28
Ibid.
29
Ibid.
30
Ibid.
31
Ibid.
32
Ibid.
33
Ibid.
-6-
Plainly put, the potential use for RFID technology is enormous, and many public and private
sector organizations are either using or planning to use RFID technology for the following
purposes:
(a) Supply Chain Management – i.e. monitoring and controlling the flow of goods
from raw materials through to finished products, from manufacturer;
(b) Product Integrity – i.e. ensuring that products, such as pharmaceuticals, are
authentic and have not been altered in any way;
(c) Warranty Services – i.e. marking durable goods with a tag incorporating a product
registration code to facilitate warranty services;
(d) ID, Travel and Ticketing – i.e. providing a means to verify the identity of the
traveler and to ensure that the documents are genuine;
(e) Baggage Tracking – i.e. monitoring and controlling the movement of baggage
from check-in to loading on an airplane; and
(f) Patient Care and Management – i.e. providing a means to rapidly and accurately
verify information concerning patient allergies, prescription history, etc. to
prevent surgical errors.34
3.2 Canada
One of the most widely-used implementations of RFID systems in Canada are “easy-pay”
systems. Gas companies, like Shell and Imperial Oil, use RFID tags in their easy-pay systems,
eliminating the need for cash or credit cards at the gas pumps.35 The “Dexit” fast pay system36
34
Office of the Privacy Commissioner of Canada, Fact Sheet, “RFID Technology” (5 March 2006) at 2.
35
Supra note 1 at 12.
-7-
used in a number of food courts in the financial district in Toronto is another example of an easy-
pay system. The tags (which are often referred to as “fobs”) store information about the
consumer and hold a balance of money. The readers, located at the cash registers, read the tags
and automatically deduct the price of the purchased item from the balance on the tag. Another
common use for RFID systems is in workplace access cards.37 The cards can generally be read
through pockets and wallets, illustrating the strength and range capabilities of this technology.
Another example of RFID technology being used in Canada is the technology used to charge
users of the Highway 407 toll road in Ontario.38 The tag is the pass drivers place on their
dashboards or hang from their rear-view mirrors and readers are placed at every on and off-ramp
to the toll road. The electromagnetic field generated by the readers captures the driver’s
information stored on the tag as the car enters onto and exits from the highway. This system
works in fog, rain and snow, illustrating the effectiveness of this technology for use in harsh
environmental conditions and in situations where the readers are required to be located at
Following the “mad cow” crisis in Western Canada, the Canadian Cattlemen’s Identification
Association has recently begun to require all U.S. cattle that graze on Canadian feedlots to be
tagged with an RFID chip that stores the location of each individual cow’s place of birth. All
Canadian cattle were already required to be tagged. The goal of the program is to be able to
36
Michael Burns, “Retailers discover venerable radio technology” The Bottom Line 20:15 (November 2004) (QL).
37
“Privacy in the Workplace: Case Studies on the Use of Radio Frequency Identification in Access Cards” RAND
Corporation research brief series, 2005, online: RAND Corporation <http://www.rand.org>.
38
Supra note 1 at 12.
-8-
react more quickly to any mad cow scare by being able to quickly identify the origin of the
animal.39
Bell Canada is also currently working with a group of suppliers and retailers, called the “Supply
Chain Network Project” to implement a RFID-enabled supply chain. The project is the first of
its kind in Canada and will help retailers and suppliers better understand how RFID technology
can improve efficiency and decrease costs all the way along the supply chain.40
Interestingly, Canada opened its first “RFID Centre” in Markham, Ontario on September 21,
2005. Formed by several partner organizations (including the Canadian Council of Grocery
Association, EPCglobal Canada (GS1 Canada), Food and Consumer Products Canada, IBM
Canada, Intermec Technologies Corp., Symbol Technologies Inc. and Agriculture and Agri-Food
Canada), the Centre was created to enable the Canadian industry to “better understand,
experience, experiment with and test the latest RFID technologies and demonstrate the potential
business case for tracking products”.41 Additionally, the Centre is the first in North America to
demonstrate use of Generation 2 technology which increases RFID applicability and stability to
3.3 International
RFID systems likely have a bright future in retail, where the technology can be used to better
manage the supply chain and keep accurate accounts of inventory levels. Wal-Mart, Albertson’s,
39
Laurie Sullivan, “Canada Expands RFID Policy to Stave Off Mad-Cow Disease” InformationWeek (21 July
2005), online: InformationWeek <http://informationweek.com>.
40
“Bell selected for EPC RFID pilot” CRN Canada (16 October 2005), online: CRN Canada
<http://www.crncanada.ca>.
41
“New RFID Centre Opens in Canada” (Press Release) online: < http://www.intermec.com> at 1.
-9-
Tesco, Procter & Gamble, Johnson & Johnson, Gillette and Hewlett-Packard have all begun
testing the use of RFID systems to assist with supply chain management.42 Gillette, in
conjunction with retailers Wal-Mart and Tesco in Great Britain, planned to test RFID-embedded
shelves in the stores to assist with better inventory tracking.43 Essentially, the shelves functioned
as the readers that read the tags imbedded in Gillette products placed on the shelves,44 keeping
more accurate and timely accounts of inventory levels. The U.S. Department of Defense has also
been running pilot projects, which would require all of its suppliers to implement this technology
Wal-Mart has indicated that the use of RFID technology in their supply chain results in
customers being less likely to find items out-of-stock and significantly decreases the time it takes
to re-stock a sold-out item in a store.46 Wal-Mart is one of the biggest proponents of the
technology in the retail sector. Wal-Mart began running pilot projects a number of years ago and
in the fall of 2005 it had more than 130 suppliers imbedding RFID tags in the products shipped
to its distribution centres.47 The retailing giant aims to have implemented the technology
throughout its operations in North America and the United Kingdom by 2007.48
42
See e.g. supra note 1 at 12-13; Alorie Gilbert, “Static over RFID” CNET News.com (13 September 2004), online:
CNET News.com <http://news.com.com> (“CNET News”); Cliona Reeves, “I.D. For Food: Radio-Frequency
Identification (RFID)” Guelph Food Technology Centre (October 2005), online: GFTC <http://www.gftc.ca>
(“GFTC”).
