Legal Issues Impacting RFID Technology in India

8/6/2019 Legal Issues Impacting RFID Technology in India

1/44

The 2nd Annual RFID India InformediaThe 2nd Annual RFID India Informedia

India Conference 2008India Conference 20082222--23 July 200823 July 2008

ITC Grand Maratha, Mumbai.ITC Grand Maratha, Mumbai.

RFID TECHNOLOGYRFID TECHNOLOGY-- A LEGAL ANALYSISA LEGAL ANALYSIS

Karnika Seth

Cyber law ExpertCyber law Expert & Managing Partner& Managing Partner

SETH ASSOCIATESSETH ASSOCIATESADVOCATES AND LEGALADVOCATES AND LEGAL

CONSULTANTSCONSULTANTS

2008 Seth Associates. All Rights Reserved.


2/44

Legal Issues Impacting RFIDLegal Issues Impacting RFID

Technology in IndiaTechnology in India

RFID TechnologyRFID Technology-- an Introductionan Introduction

RFID Applications in IndiaRFID Applications in India

Legal Approvals & compliancesLegal Approvals & compliances

Global standardisationGlobal standardisation

Legal IssuesLegal Issues

Privacy and Data ProtectionPrivacy and Data Protection

Security and other issuesSecurity and other issues


3/44

RFID TechnologyRFID Technology-- An IntroductionAn Introduction

Radio Frequency Identification (RFID) Technology uses radio waves to

automatically identify wirelessly, contact less and without visibility objects

which, or people who have an RFID tag attached. It is grouped under the

broad category of automatic identification technologies.

It consists of two parts: a tag that contains an identification number and a

reader who works as a scanner that triggers the tag to broadcast itsidentification number. This number usually acts as an input to further data

processing. RFID is designed to enable readers to capture data on tags and

transmit it to computer system without needing a person to be involved.

A typical RFID tag consists of a small integrated circuit attached to a radio

antenna, capable of transmitting a unique serial number at a distance ofseveral meters to a reading device in response to a query.

RFID tags can be active, semi-active or passive.


4/44

RFID TechnologyRFID Technology-- an Introductionan Introduction

Technology behind RFIDTechnology behind RFID

An electromagnetic or electrostatic coupling in theAn electromagnetic or electrostatic coupling in the RFRF (radio frequency)(radio frequency)portion of the electromagnetic spectrum is used to transmit signals.portion of the electromagnetic spectrum is used to transmit signals.

TheThe RFID systemRFID system consists of an antenna and aconsists of an antenna and a transceivertransceiver, which reads, which readsthe radio frequency and transfers the information to a processingthe radio frequency and transfers the information to a processing devicedevice(reader) and a(reader) and a transpondertransponder, or, orRF tagRF tag, which contains the RF circuitry and, which contains the RF circuitry andinformation to be transmitted.information to be transmitted.

The Radio frequency band allocated to India for RFID is 865The Radio frequency band allocated to India for RFID is 865 867 MHz.867 MHz.This band has been freed solely for RFID since March 2005.This band has been freed solely for RFID since March 2005.

RFID systems can use a variety of frequencies to communicate, butRFID systems can use a variety of frequencies to communicate, butbecause radio waves work and act differently at different frequencies, abecause radio waves work and act differently at different frequencies, afrequency for a specific RFID system is often dependant on its applicationfrequency for a specific RFID system is often dependant on its application


5/44

RFID Applications in IndiaRFID Applications in India

All Rights Reserved Seth Associates All Rights Reserved Seth Associates

Few ExamplesFew Examples

Transport industryTransport industryThe Minister of Road Transport and Highways, Government of India, launched aThe Minister of Road Transport and Highways, Government of India, launched a

pilot project for radio frequency identification (RFID)pilot project for radio frequency identification (RFID)--based vehicle tracking projectbased vehicle tracking project

on the Delhion the Delhi--Jaipur highway of India.Jaipur highway of India.

Under the project, 68 buses of Rajasthan State Road Transport CorporationUnder the project, 68 buses of Rajasthan State Road Transport Corporation

(RSRTC) plying on the highway have been fitted with RFID tags and readers have(RSRTC) plying on the highway have been fitted with RFID tags and readers have

been placed to track the vehicle movement along the highway, whereby theirbeen placed to track the vehicle movement along the highway, whereby their

movement is being tracked, monitored and managedmovement is being tracked, monitored and managed

Apparel Tracking Using RFIDApparel Tracking Using RFID PantaloonsPantaloons

Pantaloon Retail (India) has piloted an RFID project at one its warehouses inPantaloon Retail (India) has piloted an RFID project at one its warehouses inTarapur using 1,000 RFID tags. The company is starting from where it matters theTarapur using 1,000 RFID tags. The company is starting from where it matters the

most by implementing the technology at the warehouse.most by implementing the technology at the warehouse.

TicketingTicketing

More recently, NXP Semiconductors, SmartTags and Gemini Traze haveMore recently, NXP Semiconductors, SmartTags and Gemini Traze have

collaborated to implement a handscollaborated to implement a hands--free RFID ticketing solution for a sportingfree RFID ticketing solution for a sporting

event.event.


6/44

RFID Applications in IndiaRFID Applications in IndiaRFID in the Pharmaceutical IndustryRFID in the Pharmaceutical Industry

(Ranbaxy), a wholly owned subsidiary of Ranbaxy Laboratories Limited,(Ranbaxy), a wholly owned subsidiary of Ranbaxy Laboratories Limited,

Indias largest pharmaceutical company, has chosen Acsis to implement aIndias largest pharmaceutical company, has chosen Acsis to implement a

radio frequency identification (RFID) tracking system to meet Walradio frequency identification (RFID) tracking system to meet Wal--MartsMarts

RFID mandate for its Class 2 pharmaceutical suppliers.RFID mandate for its Class 2 pharmaceutical suppliers.

Animal TrackingAnimal Tracking

The Kopordem farm at Valpoi in Sattari Taluk in North Goa has become theThe Kopordem farm at Valpoi in Sattari Taluk in North Goa has become the

first farm in India to use RFID microchips that can be injected into thefirst farm in India to use RFID microchips that can be injected into the

animal's body.animal's body.

Manufacturing Sector

Wipros Manufacturing Solutions Center ofExcellence (CoE) has a

dedicated team of consultants who help customers define, analyze, design

and implement RFID solutions. Amongst others, their RFID solutionsinclude a Wireless Yard Management System for a large automobile

manufacturer and a Real-Time WIP Tracking System for an electronic

component product manufacturer


7/44

Legal approvals & compliancesLegal approvals & compliances--

Statutory framework & Regulatory AuthorityStatutory framework & Regulatory Authority

Wireless Planning and Coordination Wing of Ministry of Communications andWireless Planning and Coordination Wing of Ministry of Communications andInformation Technology, Government of India deals with issues of licensing use ofInformation Technology, Government of India deals with issues of licensing use ofRFID devices in India.RFID devices in India.

