The 2nd Annual RFID India Informedia The 2nd Annual RFID India Informedia India Conference 2008India Conference 2008

22-23 July 200822-23 July 2008

ITC Grand Maratha, Mumbai.ITC Grand Maratha, Mumbai.

RFID TECHNOLOGY- A LEGAL ANALYSISRFID TECHNOLOGY- A LEGAL ANALYSIS

Karnika Seth Cyber law ExpertCyber law Expert & Managing Partner & Managing Partner

SETH ASSOCIATESSETH ASSOCIATES ADVOCATES AND LEGAL CONSULTANTSADVOCATES AND LEGAL CONSULTANTS

© 2008 Seth Associates. All Rights Reserved.

Legal Issues Impacting RFID Legal Issues Impacting RFID Technology in IndiaTechnology in India

RFID Technology- an IntroductionRFID Technology- an Introduction

RFID Applications in IndiaRFID Applications in India

Legal Approvals & compliancesLegal Approvals & compliances

Global standardisationGlobal standardisation

Legal IssuesLegal Issues

Privacy and Data ProtectionPrivacy and Data Protection

Security and other issuesSecurity and other issues

RFID Technology- An IntroductionRFID Technology- An Introduction Radio Frequency Identification (RFID) Technology uses radio waves to

automatically identify wirelessly, contact less and without visibility objects which, or people who have an RFID tag attached. It is grouped under the broad category of automatic identification technologies.

It consists of two parts: a tag that contains an identification number and a reader who works as a scanner that triggers the tag to broadcast its identification number. This number usually acts as an input to further data processing. RFID is designed to enable readers to capture data on tags and transmit it to computer system without needing a person to be involved.

A typical RFID tag consists of a small integrated circuit attached to a radio antenna, capable of transmitting a unique serial number at a distance of several meters to a reading device in response to a query.

RFID tags can be active, semi-active or passive.

RFID Technology- an IntroductionRFID Technology- an IntroductionTechnology behind RFIDTechnology behind RFID

An electromagnetic or electrostatic coupling in the An electromagnetic or electrostatic coupling in the RFRF (radio frequency) (radio frequency) portion of the electromagnetic spectrum is used to transmit signals.portion of the electromagnetic spectrum is used to transmit signals.

The The RFID systemRFID system consists of an antenna and a consists of an antenna and a transceivertransceiver, which reads the , which reads the radio frequency and transfers the information to a processing radio frequency and transfers the information to a processing devicedevice (reader) and a (reader) and a transpondertransponder, or , or RF tagRF tag, which contains the RF circuitry and , which contains the RF circuitry and information to be transmitted.information to be transmitted.

The Radio frequency band allocated to India for RFID is 865 – 867 MHz. The Radio frequency band allocated to India for RFID is 865 – 867 MHz.

This band has been freed solely for RFID since March 2005.This band has been freed solely for RFID since March 2005.

RFID systems can use a variety of frequencies to communicate, but RFID systems can use a variety of frequencies to communicate, but because radio waves work and act differently at different frequencies, a because radio waves work and act differently at different frequencies, a frequency for a specific RFID system is often dependant on its applicationfrequency for a specific RFID system is often dependant on its application

RFID Applications in IndiaRFID Applications in India

© All Rights Reserved Seth Associates© All Rights Reserved Seth Associates

•Few ExamplesFew Examples

Transport industry Transport industry The Minister of Road Transport and Highways, Government of India, launched a The Minister of Road Transport and Highways, Government of India, launched a pilot project for radio frequency identification (RFID)-based vehicle tracking project pilot project for radio frequency identification (RFID)-based vehicle tracking project on the Delhi-Jaipur highway of India.on the Delhi-Jaipur highway of India.

Under the project, 68 buses of Rajasthan State Road Transport Corporation Under the project, 68 buses of Rajasthan State Road Transport Corporation (RSRTC) plying on the highway have been fitted with RFID tags and readers have (RSRTC) plying on the highway have been fitted with RFID tags and readers have been placed to track the vehicle movement along the highway, whereby their been placed to track the vehicle movement along the highway, whereby their movement is being tracked, monitored and managedmovement is being tracked, monitored and managed

Apparel Tracking Using RFID –PantaloonsApparel Tracking Using RFID –PantaloonsPantaloon Retail (India) has piloted an RFID project at one its warehouses in Pantaloon Retail (India) has piloted an RFID project at one its warehouses in Tarapur using 1,000 RFID tags. The company is starting from where it matters the Tarapur using 1,000 RFID tags. The company is starting from where it matters the most by implementing the technology at the warehouse.most by implementing the technology at the warehouse.

TicketingTicketingMore recently, NXP Semiconductors, SmartTags and Gemini Traze have More recently, NXP Semiconductors, SmartTags and Gemini Traze have collaborated to implement a “hands-free” RFID ticketing solution for a sporting collaborated to implement a “hands-free” RFID ticketing solution for a sporting event.event.

RFID Applications in IndiaRFID Applications in India RFID in the Pharmaceutical IndustryRFID in the Pharmaceutical Industry (Ranbaxy), a wholly owned subsidiary of Ranbaxy Laboratories Limited, (Ranbaxy), a wholly owned subsidiary of Ranbaxy Laboratories Limited,

India’s largest pharmaceutical company, has chosen Acsis to implement a India’s largest pharmaceutical company, has chosen Acsis to implement a radio frequency identification (RFID) tracking system to meet Wal-Mart’s radio frequency identification (RFID) tracking system to meet Wal-Mart’s RFID mandate for its Class 2 pharmaceutical suppliers.RFID mandate for its Class 2 pharmaceutical suppliers.

Animal TrackingAnimal TrackingThe Kopordem farm at Valpoi in Sattari Taluk in North Goa has become the The Kopordem farm at Valpoi in Sattari Taluk in North Goa has become the first farm in India to use RFID microchips that can be injected into the first farm in India to use RFID microchips that can be injected into the animal's body.animal's body.

Manufacturing Sector Wipro’s Manufacturing Solutions’ Center of Excellence (CoE) has a

dedicated team of consultants who help customers define, analyze, design and implement RFID solutions. Amongst others, their RFID solutions include a Wireless Yard Management System for a large automobile manufacturer and a Real-Time WIP Tracking System for an electronic component product manufacturer

Legal approvals & compliances-Legal approvals & compliances-Statutory framework & Regulatory AuthorityStatutory framework & Regulatory Authority

Wireless Planning and Coordination Wing of Ministry of Communications and Information Wireless Planning and Coordination Wing of Ministry of Communications and Information Technology, Government of India deals with issues of licensing use of RFID devices in India.Technology, Government of India deals with issues of licensing use of RFID devices in India.