43
Supra note 1 at 12-13.
44
Ibid. Public opposition to the program after it became public that Gillette was taking photographs of customers at
the shelves resulted in Wal-Mart cancelling the test project with Gillette and announcing that it would limit the use
of the technology to its supply chain.
45
Ibid. See also supra note 36.
46
Gene J. Koprowski, “Retailers Using RFID for Better Holiday Customer Service” CRMBuyer (4 November
2005), online: CRMBuyer <http://www.crmbuyer.com>.
47
Keith Axline, “RFID Fleece Blue-Collar Dollars” Wired News (27 October 2005) online: Wired
<http://www.wired.com>.
48
GFTC, supra note 42.
- 10 -
Correctional facilities in the U.S. are also reported to be implementing a high-tech head counting
system using RFID. In these participating facilities, both inmates and corrections officers wear
wristbands imbedded with RFID tags that transmit the location of each inmate and guard every
two seconds.49
In Singapore, RFID technology is being used in libraries to replace bar code technology50 as well
Hospital in Singapore began issuing cards imbedded with an RFID chip, similar to workplace
access cards, to visitors to the hospital so that a record of whom a patient came into contact with
could be easily produced should that person later come down with SARS.51
Australia is using RFID chips to confirm whether imported pork products have stayed within
In 2004, the Food and Drug Administration in the U.S. approved the VeriChip Personal
Identification System, which includes a tag that can be implanted beneath the skin of humans for
medical purposes.53 The “VeriChip” can be imprinted with an individual’s name, blood type and
details of any medical conditions. While no hospitals have reportedly ordered these chips, the
hope of the manufacturer, Applied Digital Solutions Inc., is that individuals who suffer from
diseases requiring complicated courses of treatment, such as cancer or diabetes, and patients
suffering from deteriorative diseases like Alzheimer’s disease, will implant these chips under the
49
Alan D. Gold, “Tech Developments” Collection of Criminal Law Articles (19 September 2005) (QL).
50
CNET News, supra note 42.
51
Supra note 1 at 14.
52
CNET News, supra note 42.
53
Kim Zetter, “RFID: To Tag or Not to Tag” Wired News (9 August 2005) online: Wired <http://www.wired.com>.
- 11 -
skin on their arms, giving doctors with compatible readers immediate access to the patient’s
medical records.54
RFID technology has a number of advantages over current bar code systems, including that
RFID tags are very small and can be imbedded in almost any product. RFID tags can also be
working in the field of RFID technology are developing systems that are becoming increasingly
small while at the same time becoming more effective and able to capture data across increasing
distances.
Researchers at Corning have recently developed tiny RFID-encoded beads that can be imbedded
in inks to tag currency and other documents or can be added to paints, such as automobile
paint.55 The imbedded paint could be used to track the automobiles throughout the
manufacturing stages or even after the car is driven off of the lot. RFID-tagged currency could
track every transaction in which a particular bill is used. Governments claim that this technology
could be a major break through in fighting money-laundering. In fact, the European Central
Bank is reportedly working on plans to imbed tiny RFID “threads” in high denomination Euro
notes.56
54
“FDA Approves Subdermal RFID VeriChip” RFID Gazette (14 October 2004).
55
Supra note 1 at 9.
56
Supra note 1 at 13. See also Oliver M. Habel, “Legal Issues raised by the RFID Technology in data protection
and privacy” CLA 2005 World Computer & Internet Law Congress, Computer Law Association Held May 4 & 5,
2005 at 2 (“Habel”).
- 12 -
Researchers at the University of California in Berkley are working on developing “smart dust”,
which would be an active, read-write RFID system, all within a cubic millimetre.57 The tiny tags
would each have their own power supply, programmable microprocessor and optical
communication link.58 Another group of researchers are developing what they call “TinyOS”,
which is a complete software operating system comprised of a number of tiny sensors and
A company in the United Kingdom is developing a system that will allow a network of fixed and
portable readers to identify tags imbedded in license plates from distances of up to 300 feet.60
This use of RFID technology, and its use in currency and passports, could make this technology
The healthcare industry is another sector where RFID could be implemented in a number of
ways. As discussed above, RFID systems are already in use in Singapore hospitals to track cases
of SARS. A hospital in California is using RFID tags to prevent newborn babies from being
kidnapped.61 RFID also has the potential to be used to track pharmaceuticals and prevent
tampering with the packaging. A 2004 report issued by the Food and Drug Administration in the
United States encouraged pharmaceutical companies to use RFID tags as a means of tracking
drugs all the way along the supply chain, from the manufacturing facility to the point of purchase
57
Supra note 1 at 9.
58
Ibid.
59
Ibid.
60
Mark Baard, “Brit License Plates Get Chipped” Wired News (9 August 2005) online: Wired
<http://www.wired.com>.
61
Vawn Himmelsbach, “Panel explores the untapped possibilities for RFID” Computing Canada, vol. 31, no. 15 (28
October 2005) online: itbusiness.ca <http://itbusiness.ca>.
- 13 -
as a means of reducing tampering and counterfeiting.62 Pfizer Inc. began using RFID tags in all
shipments of Viagra in the United States on December 15, 2005 in an effort to detect counterfeit
pills.63
RFID tracking systems are also considered by governments to be very useful in national security.
The U.S. is planning on introducing RFID-enabled passports;64 an idea that is also being
considered in Europe and Asia.65 In fact, reports indicate that the U.S. could require all countries
whose citizens do not require visas to enter the United States to begin issuing RFID-enabled
passports by the fall of 2006.66 This would mean that Canada would also likely be required to
4. Implementation Issues
While there have been great advances in RFID technology over the last number of years, the
costs of implementing the technology is still prohibitive to most organizations, especially for use
in a mass retail setting. RFID tags currently cost anywhere from $0.20 to $1.00 per tag versus
just pennies for bar codes.67 As well, the readers are also expensive, often priced upwards of
$1000.68 Readers that have been developed in conjunction with the VeriChip cost $650 a piece
and the high expense is being cited as one of the major reasons for the lack of implementation of
62
Jerry Brito, “Relax Don’t Do It: Why RFID Privacy Concerns are Exaggerated and Legislation is Premature”
(2004) UCLA J. L. Tech. 5.
