Presentation is loading. Please wait.

Presentation is loading. Please wait.

The 2nd Annual RFID India Informedia India Conference 2008 22-23 July 2008 ITC Grand Maratha, Mumbai. ITC Grand Maratha, Mumbai. RFID TECHNOLOGY- A LEGAL.

Similar presentations


Presentation on theme: "The 2nd Annual RFID India Informedia India Conference 2008 22-23 July 2008 ITC Grand Maratha, Mumbai. ITC Grand Maratha, Mumbai. RFID TECHNOLOGY- A LEGAL."— Presentation transcript:

1 The 2nd Annual RFID India Informedia India Conference 2008 22-23 July 2008 ITC Grand Maratha, Mumbai. ITC Grand Maratha, Mumbai. RFID TECHNOLOGY- A LEGAL ANALYSIS Karnika Seth Cyber law Expert & Managing Partner Cyber law Expert & Managing Partner SETH ASSOCIATES SETH ASSOCIATES ADVOCATES AND LEGAL CONSULTANTS ADVOCATES AND LEGAL CONSULTANTS © 2008 Seth Associates. All Rights Reserved.

2 Legal Issues Impacting RFID Technology in India RFID Technology- an Introduction RFID Technology- an Introduction RFID Applications in India RFID Applications in India Legal Approvals & compliances Legal Approvals & compliances Global standardisation Global standardisation Legal Issues Legal Issues Privacy and Data Protection Privacy and Data Protection Security and other issues Security and other issues

3 RFID Technology- An Introduction Radio Frequency Identification (RFID) Technology uses radio waves to automatically identify wirelessly, contact less and without visibility objects which, or people who have an RFID tag attached. It is grouped under the broad category of automatic identification technologies. It consists of two parts: a tag that contains an identification number and a reader who works as a scanner that triggers the tag to broadcast its identification number. This number usually acts as an input to further data processing. RFID is designed to enable readers to capture data on tags and transmit it to computer system without needing a person to be involved. A typical RFID tag consists of a small integrated circuit attached to a radio antenna, capable of transmitting a unique serial number at a distance of several meters to a reading device in response to a query. RFID tags can be active, semi-active or passive.

4 RFID Technology- an Introduction Technology behind RFID An electromagnetic or electrostatic coupling in the RF (radio frequency) portion of the electromagnetic spectrum is used to transmit signals. An electromagnetic or electrostatic coupling in the RF (radio frequency) portion of the electromagnetic spectrum is used to transmit signals.RF The RFID system consists of an antenna and a transceiver, which reads the radio frequency and transfers the information to a processing device (reader) and a transponder, or RF tag, which contains the RF circuitry and information to be transmitted. The RFID system consists of an antenna and a transceiver, which reads the radio frequency and transfers the information to a processing device (reader) and a transponder, or RF tag, which contains the RF circuitry and information to be transmitted.RFID systemtransceiverdevicetransponderRF tagRFID systemtransceiverdevicetransponderRF tag The Radio frequency band allocated to India for RFID is 865 – 867 MHz. This band has been freed solely for RFID since March 2005. The Radio frequency band allocated to India for RFID is 865 – 867 MHz. This band has been freed solely for RFID since March 2005. RFID systems can use a variety of frequencies to communicate, but because radio waves work and act differently at different frequencies, a frequency for a specific RFID system is often dependant on its application RFID systems can use a variety of frequencies to communicate, but because radio waves work and act differently at different frequencies, a frequency for a specific RFID system is often dependant on its application

5 RFID Applications in India © All Rights Reserved Seth Associates Few ExamplesFew Examples Transport industry The Minister of Road Transport and Highways, Government of India, launched a pilot project for radio frequency identification (RFID)-based vehicle tracking project on the Delhi-Jaipur highway of India. Under the project, 68 buses of Rajasthan State Road Transport Corporation (RSRTC) plying on the highway have been fitted with RFID tags and readers have been placed to track the vehicle movement along the highway, whereby their movement is being tracked, monitored and managed Apparel Tracking Using RFID –Pantaloons Pantaloon Retail (India) has piloted an RFID project at one its warehouses in Tarapur using 1,000 RFID tags. The company is starting from where it matters the most by implementing the technology at the warehouse. Ticketing More recently, NXP Semiconductors, SmartTags and Gemini Traze have collaborated to implement a hands-free RFID ticketing solution for a sporting event.