Indian Wireless Telegraphy ActIndian Wireless Telegraphy Act

Indian Wireless Telegraphy Act 1933Indian Wireless Telegraphy Act 1933--An Act to regulate the possession ofAn Act to regulate the possession of

wireless telegraphy apparatuswireless telegraphy apparatus--wireless communication defined in

Section 2 of the

wireless communication defined in

Section 2 of theAct means any transmission, omission or reception of signs, signals, writing, imagesAct means any transmission, omission or reception of signs, signals, writing, images

and sounds, or intelligence of any nature by means of electricity, magnetism, orand sounds, or intelligence of any nature by means of electricity, magnetism, orRadio waves or Hertzian waves, without the use of wires or other continuousRadio waves or Hertzian waves, without the use of wires or other continuouselectrical conductors between the transmitting and the receiving apparatus;electrical conductors between the transmitting and the receiving apparatus;

Explanation.Explanation.Radio waves orHertzian waves means electromagnetic waves ofRadio waves orHertzian waves means electromagnetic waves offrequencies lower than 3,000 gigacycles per second propagated in space withoutfrequencies lower than 3,000 gigacycles per second propagated in space withoutartificial guide;artificial guide;

Section 5 of the Indian Wireless Telegraphy Act 1933Section 5 of the Indian Wireless Telegraphy Act 1933-- Licences.Licences.TheThetelegraphy authority constituted under the Indian Telegraph Act, 1885, shall be thetelegraphy authority constituted under the Indian Telegraph Act, 1885, shall be theauthority competent to issue licences to possess wireless telegraphy apparatus underauthority competent to issue licences to possess wireless telegraphy apparatus underthis Act, and may issue licences in such manner, on such conditions and subject tothis Act, and may issue licences in such manner, on such conditions and subject tosuch payments, as may be prescribed.such payments, as may be prescribed.

According toAccording to SectionSection 33 of the Act Possession of wireless telegraphy apparatusof the Act Possession of wireless telegraphy apparatuswithout licence is strictly prohibitedwithout licence is strictly prohibited--possessing wireless transmitter without licencepossessing wireless transmitter without licence --33years punishment , fine or both.years punishment , fine or both. Section 4Section 4 deals with Power of Central Governmentdeals with Power of Central Government

to exempt persons from provisions of the Act andto exempt persons from provisions of the Act and Section 10Section 10 elucidates Power ofelucidates Power ofCentral Government to make rulesCentral Government to make rules


8/44

Indian Telegraph ActIndian Telegraph Act

TheThe Indian Telegraph ActIndian Telegraph Act was passed by the Legislature in 1885 and it came intowas passed by the Legislature in 1885 and it came intoforce on 1st October, 1885force on 1st October, 1885--An Act to amend the law relating to Telegraphs in IndiaAn Act to amend the law relating to Telegraphs in India

TelegraphTelegraph which expression by the definition would include a telephone and FAX which expression by the definition would include a telephone and FAXalso. A video and Television both fall with in the definition ofalso. A video and Television both fall with in the definition oftelegraphtelegraph. A telegraph. A telegraphwireless receiving station is a wireless receiving station is a telegraphtelegraph as defined in the Act.Section 3 of the as defined in the Act.Section 3 of theI

ndian Telegraph ActI

ndian Telegraph Act defines Telegraph asdefines Telegraph as -- ""telegraphtelegraph" means any appliance," means any appliance,instrument, material or apparatus used or capable of use for transmission orinstrument, material or apparatus used or capable of use for transmission orreception of signs, signals, writing, images, and sounds or intelligence of any naturereception of signs, signals, writing, images, and sounds or intelligence of any natureby wire, visual or other electroby wire, visual or other electro--magnetic emissions, Radio waves or Hertzian waves,magnetic emissions, Radio waves or Hertzian waves,galvanic, electric or magnetic means;galvanic, electric or magnetic means;

ExplanationExplanation ""Radio wavesRadio waves" or "" or "Hertzian wavesHertzian waves" means electro magnetic waves" means electro magnetic wavesof frequencies lower than 3,000 gigaof frequencies lower than 3,000 giga--cycles per sound propagated in space withoutcycles per sound propagated in space withoutartificial guide.artificial guide.

""telegraph authoritytelegraph authority" means the" means the DirectorDirector--General of Posts and Telegraphs,General of Posts and Telegraphs, andandincludes any officer empowered by him to perform all or any of the functions of theincludes any officer empowered by him to perform all or any of the functions of thetelegraph authority under this Act;telegraph authority under this Act;

Section 4 of the Indian Telegraph ActSection 4 of the Indian Telegraph Act-- Exclusive privilege in respect ofExclusive privilege in respect oftelegraphs, and power to grant licencestelegraphs, and power to grant licences


9/44

Power to Grant RFID License inPower to Grant RFID License in

IndiaIndia Section 4Section 4 Indian Telegraph ActIndian Telegraph Act-- Exclusive privilegeExclusive privilege in respect of telegraphs,in respect of telegraphs,and power to grant licencesand power to grant licences

(1) Within India, the(1) Within India, the Central GovernmentCentral Government shall have the exclusive privilege ofshall have the exclusive privilege ofestablishing, maintaining and working telegraphs:establishing, maintaining and working telegraphs:

Provided that theProvided that the Central Government may grant a licence, on suchCentral Government may grant a licence, on suchconditions and in consideration of such payments as it thinks fit, toconditions and in consideration of such payments as it thinks fit, toany person to establish, maintain or work a telegraph within any partany person to establish, maintain or work a telegraph within any partofIndiaofIndia::

Provided further that the Central Government may, by rules made under thisProvided further that the Central Government may, by rules made under thisAct and published in the OfficialGazette, permit, subject to such restrictionsAct and published in the OfficialGazette, permit, subject to such restrictionsand conditions as it thinks fit, the establishment, maintenance andand conditions as it thinks fit, the establishment, maintenance andworkingworking

(a) of wireless telegraphs on ships within Indian territorial waters and on aircraft(a) of wireless telegraphs on ships within Indian territorial waters and on aircraft

within or above India, or Indian territorial waters, andwithin or above India, or Indian territorial waters, and(b) of telegraphs other than wireless telegraphs within any part of India.(b) of telegraphs other than wireless telegraphs within any part of India.

Section 8(2) The Central Government may, by notification in theSection 8(2) The Central Government may, by notification in theOfficial Gazette, delegate to the telegraph authority all or any of itsOfficial Gazette, delegate to the telegraph authority all or any of itspowers under the first proviso to subpowers under the first proviso to sub--section (1).section (1).