Indian Wireless Telegraphy ActIndian Wireless Telegraphy Act

Indian Wireless Telegraphy Act 1933-An Act to regulate the possession of wireless Indian Wireless Telegraphy Act 1933-An Act to regulate the possession of wireless telegraphy apparatus-telegraphy apparatus-‘wireless communication’ defined in Section 2 of the Act means any ‘wireless communication’ defined in Section 2 of the Act means any transmission, omission or reception of signs, signals, writing, images and sounds, or transmission, omission or reception of signs, signals, writing, images and sounds, or intelligence of any nature by means of electricity, magnetism, or Radio waves or Hertzian intelligence of any nature by means of electricity, magnetism, or Radio waves or Hertzian waves, without the use of wires or other continuous electrical conductors between the waves, without the use of wires or other continuous electrical conductors between the transmitting and the receiving apparatus;transmitting and the receiving apparatus;

Explanation.—Explanation.—‘Radio waves’ or ‘Hertzian waves’ means electromagnetic waves of frequencies ‘Radio waves’ or ‘Hertzian waves’ means electromagnetic waves of frequencies lower than 3,000 gigacycles per second propagated in space without artificial guide;lower than 3,000 gigacycles per second propagated in space without artificial guide;

Section 5 of the Indian Wireless Telegraphy Act 1933- Licences.Section 5 of the Indian Wireless Telegraphy Act 1933- Licences.—The telegraphy —The telegraphy authority constituted under the Indian Telegraph Act, 1885, shall be the authority competent to authority constituted under the Indian Telegraph Act, 1885, shall be the authority competent to issue licences to possess wireless telegraphy apparatus under this Act, and may issue issue licences to possess wireless telegraphy apparatus under this Act, and may issue licences in such manner, on such conditions and subject to such payments, as may be licences in such manner, on such conditions and subject to such payments, as may be prescribed.prescribed.

According to According to SectionSection 3 3 of the Act Possession of wireless telegraphy apparatus without licence of the Act Possession of wireless telegraphy apparatus without licence is strictly prohibited-possessing wireless transmitter without licence -3 years punishment , fine is strictly prohibited-possessing wireless transmitter without licence -3 years punishment , fine or both. or both. Section 4 Section 4 deals with Power of Central Government to exempt persons from provisions deals with Power of Central Government to exempt persons from provisions of the Act and of the Act and Section 10 Section 10 elucidates Power of Central Government to make rules elucidates Power of Central Government to make rules

Indian Telegraph ActIndian Telegraph Act The The Indian Telegraph ActIndian Telegraph Act was passed by the Legislature in 1885 and it came into was passed by the Legislature in 1885 and it came into

force on 1st October, 1885-force on 1st October, 1885-An Act to amend the law relating to Telegraphs in IndiaAn Act to amend the law relating to Telegraphs in India

‘ ‘TelegraphTelegraph’ which expression by the definition would include a telephone and FAX ’ which expression by the definition would include a telephone and FAX also. A video and Television both fall with in the definition of ‘‘also. A video and Television both fall with in the definition of ‘‘ telegraphtelegraph’’. A telegraph ’’. A telegraph wireless receiving station is a ‘‘wireless receiving station is a ‘‘telegraphtelegraph’’ as defined in the Act.Section 3 of the ’’ as defined in the Act.Section 3 of the Indian Telegraph ActIndian Telegraph Act defines Telegraph as - " defines Telegraph as - "telegraphtelegraph" means any appliance, " means any appliance, instrument, material or apparatus used or capable of use for transmission or instrument, material or apparatus used or capable of use for transmission or reception of signs, signals, writing, images, and sounds or intelligence of any nature reception of signs, signals, writing, images, and sounds or intelligence of any nature by wire, visual or other electro-magnetic emissions, Radio waves or Hertzian waves, by wire, visual or other electro-magnetic emissions, Radio waves or Hertzian waves, galvanic, electric or magnetic means;galvanic, electric or magnetic means;

ExplanationExplanation — "— "Radio wavesRadio waves" or "" or "Hertzian wavesHertzian waves" means electro magnetic waves " means electro magnetic waves of frequencies lower than 3,000 giga-cycles per sound propagated in space without of frequencies lower than 3,000 giga-cycles per sound propagated in space without artificial guide.artificial guide.

""telegraph authoritytelegraph authority" means the " means the Director-General of Posts and Telegraphs,Director-General of Posts and Telegraphs, and and includes any officer empowered by him to perform all or any of the functions of the includes any officer empowered by him to perform all or any of the functions of the telegraph authority under this Act;telegraph authority under this Act;

Section 4 of the Indian Telegraph Act-Section 4 of the Indian Telegraph Act- Exclusive privilege in respect of Exclusive privilege in respect of telegraphs, and power to grant licencestelegraphs, and power to grant licences

Power to Grant RFID License in Power to Grant RFID License in IndiaIndia

Section 4 Section 4 Indian Telegraph Act- Exclusive privilegeIndian Telegraph Act- Exclusive privilege in respect of telegraphs, in respect of telegraphs, and power to grant licences and power to grant licences ——

(1) Within India, the (1) Within India, the Central GovernmentCentral Government shall have the exclusive privilege of shall have the exclusive privilege of establishing, maintaining and working telegraphs:establishing, maintaining and working telegraphs:

Provided that the Provided that the Central Government may grant a licence, on such Central Government may grant a licence, on such conditions and in consideration of such payments as it thinks fit, to any conditions and in consideration of such payments as it thinks fit, to any person to establish, maintain or work a telegraph within any part of Indiaperson to establish, maintain or work a telegraph within any part of India ::

Provided further that the Central Government may, by rules made under this Provided further that the Central Government may, by rules made under this Act and published in the Official Gazette, permit, subject to such restrictions Act and published in the Official Gazette, permit, subject to such restrictions and conditions as it thinks fit, the establishment, maintenance and working—and conditions as it thinks fit, the establishment, maintenance and working—

(a) of wireless telegraphs on ships within Indian territorial waters and on aircraft (a) of wireless telegraphs on ships within Indian territorial waters and on aircraft within or above India, or Indian territorial waters, andwithin or above India, or Indian territorial waters, and

(b) of telegraphs other than wireless telegraphs within any part of India.(b) of telegraphs other than wireless telegraphs within any part of India. Section 8(2) The Central Government may, by notification in the Official Section 8(2) The Central Government may, by notification in the Official

Gazette, delegate to the telegraph authority all or any of its powers under Gazette, delegate to the telegraph authority all or any of its powers under the first proviso to sub-section (1).the first proviso to sub-section (1).The exercise by the telegraph authority of any power so delegated shall The exercise by the telegraph authority of any power so delegated shall be subject to such restrictions and conditions as the Central Government be subject to such restrictions and conditions as the Central Government may, by the notification, think fit to imposemay, by the notification, think fit to impose..