6 RFID Applications in India RFID in the Pharmaceutical Industry RFID in the Pharmaceutical Industry (Ranbaxy), a wholly owned subsidiary of Ranbaxy Laboratories Limited, Indias largest pharmaceutical company, has chosen Acsis to implement a radio frequency identification (RFID) tracking system to meet Wal-Marts RFID mandate for its Class 2 pharmaceutical suppliers. (Ranbaxy), a wholly owned subsidiary of Ranbaxy Laboratories Limited, Indias largest pharmaceutical company, has chosen Acsis to implement a radio frequency identification (RFID) tracking system to meet Wal-Marts RFID mandate for its Class 2 pharmaceutical suppliers. Animal Tracking The Kopordem farm at Valpoi in Sattari Taluk in North Goa has become the first farm in India to use RFID microchips that can be injected into the animal's body. Manufacturing Sector Wipros Manufacturing Solutions Center of Excellence (CoE) has a dedicated team of consultants who help customers define, analyze, design and implement RFID solutions. Amongst others, their RFID solutions include a Wireless Yard Management System for a large automobile manufacturer and a Real-Time WIP Tracking System for an electronic component product manufacturer

7 Legal approvals & compliances- Statutory framework & Regulatory Authority Wireless Planning and Coordination Wing of Ministry of Communications and Information Technology, Government of India deals with issues of licensing use of RFID devices in India. Wireless Planning and Coordination Wing of Ministry of Communications and Information Technology, Government of India deals with issues of licensing use of RFID devices in India. Indian Wireless Telegraphy Act Indian Wireless Telegraphy Act 1933-An Act to regulate the possession of wireless telegraphy apparatus-wireless communication defined in Section 2 of the Act means any transmission, omission or reception of signs, signals, writing, images and sounds, or intelligence of any nature by means of electricity, magnetism, or Radio waves or Hertzian waves, without the use of wires or other continuous electrical conductors between the transmitting and the receiving apparatus; Indian Wireless Telegraphy Act 1933-An Act to regulate the possession of wireless telegraphy apparatus-wireless communication defined in Section 2 of the Act means any transmission, omission or reception of signs, signals, writing, images and sounds, or intelligence of any nature by means of electricity, magnetism, or Radio waves or Hertzian waves, without the use of wires or other continuous electrical conductors between the transmitting and the receiving apparatus; Explanation.Radio waves or Hertzian waves means electromagnetic waves of frequencies lower than 3,000 gigacycles per second propagated in space without artificial guide; Explanation.Radio waves or Hertzian waves means electromagnetic waves of frequencies lower than 3,000 gigacycles per second propagated in space without artificial guide; Section 5 of the Indian Wireless Telegraphy Act 1933- Licences.The telegraphy authority constituted under the Indian Telegraph Act, 1885, shall be the authority competent to issue licences to possess wireless telegraphy apparatus under this Act, and may issue licences in such manner, on such conditions and subject to such payments, as may be prescribed. According to Section 3 of the Act Possession of wireless telegraphy apparatus without licence is strictly prohibited-possessing wireless transmitter without licence -3 years punishment, fine or both. Section 4 deals with Power of Central Government to exempt persons from provisions of the Act and Section 10 elucidates Power of Central Government to make rules Section 5 of the Indian Wireless Telegraphy Act 1933- Licences.The telegraphy authority constituted under the Indian Telegraph Act, 1885, shall be the authority competent to issue licences to possess wireless telegraphy apparatus under this Act, and may issue licences in such manner, on such conditions and subject to such payments, as may be prescribed. According to Section 3 of the Act Possession of wireless telegraphy apparatus without licence is strictly prohibited-possessing wireless transmitter without licence -3 years punishment, fine or both. Section 4 deals with Power of Central Government to exempt persons from provisions of the Act and Section 10 elucidates Power of Central Government to make rules