The exercise by the telegraph authority of any power so delegatedThe exercise by the telegraph authority of any power so delegatedshall be subject to such restrictions and conditions as the Centralshall be subject to such restrictions and conditions as the Central

Government may, by the notification, think fit to imposeGovernment may, by the notification, think fit to impose..


10/44

Revocation ofRFID licenses in IndiaRevocation ofRFID licenses in India

Section 8Section 8--Indian Telegraph ActIndian Telegraph ActRevocation of licencesRevocation of licences

The Central Government may, at anyThe Central Government may, at anytime, revoke any license grantedtime, revoke any license grantedunder section 4, on the breach ofunder section 4, on the breach ofany of the conditions thereinany of the conditions therein

contained, or in default of paymentcontained, or in default of paymentof any consideration payableof any consideration payablethereunder.thereunder.


11/44

Radio Frequency Identification DevicesRadio Frequency Identification Devices

(Exemption from Licensing Requirement) Rules,(Exemption from Licensing Requirement) Rules,

20052005 Use of low powerEquipment in the frequency band 865Use of low powerEquipment in the frequency band 865 867 MHz for867 MHz for

(RFID) Radio Frequency Identification Devices (Exemption from Licensing(RFID) Radio Frequency Identification Devices (Exemption from LicensingRequirement) Rules, 2005Requirement) Rules, 2005 --rules were published in the Gazette of India,rules were published in the Gazette of India,Part II, Section 3, SubPart II, Section 3, Sub--Section (i), dated the 11th March, 2005, videSection (i), dated the 11th March, 2005, videnotification No.168 (E), dated the 11th March, 2005.notification No.168 (E), dated the 11th March, 2005.

Rule 3.Rule 3. Use of wireless equipment in the band 865Use of wireless equipment in the band 865 867 MHz.867 MHz.--Notwithstanding anything contained in any law for the time being in force,Notwithstanding anything contained in any law for the time being in force,no licence shall be required by any person to establish, maintain, work,no licence shall be required by any person to establish, maintain, work,possess or deal in Radio Frequency Identification Devices (RFID), on nonpossess or deal in Radio Frequency Identification Devices (RFID), on non--interference, noninterference, non--protection and nonprotection and non--exclusive basis, in the frequencyexclusive basis, in the frequency bandband865865 867 MHz with maximum 1 Watt transmitter power867 MHz with maximum 1 Watt transmitter power,, 4 Watts4 Watts EffectiveEffectiveRadiated PowerRadiated Power andand 200 kHz carrier bandwidth200 kHz carrier bandwidth..

Rule 4Rule 4. In case where any person to whom a licence has been issued under. In case where any person to whom a licence has been issued undersection 4 of the Act, informs that his licensed system is getting harmfulsection 4 of the Act, informs that his licensed system is getting harmfulinterference from any other radio communication system exempted underinterference from any other radio communication system exempted underthese rules, the use of such unlicensed Wireless equipment shall bethese rules, the use of such unlicensed Wireless equipment shall bediscontinued forthwith.discontinued forthwith.


12/44

RFIDRFID StandardisationStandardisation

RFID standards first came into being during the early 1990s, whenRFID standards first came into being during the early 1990s, whenthe (newly created) CENTC225 committee on bar coding focused thethe (newly created) CENTC225 committee on bar coding focused the

attention on automatic ID techniques in general.attention on automatic ID techniques in general.

There are two competing initiatives in the RFID standardisationThere are two competing initiatives in the RFID standardisation

arena:arena: ISO and EPC global.ISO and EPC global.

There are also a number of special interest groups including industryThere are also a number of special interest groups including industry

specific such as the American Trucking Association in the transportspecific such as the American Trucking Association in the transport

industry, the NFC forum in consumer electronics, mobile devices andindustry, the NFC forum in consumer electronics, mobile devices and

computer industry or the Automotive Industry Action Group in thecomputer industry or the Automotive Industry Action Group in theautomotive industry that seek to influence RFID standardsautomotive industry that seek to influence RFID standards

development.development.


13/44

International Organization for StandardizationInternational Organization for Standardization

((ISO) approachISO) approach

The ISO approachThe ISO approach

RFID standards first came into being during the early 1990s, when the (newlyRFID standards first came into being during the early 1990s, when the (newlycreated) CENTC225 committee on bar coding focused the attention on automatic IDcreated) CENTC225 committee on bar coding focused the attention on automatic IDtechniques in general.techniques in general.

During the early 1990s, the standardisation activity on automatic ID techniques wasDuring the early 1990s, the standardisation activity on automatic ID techniques wasmainly carried out in Europe within the CEN standard body (TC225 committee), withmainly carried out in Europe within the CEN standard body (TC225 committee), withlittle involvement from the US. However, during the 1995, a joint ISO IEC JTC1little involvement from the US. However, during the 1995, a joint ISO IEC JTC1committeecommittee theSC31theSC31 was set up for standardisation of automatic identificationwas set up for standardisation of automatic identificationtechniques generally drawing from the earlier work on RFID standards within CEN.techniques generally drawing from the earlier work on RFID standards within CEN.

Another influence on the RFID work within ISO was the work on the G Tag initiativeAnother influence on the RFID work within ISO was the work on the G Tag initiativefor RFID standardisation of asset tracking and logistics which was launched by UCCfor RFID standardisation of asset tracking and logistics which was launched by UCCand EAN in 2000 along with input from international companies including Philipsand EAN in 2000 along with input from international companies including PhilipsSemiconductors, Intermec, and Gemplus.Semiconductors, Intermec, and Gemplus.

The members of the SC31 committees are the representatives of the nationalThe members of the SC31 committees are the representatives of the nationalstandard bodies such as in UK the BSI IST34 committee on bar coding, including thestandard bodies such as in UK the BSI IST34 committee on bar coding, including thesame people who tend to participate in CEN TC225. They represent either internalsame people who tend to participate in CEN TC225. They represent either internal

consultants within big corporations,or external consultants which are representing theconsultants within big corporations,or external consultants which are representing theinterest of different companies. As a result,three different levels of representativenessinterest of different companies. As a result,three different levels of representativeness(and thus interests) can be identified in the ISO process: the individual, the(and thus interests) can be identified in the ISO process: the individual, theorganisational, and the national levelorganisational, and the national level..


14/44

StandardisationStandardisation--The ISO approachThe ISO approach

RFID ISO standards cover 4 different areas: technologyRFID ISO standards cover 4 different areas: technology

(e.g. ISO 18000 series), data content(e.g. ISO 15418),(e.g. ISO 18000 series), data content(e.g. ISO 15418),

conformance and performance (e.g. ISO

18046), andconformance and performance (e.g. ISO

18046), andapplication standards(e.g. ISO 10374) .application standards(e.g. ISO 10374) .