63
Javad Heydary, ed., “To Fight Counterfeits Pfizer Inserts RFID Tags in Viagra Packages” Laws of .Com: E-
Business, Privacy & Technology Law Journal, vol. IV, issue 1 (12 January 2006), online: Laws of .Com
<http://www.lawsof.com>.
64
Bruce Schneier, “Fatal Flaw Weakens RFID Passports” Wired News (3 November 2005) online: Wired
<http://www.wired.com>.
65
Supra note 61.
66
Ryan Singel, “Airline Tests RFID on the Fly” Wired News (9 August 2005) online: Wired
<http://www.wired.com>.
67
Supra note 1 at 10.
68
Supra note 36.
- 14 -
the system by hospitals. The manufacturer has donated 200 readers to trauma centres and
emergency rooms throughout the U.S. in hopes of “jump-starting” the market for their
technology.69
Related to the expense of the tags and readers themselves, is the cost associated with replacing,
updating and/or integrating an RFID system with a company’s current information system.70
Replacing the bar code on every consumer item in a store with a RFID tag is only one step. In
order for RFID to be beneficial to an organization, the information being captured must be
capable of analysis and producing results useful to the company’s business.71 The company’s
information system for tracking, collecting and analyzing product or consumer data may have to
chain management system is often times connected with the information systems of its suppliers
or business partners. Implementing a RFID system can thus be costly and can have significant
impacts on current information systems infrastructure for both the company and any organization
linked to that company’s system.72 Proponents of RFID argue that these costs can be offset by
RFID through a better streamlined supply chain and general improvements in business processes
Another issue preventing widespread implementation of this technology was, until recently, a
lack of industry standards to be used in the creation of RFID-enabled software. Experts reported
that the main problem was that a variety of different protocols were governing the
69
“FDA Approves Subdermal RFID VeriChip”, RFID Gazette (14 October 2004), online: RFID Gazette:
<http://www.rfidgazette.com>. See also Rob Stein, “Implantable Medical ID Approved by FDA” The Washington
Post (14 October 2004), online: The Washington Post <http://www.washingtonpost.com>.
70
John S. Webster, “Hope & Hesitation” ComputerWorld (2 January 2006) at 35.
71
Ibid.
72
Ibid.
73
Ibid.
- 15 -
electromagnetic communication between the tags and the readers.74 Developing one standard
protocol will result in any reader utilizing the standard being able to recognize and read any tag
using the standard, regardless of its manufacturer.75 Instead of the readers being designed so that
they can be programmed to match any number of tags, which requires new software upgrades
every time a new tag is introduced into the market, all tags and readers will be compatible
internationally.76 In September of 2003, the Electronic Product Code (the “EPC”) was
introduced and was touted as “creating an Internet of things”.77 This standard went far beyond
the Universal Product Code (the “UPC”) commonly used in bar codes.78 A number of
organizations have been working to create standards. The Massachusetts Institute of Technology
Auto-ID Center, which was financed by a number of corporate partners, was formed to develop a
RFID tag suitable and appropriately priced for use in a mass retail setting.79 It was this lab that
was responsible for the early development of the technology and was working towards the
creation of the royalty-free EPC standard.80 This code can link an object to a person and can
uniquely identify one object from another: two of the most significant advantages of RFID as
Recently, EPCglobal Inc., the New Jersey-based RFID standards-setting body (“EPCglobal”)
connected with the Uniform Code Council, which took over the standards development project
74
CNET News, supra note 42.
75
Ibid.
76
Ibid.
77
Supra note 1 at 11.
78
Ibid.
79
Ibid.
80
CNET News, supra note 42.
81
Supra note 1 at 11.
- 16 -
from the MIT Auto-ID Center in 2003,82 implemented the Generation 2 RFID standard (the “Gen
2 standard”). This standard was ratified in December of 2004 and mandates RFID systems to
have a 96-bit memory, better encryption and an ability for the tags to be permanently
Additionally, the use of open source code is an important component in the development of most
new technology and RFID is no exception. Unfortunately, disputes over patents that are
considered “essential” to the creation of an RFID solution utilizing the Gen 2 standard may
One of the most significant issues facing the implementation of RFID relates to privacy. Many
consumers and privacy advocates are wary of the ability of the technology to link a specific
product to a specific individual without that individual’s knowledge or consent and for the
tracking of the product to continue beyond the supply chain. In fact, consumer protests about
this issue have been effective in preventing a number of companies from even implementing
82
Harold E. Davis & Michael S. Leuhlfing, “Technology: Radio Frequency Identification: The Wave of the Future”
(2004) 11-04 J.A. 43 at 48-49.
83
Joanna Glasner, “RFID: The Future is in the Chips” Wired News (16 August 2005) online: Wired
<http://www.wired.com>.
84
CNET News, supra note 42.
85
Supra note 61.
86
See e.g. supra note 1 at 15. As discussed earlier, public outcry resulted in Wal-Mart cancelling its “smart shelf”
trials with Gillette. Consumer opposition also caused the Benetton Group to cancel plans to imbed RFID tags into
its clothing.
- 17 -
5.1 Privacy
Notwithstanding the current status of the implementation of RFID or current practices, certain
aspects of the technology have been seen by privacy advocates as posing a threat to individual
privacy. While the use of RFID technology purely for internal supply chain management
purposes or to track products along the assembly line are generally thought to be harmless
propositions, the use of the technology to link a product to an individual consumer and to collect
personal information about that consumer has many privacy watch groups very troubled.87
Surreptitious collection of information. Plainly put, RFID tags are so small that they can
be embedded into/onto objects and documents without the knowledge of the individual
who obtains those items. Moreover, given that radio waves can travel easily and silently
through fabrics, plastics and other materials, RFID tags can be sewn into clothing or
affixed to objects contained in purses, suitcases, shopping bags, etc. Also, since tags be
read from a distance, readers can be incorporated virtually invisibly into environments
where people and items congregate, with the net result that it may not be readily apparent
that RFID technology is in use, making it virtually impossible for a consumer to know
87
Supra note 1 at 15. See also supra note 83.
88
Supra note 34 at 2.