8 Indian Telegraph Act The Indian Telegraph Act was passed by the Legislature in 1885 and it came into force on 1st October, 1885-An Act to amend the law relating to Telegraphs in India The Indian Telegraph Act was passed by the Legislature in 1885 and it came into force on 1st October, 1885-An Act to amend the law relating to Telegraphs in India Telegraph which expression by the definition would include a telephone and FAX also. A video and Television both fall with in the definition of telegraph. A telegraph wireless receiving station is a telegraph as defined in the Act.Section 3 of the Indian Telegraph Act defines Telegraph as - "telegraph" means any appliance, instrument, material or apparatus used or capable of use for transmission or reception of signs, signals, writing, images, and sounds or intelligence of any nature by wire, visual or other electro-magnetic emissions, Radio waves or Hertzian waves, galvanic, electric or magnetic means; Telegraph which expression by the definition would include a telephone and FAX also. A video and Television both fall with in the definition of telegraph. A telegraph wireless receiving station is a telegraph as defined in the Act.Section 3 of the Indian Telegraph Act defines Telegraph as - "telegraph" means any appliance, instrument, material or apparatus used or capable of use for transmission or reception of signs, signals, writing, images, and sounds or intelligence of any nature by wire, visual or other electro-magnetic emissions, Radio waves or Hertzian waves, galvanic, electric or magnetic means; Explanation "Radio waves" or "Hertzian waves" means electro magnetic waves of frequencies lower than 3,000 giga-cycles per sound propagated in space without artificial guide. Explanation "Radio waves" or "Hertzian waves" means electro magnetic waves of frequencies lower than 3,000 giga-cycles per sound propagated in space without artificial guide. "telegraph authority" means the Director-General of Posts and Telegraphs, and includes any officer empowered by him to perform all or any of the functions of the telegraph authority under this Act; "telegraph authority" means the Director-General of Posts and Telegraphs, and includes any officer empowered by him to perform all or any of the functions of the telegraph authority under this Act; Section 4 of the Indian Telegraph Act- Exclusive privilege in respect of telegraphs, and power to grant licences Section 4 of the Indian Telegraph Act- Exclusive privilege in respect of telegraphs, and power to grant licences

9 Power to Grant RFID License in India Section 4 Indian Telegraph Act- Exclusive privilege in respect of telegraphs, and power to grant licences Section 4 Indian Telegraph Act- Exclusive privilege in respect of telegraphs, and power to grant licences (1) Within India, the Central Government shall have the exclusive privilege of establishing, maintaining and working telegraphs: Provided that the Central Government may grant a licence, on such conditions and in consideration of such payments as it thinks fit, to any person to establish, maintain or work a telegraph within any part of India: Provided that the Central Government may grant a licence, on such conditions and in consideration of such payments as it thinks fit, to any person to establish, maintain or work a telegraph within any part of India: Provided further that the Central Government may, by rules made under this Act and published in the Official Gazette, permit, subject to such restrictions and conditions as it thinks fit, the establishment, maintenance and working Provided further that the Central Government may, by rules made under this Act and published in the Official Gazette, permit, subject to such restrictions and conditions as it thinks fit, the establishment, maintenance and working (a) of wireless telegraphs on ships within Indian territorial waters and on aircraft within or above India, or Indian territorial waters, and (b) of telegraphs other than wireless telegraphs within any part of India. Section 8(2) The Central Government may, by notification in the Official Gazette, delegate to the telegraph authority all or any of its powers under the first proviso to sub-section (1). Section 8(2) The Central Government may, by notification in the Official Gazette, delegate to the telegraph authority all or any of its powers under the first proviso to sub-section (1). The exercise by the telegraph authority of any power so delegated shall be subject to such restrictions and conditions as the Central Government may, by the notification, think fit to impose.