The ISO standards are defined at a very high level,The ISO standards are defined at a very high level,

focusing on the interface rather than on the data which isfocusing on the interface rather than on the data which is

transported. As a result, ISO standards are generic,transported. As a result, ISO standards are generic,

being able to be supported by any system and in anybeing able to be supported by any system and in anycontext, irrespective of the data that is being carried.context, irrespective of the data that is being carried.


15/44

RFID StandardisationRFID Standardisation

TheThe Electronic Product CodeElectronic Product Code (E(EPC) Global approachPC) Global approach

MIT and UCC together with a number of industrial partners includingMIT and UCC together with a number of industrial partners includingProcter & Gamble, Gilette and WalProcter & Gamble, Gilette and Wal--Mart set up the AutoMart set up the Auto--IDIDconsortium in 1999 to research RFID technologies and standards.consortium in 1999 to research RFID technologies and standards.

The members included end users, primarily from consumerThe members included end users, primarily from consumerpackaged goods, large retailers and solution providers, includingpackaged goods, large retailers and solution providers, includinghardware and software providers and consultants. The Autohardware and software providers and consultants. The Auto--IDIDmembers included large retailers such as Walmembers included large retailers such as Wal--Mart,Gilette, CocaMart,Gilette, CocaCola, Unilever, Tesco and Carrefour.Cola, Unilever, Tesco and Carrefour.

A new entity was created in October 2003, the EPC Global as a jointA new entity was created in October 2003, the EPC Global as a jointventure between UCC and EAN to undertake the standardisationventure between UCC and EAN to undertake the standardisationand commercialisation work within Autoand commercialisation work within Auto--ID.. Whereas AutoID.. Whereas Auto--ID wouldID wouldcontinue to research RFID technologies, EPC Global focuses oncontinue to research RFID technologies, EPC Global focuses onstandardisation activities, as well as their commercialisation.standardisation activities, as well as their commercialisation.


16/44

The EPC Global approachThe EPC Global approach

In contrast with ISO RFID standards which are generic standards,In contrast with ISO RFID standards which are generic standards,

EPC standards are specific.EPC standards are specific.

EPC standards describe the tag and the air interface depending onEPC standards describe the tag and the air interface depending onthe data being carried. EPCstandards prescribe the physicalthe data being carried. EPCstandards prescribe the physical

implementation of the tags and readers, rather then specifying theirimplementation of the tags and readers, rather then specifying their

generic characteristics. The standards are also much more limited ingeneric characteristics. The standards are also much more limited in

their scope, forexample where the ISO standards for air interfacetheir scope, forexample where the ISO standards for air interface

cover all the frequency range, EPC operatesonly within the UHFcover all the frequency range, EPC operatesonly within the UHFbetween 860between 860--930MHz with one standard for 13.56MHz930MHz with one standard for 13.56MHz


17/44

The EPC vs ISO Global approachThe EPC vs ISO Global approach

Whereas ISO can claim that it reflects the global requirements into aWhereas ISO can claim that it reflects the global requirements into alegitimate process (equalfooting and consensus based), EPClegitimate process (equalfooting and consensus based), EPCfocuses on speed and emphasises the broad support it receivesfocuses on speed and emphasises the broad support it receivesfrom the industry community.from the industry community.

The ISO and EPC processes can be seen as complementary, evenThe ISO and EPC processes can be seen as complementary, evenmore so when one consider that the only competing area is themore so when one consider that the only competing area is thestandard for air interfaces frequencies.standard for air interfaces frequencies.

However, for both EPC supporters and for ISO the need for a single,However, for both EPC supporters and for ISO the need for a single,global standard is impetuous.global standard is impetuous.

The benefits coming from standardization would be lost if in differentThe benefits coming from standardization would be lost if in differentparts of the globe, multinationals would have to invest in differentparts of the globe, multinationals would have to invest in differenttechnologies for RFIDtechnologies for RFID


18/44

Taxonomy of RFID tags and legalTaxonomy of RFID tags and legal

implicationsimplications Tags that only contain item numbers that cannot be linked to personsTags that only contain item numbers that cannot be linked to persons(usually passive tags(usually passive tags

Tags that may reveal the identity of persons through item numbers that areTags that may reveal the identity of persons through item numbers that arelinked to backend databases e.glinked to backend databases e.g by connecting the information obtained bythe tagged object that individuals carry with them and credit cards that theysubmit at the purchase point e.g to analyse the favourite shopping routes of

customers that have already been identified by one of the shops in the mallfor better management and promotion policy to increase consumption.

Tags that usually store personal dataTags that usually store personal data ( active tags) e.g passports issued( active tags) e.g passports issuedwith RFID technologywith RFID technology--RFID chips containing biometric informationRFID chips containing biometric information --Germany, BelgiumGermany, Belgium--

In compliance with the recommendations of the ICAO the Council of the

European Union adopted on 13/12/2004 a regulation mandating theinclusion of both facial image andfingerprints in future passports and traveldocuments issued by EU MemberStates. The new regulation aims at betterprotecting EU passports against forgery, at enabling better identification ofpassport holders and at harmonising security standard features used in theproduction of passports and travel documents issued by MemberStates-Council Regulation 2252/2004 on standards for security features andbiometrics in passports and travel documents issued by MemberStates.


19/44


Protecting the right to privacy and data protectionProtecting the right to privacy and data protectionconcernsconcerns..

Identification and profiling of a personIdentification and profiling of a person ( for example( for example--totoanalyse the favourite shopping routes of customers for

better management and promotion policy).

Unnoticed remote reading without line of sightUnnoticed remote reading without line of sight-- forfornoticing consumer preferences, worker surveillancenoticing consumer preferences, worker surveillance

Search, seizure law enforcement purposesSearch, seizure law enforcement purposesfor e.g -the lists of the movement of cars passingthrough the toll-controls, the tracking of people carryingRFID enabled IDs or passports, or even RFIDimplantedtags.


20/44


Impersonation and cheatingImpersonation and cheating

Chances of identity theft increase as unauthorised scanning of a personal data of anChances of identity theft increase as unauthorised scanning of a personal data of anindividual is possible by unlawful interceptionindividual is possible by unlawful interception

Monetary counterfeitMonetary counterfeit

Even the use of RFID tags in banknotes can be highly problematic in this perspective.Through RFID it will be possible to determine which banknotes were withdrawn by

whom from which automatic teller machine, or where those banknotes were thenused to buy certain products or services.

Protection of right to dignityProtection of right to dignity--In this regard, the Japanese program for the children)might breach children's right to privacy and dignity by treating them like cattle or apiece of inventory and by familiarizing them with an environment and a world ofabsolute surveillance. A group of children in Yokohama City in Japan wears activetags to keep them safe on their way to and from school. Each child participating tothe programme wears a bracelet with a RFID tag.