Revocation of RFID licenses in IndiaRevocation of RFID licenses in India

Section 8-Indian Telegraph Act Section 8-Indian Telegraph Act Revocation of licences Revocation of licences ——

The Central Government may, at any The Central Government may, at any time, revoke any license granted time, revoke any license granted under section 4, on the breach of any under section 4, on the breach of any of the conditions therein contained, of the conditions therein contained, or in default of payment of any or in default of payment of any consideration payable thereunder.consideration payable thereunder.

Radio Frequency Identification Devices Radio Frequency Identification Devices (Exemption from Licensing Requirement) Rules, (Exemption from Licensing Requirement) Rules,

20052005 ““Use of low power Equipment in the frequency band 865 – 867 MHz for Use of low power Equipment in the frequency band 865 – 867 MHz for

(RFID) Radio Frequency Identification Devices (Exemption from Licensing (RFID) Radio Frequency Identification Devices (Exemption from Licensing Requirement) Rules, 2005 -rules were published in the Gazette of India, Requirement) Rules, 2005 -rules were published in the Gazette of India, Part II, Section 3, Sub-Section (i), dated the 11th March, 2005, vide Part II, Section 3, Sub-Section (i), dated the 11th March, 2005, vide notification No.168 (E), dated the 11th March, 2005.notification No.168 (E), dated the 11th March, 2005.

Rule 3.Rule 3. Use of wireless equipment in the band 865 – 867 MHz.Use of wireless equipment in the band 865 – 867 MHz.- -

Notwithstanding anything contained in any law for the time being in force, no Notwithstanding anything contained in any law for the time being in force, no licence shall be required by any person to establish, maintain, work, licence shall be required by any person to establish, maintain, work, possess or deal in Radio Frequency Identification Devices (RFID), on non-possess or deal in Radio Frequency Identification Devices (RFID), on non-interference, non-protection and non-exclusive basis, in the frequency interference, non-protection and non-exclusive basis, in the frequency band band 865 – 867 MHz with maximum 1 Watt transmitter power865 – 867 MHz with maximum 1 Watt transmitter power, , 4 Watts4 Watts Effective Effective Radiated PowerRadiated Power and and 200 kHz carrier bandwidth200 kHz carrier bandwidth. .   

Rule 4Rule 4. In case where any person to whom a licence has been issued under . In case where any person to whom a licence has been issued under section 4 of the Act, informs that his licensed system is getting harmful section 4 of the Act, informs that his licensed system is getting harmful interference from any other radio communication system exempted under interference from any other radio communication system exempted under these rules, the use of such unlicensed Wireless equipment shall be these rules, the use of such unlicensed Wireless equipment shall be discontinued forthwith. discontinued forthwith.

RFIDRFID Standardisation Standardisation RFID standards first came into being during the early 1990s, when RFID standards first came into being during the early 1990s, when

the (newly created) CENTC225 committee on bar coding focused the (newly created) CENTC225 committee on bar coding focused the attention on automatic ID techniques in general.the attention on automatic ID techniques in general.

There are two competing initiatives in the RFID standardisation There are two competing initiatives in the RFID standardisation arena: arena: ISO and EPC global.ISO and EPC global.

There are also a number of special interest groups including industry There are also a number of special interest groups including industry specific such as the American Trucking Association in the transport specific such as the American Trucking Association in the transport industry, the NFC forum in consumer electronics, mobile devices and industry, the NFC forum in consumer electronics, mobile devices and computer industry or the Automotive Industry Action Group in the computer industry or the Automotive Industry Action Group in the automotive industry that seek to influence RFID standards automotive industry that seek to influence RFID standards development.development.

International Organization for Standardization International Organization for Standardization ((ISO) approachISO) approach

The ISO approachThe ISO approach RFID standards first came into being during the early 1990s, when the (newly RFID standards first came into being during the early 1990s, when the (newly

created) CENTC225 committee on bar coding focused the attention on automatic ID created) CENTC225 committee on bar coding focused the attention on automatic ID techniques in general.techniques in general.

During the early 1990s, the standardisation activity on automatic ID techniques was During the early 1990s, the standardisation activity on automatic ID techniques was mainly carried out in Europe within the CEN standard body (TC225 committee), with mainly carried out in Europe within the CEN standard body (TC225 committee), with little involvement from the US. However, during the 1995, a joint ISO IEC JTC1 little involvement from the US. However, during the 1995, a joint ISO IEC JTC1 committee – theSC31 – was set up for standardisation of automatic identification committee – theSC31 – was set up for standardisation of automatic identification techniques generally drawing from the earlier work on RFID standards within CEN. techniques generally drawing from the earlier work on RFID standards within CEN. Another influence on the RFID work within ISO was the work on the G Tag initiative Another influence on the RFID work within ISO was the work on the G Tag initiative for RFID standardisation of asset tracking and logistics which was launched by UCC for RFID standardisation of asset tracking and logistics which was launched by UCC and EAN in 2000 along with input from international companies including Philips and EAN in 2000 along with input from international companies including Philips Semiconductors, Intermec, and Gemplus.Semiconductors, Intermec, and Gemplus.

The members of the SC31 committees are the representatives of the national The members of the SC31 committees are the representatives of the national standard bodies such as in UK the BSI IST34 committee on bar coding, including the standard bodies such as in UK the BSI IST34 committee on bar coding, including the same people who tend to participate in CEN TC225. They represent either internal same people who tend to participate in CEN TC225. They represent either internal consultants within big corporations,or external consultants which are representing the consultants within big corporations,or external consultants which are representing the interest of different companies. As a result,three different levels of representativeness interest of different companies. As a result,three different levels of representativeness (and thus interests) can be identified in the ISO process: the individual, the (and thus interests) can be identified in the ISO process: the individual, the organisational, and the national levelorganisational, and the national level..

Standardisation-Standardisation-The ISO approachThe ISO approach

RFID ISO standards cover 4 different areas: technology RFID ISO standards cover 4 different areas: technology (e.g. ISO 18000 series), data content(e.g. ISO 15418), (e.g. ISO 18000 series), data content(e.g. ISO 15418), conformance and performance (e.g. ISO 18046), and conformance and performance (e.g. ISO 18046), and application standards(e.g. ISO 10374) .application standards(e.g. ISO 10374) .