- 18 -
tracked through tags embedded in clothing and vehicles and a sufficiently dense network
technology. If the tags can be associated with an individual, then by that association the
clothing could serve as an identifier for the person wearing it, and while the information
regarding the tagged item remains generic, identifying the items people wear or carry
could associate them, for example, with attendance at particular events such as political
protests or rallies.89
Profiling of individuals. Unlike barcodes, where a bottle of soda has the same barcode as
all other bottles of soda of that particular brand, RFID technology potentially enables
every object to have its own unique ID. The use of the unique ID could lead to the
creation of a global item registration system in which every physical object is identified
and linked to its purchaser or owner at the point of sale or transfer. Further, if these
unique identifiers are then additionally associated with an individual, such as by linking
through a credit card number, for example, then a profile of that individual’s purchasing
Secondary use (particularly from the perspective of limiting or controlling such use).
There is also great concern that the creation of profiles and the tracking of movement can
reveal a great deal of additional information. To name just one example, the linking of a
89
Ibid.
90
Ibid.
- 19 -
Massive data aggregation. Lastly, RFID deployment requires the creation of massive
databases containing unique tag data. These records could be linked with personal
identifying data, especially as computer memory and processing expand in capacity and
capability. Privacy advocates worry that this, in turn, could facilitate any of the practices
listed above.92
Given the above scenarios, privacy groups are also concerned that privacy legislation and the
common law lag behind the advancements in the technology.93 Currently, relevant legislation
Federal government institutions are regulated in their collection, use and disclosure of personal
information by the Privacy Act.94 However, the federal Personal Information Protection and
Electronic Documents Act95 applies to all federal works, undertakings or businesses and to all
private sector organizations regulated by provinces that do not have substantially similar private
sector privacy legislation. Only Alberta, British Columbia and Quebec have legislation that has
been declared substantially similar to PIPEDA and that legislation governs private sector
91
Ibid.
92
Ibid.
93
Karen Kavanaugh, “Law and Technology Institute keeps the legal community abreast on innovation” The
Lawyers Weekly 25:5 (3 June 2005) (QL). See also Chad Kopach, “Radio Frequency Identification Devices: Big
Brother is Watching” Ontario Bar Association, Young Lawyers’ Division 12:1 (August 2004).
94
R.S. 1985, c. P-21.
95
2000, c. 5 (hereinafter, “PIPEDA”).
- 20 -
organizations regulated under provincial law in those provinces.96 PIPEDA, however, applies to
PIPEDA, and the substantially similar provincial legislation, consider “personal information” to
be information about an identifiable individual97 and apply to the collection, use and disclosure
of personal information in the course of a commercial activity. All four pieces of legislation
apply similar principles,98 including: (i) mandating that personal information may only be
collected, used or disclosed with the knowledge and consent of the individual; (ii) limiting the
collection of personal information to what is necessary for identified purposes; and (iii)
mandating that personal information be collected by fair and lawful means. Additionally,
personal information must be protected by adequate safeguards and individuals must be able to
easily access information about an organization’s privacy policies and practices. RFID
technology which captures information that can be linked to an identifiable individual would
The Privacy Commissioner of Canada (or of British Columbia, Alberta or Quebec, as the case
may be) is responsible for overseeing the privacy legislation in his or her jurisdiction and
addressing complaints that an individual’s privacy rights, as protected under the legislation, have
been violated.99 Where an individual believes that their privacy rights have been violated by a
commercial organization, they may complain to the Privacy Commissioner in the appropriate
96
Personal Information Protection Act (Alberta), S.A. 2003, c. P-6.5 (the “Alberta PIPA”), Personal Information
Protection Act (British Columbia), S.B.C. 2003, c. 63 (the “B.C. PIPA”), An Act respecting the protection of
personal information in the private sector, R.S.Q., c. P-39.1 (the “Quebec PIPA”) (collectively, the “PIPAs”).
Please also note that in Ontario, the Personal Health Information Protection Act, 2004, S.O.2004, c. 3 (“PHIPA”)
was also declared to be substantially similar to PIPEDA. PHIPA applies to personal health information.
97
Supra note 95 at s. 2; Alberta PIPA, supra note 96 at s. 1; B.C. PIPA, supra note 96 at s.1; Quebec PIPA, supra
note 96 at s. 2.
98
See generally supra note 95 and supra note 95.
99
Office of the Privacy Commissioner of Canada, Fact Sheet, “Questions and Answers regarding the application of
PIPEDA, Alberta and British Columbia’s Personal Information Protection Acts (PIPAs)” (5 November 2004).
- 21 -
have a variety of powers as part of the investigative responsibilities under the applicable privacy
legislation, including the power to compel the production of evidence.102 The Commissions may
investigate complaints and issue reports. Violations of these private sector privacy laws can
result in an organization being ordered to comply with the legislation and/or correct its
imposed.103 Under PIPEDA, complainants may bring an action before the Federal Court in
Alberta or British Columbia has found an organization to be in violation of the legislation, its
order can be the basis for a civil cause of action against the organization by the complainant.105
In Quebec, orders of the Commissioner can be appealed to the Quebec Superior Court.106
In addition to the substantially similar provincial PIPAs, each of the provinces and territories in
Canada have legislation that governs the collection, use and disclosure of personal information
100
Supra note 895 at s. 11; Alberta PIPA, supra note 96 at s. 46(2); B.C. PIPA, supra note 96 at s. 46(2); Quebec
PIPA, supra note 96 at s. 42.
101
Canada, Office of the Privacy Commissioner of Canada, Your Privacy Responsibilities: Canada’s Personal
Information Protection and Electronic Documents Act (Ottawa, March 2004) at 19. See also supra note 99.
102
Supra note 95 at s. 12(1); Alberta PIPA, supra note 96 at s. 38; B.C. PIPA, supra note 96 at s. 38; Quebec PIPA,
supra note 96 at s. 51, 81.
103
Supra note 95 at s. 13, 16; Alberta PIPA, supra note 96 at s. 52, 59; B.C. PIPA, supra note 96 at s. 52, 56;
Quebec PIPA, supra note 96 at s. 55, 91.
104
Supra note 95 at s. 14.
105
Alberta PIPA, supra note 96 at s. 60; B.C. PIPA, supra note 96 at s. 57.