10 Revocation of RFID licenses in India Section 8-Indian Telegraph Act Revocation of licences Section 8-Indian Telegraph Act Revocation of licences The Central Government may, at any time, revoke any license granted under section 4, on the breach of any of the conditions therein contained, or in default of payment of any consideration payable thereunder. The Central Government may, at any time, revoke any license granted under section 4, on the breach of any of the conditions therein contained, or in default of payment of any consideration payable thereunder.

11 Radio Frequency Identification Devices (Exemption from Licensing Requirement) Rules, 2005 Use of low power Equipment in the frequency band 865 – 867 MHz for (RFID) Radio Frequency Identification Devices (Exemption from Licensing Requirement) Rules, 2005 -rules were published in the Gazette of India, Part II, Section 3, Sub-Section (i), dated the 11th March, 2005, vide notification No.168 (E), dated the 11th March, 2005. Use of low power Equipment in the frequency band 865 – 867 MHz for (RFID) Radio Frequency Identification Devices (Exemption from Licensing Requirement) Rules, 2005 -rules were published in the Gazette of India, Part II, Section 3, Sub-Section (i), dated the 11th March, 2005, vide notification No.168 (E), dated the 11th March, 2005. Rule 3.Use of wireless equipment in the band 865 – 867 MHz.- Notwithstanding anything contained in any law for the time being in force, no licence shall be required by any person to establish, maintain, work, possess or deal in Radio Frequency Identification Devices (RFID), on non- interference, non-protection and non-exclusive basis, in the frequency band 865 – 867 MHz with maximum 1 Watt transmitter power, 4 Watts Effective Radiated Power and 200 kHz carrier bandwidth. Rule 3.Use of wireless equipment in the band 865 – 867 MHz.- Notwithstanding anything contained in any law for the time being in force, no licence shall be required by any person to establish, maintain, work, possess or deal in Radio Frequency Identification Devices (RFID), on non- interference, non-protection and non-exclusive basis, in the frequency band 865 – 867 MHz with maximum 1 Watt transmitter power, 4 Watts Effective Radiated Power and 200 kHz carrier bandwidth. Rule 4. In case where any person to whom a licence has been issued under section 4 of the Act, informs that his licensed system is getting harmful interference from any other radio communication system exempted under these rules, the use of such unlicensed Wireless equipment shall be discontinued forthwith. Rule 4. In case where any person to whom a licence has been issued under section 4 of the Act, informs that his licensed system is getting harmful interference from any other radio communication system exempted under these rules, the use of such unlicensed Wireless equipment shall be discontinued forthwith.

12 RFID Standardisation RFID standards first came into being during the early 1990s, when the (newly created) CENTC225 committee on bar coding focused the attention on automatic ID techniques in general. RFID standards first came into being during the early 1990s, when the (newly created) CENTC225 committee on bar coding focused the attention on automatic ID techniques in general. There are two competing initiatives in the RFID standardisation arena: ISO and EPC global. There are two competing initiatives in the RFID standardisation arena: ISO and EPC global. There are also a number of special interest groups including industry specific such as the American Trucking Association in the transport industry, the NFC forum in consumer electronics, mobile devices and computer industry or the Automotive Industry Action Group in the automotive industry that seek to influence RFID standards development. There are also a number of special interest groups including industry specific such as the American Trucking Association in the transport industry, the NFC forum in consumer electronics, mobile devices and computer industry or the Automotive Industry Action Group in the automotive industry that seek to influence RFID standards development.