The ISO standards are defined at a very high level, The ISO standards are defined at a very high level, focusing on the interface rather than on the data which is focusing on the interface rather than on the data which is transported. As a result, ISO standards are generic, transported. As a result, ISO standards are generic, being able to be supported by any system and in any being able to be supported by any system and in any context, irrespective of the data that is being carried.context, irrespective of the data that is being carried.

RFID StandardisationRFID StandardisationThe The Electronic Product CodeElectronic Product Code (E(EPC) Global approachPC) Global approach

MIT and UCC together with a number of industrial partners including MIT and UCC together with a number of industrial partners including Procter & Gamble, Gilette and Wal-Mart set up the Auto-ID Procter & Gamble, Gilette and Wal-Mart set up the Auto-ID consortium in 1999 to research RFID technologies and standards. consortium in 1999 to research RFID technologies and standards.

The members included end users, primarily from consumer The members included end users, primarily from consumer packaged goods, large retailers and solution providers, including packaged goods, large retailers and solution providers, including hardware and software providers and consultants. The Auto-ID hardware and software providers and consultants. The Auto-ID members included large retailers such as Wal-Mart, Gilette, Coca members included large retailers such as Wal-Mart, Gilette, Coca Cola, Unilever, Tesco and Carrefour.Cola, Unilever, Tesco and Carrefour.

A new entity was created in October 2003, the EPC Global as a joint A new entity was created in October 2003, the EPC Global as a joint venture between UCC and EAN to undertake the standardisation venture between UCC and EAN to undertake the standardisation and commercialisation work within Auto-ID.. Whereas Auto-ID would and commercialisation work within Auto-ID.. Whereas Auto-ID would continue to research RFID technologies, EPC Global focuses on continue to research RFID technologies, EPC Global focuses on standardisation activities, as well as their commercialisation.standardisation activities, as well as their commercialisation.

The EPC Global approachThe EPC Global approach

In contrast with ISO RFID standards which are generic standards, In contrast with ISO RFID standards which are generic standards, EPC standards are specific.EPC standards are specific.

EPC standards describe the tag and the air interface depending on EPC standards describe the tag and the air interface depending on the data being carried. EPCstandards prescribe the physical the data being carried. EPCstandards prescribe the physical implementation of the tags and readers, rather then specifying their implementation of the tags and readers, rather then specifying their generic characteristics. The standards are also much more limited in generic characteristics. The standards are also much more limited in their scope, forexample where the ISO standards for air interface their scope, forexample where the ISO standards for air interface cover all the frequency range, EPC operatesonly within the UHF cover all the frequency range, EPC operatesonly within the UHF between 860-930MHz with one standard for 13.56MHz between 860-930MHz with one standard for 13.56MHz

The EPC vs ISO Global approachThe EPC vs ISO Global approach

Whereas ISO can claim that it reflects the global requirements into a Whereas ISO can claim that it reflects the global requirements into a legitimate process (equalfooting and consensus based), EPC legitimate process (equalfooting and consensus based), EPC focuses on speed and emphasises the broad support it receives focuses on speed and emphasises the broad support it receives from the industry community. from the industry community.

The ISO and EPC processes can be seen as complementary, even The ISO and EPC processes can be seen as complementary, even more so when one consider that the only competing area is the more so when one consider that the only competing area is the standard for air interfaces frequencies. standard for air interfaces frequencies.

However, for both EPC supporters and for ISO the need for a single, However, for both EPC supporters and for ISO the need for a single, global standard is impetuous. global standard is impetuous.

The benefits coming from standardization would be lost if in different The benefits coming from standardization would be lost if in different parts of the globe, multinationals would have to invest in different parts of the globe, multinationals would have to invest in different technologies for RFIDtechnologies for RFID

Taxonomy of RFID tags and legal Taxonomy of RFID tags and legal implications implications

Tags that only contain item numbers that cannot be linked to personsTags that only contain item numbers that cannot be linked to persons (usually (usually passive tagspassive tags

Tags that may reveal the identity of persons through item numbers that are linked Tags that may reveal the identity of persons through item numbers that are linked to backend databases e.g to backend databases e.g by connecting the information obtained by the tagged object that individuals carry with them and credit cards that they submit at the purchase point e.g to analyse the favourite shopping routes of customers that have already been identified by one of the shops in the mall for better management and promotion policy to increase consumption.

Tags that usually store personal dataTags that usually store personal data ( active tags) e.g passports issued with RFID ( active tags) e.g passports issued with RFID technology-RFID chips containing biometric information -Germany, Belgium-technology-RFID chips containing biometric information -Germany, Belgium-

In compliance with the recommendations of the ICAO the Council of the European Union adopted on 13/12/2004 a regulation mandating the inclusion of both facial image andfingerprints in future passports and travel documents issued by EU Member States. The new regulation aims at better protecting EU passports against forgery, at enabling better identification of passport holders and at harmonising security standard features used in the production of passports and travel documents issued by Member States-Council Regulation 2252/2004 on standards for security features and biometrics in passports and travel documents issued by Member States.

Legal IssuesLegal Issues

Protecting the right to privacy and data protection Protecting the right to privacy and data protection concernsconcerns..

Identification and profiling of a personIdentification and profiling of a person ( for example-to ( for example-to analyse the favourite shopping routes of customers for better management and promotion policy).

Unnoticed remote reading without line of sight-Unnoticed remote reading without line of sight- for for noticing consumer preferences, worker surveillancenoticing consumer preferences, worker surveillance

Search, seizure law enforcement purposesSearch, seizure law enforcement purposes for e.g -the lists of the movement of cars passing

through the toll-controls, the tracking of people carrying RFID enabled IDs or passports, or even RFIDimplanted tags.

Legal IssuesLegal Issues

Impersonation and cheatingImpersonation and cheating Chances of identity theft increase as unauthorised scanning of a personal data of an Chances of identity theft increase as unauthorised scanning of a personal data of an

individual is possible by unlawful interception individual is possible by unlawful interception

Monetary counterfeitMonetary counterfeit Even the use of RFID tags in banknotes can be highly problematic in this perspective.