106
Quebec PIPA, supra note 96 at s. 61.
107
Office of the Privacy Commissioner of Canada, Fact Sheet, “Privacy Legislation in Canada” (17 December
2004).
- 22 -
legislation dealing with personal health information collected and used by health care providers
Further, the Bank Act109 regulates the collection, use and disclosure by federally-regulated
financial institutions of all personal financial information. Similarly, most provinces have
legislation governing the collection, use and disclosure of consumer credit information by credit
agencies.110
An organization will have to be aware of the requirements under any and all legislation that
The Data Protection Directive of the European Parliament (the “Directive”) has been adopted by
25 member nations111 and, similar to PIPEDA, only applies where personal data is processed.112
Australia’s Privacy Act 1988113 also applies to information collected where the identity of the
Act114, the U.S. Privacy Act of 1974 applies only to government institutions.115
108
Ibid.
109
S.C. 1991, c. 46. See also supra note 107.
110
Supra note 107. See e.g. infra note 121.
111
See Status of Implementation of Directive 95/46 on the Protection of Individuals with regard to the Processing of
Personal Data, online: European Union’s area of freedom, justice and security <http://europa.eu.int>.
112
Supra note 4 at 85.
113
Privacy Act 1988 (Cth), s. 6(1).
114
Supra note 94.
115
John M. Eden, “When Big Brother Privatizes: Commercial Surveillance, the Privacy Act of 1974, and the Future
of RFID” (2005) Duke L. & Tech. Rev. 20.
- 23 -
Certain groups are in favour of enacting legislation specifically applicable to RFID technology.
Legislation applying specifically to RFID has been proposed in a number of states in the U.S.116
A bill was introduced in California entitled the “California Identity Information Protection Act of
2005”. This bill, which, while referred back to the Committee on Appropriations at the end of
June of 2005,117 was believed to be the furthest reaching of its kind,118 and would have prevented
the use of RFID chips in any state-issued identification, such as driver’s licenses, health cards
and school ID cards, and would have made the unauthorized reading of RFID tags a crime.119
The common law in Canada has not been particularly responsive to advancements in these types
of automatic identification technology.120 While not directly related to RFID, a recent Ontario
Superior Court of Justice decision discussed the common law approach in Canada to invasions of
privacy. The recent decision in Somwar v. McDonald’s Restaurants of Canada Ltd.121 reviewed
a claim for invasion of privacy resulting from the defendant conducting an unauthorized credit
check on the plaintiff.122 The court relied on the Ontario Consumer Reporting Act, which
governs the collection and release of information relating to consumers’ income, debts, cost of
living obligations and assets, in deciding that the plaintiff’s privacy had been invaded.123 The
Court rejected the defendant’s Rule 21 motion for determination that the plaintiff’s statement of
116
Supra note 60.
117
California Office of Privacy Protection, Current Privacy Legislation, online: Bill Information
<http://www.leginfo.ca.gov/bilinfo.html>.
118
Supra note 62.
119
Kim Zetter, “State Bill to Limit RFID” Wired News (29 April 2005) online: Wired <http://www.wired.com>.
120
Supra note 62.
121
[2006] O.J. No. 64 (QL) (“Somwar”). For a review of the decision, see e.g. Javad Heydary, ed., “Does Ontario
Law Recognize the Tort of Invasion of Privacy?” Laws of .Com: E-Business, Privacy & Technology Law Journal,
vol. IV, issue 3 (9 February 2006), online: Laws of .Com <http://www.lawsof.com>.
122
Somwar, ibid. at para. 3.
123
Ibid. at para. 7.
- 24 -
claim contained no reasonable cause of action on the basis that it was not clear that a breach of a
statute cannot give rise to liability where the elements of tortious responsibility have been
established.124 In its reasons, the Court also explained that the common law is unclear as to
whether the tort of invasion of privacy exists in Ontario.125 Other provinces have created a
statutory tort of invasion of privacy; however, Ontario has not created such a statutory remedy.126
Further, the Canadian Charter of Rights and Freedoms recognizes an individual’s right to
Canadian private sector privacy legislation, like PIPEDA, will apply to particular
• chips, which can have personal information written to them, are repositories of personal
information;
• tags with unique identification numbers, which can be associated with an individual, are
• information about possessions or purchases, which is captured by an RFID system and then
stored in a database that can manipulate or process the information to compile personal
124
Ibid. at para. 41.
125
Ibid. at para. 22.
126
Ibid. at para. 28.
- 25 -
information.127
In order to comply with any of the applicable privacy legislation in Canada, any organization
implementing RFID that collects personal information must ensure transparency in its use of this
technology. The organization must inform individuals of the presence of the tags and readers
and their locations and whether the tags are active or will become active.
The application of privacy legislation to RFID technology depends on whether information about
an identifiable individual will be collected or whether the technology is merely going to be used
to track products. One reason cited by consumer groups for differentiating between these two
applications of RFID systems is that once a tagged product has been purchased and removed
from the point of purchase by a consumer, critics of RFID argue that the product becomes the
property of the consumer, and a tag that continues to be active (especially if the consumer is not
aware of the tag and its functions) could be viewed as an invasion of privacy.128 When a tag is
being used within a facility or along the supply chain, the product is still the property of the
manufacturer and it is likely not being used to collect information about an identifiable
individual consumer. Additional concerns stem from the ability of anyone with a compatible
The use of RFID in the supply chain provides companies with the ability to better manage their
inventory without linking the product to personal information. These uses of the technology will
have positive effects for an organization without invading consumers’ informational privacy.
127
Supra note 34 at 3.
128
Supra note 1 at 19.
129
Ibid. at 15.
- 26 -
RFID systems, like those used in easy-pay systems, are linked directly to consumers, but, as with
any loyalty program, the consumer must register for the program and consent to the collection of
his or her personal information,130 thereby complying with the knowledge and consent principle
of privacy legislation. Unless the RFID-enabled tracking system has some way of linking the
item to the individual, an individual’s privacy will likely not be invaded, even if the tag is still
active once the individual removes the product from the store shelves.