13 International Organization for Standardization (ISO) approach The ISO approach The ISO approach RFID standards first came into being during the early 1990s, when the (newly created) CENTC225 committee on bar coding focused the attention on automatic ID techniques in general. RFID standards first came into being during the early 1990s, when the (newly created) CENTC225 committee on bar coding focused the attention on automatic ID techniques in general. During the early 1990s, the standardisation activity on automatic ID techniques was mainly carried out in Europe within the CEN standard body (TC225 committee), with little involvement from the US. However, during the 1995, a joint ISO IEC JTC1 committee – theSC31 – was set up for standardisation of automatic identification techniques generally drawing from the earlier work on RFID standards within CEN. Another influence on the RFID work within ISO was the work on the G Tag initiative for RFID standardisation of asset tracking and logistics which was launched by UCC and EAN in 2000 along with input from international companies including Philips Semiconductors, Intermec, and Gemplus. During the early 1990s, the standardisation activity on automatic ID techniques was mainly carried out in Europe within the CEN standard body (TC225 committee), with little involvement from the US. However, during the 1995, a joint ISO IEC JTC1 committee – theSC31 – was set up for standardisation of automatic identification techniques generally drawing from the earlier work on RFID standards within CEN. Another influence on the RFID work within ISO was the work on the G Tag initiative for RFID standardisation of asset tracking and logistics which was launched by UCC and EAN in 2000 along with input from international companies including Philips Semiconductors, Intermec, and Gemplus. The members of the SC31 committees are the representatives of the national standard bodies such as in UK the BSI IST34 committee on bar coding, including the same people who tend to participate in CEN TC225. They represent either internal consultants within big corporations,or external consultants which are representing the interest of different companies. As a result,three different levels of representativeness (and thus interests) can be identified in the ISO process: the individual, the organisational, and the national level. The members of the SC31 committees are the representatives of the national standard bodies such as in UK the BSI IST34 committee on bar coding, including the same people who tend to participate in CEN TC225. They represent either internal consultants within big corporations,or external consultants which are representing the interest of different companies. As a result,three different levels of representativeness (and thus interests) can be identified in the ISO process: the individual, the organisational, and the national level.

14 Standardisation-The ISO approach RFID ISO standards cover 4 different areas: technology (e.g. ISO 18000 series), data content(e.g. ISO 15418), conformance and performance (e.g. ISO 18046), and application standards(e.g. ISO 10374). RFID ISO standards cover 4 different areas: technology (e.g. ISO 18000 series), data content(e.g. ISO 15418), conformance and performance (e.g. ISO 18046), and application standards(e.g. ISO 10374). The ISO standards are defined at a very high level, focusing on the interface rather than on the data which is transported. As a result, ISO standards are generic, being able to be supported by any system and in any context, irrespective of the data that is being carried. The ISO standards are defined at a very high level, focusing on the interface rather than on the data which is transported. As a result, ISO standards are generic, being able to be supported by any system and in any context, irrespective of the data that is being carried.

15 RFID Standardisation The Electronic Product Code (EPC) Global approach MIT and UCC together with a number of industrial partners including Procter & Gamble, Gilette and Wal-Mart set up the Auto-ID consortium in 1999 to research RFID technologies and standards. The members included end users, primarily from consumer packaged goods, large retailers and solution providers, including hardware and software providers and consultants. The Auto-ID members included large retailers such as Wal-Mart, Gilette, Coca Cola, Unilever, Tesco and Carrefour. A new entity was created in October 2003, the EPC Global as a joint venture between UCC and EAN to undertake the standardisation and commercialisation work within Auto-ID.. Whereas Auto-ID would continue to research RFID technologies, EPC Global focuses on standardisation activities, as well as their commercialisation.

16 The EPC Global approach In contrast with ISO RFID standards which are generic standards, EPC standards are specific. In contrast with ISO RFID standards which are generic standards, EPC standards are specific. EPC standards describe the tag and the air interface depending on the data being carried. EPCstandards prescribe the physical implementation of the tags and readers, rather then specifying their generic characteristics. The standards are also much more limited in their scope, forexample where the ISO standards for air interface cover all the frequency range, EPC operatesonly within the UHF between 860-930MHz with one standard for 13.56MHz EPC standards describe the tag and the air interface depending on the data being carried. EPCstandards prescribe the physical implementation of the tags and readers, rather then specifying their generic characteristics. The standards are also much more limited in their scope, forexample where the ISO standards for air interface cover all the frequency range, EPC operatesonly within the UHF between 860-930MHz with one standard for 13.56MHz