Through RFID it will be possible to determine which banknotes were withdrawn by whom from which automatic teller machine, or where those banknotes were then

used to buy certain products or services. Protection of right to dignity-Protection of right to dignity-In this regard, the Japanese program for the children)

might breach children's right to privacy and dignity by treating them like cattle or a piece of inventory and by familiarizing them with an environment and a world of absolute surveillance. A group of children in Yokohama City in Japan wears active tags to keep them safe on their way to and from school. Each child participating to the programme wears a bracelet with a RFID tag.

Legal IssuesLegal Issues Unfair competition.Unfair competition.

Inexpensive tags simply do not have the memory to store lists of readers that can authenticate themselves to the tag, in order to avoid unwanted reading of tags; and they don't have the power to call out to an enterprise server to get this information from a database. So they are exposed to unauthorised reading by competitors, for instance if a rival enters the shop of a competitor and “scans” by a mobile reader its inventory.

Labour law.Labour law. Besides, the use of the same RFID tags for other purposes, such as the

surveillance of employees which is already mentioned above, this technology may affect the health of employees in terms of possible radiation emitted during the data communication between tag and reader. It might also lead to cutting personnel as a result of rationalisation through the use of the technology.

Privacy and Data ProtectionPrivacy and Data Protection

Privacy is closely connected to Data Protection. An individual’s data like his Privacy is closely connected to Data Protection. An individual’s data like his name address, telephonenumbers, profession, family, choices, etc. are often name address, telephonenumbers, profession, family, choices, etc. are often available at various places like schools, colleges, banks, directories, surveys available at various places like schools, colleges, banks, directories, surveys and on various web sites.and on various web sites.

Passing on such information to interested parties can lead to intrusion in Passing on such information to interested parties can lead to intrusion in privacy like privacy like incessant marketing calls.incessant marketing calls.

It would be a misnomer to say that India does not have ‘data protection’ It would be a misnomer to say that India does not have ‘data protection’ legislation at all.legislation at all.

This is factually wrong. The fact is that there exists data protection legislation This is factually wrong. The fact is that there exists data protection legislation

in India. in India. The subject matter of data protection and privacy has been dealt The subject matter of data protection and privacy has been dealt within the Information Technology Act, 2000 but not in an exclusive manner.within the Information Technology Act, 2000 but not in an exclusive manner.

Data Protection-legislative domain-IndiaData Protection-legislative domain-India

Data protection is not a subject in any of the three lists in Schedule Data protection is not a subject in any of the three lists in Schedule VII of the Constitution of India. VII of the Constitution of India.

But Entry 97 of List 1 states: “any other matter not enumerated in But Entry 97 of List 1 states: “any other matter not enumerated in List II and List III …….” List II and List III …….”

Thus only the Indian Parliament is competent to legislate on data Thus only the Indian Parliament is competent to legislate on data protection since it can be interpreted ‘as any other matter not protection since it can be interpreted ‘as any other matter not enumerated in List II and List III.’ Data protection is, thus, a Central enumerated in List II and List III.’ Data protection is, thus, a Central subject and only the Central Government is competent tosubject and only the Central Government is competent to frame frame legislations on issues dealing with data protection.legislations on issues dealing with data protection.

In fact, the Information Technology Act, 2000, enacted by the Indian In fact, the Information Technology Act, 2000, enacted by the Indian Parliament is the first legislation, which contains provisions on data Parliament is the first legislation, which contains provisions on data protection. protection.

Data Protection law in India and Data Protection law in India and RFIDRFID

The IT Act, 2000 was enacted to provide legal recognition for transactions carried out by The IT Act, 2000 was enacted to provide legal recognition for transactions carried out by means of EDI and other means of electronic communication, commonly referred to as e-means of EDI and other means of electronic communication, commonly referred to as e-commerce which involve use of alternatives to paper based methods of communication commerce which involve use of alternatives to paper based methods of communication and storage of information to facilitate electronic filing of documents with Government and storage of information to facilitate electronic filing of documents with Government agencies. agencies. RFID in essence falls within its operative domainRFID in essence falls within its operative domain

Section 2 definitions- "Section 2 definitions- "computercomputer" means electronic, magnetic, optical or other high-" means electronic, magnetic, optical or other high-speed date processing device or system which performs logical, arithmetic and memory speed date processing device or system which performs logical, arithmetic and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software or communication facilities which input, output, processing, storage, computer software or communication facilities which are connected or relates to the computer in a computer system or computer network;are connected or relates to the computer in a computer system or computer network;

""computer networkcomputer network" means the inter-connection of one or more computers through-" means the inter-connection of one or more computers through- (i) the use of satellite, microwave, terrestrial lime or other communication media; and(i) the use of satellite, microwave, terrestrial lime or other communication media; and (ii) terminals or a complex consisting of two or more interconnected computers whether (ii) terminals or a complex consisting of two or more interconnected computers whether

or not the interconnection is continuously maintained;or not the interconnection is continuously maintained; ""computer resourcescomputer resources" means computer, computer system, computer network, data, " means computer, computer system, computer network, data,

computer database or software;computer database or software; ""computer systemcomputer system" means a device or collection of devices, including input and output " means a device or collection of devices, including input and output

support devices and excluding calculators which are not programmable and capable support devices and excluding calculators which are not programmable and capable being used in conjunction with external files which contain computer programmes, being used in conjunction with external files which contain computer programmes, electronic instructions, input data and output data that performs logic, arithmetic, data electronic instructions, input data and output data that performs logic, arithmetic, data storage and retrieval, communication control and other functions;storage and retrieval, communication control and other functions;

The Information Technology Act, 2000The Information Technology Act, 2000

The Indian Parliament enacted an Act called the Information The Indian Parliament enacted an Act called the Information Technology Act, 2000. It received the assent of the President on the Technology Act, 2000. It received the assent of the President on the 9th June, 2000 and is effective from 17th9th June, 2000 and is effective from 17thOctober, 2000.October, 2000.

This Act is based on the Resolution A/RES/51/162 adopted by the This Act is based on the Resolution A/RES/51/162 adopted by the General Assembly of the United Nations on 30th January, 1997 General Assembly of the United Nations on 30th January, 1997 regarding the Model Law on Electronic Commerce earlier adopted by regarding the Model Law on Electronic Commerce earlier adopted by the United Nations Commission on International Trade Law the United Nations Commission on International Trade Law (UNCITRAL) in its twenty-ninth session.(UNCITRAL) in its twenty-ninth session.

The aforesaid resolution of the U.N. General Assembly rThe aforesaid resolution of the U.N. General Assembly recommends ecommends that all States give favourable consideration to the Model Law on that all States give favourable consideration to the Model Law on Electronic Commerce when they enact or revise their laws, in view of Electronic Commerce when they enact or revise their laws, in view of the need for uniformity of the law applicable to alternatives to paper-the need for uniformity of the law applicable to alternatives to paper-based methods of communication and storage of information. based methods of communication and storage of information.