Protection of personal informational privacy will become more important as the technology
becomes smaller, more discrete and able to transmit across greater distances.131 As a result,
privacy advocates are concerned with the ability of organizations to embed tags into objects
without the knowledge of the purchaser. As readers do not require a line of sight in order to be
able to capture the information stored on the tags, the tags could be read from a distance through
clothing or other material.132 The concern is that, as a result, individuals could be tracked
without their knowledge. As more and more consumer products and personal items, like
passports and money, are imbedded with RFID tags, the more possible it is that anyone with a
reader, not just the organization that manufactured or sold the product, will be able to capture
information stored on any one of these numerous tags.133 However, regardless of the number of
products that are imbedded with RFID chips, there has to be a system in place capable of linking
Companies will have to inform consumers, who themselves will have to be vigilant about staying
informed, about the products that contain tags, the location of the tags and readers, and the
130
Supra note 62.
131
Supra note 1 at 16.
132
Supra note 34.
133
Supra note 1 at 15.
- 27 -
purpose of any RFID systems being used. Efforts at devising standards for the development of
RFID, which, as mentioned above, includes features such as the ability of a tag to be
permanently deactivated after use, as in the Gen 2 standard, demonstrates a commitment to the
continued development of this technology with the protection of individual privacy as a key
concern.
Privacy watch groups recommend that the use of RFID-enabled technology be developed with
the three principles of informational privacy protection kept in mind. These three principles are
(i) notice and consent, (ii) choice, and (iii) control.134 As with any customer loyalty or rewards
program,135 consumers must be given notice of and consent to the program, be informed of what
information is being collected and how that information will be used. These programs should be
optional and an individual can opt in (and out) at any time without incurring any costs. Control
would also come in the form of consumers being able to choose to have their personal
information kept separate from the identity of the product.136 Additionally, following the
obtainment of the consumers’ consent, the collectors of such information will still be obliged to
limit the collection, use and disclosure for purposes that a reasonable person would consider
appropriate under the circumstances, and individuals must still retain their right to see the
personal information that are gathered and held about them, and to correct any inaccuracies.
134
Ibid. at 20.
135
Supra note 62.
136
Supra note 1 at 20.
- 28 -
The International Conference of Data Protection & Privacy Commissioners adopted a resolution
privacy where the tags are linked to personal information. This resolution is also based on the
international Fair Information Practices,138 which set out the minimum privacy standards that
apply to the collection of all personal information. The three principles highlighted in the
pervious paragraph, are only part of the Practices (which are consistent with the principles
forming the foundation of the private sector privacy laws in Canada139) and which also include
• placing limits on the collection of personal information by way of lawful and fair means with
• any personal information collected should be relevant, accurate, complete and up-to-date;
• the data collected should be for a specific and current purpose, and should not be disclosed
other than for that purpose except with consent or as required by law;
• companies should be open about their policies for the collection and use of the personal
information;
137
Ibid. at 24.
138
Ibid. at 20.
139
Supra note 95; supra note 96.
- 29 -
accurate; and
• measures should be in place to ensure companies are held accountable for their collection and
Researchers and commentators in the field of RFID technology are discussing including features
in tags to prevent unwanted collection of personal information, such as having cashiers ask
customers whether they would like the tags deactivated at the point of purchase or requiring
consumers to ask for the tags in the products to be deactivated.141 Unfortunately, both of these
solutions rely on consumers and employees being informed about the system and could be
Additionally, an RFID blocker tag is being developed that would block the electromagnetic field
emitted by readers and prevent the capture of the data stored on the tag.142 While this solution
may be effective, it would be costly and would place the onus solely on the consumer. A more
popular solution with privacy advocates includes installing “kill switches”143 in the tags, so that
such tags will be permanently deactivated once a customer exits the store. This solution is
supported by the MIT Auto-ID Center and has been adopted by several producers of RFID
tags.144 However, none of these solutions conforms to the “notice and consent” principle of
informational privacy.
140
Supra note 1 at 20-21.
141
Ibid. at 19-20.
142
Ibid. at 18-19.
143
Ibid. at 19.
144
Ibid.
- 30 -
A paper released by the Electronic Privacy Information Center (“EPIC”) has expanded on the
Fair Information Practices specifically as they relate to RFID technology.145 This position paper
concludes that retailers should be prevented from forcing consumers into accepting live or
dormant tags in products and, without the informed written consent of consumers, they should
not be able to track the consumer. As well, the group suggests that consumers should be allowed
to use any means available to detect and disable tags in products they purchase. The group is
also opposed to the use of RFID technology in personal items, such as money, on the basis that it
Adherence to the principles of privacy will enable organizations to implement RFID technology
in ways that will have beneficial results for their business without alienating their consumers by
As with any technology, patent infringement and disputes over patents are issues that users of the
technology must bear in mind. Currently, it is unclear whether it is possible to develop an RFID
system using the Gen 2 standard without infringing any one of the 140 RFID patents Intermec
Technologies Corp. (“Intermec”) claims to own.147 Intermec sells a variety of RFID products,
145
Ibid. at 21.
146
Ibid. at 21-22.
147
Kenneth A. Alder, “RFID Technology and Intellectual Property May Be an Ever-Shifting Legal Landscape”
RFID Product News (July/August 2005).
148
Bob Brewin, “Intermec sues Matrics over RFID patent infringement” ComputerWorld (9 June 2004), online:
ComputerWorld <http://www.computerworld.com>.
- 31 -
Recently, Intermec claimed that 18 of its patents were “essential” to developing a Gen 2 standard
compatible RFID system. Initially, it was prepared to donate five of these “essential” patents on
a royalty-free basis, while offering licenses for an additional nine. However, EPCglobal
reportedly was of the opinion that none of Intermec’s patents were, in fact, essential for the
implementation of the Gen 2 standard. Following this announcement, Intermec revoked its
original offer and now requires any company looking to utilize the Gen 2 standard in
Intermec claims that because of the number of RFID patents it has registered, no company would
be able to design a functioning RFID system based on the Gen 2 standard without infringing any
of its patents.149 In fact, Intermec has been involved in law suits with Matrics Inc.150 and Symbol
Technologies Inc.151 (“Symbol”) in the U.S. over RFID patents. Proponents of this technology
believe that these disputes have the potential of derailing widespread implementation of RFID
systems and increasing the cost of the technology, a fact that already prohibits the use of RFID is
On a positive note, Symbol and Intermec agreed on September 12, 2005 to settle much of their
year-long dispute over intellectual property for RFID. Previously, Symbol had acquired Matrics,
which Intermec alleged had infringed on Intermec’s patents. In March, 2004 Symbol had sued
Intermec for patent infringement and at the same time pulled out of an agreement to supply
Internec with laser-scan engines. Intermec countersued with another patent suit against Symbol.