21/44


Unfair competition.Unfair competition.

Inexpensive tags simply do not have the memory to store lists of readersthat can authenticate themselves to the tag, in order to avoid unwantedreading of tags; and they don't have the power to call out to an enterpriseserver to get this information from a database. So they are exposed to

unauthorised reading by competitors, for instance if a rival enters the shopof a competitor and scans by a mobile reader its inventory.

Labour law.Labour law.

Besides, the use of the same RFID tags for other purposes, such as thesurveillance of employees which is already mentioned above, thistechnology may affect the health of employees in terms of possible radiationemitted during the data communication between tag and reader. It mightalso lead to cutting personnel as a result of rationalisation through the useof the technology.


22/44

Privacy and Data ProtectionPrivacy and Data Protection

Privacy is closely connected to Data Protection. An individuals dataPrivacy is closely connected to Data Protection. An individuals datalike his name address, telephonenumbers, profession, family,like his name address, telephonenumbers, profession, family,choices, etc. are often available at various places like schools,choices, etc. are often available at various places like schools,colleges, banks, directories, surveys and on various web sites.colleges, banks, directories, surveys and on various web sites.

Passing on such information to interested parties can lead toPassing on such information to interested parties can lead tointrusion in privacy likeintrusion in privacy like incessant marketing calls.incessant marketing calls.

It would be a misnomer to say that India does not have dataIt would be a misnomer to say that India does not have dataprotection legislation at all.protection legislation at all.

This is factually wrong. The fact is that there exists data protectionThis is factually wrong. The fact is that there exists data protectionlegislation in India.legislation in India. The subject matter of data protection and privacyThe subject matter of data protection and privacyhas been dealt within the Information Technology Act, 2000 but nothas been dealt within the Information Technology Act, 2000 but notin an exclusive manner.in an exclusive manner.


23/44

Data ProtectionData Protection--legislative domainlegislative domain--IndiaIndia

Data protection is not a subject in any of the three lists in ScheduleData protection is not a subject in any of the three lists in ScheduleVII of the Constitution of India.VII of the Constitution of India.

But Entry 97 of List 1 states: any other matter not enumerated inBut Entry 97 of List 1 states: any other matter not enumerated inList II and List III .List II and List III .

Thus only the Indian Parliament is competent to legislate on dataThus only the Indian Parliament is competent to legislate on dataprotection since it can be interpreted as any other matter notprotection since it can be interpreted as any other matter notenumerated in List II and List III. Data protection is, thus, a Centralenumerated in List II and List III. Data protection is, thus, a Centralsubject and only the Central Government is competent tosubject and only the Central Government is competent to frameframelegislations on issues dealing with data protection.legislations on issues dealing with data protection.

In fact, the Information Technology Act, 2000, enacted by the IndianIn fact, the Information Technology Act, 2000, enacted by the IndianParliament is the first legislation, which contains provisions on dataParliament is the first legislation, which contains provisions on dataprotection.protection.


24/44

Data Protection law in India andData Protection law in India and

RFIDRFID The IT Act, 2000 was enacted to provide legal recognition for transactions carried outThe IT Act, 2000 was enacted to provide legal recognition for transactions carried out

by means ofEDI and other means of electronic communication, commonly referred toby means ofEDI and other means of electronic communication, commonly referred toas eas e--commerce which involve use of alternatives to paper based methods ofcommerce which involve use of alternatives to paper based methods ofcommunication and storage of information to facilitate electronic filing of documentscommunication and storage of information to facilitate electronic filing of documentswith Government agencies.with Government agencies. RFID in essence falls within its operative domainRFID in essence falls within its operative domain

Section 2 definitionsSection 2 definitions-- ""computercomputer" means electronic, magnetic, optical or other high" means electronic, magnetic, optical or other high--speed date processing device or system which performs logical, arithmetic andspeed date processing device or system which performs logical, arithmetic and

memory functions by manipulations of electronic, magnetic or optical impulses, andmemory functions by manipulations of electronic, magnetic or optical impulses, andincludes all input, output, processing, storage, computer software or communicationincludes all input, output, processing, storage, computer software or communicationfacilities which are connected or relates to the computer in a computer system orfacilities which are connected or relates to the computer in a computer system orcomputer network;computer network;

""computer networkcomputer network" means the inter" means the inter--connection of one or more computers throughconnection of one or more computers through--

(i) the use of satellite, microwave, terrestrial lime or other communication media; and(i) the use of satellite, microwave, terrestrial lime or other communication media; and

(ii) terminals or a complex consisting of two or more interconnected computers(ii) terminals or a complex consisting of two or more interconnected computerswhether or not the interconnection is continuously maintained;whether or not the interconnection is continuously maintained;

""computer resourcescomputer resources" means computer, computer system, computer network, data," means computer, computer system, computer network, data,computer database or software;computer database or software;

""computer systemcomputer system" means a device or collection of devices, including input and" means a device or collection of devices, including input andoutput support devices and excluding calculators which are not programmable andoutput support devices and excluding calculators which are not programmable andcapable being used in conjunction with external files which contain computercapable being used in conjunction with external files which contain computerprogrammes, electronic instructions, input data and output data that performs logic,programmes, electronic instructions, input data and output data that performs logic,arithmetic, data storage and retrieval, communication control and other functions;arithmetic, data storage and retrieval, communication control and other functions;


25/44

The Information Technology Act, 2000The Information Technology Act, 2000

The Indian Parliament enacted an Act called the InformationThe Indian Parliament enacted an Act called the InformationTechnology Act, 2000. It received the assent of the President on theTechnology Act, 2000. It received the assent of the President on the9th June, 2000 and is effective from 17th9th June, 2000 and is effective from 17thOctober, 2000.October, 2000.

This Act is based on the Resolution A/RES/51/162 adopted by theThis Act is based on the Resolution A/RES/51/162 adopted by theGeneral Assembly of the United Nations on 30th January, 1997General Assembly of the United Nations on 30th January, 1997regarding the Model Law on Electronic Commerce earlier adoptedregarding the Model Law on Electronic Commerce earlier adoptedby the United Nations Commission on International Trade Lawby the United Nations Commission on International Trade Law(UNCITRAL) in its twenty(UNCITRAL) in its twenty--ninth session.ninth session.

The aforesaid resolution of theU

.N.G

eneral AssemblyThe aforesaid resolution of theU

.N.G

eneral Assemblyrrecommendsecommends that all States give favourable consideration to thethat all States give favourable consideration to theModel Law on Electronic Commerce when they enact or revise theirModel Law on Electronic Commerce when they enact or revise theirlaws, in view of the need for uniformity of the law applicable tolaws, in view of the need for uniformity of the law applicable toalternatives to paperalternatives to paper--based methods of communication and storagebased methods of communication and storageof information.of information.