Main principles of the Information Main principles of the Information Technology Act, 2000Technology Act, 2000

It is significant to note that by enactment of the Information Technology Act, It is significant to note that by enactment of the Information Technology Act, 2000, the 2000, the Indian Parliament provided a new legal basis to data protection and Indian Parliament provided a new legal basis to data protection and privacy.privacy.

The main principles on data protection and privacy enumerated under the The main principles on data protection and privacy enumerated under the Information Technology Act, 2000 are:Information Technology Act, 2000 are:

(i)defining ‘data’,‘computer database’, ‘information’, ‘electronic form', (i)defining ‘data’,‘computer database’, ‘information’, ‘electronic form', 'originator’, ‘addressee’ etc.'originator’, ‘addressee’ etc.

(ii) creating civil liability if any person accesses or secures access to (ii) creating civil liability if any person accesses or secures access to computer, computer system or computer network. computer, computer system or computer network.

(iii) creating criminal liability if any person accesses or secures access to (iii) creating criminal liability if any person accesses or secures access to computer, computer system or computer networkcomputer, computer system or computer network. .

Main principles of the Information Technology Act, Main principles of the Information Technology Act, 20002000

(iv)declaring any computer, computer system or computer network (iv)declaring any computer, computer system or computer network as a protected System.as a protected System.

(v)imposing penalty for breach of confidentiality and privacy.(v)imposing penalty for breach of confidentiality and privacy.

(vi)setting up of hierarchy of regulatory authorities, namely (vi)setting up of hierarchy of regulatory authorities, namely adjudicating officers,adjudicating officers,the Cyber Regulations Appellate Tribunal etc.the Cyber Regulations Appellate Tribunal etc.

Further, the Information Technology Act, 2000 defines certain key Further, the Information Technology Act, 2000 defines certain key terms with respect to data protection, like access terms with respect to data protection, like access [S.2 (1)(a)], [S.2 (1)(a)], Computer [S.2 (1)(i)], Computer network [S.2(1)(j), Computer Computer [S.2 (1)(i)], Computer network [S.2(1)(j), Computer resource [S.2 (1)(k)], Computer system [S.2 (1)(l)], Computer resource [S.2 (1)(k)], Computer system [S.2 (1)(l)], Computer database[S.43, Explanation (ii)],Data [S.2 (1)(o)], Electronic form database[S.43, Explanation (ii)],Data [S.2 (1)(o)], Electronic form [S.2 (1)(r)], Electronic record[S.2 (1)(t],Information[S.2(1)(v)], [S.2 (1)(r)], Electronic record[S.2 (1)(t],Information[S.2(1)(v)], Intermediary [S.2 (1)(w)], Secure system [S.2(1)(ze)] and Security Intermediary [S.2 (1)(w)], Secure system [S.2(1)(ze)] and Security procedure [S.2 (1)(zf)].procedure [S.2 (1)(zf)].

Main principles of the Information Main principles of the Information Technology Act, 2000Technology Act, 2000

Interestingly, section 72 [Penalty for breach of confidentiality and Interestingly, section 72 [Penalty for breach of confidentiality and privacy] is aimed at public (and private) authorities, which have privacy] is aimed at public (and private) authorities, which have been granted power under the Act to secure access to any been granted power under the Act to secure access to any electronic record, book, register, correspondence, information, electronic record, book, register, correspondence, information, document or document or other material information.other material information.

The idea behind the aforesaid section is that the person who has The idea behind the aforesaid section is that the person who has secured access to any such information shall not take unfair secured access to any such information shall not take unfair advantage of it by disclosing it to the third party without obtaining advantage of it by disclosing it to the third party without obtaining the consent of the disclosing party. the consent of the disclosing party.

Cyber contraventions under IT ActCyber contraventions under IT Act

The Information Technology Act, 2000 provides for civil liability in The Information Technology Act, 2000 provides for civil liability in case of data, computer database theft, privacy violation etc.case of data, computer database theft, privacy violation etc.

The Act provides a complete Chapter (Chapter IX) on cyber contraventions, The Act provides a complete Chapter (Chapter IX) on cyber contraventions, i.e., section43 (a) – (h) which cover a wide range of cyber contraventions i.e., section43 (a) – (h) which cover a wide range of cyber contraventions related to unauthorised access to computer, computer system, computer related to unauthorised access to computer, computer system, computer network or resources. network or resources.

Section 43 of the Act covers instances such as:Section 43 of the Act covers instances such as:

(a) computer trespass, violation of Privacy etc.(a) computer trespass, violation of Privacy etc.

(b)unauthorised digital copying, downloading and extraction of data, computer (b)unauthorised digital copying, downloading and extraction of data, computer database or information;. theft of data held or stored in any media, database or information;. theft of data held or stored in any media,

Cyber contraventions under IT ActCyber contraventions under IT Act

(c) unauthorised transmission of data or programme residing within a computer, (c) unauthorised transmission of data or programme residing within a computer, computer system or computer network cookies, spy ware, GUID or digital computer system or computer network cookies, spy ware, GUID or digital profiling are not legally profiling are not legally permissible,permissible,

(d) data loss, data corruption etc.,(d) data loss, data corruption etc.,

(e) computer data/database disruption, spamming etc.,(e) computer data/database disruption, spamming etc.,

(f) denial of service attacks, data theft, fraud, forgery etc.,(f) denial of service attacks, data theft, fraud, forgery etc.,

(g) unauthorised access to computer data/computer databases and(g) unauthorised access to computer data/computer databases and

(h) instances of data theft (passwords, login IDs) etc.(h) instances of data theft (passwords, login IDs) etc.

Cyber offences under IT ActCyber offences under IT ActThe Information Technology Act, 2000 provides for criminal liability The Information Technology Act, 2000 provides for criminal liability

in case of data, computer database theft, privacy violation etc.in case of data, computer database theft, privacy violation etc.

The Act also provides a complete Chapter (Chapter XI) on cyber The Act also provides a complete Chapter (Chapter XI) on cyber offences, i.e., sections 65-74 which cover a wide range of cyber offences, i.e., sections 65-74 which cover a wide range of cyber offences, including offences related to unauthorised alteration, offences, including offences related to unauthorised alteration, deletion, addition, modification, alteration, destruction, duplicationdeletion, addition, modification, alteration, destruction, duplication or or transmission of data, and computer database.transmission of data, and computer database.