Under the terms of the settlement, each vendor agreed to license technology from the other and
149
Supra note 147.
150
Supra note 148.
151
“Symbol Sues Intermec for Patent Infringement” RFIDNews (11 March 2005), online: RFIDNews
<http://rfidnews.org>.
152
CNET News, supra note 42.
- 32 -
Symbol also agreed to join Intermec’s “Rapid Start” RFID licensing program, which provides
access to various Intermec technologies, including RFID tags and portable readers. Intermec
will gain access to Symbol’s intellectual property through the cross-licensing of Rapid Start.
The companies also agreed to dismiss most of their pending suits against one another and put the
remainder on hold for 90 days while they tried to work out any unresolved intellectual property
issues.153
Despite these patent disputes, a number of companies are continuing to develop and implement
RFID systems, illustrating that companies appear willing to risk the possibility of facing
infringement claims in order to achieve the benefits to their business that RFID heralds. Certain
companies believe that patent disputes are a normal part of setting intellectual property
standards,154 and while many in the industry support the development of a royalty-free interface
standard,155 some companies believe that any royalties will be negligible as compared to the cost
5.4 Licensing
Related to the issues surrounding the RFID patents are licensing issues. Following the conflict
over which Intermec patents were essential to the use of the Gen 2 standard, Intermec introduced
its “Rapid Start” RFID licensing program.157 Pursuant to this program, Intermec offered blanket
licenses to its four portfolios of RFID patents. One element of this program, which highlights
another issue related to licensing, is that the agreements signed between Intermec and the
153
S. Lawson, “Symbol, Intermec Settle Most Patent Disputes Over RFID”, Computerworld (September 12, 2005).
154
Ibid.
155
Clint Boulton, “Symbol Strikes Over RFID Patents” Wireless (29 April 2005), online: Internetnews.com
<http://www.internetnews.com>.
156
CNET News, supra note 42.
157
Supra note 147.
- 33 -
offset some of the costs associated with the licensing arrangement.158 However, companies will
have to be conscious of any restrictions in its own licenses that may prohibit a cross-licensing
arrangement.
Further, companies will have to be aware of any restrictions in software and hardware licenses
that may restrict its ability to implement an RFID system.159 In order for a company to derive
benefits from the use of this technology, the RFID technology will have to either be integrated
into or will have to replace a company’s current tracking system and information databases,
6. Implementing RFID
The issues discussed above must be considered by any organization considering implementing an
RFID system. Primary consideration must be given to the business objectives for implementing
the technology. RFID technology can be designed in a variety of ways and for a variety of
functions, and therefore a company must first consider what the system is meant to achieve.
A company considering implementing an RFID system must define the purpose behind
implementing the system. Is the system going to be used only to track products as they proceed
along the assembly line? Is it to improve supply chain management? Is the system to better
manage in-store inventory? Or is the system going to be used to gather information about
158
Ibid.
159
Kenneth A. Adler, “RFID in Healthcare” Healthcare Informatics (May 2005), online: Healthcare Informatics
<http://www.healthcare-informatics.com>.
- 34 -
identifiable customers? Each implementation involves different considerations and will require
different tag and reader features. A system that will track and gather consumer intelligence will
have different legal obligations than a purely supply chain-oriented system, such as the
undisputed requirement of the company’s owner to comply with PIPEDA and other similar
The business objectives should also consider whether and/or how the RFID technology can be
integrated with the information systems already in use. Can the hardware and software currently
in use in the business be adapted or upgraded to seamlessly integrate the RFID technology or
will the company require an entire systems overhaul? The company would be well advised to
map their entire system in order to be able to anticipate any potential integration problems.160
These decisions will likely be influenced by any restrictions in current software and hardware
licenses.161 This would likely involve counsel reviewing all licenses currently being used by the
The intended use of the technology and the environment in which the system will be
implemented are additional factors requiring consideration prior to deciding on a supplier. Are
active or passive tags best suited to the company’s facilities and intended use? Are the tags only
meant to be used once and then discarded or should they be able to be read and rewritten
numerous times? Will the system be used outdoors? Do the readers need to be able to capture
the data stored on the tags from long distances or at various points in a facility? Counsel will
160
Marc Dautlich, “Before you roll out RFID… read this” silicon.com (20 January 2005), online: silicon.com
<http://comment.silicon.com>.
161
Supra note 159.
- 35 -
also need to have a good understanding of the supply chain, assembly line or store layout to be
These business goals will have to be translated into contractual provisions with the RFID
should keep in the forefront of their minds their client’s objectives and ensure that the contract
includes representations that the system will function appropriately and effectively given the
desired results. Additionally, the contract should include mechanisms to revisit the contract
should the system fail to meet these goals at some point in the future or should the company’s
goals change over the course of the license.163 Additionally, the contract must include penalties
Once the business objectives have been identified, a company can canvass the service providers
for the technology components that will best meet its needs. This will result in determining
whether it is more advantageous to use one integrated supplier or to license the various
components from different suppliers.164 This decision will likely be influenced by widespread
implementation of the Gen 2 standard. If all components are based on one uniform protocol, a
company can more easily purchase the various components from different vendors. However,
with the murkiness surrounding the Gen 2 standard and use of Intermec’s patents, using one
162
Supra note 160.
163
Ibid.
164
Supra note 159.