17 The EPC vs ISO Global approach Whereas ISO can claim that it reflects the global requirements into a legitimate process (equalfooting and consensus based), EPC focuses on speed and emphasises the broad support it receives from the industry community. Whereas ISO can claim that it reflects the global requirements into a legitimate process (equalfooting and consensus based), EPC focuses on speed and emphasises the broad support it receives from the industry community. The ISO and EPC processes can be seen as complementary, even more so when one consider that the only competing area is the standard for air interfaces frequencies. The ISO and EPC processes can be seen as complementary, even more so when one consider that the only competing area is the standard for air interfaces frequencies. However, for both EPC supporters and for ISO the need for a single, global standard is impetuous. However, for both EPC supporters and for ISO the need for a single, global standard is impetuous. The benefits coming from standardization would be lost if in different parts of the globe, multinationals would have to invest in different technologies for RFID The benefits coming from standardization would be lost if in different parts of the globe, multinationals would have to invest in different technologies for RFID

18 Taxonomy of RFID tags and legal implications Tags that only contain item numbers that cannot be linked to persons (usually passive tags Tags that only contain item numbers that cannot be linked to persons (usually passive tags Tags that may reveal the identity of persons through item numbers that are linked to backend databases e.g Tags that may reveal the identity of persons through item numbers that are linked to backend databases e.g by connecting the information obtained by the tagged object that individuals carry with them and credit cards that they submit at the purchase point e.g to analyse the favourite shopping routes of customers that have already been identified by one of the shops in the mall for better management and promotion policy to increase consumption. Tags that usually store personal data ( active tags) e.g passports issued with RFID technology-RFID chips containing biometric information - Germany, Belgium- Tags that usually store personal data ( active tags) e.g passports issued with RFID technology-RFID chips containing biometric information - Germany, Belgium- In compliance with the recommendations of the ICAO the Council of the European Union adopted on 13/12/2004 a regulation mandating the inclusion of both facial image andfingerprints in future passports and travel documents issued by EU Member States. The new regulation aims at better protecting EU passports against forgery, at enabling better identification of passport holders and at harmonising security standard features used in the production of passports and travel documents issued by Member States- Council Regulation 2252/2004 on standards for security features and biometrics in passports and travel documents issued by Member States.

19 Legal Issues Protecting the right to privacy and data protection concerns. Protecting the right to privacy and data protection concerns. Identification and profiling of a person ( for example-to Identification and profiling of a person ( for example-to analyse the favourite shopping routes of customers for better management and promotion policy). Unnoticed remote reading without line of sight- for noticing consumer preferences, worker surveillance Unnoticed remote reading without line of sight- for noticing consumer preferences, worker surveillance Search, seizure law enforcement purposes Search, seizure law enforcement purposes for e.g -the lists of the movement of cars passing through the toll-controls, the tracking of people carrying RFID enabled IDs or passports, or even RFIDimplanted tags.

20 Legal Issues Impersonation and cheating Impersonation and cheating Chances of identity theft increase as unauthorised scanning of a personal data of an individual is possible by unlawful interception Chances of identity theft increase as unauthorised scanning of a personal data of an individual is possible by unlawful interception Monetary counterfeit Monetary counterfeit Even the use of RFID tags in banknotes can be highly problematic in this perspective. Through RFID it will be possible to determine which banknotes were withdrawn by whom from which automatic teller machine, or where those banknotes were then used to buy certain products or services. Protection of right to dignity- Protection of right to dignity-In this regard, the Japanese program for the children) might breach children's right to privacy and dignity by treating them like cattle or a piece of inventory and by familiarizing them with an environment and a world of absolute surveillance. A group of children in Yokohama City in Japan wears active tags to keep them safe on their way to and from school. Each child participating to the programme wears a bracelet with a RFID tag.