For example,section65 [Tampering with computer source documents] For example,section65 [Tampering with computer source documents] of the Act is not limited to protecting computer source code only, but it of the Act is not limited to protecting computer source code only, but it also safeguards data and computer databases; and similarly section also safeguards data and computer databases; and similarly section 66 [Hacking with Computer System] covers cyber 66 [Hacking with Computer System] covers cyber offences related tooffences related to

(a) Illegal access, (b) Illegal interception, (c) Data interference, (d) (a) Illegal access, (b) Illegal interception, (c) Data interference, (d) System interference, (e) Misuse of devices, etc. System interference, (e) Misuse of devices, etc.

The Right to PrivacyThe Right to Privacy in India in India Judicial activism has brought the Right to Judicial activism has brought the Right to Privacy within the realm Privacy within the realm

of Fundamental Rights.of Fundamental Rights.

Article 141 of the Constitution states that “the law declared by the Article 141 of the Constitution states that “the law declared by the Supreme Court shall be binding on all courts within the territory of Supreme Court shall be binding on all courts within the territory of India.” Therefore, the decisions of The Supreme Court of India India.” Therefore, the decisions of The Supreme Court of India become the law of the Land.become the law of the Land.

The Supreme Court of India has come to the rescue of common The Supreme Court of India has come to the rescue of common citizen, time and again by construing “right to privacy ” as a part of citizen, time and again by construing “right to privacy ” as a part of the Fundamental Right to “protection of life and personal liberty” the Fundamental Right to “protection of life and personal liberty” under Article 21 of the Constitution, which states “no person shall be under Article 21 of the Constitution, which states “no person shall be deprived of his life or personal liberty except according to deprived of his life or personal liberty except according to procedures established by procedures established by law”. law”.

Judicial Activism: The Right to PrivacyJudicial Activism: The Right to Privacy In the context of personal liberty, the Supreme Court has observed In the context of personal liberty, the Supreme Court has observed

“those who feel called upon to deprive other persons of their personal “those who feel called upon to deprive other persons of their personal liberty in the discharge of what they conceive to be their duty must liberty in the discharge of what they conceive to be their duty must strictly and scrupulously observe the forms and rules of the law”. strictly and scrupulously observe the forms and rules of the law”.

Even the fundamental right “to freedom of speech and expression” as Even the fundamental right “to freedom of speech and expression” as enumerated in Article 19(1)(a) of the Constitution of India comes with enumerated in Article 19(1)(a) of the Constitution of India comes with reasonable restrictions imposed by the State relating to (i) defamation; reasonable restrictions imposed by the State relating to (i) defamation; (ii) contempt of court; (iii) decency or morality; (iv) security of the State; (ii) contempt of court; (iii) decency or morality; (iv) security of the State; (v) friendly relations with foreign states; (vi) incitement to an offence; (v) friendly relations with foreign states; (vi) incitement to an offence; (vii) public order; (viii) maintenance of the sovereignty and integrity of (vii) public order; (viii) maintenance of the sovereignty and integrity of India. India.

Thus, the right to Privacy is limited against defamation, decency or Thus, the right to Privacy is limited against defamation, decency or morality. morality.

Judicial Activism: The Right to PrivacyJudicial Activism: The Right to PrivacyThe Supreme Court has reiterated the Right to Privacy in the following cases: The Supreme Court has reiterated the Right to Privacy in the following cases:

1. 1. Kharak Singh Kharak Singh v. v. State of UP State of UP (AIR 1963 SC 1295)(AIR 1963 SC 1295)

In this case the appellant was being harassed by police under Regulation 236(b) In this case the appellant was being harassed by police under Regulation 236(b)

of UP Police Regulation, which permits domiciliary visits at night. of UP Police Regulation, which permits domiciliary visits at night.

The Supreme Court held that the Regulation 236 is unconstitutional and violative The Supreme Court held that the Regulation 236 is unconstitutional and violative of Article 21.of Article 21.

It concluded that the Article 21 of the Constitution includes “right to Privacy” as a It concluded that the Article 21 of the Constitution includes “right to Privacy” as a

part of the right to “ protection” of life and personal liberty”.part of the right to “ protection” of life and personal liberty”.

The Court equated ‘personal liberty’ with ‘privacy’, and observed, that “the The Court equated ‘personal liberty’ with ‘privacy’, and observed, that “the concept of liberty in Article was comprehensive enough to include privacy and concept of liberty in Article was comprehensive enough to include privacy and that a person’s house, where he lives with his family is his ‘castle’ and that that a person’s house, where he lives with his family is his ‘castle’ and that nothing is more deleterious to a man’s physical happiness and health than a nothing is more deleterious to a man’s physical happiness and health than a calculated interference with his privacy”.calculated interference with his privacy”.

Judicial Activism: The Right to PrivacyJudicial Activism: The Right to Privacy

People’s Union for Civil Liberties (PUCL) People’s Union for Civil Liberties (PUCL) v. v. Union of India Union of India AIR (1997) 1 SCC AIR (1997) 1 SCC 301 301

the Supreme Court held that the telephone tapping by Government the Supreme Court held that the telephone tapping by Government under S. 5(2) of Telegraph Act, 1885 amounts infraction of Article 21 of under S. 5(2) of Telegraph Act, 1885 amounts infraction of Article 21 of the Constitution of India.the Constitution of India.

Right to privacy is a part of the right to “life” and “personal liberty” Right to privacy is a part of the right to “life” and “personal liberty” enshrined under Article 21 of the Constitution. The said right cannot be enshrined under Article 21 of the Constitution. The said right cannot be curtailed “except according to procedure established by law”.curtailed “except according to procedure established by law”.

Judicial Activism: The Right to PrivacyJudicial Activism: The Right to PrivacyIf one follows the judgments given by the Hon’ble Supreme Court, If one follows the judgments given by the Hon’ble Supreme Court,

three principlesthree principles emerge: emerge: (1) that the individual’s right to privacy exists and any unlawful invasion (1) that the individual’s right to privacy exists and any unlawful invasion

of privacy would make the ‘offender’ liable for the consequences in of privacy would make the ‘offender’ liable for the consequences in accordance with law; accordance with law;

(2) that there is constitutional recognition given to the right of privacy (2) that there is constitutional recognition given to the right of privacy which protects personal privacy against unlawful governmental invasion;which protects personal privacy against unlawful governmental invasion;

(3) that the person’s “right to be let alone” is not an absolute right and (3) that the person’s “right to be let alone” is not an absolute right and may be lawfully restricted for the prevention of crime, disorder or may be lawfully restricted for the prevention of crime, disorder or protection of health or morals or protection of rights and freedom of protection of health or morals or protection of rights and freedom of others.others.