- 36 -
6.2 Patents
The decision as to which service provider to select should be informed by the status of the
vendor’s RFID intellectual property.165 Counsel should investigate which suppliers are licensed
to use the RFID technology they provide (i.e. have signed a licensing agreement with Intermec)
and which have relied on the Gen 2 standard and EPCglobal’s claim that none of Intermec’s
Concerns over patent issues might be more easily dealt with through contracting with one
integrated supplier. Regardless of the supplier, counsel for a client implementing this technology
should (i) identify all of the components required for the client’s system and require each
supplier to identify the owner of any intellectual property for each RFID component; (ii) include
language in the licensing contract confirming that the supplier has made all required royalty
payments; and (iii) confirm that it has the authority to permit the use of the equipment and the
software that it is providing under the contract.166 Additionally, counsel should negotiate to have
the supplier indemnify and hold harmless its client for any and all intellectual property
infringement claims arising from the use of the technology in the client’s business, preferably on
a global basis.167
6.3 Privacy
Companies will have to pay particular attention to protecting the privacy of their customers
and/or employees if the objective for, or result of, implementing an RFID system is, even in part,
to be able to link products to specific individuals. As has been previously discussed, RFID
165
Ibid.
166
Supra note 147.
167
Ibid.
- 37 -
technology is a hot-button item for privacy advocates today and to date, consumer protests and
implementations.
Companies would be wise to not only comply with the legal requirements under PIPEDA (or
other applicable privacy legislation) but to also consider complying with the Fair Information
Practices discussed earlier in the paper. As RFID technology continues to develop, remedies for
invasion of “informational privacy” will likely continue to develop and solidify at common law.
While legislation like PIPEDA and its provincial equivalents has been implemented, in part, to
fill the gap left by the failure of the common law to create or evolve a general tort remedy for
conduct which constitutes an invasion of privacy,168 the common law has been reluctant to
recognize a right of action for invasion of informational privacy. As the technology continues to
advance, both the common law and the provincial legislatures may likely continue to develop the
In addition to the use and environmental considerations discussed above, concerns about the
protection of personal information will impact decisions about the type of technology a company
will implement and the suppliers best suited to provide the various components. For example, if
a company is looking to implement RFID technology in a mass retail setting, it would be wise to
consider purchasing tags with built-in “kill switches” that deactivate the tags once the tagged
item is removed from the store. Organizations should consider the best way to incorporate a
168
G.H.L. Fridman, The Law of Torts in Canada, 2nd ed. (Toronto: Carswell, 2002) at 708.
- 38 -
the RFID technology, how it works, any personal information which may be collected and why it
is being collected, and how an individual can disable the tags. In order to avoid the application
company may want to consider designing the tags to emit a series of random pseudonyms as
person and only retain the generic information. Finally, the organization must ensure, as with
any other information technology, that it has adequate information security in place.
After the company has identified its objectives and selected its RFID suppliers, and during the
design and implementation process, it should also consider drafting internal policies to govern
the use of RFID technology and to educate both its employees and customers. These policies
could include what the technology is being used for, how it works and, if the tagged item is
communicate to employees whether a record of every swipe of their access card linked to them
as individuals is kept for any specified length of time.169 If employees are going to be required
to inform customers about the technology, the company may want to consider implementing
employee training programs and producing educational material to be provided to the customers.
Internal policies will also be important for an organization as a means of documenting its
compliance with any applicable privacy legislation. For example, the principle of accountability
169
Supra note 37.
- 39 -
responsible for the organization’s compliance with the legislation, while the principle of
7. Conclusion
Where does RFID stand today? Regrettably, as noted in a recent “Forecast 2006” article in
Computerworld, the high cost and complexity of RFID continues to block widespread adaption
by enterprises, notwithstanding the fact that the IT trade press and industry analysts alike have
been hailing RFID as the “second coming of bar codes”.171 To date, most users have
implemented only small, low-impact pilots that are a long way from becoming a key part of the
“second” among technologies that hold promise for their companies or industries, but “first”
among technologies that have not lived up to their hype.172 Complex deployment and entrenched
tracking systems (most notably those old reliable bar code systems) are keeping RFID on the
back burner at many organizations. Companies are also not certain what to with the data that
they collect, as much of contains little useful information. RFID is still in the early adapter
phase, with cost being the main problem (including the cost of the tags alone) and small
companies are reluctant to justify the cost. From a business standpoint, despite the variety of
features and functions of an RFID system, the fact remains that it may not be suitable for every
170
Office of the Privacy Commissioner of Canada, Fact Sheet, “Complying with the Personal Information
Protection and Electronic Documents Act” (20 June 2005).
171
Supra note 70 at 34.
172
Ibid.
- 40 -
business. Companies must evaluate their goals, current information technology systems, and the
Despite the foregoing, there is little doubt that RFID technology can make a business more
effective, having benefits that flow all the way along a supply chain, from manufacturers to
strong-arm suppliers into using RFID, but so will developing standards such as passive UHF
Generation 2, which is being used by Wal-Mart, Target Corp. and the U.S. Defense
Department.173 While ultimately RFID will replace bar codes and other network tracking
technologies, users will closely watch how RFID’s early adapters (as well as those companies
that are compelled to use it by large influential players such as Wal-Mart)174 can improve their
From a legal standpoint, as with any new technology, a number of legal issues need to be
intended use of the technology, companies may need to pay particular attention to protecting the
privacy of their customers. As has been discussed, RFID is a topic of great concern for privacy
advocates today, and companies would be well advised to be open about their proposed
implementation and use of the technology. The small size of the tags and their ability to
uniquely identify individual objects present potential violations of Canadian privacy legislation.
173
Supra note 70 at 35.
174
In a recent article in Computerworld, Marc. L. Songini reported that when Wal-Mart first went live with RFID in
January 2005, they had more than 100 suppliers tagging products. It now has more than three times that number
involved, feeding RFID-tagged goods to 500 Wal-Mart facilities through five distibution centers. The company
expects the number of stores capable of handling RFID-tagged items to double to 1,000 by January 2007, with 600
suppliers employing the technology by then. See Marc L. Songini, “Wal-Mart Details its RFID Journey”,
Computerword (2 March 2006) available online at
<www.computerworld.com/industrytopics/retail/story/0,10801,109132p2,00.html>.
175
Supra note 70 at 35.
- 41 -
Organizations that implement RFID must fully comply with all applicable legislation, like
PIPEDA and its provincial equivalents, and should consider using the principles underlying
private sector privacy legislation as a framework for designing effective and compliant RFID-
consequences for any adopters of RFID that will significantly nullify any anticipated business
TOR_LAW\ 6253853\6