26/44

Main principles of the InformationMain principles of the Information

Technology Act, 2000Technology Act, 2000

It is significant to note that by enactment of the Information Technology Act,It is significant to note that by enactment of the Information Technology Act,2000, the2000, the Indian Parliament provided a new legal basis to data protectionIndian Parliament provided a new legal basis to data protectionand privacy.and privacy.

The main principles on data protection and privacy enumerated under theThe main principles on data protection and privacy enumerated under theInformation Technology Act, 2000 are:Information Technology Act, 2000 are:

(i)defining data,computer database, information, electronic form',(i)defining data,computer database, information, electronic form','originator, addressee etc.'originator, addressee etc.

(ii) creating civil liability if any person accesses or secures access to(ii) creating civil liability if any person accesses or secures access tocomputer, computer system or computer network.computer, computer system or computer network.

(iii) creating criminal liability if any person accesses or secures access to(iii) creating criminal liability if any person accesses or secures access tocomputer, computer system or computer networkcomputer, computer system or computer network..


27/44

Main principles of the Information Technology Act,Main principles of the Information Technology Act,

20002000

(iv)declaring any computer, computer system or computer network(iv)declaring any computer, computer system or computer networkas a protected System.as a protected System.

(v)imposing penalty for breach of confidentiality and privacy.(v)imposing penalty for breach of confidentiality and privacy.

(vi)setting up of hierarchy of regulatory authorities, namely(vi)setting up of hierarchy of regulatory authorities, namelyadjudicating officers,adjudicating officers,the Cyber Regulations Appellate Tribunal etc.the Cyber Regulations Appellate Tribunal etc.

Further, the Information Technology Act, 2000 defines certain keyFurther, the Information Technology Act, 2000 defines certain keyterms with respect to data protection, like accessterms with respect to data protection, like access [S.2 (1)(a)],[S.2 (1)(a)],Computer[S.2 (1)(i)], Computer network[S.2(1)(j), ComputerComputer[S.2 (1)(i)], Computer network[S.2(1)(j), Computerresource [S.2 (1)(k)], Computer system [S.2 (1)(l)], Computerresource [S.2 (1)(k)], Computer system [S.2 (1)(l)], Computerdatabase[S.43, Explanation (ii)],Data [S.2 (1)(o)], Electronic formdatabase[S.43, Explanation (ii)],Data [S.2 (1)(o)], Electronic form[S.2 (1)(r)], Electronic record[S.2 (1)(t],Information[S.2(1)(v)],[S.2 (1)(r)], Electronic record[S.2 (1)(t],Information[S.2(1)(v)],Intermediary[S.2 (1)(w)], Secure system [S.2(1)(ze)] andSecurityIntermediary[S.2 (1)(w)], Secure system [S.2(1)(ze)] andSecurityprocedure [S.2 (1)(zf)].procedure [S.2 (1)(zf)].


28/44

Main principles of the InformationMain principles of the Information

Technology Act, 2000Technology Act, 2000

Interestingly, section 72 [Penalty for breach of confidentiality andInterestingly, section 72 [Penalty for breach of confidentiality and

privacy] is aimed at public (and private) authorities, which have beenprivacy] is aimed at public (and private) authorities, which have been

granted power under the Act to secure access to any electronicgranted power under the Act to secure access to any electronic

record, book, register, correspondence, information, document orrecord, book, register, correspondence, information, document or

other material information.other material information.

The idea behind the aforesaid section is that the person who hasThe idea behind the aforesaid section is that the person who has

secured access to any such information shall not take unfairsecured access to any such information shall not take unfair

advantage of it by disclosing it to the third party without obtaining theadvantage of it by disclosing it to the third party without obtaining the

consent of the disclosing party.consent of the disclosing party.


29/44

Cyber contraventions under IT ActCyber contraventions under IT Act

The Information Technology Act, 2000 provides for civil liability inThe Information Technology Act, 2000 provides for civil liability in

case of data, computer database theft, privacy violation etc.case of data, computer database theft, privacy violation etc.

The Act provides a complete Chapter (Chapter IX) on cyber contraventions,The Act provides a complete Chapter (Chapter IX) on cyber contraventions,

i.e., section43 (a)i.e., section43 (a) (h) which cover a wide range of cyber contraventions(h) which cover a wide range of cyber contraventionsrelated to unauthorised access to computer, computer system, computerrelated to unauthorised access to computer, computer system, computer

network or resources.network or resources.

Section 43 of the Act covers instances such as:Section 43 of the Act covers instances such as:

(a) computer trespass, violation of Privacy etc.(a) computer trespass, violation of Privacy etc.

(b)unauthorised digital copying, downloading and extraction of data, computer(b)unauthorised digital copying, downloading and extraction of data, computer

database or information;. theft of data held or stored in any media,database or information;. theft of data held or stored in any media,


30/44

Cyber contraventions under IT ActCyber contraventions under IT Act

(c) unauthorised transmission of data or programme residing within a computer,(c) unauthorised transmission of data or programme residing within a computer,computer system or computer network cookies, spy ware, GUID or digitalcomputer system or computer network cookies, spy ware, GUID or digitalprofiling are not legallyprofiling are not legally permissible,permissible,

(d) data loss, data corruption etc.,(d) data loss, data corruption etc.,

(e) computer data/database disruption, spamming etc.,(e) computer data/database disruption, spamming etc.,

(f) denial of service attacks, data theft, fraud, forgery etc.,(f) denial of service attacks, data theft, fraud, forgery etc.,

(g) unauthorised access to computer data/computer databases and(g) unauthorised access to computer data/computer databases and

(h) instances of data theft (passwords, login IDs) etc.(h) instances of data theft (passwords, login IDs) etc.


31/44

Cyber offences under IT ActCyber offences under IT Act

The Information Technology Act, 2000 provides for criminalThe Information Technology Act, 2000 provides for criminal

liability in case of data, computer database theft, privacyliability in case of data, computer database theft, privacyviolation etc.violation etc.

The Act also provides a complete Chapter (Chapter XI) on cyberThe Act also provides a complete Chapter (Chapter XI) on cyberoffences, i.e., sections 65offences, i.e., sections 65--74 which cover a wide range of cyber74 which cover a wide range of cyberoffences, including offences related to unauthorised alteration,offences, including offences related to unauthorised alteration,deletion, addition, modification, alteration, destruction, duplicationdeletion, addition, modification, alteration, destruction, duplication orortransmission of data, and computer database.transmission of data, and computer database.