RFID and Data protection laws in RFID and Data protection laws in other countries other countries

GERMANY Article 6c of the German Federal Data Protection Law (BDSG) is partly applicable to

RFID tags, notably where the tag does not directly process or store personal data, as for instance passive tags

USA Utah recently reviewed its laws on unauthorised access to networks and added

wireless networks as it previously only addressed wire line networks: it clarifies that computer crimes laws apply to wireless networks.

Virginia’s law authorises research relating to methods of electronic toll collection. Also provides that data generated by automated electronic toll-collection systems on use of toll facilities can only be disclosed when so required by order of a court.

Wyoming authorises tele-pharmacies to use automated inventory control including radio frequency tags. In many other states there exist draft legislation on RFID technology, which sometimes just seek to require only labelling and notice that RFID is in use, while in other cases like the California’s approach would most tightly regulate the technology itself, including prohibitions of certain applications and technology-specific security requirements containing only the product ID64.

Data protection in the EUData protection in the EU• The protection of personal data is an important

principle in the EU. Article 6 of the Treaty on the European Union states that the Union is founded on the principles of liberty, democracy, respect for human rights and fundamental freedoms;

• Article 30 requires appropriate provisions on the protection of personal data for the collection, storage, processing, analysis and exchange of information in the field of police co-operation.

• The protection of personal data is set as one of the freedoms in Article 8 of the Charter of Fundamental Rights.

European initiatives on data protectionEuropean initiatives on data protection The Community legislation framework on data protection and privacy in Europe was designed to be robust in the face of innovation. The protection of personal data is

covered by the general Data Protection Directive Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23.11.1995, p. 31. regardless of the means and procedures used for data processing. The Directive is applicable to all technologies, including RFID.

Emphasises need for prior consent of the individual whose data is being collected. It defines the principles of data protection and requires that a data controller implements these principles- ( purpose limitation, proportionality, data quality , lawfulness and ensure the security of the processing of personal data.

The general Data Protection Directive is complemented by the ePrivacy Directive -Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ L 201,31.7.2002, p. 37.which applies these principles to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks.

The OECD InitiativeThe OECD Initiative ““RFIDRFID Position Statement of Consumer Position Statement of Consumer

Privacy and Civil Liberties Organizations.” Privacy and Civil Liberties Organizations.” Privacy guidelines published by the Privacy guidelines published by the Organization for Economic Co-operation aOrganization for Economic Co-operation and Developmentnd Development (OECD) offers some useful guidelines (OECD) offers some useful guidelines related to the disclosure of related to the disclosure of RFIDRFID technology use and the purpose behind its technology use and the purpose behind its use. use.

US and Data ProtectionUS and Data Protection In the U.S ,the Federal Trade Commission’s In the U.S ,the Federal Trade Commission’s

Fair Information Practice PrinciplesFair Information Practice Principles would seem to play a role in the would seem to play a role in the legalities of legalities of RFIDRFID. .

In its Fair Information Practice Principles, the FTC writes about the In its Fair Information Practice Principles, the FTC writes about the collection and use of personal information and addresses “the safeguards collection and use of personal information and addresses “the safeguards required to assure those practices are fair and provide adequate privacy required to assure those practices are fair and provide adequate privacy protection.” Government agencies in the past quarter century have protection.” Government agencies in the past quarter century have deliberated about the way in which entities gather and use personal deliberated about the way in which entities gather and use personal information. A succession of reports and guidelines have identified five information. A succession of reports and guidelines have identified five central principles of privacy protection: central principles of privacy protection:

1. Notice and awareness of collection of information. 1. Notice and awareness of collection of information. 2. Choice and consent of how this information can be used. 2. Choice and consent of how this information can be used. 3. Access to the individual’s gathered information and the ability to contest 3. Access to the individual’s gathered information and the ability to contest the accuracy of the collected data. the accuracy of the collected data. 4. Integrity and security of the collected data. 4. Integrity and security of the collected data. 5. Enforcement of the aforementioned principle 5. Enforcement of the aforementioned principle

Data security measures in RFID Data security measures in RFID implementationimplementation

Kill order solutionsKill order solutions Shielding with Aluminum sheets Shielding with Aluminum sheets Blocker tags Blocker tags EncryptionEncryption User model solutionUser model solution Privacy bit- RSA Security-tag specific Privacy bit- RSA Security-tag specific

pincode -to switch on and off the bit on pincode -to switch on and off the bit on the tagthe tag

Alleviating Consumer privacy concerns in Alleviating Consumer privacy concerns in adopting RFID technologyadopting RFID technology

Businesses can deploy Businesses can deploy RFIDRFID systems and use “read systems and use “read only” (not rewritable) tagsonly” (not rewritable) tags

“ “kill” the tags before they are released to consumerskill” the tags before they are released to consumers affix tags to packaging rather than the objectaffix tags to packaging rather than the object alert consumers to the presence of readers and the alert consumers to the presence of readers and the

manner in which they will be usedmanner in which they will be used place a notice that place a notice that RFIDRFID tags are present together with tags are present together with

instructions for removal. instructions for removal. Retailers that use Retailers that use RFIDRFID should have a privacy policy should have a privacy policy

available to consumers. available to consumers. address consumer privacy concerns by educating the address consumer privacy concerns by educating the

public about public about RFIDRFID –description of –description of RFIDRFID tags and tags and acquainting consumers about its technology process acquainting consumers about its technology process

SETH ASSOCIATESSETH ASSOCIATES

ADVOCATES AND LEGAL CONSULTANTSADVOCATES AND LEGAL CONSULTANTSNew Delhi Law OfficeNew Delhi Law Office::

C-1/16, Daryaganj, New Delhi-110002, IndiaC-1/16, Daryaganj, New Delhi-110002, IndiaTel:+91 (11) 65352272, +91 9868119137Tel:+91 (11) 65352272, +91 9868119137

Corporate Law OfficeCorporate Law Office: : B-10, Sector 40, NOIDA-201301, N.C.R ,IndiaB-10, Sector 40, NOIDA-201301, N.C.R ,India

Tel: +91 (120) 4352846, +91 9810155766Tel: +91 (120) 4352846, +91 9810155766Fax: +91 (120) 4331304Fax: +91 (120) 4331304

E-mail: E-mail: mail@sethassociates.commail@sethassociates.com

© Seth Associates, 2008 All Rights Reserved

Thank You!Thank You!