For example,section65 [Tampering with computer sourceFor example,section65 [Tampering with computer sourcedocuments] of the Act is not limited to protecting computer sourcedocuments] of the Act is not limited to protecting computer source

code only, but it also safeguards data and computer databases; andcode only, but it also safeguards data and computer databases; andsimilarly section 66 [Hacking with ComputerSystem] covers cybersimilarly section 66 [Hacking with ComputerSystem] covers cyberoffences related tooffences related to

(a) Illegal access, (b) Illegal interception, (c) Data interference,(a) Illegal access, (b) Illegal interception, (c) Data interference,(d) System interference, (e) Misuse of devices, etc.(d) System interference, (e) Misuse of devices, etc.


32/44

The Right to PrivacyThe Right to Privacy in Indiain India

Judicial activism has brought the Right toJudicial activism has brought the Right to Privacy within the realmPrivacy within the realmof Fundamental Rights.of Fundamental Rights.

Article 141 of the Constitution states that the law declared by theArticle 141 of the Constitution states that the law declared by theSupreme Court shall be binding on all courts within the territory ofSupreme Court shall be binding on all courts within the territory ofIndia. Therefore, the decisions of The Supreme Court of IndiaIndia. Therefore, the decisions of The Supreme Court of Indiabecome the law of the Land.become the law of the Land.

The Supreme Court of India has come to the rescue of commonThe Supreme Court of India has come to the rescue of commoncitizen, time and again by construing right to privacy as a part ofcitizen, time and again by construing right to privacy as a part of

the Fundamental Right to protection of life and personal libertythe Fundamental Right to protection of life and personal libertyunder Article 21 of the Constitution, which states no person shall beunder Article 21 of the Constitution, which states no person shall bedeprived of his life or personal liberty except according todeprived of his life or personal liberty except according toprocedures established byprocedures established by law.law.


33/44

Judicial Activism: The Right to PrivacyJudicial Activism: The Right to Privacy

In the context of personal liberty, the Supreme Court has observedIn the context of personal liberty, the Supreme Court has observed

those who feel called upon to deprive other persons of theirthose who feel called upon to deprive other persons of their

personal liberty in the discharge of what they conceive to be theirpersonal liberty in the discharge of what they conceive to be their

duty must strictly and scrupulously observe the forms and rules ofduty must strictly and scrupulously observe the forms and rules of

the law.the law.

Even the fundamental right to freedom of speech and expressionEven the fundamental right to freedom of speech and expression

as enumerated in Article 19(1)(a) of the Constitution of India comesas enumerated in Article 19(1)(a) of the Constitution of India comes

with reasonable restrictions imposed by the State relating to (i)with reasonable restrictions imposed by the State relating to (i)

defamation; (ii) contempt of court; (iii) decency or morality; (iv)defamation; (ii) contempt of court; (iii) decency or morality; (iv)

security of the State; (v) friendly relations with foreign states; (vi)security of the State; (v) friendly relations with foreign states; (vi)incitement to an offence; (vii) public order; (viii) maintenance of theincitement to an offence; (vii) public order; (viii) maintenance of the

sovereignty and integrity of India.sovereignty and integrity of India.

Thus, the right to Privacy is limited against defamation, decency orThus, the right to Privacy is limited against defamation, decency or

morality.morality.


34/44


The Supreme Court has reiterated the Right to Privacy in the following cases:The Supreme Court has reiterated the Right to Privacy in the following cases:

1.1. Kharak SinghKharak Singhv.v. State of UPState of UP(AIR 1963 SC 1295)(AIR 1963 SC 1295)

In this case the appellant was being harassed by police under Regulation 236(b)In this case the appellant was being harassed by police under Regulation 236(b)ofUP Police Regulation, which permits domiciliary visits at night.ofUP Police Regulation, which permits domiciliary visits at night.

The Supreme Court held that the Regulation 236 is unconstitutional and violativeThe Supreme Court held that the Regulation 236 is unconstitutional and violativeof Article 21.of Article 21.

It concluded that the Article 21 of the Constitution includes right to Privacy as aIt concluded that the Article 21 of the Constitution includes right to Privacy as apart of the right to protection of life and personal liberty.part of the right to protection of life and personal liberty.

The Court equatedpersonal liberty with

privacy, and observed, that theThe Court equated

personal liberty with

privacy, and observed, that theconcept of liberty in Article was comprehensive enough to include privacy andconcept of liberty in Article was comprehensive enough to include privacy and

that a persons house, where he lives with his family is his castle and thatthat a persons house, where he lives with his family is his castle and thatnothing is more deleterious to a mans physical happiness and health than anothing is more deleterious to a mans physical happiness and health than acalculated interference with his privacy.calculated interference with his privacy.


35/44


Peoples Union for Civil Liberties (PUCL)Peoples Union for Civil Liberties (PUCL) v.v. Union of IndiaUnion of IndiaAIR (1997) 1 SCCAIR (1997) 1 SCC301301

the Supreme Court held that the telephone tapping by Governmentthe Supreme Court held that the telephone tapping by Government

underS. 5(2) of Telegraph Act, 1885 amounts infraction of Article 21 ofunderS. 5(2) of Telegraph Act, 1885 amounts infraction of Article 21 of

the Constitution of India.the Constitution of India.

Right to privacy is a part of the right to life and personal libertyRight to privacy is a part of the right to life and personal liberty

enshrined under Article 21 of the Constitution. The said right cannot beenshrined under Article 21 of the Constitution. The said right cannot becurtailed except according to procedure established by law.curtailed except according to procedure established by law.


36/44


If one follows the judgments given by the Honble Supreme Court,If one follows the judgments given by the Honble Supreme Court,three principlesthree principles emerge:emerge:

(1) that the individuals right to privacy exists and any unlawful invasion(1) that the individuals right to privacy exists and any unlawful invasion

of privacy would make the offender liable for the consequences inof privacy would make the offender liable for the consequences in

accordance with law;accordance with law;

(2) that there is constitutional recognition given to the right of privacy(2) that there is constitutional recognition given to the right of privacy

which protects personal privacy against unlawful governmental invasion;which protects personal privacy against unlawful governmental invasion;

(3) that the persons right to be let alone is not an absolute right and(3) that the persons right to be let alone is not an absolute right and

may be lawfully restricted for the prevention of crime, disorder ormay be lawfully restricted for the prevention of crime, disorder orprotection of health or morals or protection of rights and freedom ofprotection of health or morals or protection of rights and freedom of

others.others.


37/44

RFID and Data protection laws inRFID and Data protection laws in

other countriesother countriesGERMANY

Article 6c of the German Federal Data Protection Law (BDSG) is partly applicable toRFID tags, notably where the tag does not directly process or store personal data, asfor instance passive tags

USA

Utah recently reviewed its laws on unauthorised access to networks and addedwireless networks as it previously only addressed wire line networks: it clarifies that

computer crimes laws apply to wireless networks.

Virginias law authorises research relating to methods of electronic toll collection. Alsoprovides that data generated by automated electronic toll-collection systems on useof toll facilities can only be disclosed when so required by order of a court.

Wyoming authorises tele-pharmacies to use automated inventory control includingradio frequency tags. In many other states there exist draft legislation on RFIDtechnology, which sometimes just seek to require only labelling and notice that RFIDis in use, while in other cases like the Californias approach would most tightlyregulate the technology itself, including prohibitions of certain applications andtechnology-specific security requirements containing only the product ID64.


38/44

Data protection in the EUData protection in the EU

The protection of personal data is an importantprinciple in the EU. Article 6 of the Treaty on theEuropean Union states that the Union is founded onthe principles of liberty, democracy, respect for

human rights and fundamental freedoms; Article 30 requires appropriate provisions on the

protection of personal data for the collection, storage,processing, analysis and exchange of information inthe field of police co-operation.

The protection of personal data is set as one of thefreedoms in Article 8 of the Charter of FundamentalRights.


39/44

European initiatives on data protectionEuropean initiatives on data protection

The Community legislation framework on data protection and privacy in Europe was

designed to be robust in the face of innovation. The protection of personal data iscovered by the general Data Protection Directive Directive 95/46/EC on the protectionof individuals with regard to the processing of personal data and on the freemovement of such data, OJ L 281, 23.11.1995, p. 31. regardless of the means andprocedures used for data processing. The Directive is applicable to all technologies,including RFID.

Emphasises need for prior consent of the individual whose data is being collected. Itdefines the principles of data protection and requires that a data controllerimplements these principles- ( purpose limitation, proportionality, data quality ,lawfulness and ensure the security of the processing of personal data.

The general Data Protection Directive is complemented by the ePrivacy Directive -Directive 2002/58/EC concerning the processing of personal data and the protectionof privacy in the electronic communications sector (Directive on privacy and electroniccommunications), OJ L 201,31.7.2002, p. 37.which applies these principles to theprocessing of personal data in connection with the provision of publicly availableelectronic communications services in public communications networks.


40/44

The OECD InitiativeThe OECD Initiative

RFIDRFID Position Statement of ConsumerPosition Statement of Consumer

Privacy and Civil Liberties Organizations.Privacy and Civil Liberties Organizations.

Privacy guidelines published by thePrivacy guidelines published by the

Organization forEconomic CoOrganization forEconomic Co--operationoperation

and Developmentand Development (OECD) offers some(OECD) offers some

useful guidelines related to the disclosureuseful guidelines related to the disclosure

ofofRFIDRFID technology use and the purposetechnology use and the purposebehind its use.behind its use.


41/44

US and Data ProtectionUS and Data Protection

In the U.S ,the Federal Trade CommissionsIn the U.S ,the Federal Trade Commissions Fair Information PracticeFair Information PracticePrinciplesPrinciples would seem to play a role in the legalities ofwould seem to play a role in the legalities ofRFIDRFID..

In its Fair Information Practice Principles, the FTC writes about theIn its Fair Information Practice Principles, the FTC writes about thecollection and use of personal information and addresses the safeguardscollection and use of personal information and addresses the safeguardsrequired to assure those practices are fair and provide adequate privacyrequired to assure those practices are fair and provide adequate privacy

protection.G

overnment agencies in the past quarter century haveprotection.G

overnment agencies in the past quarter century havedeliberated about the way in which entities gather and use personaldeliberated about the way in which entities gather and use personalinformation. A succession of reports and guidelines have identified fiveinformation. A succession of reports and guidelines have identified fivecentral principles of privacy protection:central principles of privacy protection:

1. Notice and awareness of collection of information.1. Notice and awareness of collection of information.2. Choice and consent of how this information can be used.2. Choice and consent of how this information can be used.3. Access to the individuals gathered information and the ability to contest3. Access to the individuals gathered information and the ability to contest

the accuracy of the collected data.the accuracy of the collected data.4. Integrity and security of the collected data.4. Integrity and security of the collected data.5. Enforcement of the aforementioned principle5. Enforcement of the aforementioned principle


42/44

Data security measures in RFIDData security measures in RFID

implementationimplementation

Kill order solutionsKill order solutions

Shielding with Aluminum sheetsShielding with Aluminum sheets

Blocker tagsBlocker tags EncryptionEncryption

User model solutionUser model solution

Privacy bitPrivacy bit-- RSA SecurityRSA Security--tag specifictag specificpincodepincode --to switch on and off the bit onto switch on and off the bit on

the tagthe tag


43/44

Alleviating Consumer privacy concerns inAlleviating Consumer privacy concerns in

adopting RFID technologyadopting RFID technology

Businesses can deployBusinesses can deploy RFIDRFID systems and use readsystems and use readonly (not rewritable) tagsonly (not rewritable) tags

kill the tags before they are released to consumerskill the tags before they are released to consumers

affix tags to packaging rather than the objectaffix tags to packaging rather than the object

alert consumers to the presence of readers and thealert consumers to the presence of readers and themanner in which they will be usedmanner in which they will be used

place a notice thatplace a notice that RFIDRFID tags are present together withtags are present together withinstructions for removal.instructions for removal.

Retailers that useRetailers that use RFIDRFID should have a privacy policyshould have a privacy policy

available to consumers.available to consumers. address consumer privacy concerns by educating theaddress consumer privacy concerns by educating the

public aboutpublic about RFIDRFIDdescription ofdescription ofRFIDRFID tags andtags andacquainting consumers about its technology processacquainting consumers about its technology process


44/44

SETH ASSOCIATESSETH ASSOCIATESADVOCATES AND LEGAL CONSULTANTSADVOCATES AND LEGAL CONSULTANTS

New Delhi Law OfficeNew Delhi Law Office::

CC--1/16, Daryaganj, New Delhi1/16, Daryaganj, New Delhi--110002, India110002, IndiaTel:+91 (11) 65352272, +91 9868119137Tel:+91 (11) 65352272, +91 9868119137

Corporate Law OfficeCorporate Law Office::BB--10, Sector 40, NOIDA10, Sector 40, NOIDA--201301, N.C.R ,India201301, N.C.R ,India

Tel:+9

1 (120) 4352846,+9

19

810155766Tel:+9

1 (120) 4352846,+9

19

810155766Fax:+91 (120) 4331304Fax:+91 (120) 4331304EE--mail:mail:[email protected]@sethassociates.com

Seth Associates, 2008 All Rights Reserved

Thank You!Thank You!

Legal Issues Impacting RFID Technology in India

Documents

Transcript of Legal Issues Impacting RFID Technology in India