21 Legal Issues Unfair competition. Unfair competition. Inexpensive tags simply do not have the memory to store lists of readers that can authenticate themselves to the tag, in order to avoid unwanted reading of tags; and they don't have the power to call out to an enterprise server to get this information from a database. So they are exposed to unauthorised reading by competitors, for instance if a rival enters the shop of a competitor and scans by a mobile reader its inventory. Labour law. Labour law. Besides, the use of the same RFID tags for other purposes, such as the surveillance of employees which is already mentioned above, this technology may affect the health of employees in terms of possible radiation emitted during the data communication between tag and reader. It might also lead to cutting personnel as a result of rationalisation through the use of the technology.

22 Privacy and Data Protection Privacy is closely connected to Data Protection. An individuals data like his name address, telephonenumbers, profession, family, choices, etc. are often available at various places like schools, colleges, banks, directories, surveys and on various web sites. Privacy is closely connected to Data Protection. An individuals data like his name address, telephonenumbers, profession, family, choices, etc. are often available at various places like schools, colleges, banks, directories, surveys and on various web sites. Passing on such information to interested parties can lead to intrusion in privacy like incessant marketing calls. Passing on such information to interested parties can lead to intrusion in privacy like incessant marketing calls. It would be a misnomer to say that India does not have data protection legislation at all. It would be a misnomer to say that India does not have data protection legislation at all. This is factually wrong. The fact is that there exists data protection legislation in India. The subject matter of data protection and privacy has been dealt within the Information Technology Act, 2000 but not in an exclusive manner. This is factually wrong. The fact is that there exists data protection legislation in India. The subject matter of data protection and privacy has been dealt within the Information Technology Act, 2000 but not in an exclusive manner.

23 Data Protection-legislative domain-India Data protection is not a subject in any of the three lists in Schedule VII of the Constitution of India. Data protection is not a subject in any of the three lists in Schedule VII of the Constitution of India. But Entry 97 of List 1 states: any other matter not enumerated in List II and List III ……. But Entry 97 of List 1 states: any other matter not enumerated in List II and List III ……. Thus only the Indian Parliament is competent to legislate on data protection since it can be interpreted as any other matter not enumerated in List II and List III. Data protection is, thus, a Central subject and only the Central Government is competent to frame legislations on issues dealing with data protection. Thus only the Indian Parliament is competent to legislate on data protection since it can be interpreted as any other matter not enumerated in List II and List III. Data protection is, thus, a Central subject and only the Central Government is competent to frame legislations on issues dealing with data protection. In fact, the Information Technology Act, 2000, enacted by the Indian Parliament is the first legislation, which contains provisions on data protection. In fact, the Information Technology Act, 2000, enacted by the Indian Parliament is the first legislation, which contains provisions on data protection.

24 Data Protection law in India and RFID The IT Act, 2000 was enacted to provide legal recognition for transactions carried out by means of EDI and other means of electronic communication, commonly referred to as e-commerce which involve use of alternatives to paper based methods of communication and storage of information to facilitate electronic filing of documents with Government agencies. RFID in essence falls within its operative domain The IT Act, 2000 was enacted to provide legal recognition for transactions carried out by means of EDI and other means of electronic communication, commonly referred to as e-commerce which involve use of alternatives to paper based methods of communication and storage of information to facilitate electronic filing of documents with Government agencies. RFID in essence falls within its operative domain Section 2 definitions- "computer" means electronic, magnetic, optical or other high- speed date processing device or system which performs logical, arithmetic and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software or communication facilities which are connected or relates to the computer in a computer system or computer network; Section 2 definitions- "computer" means electronic, magnetic, optical or other high- speed date processing device or system which performs logical, arithmetic and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software or communication facilities which are connected or relates to the computer in a computer system or computer network; "computer network" means the inter-connection of one or more computers through- "computer network" means the inter-connection of one or more computers through- (i) the use of satellite, microwave, terrestrial lime or other communication media; and (i) the use of satellite, microwave, terrestrial lime or other communication media; and (ii) terminals or a complex consisting of two or more interconnected computers whether or not the interconnection is continuously maintained; (ii) terminals or a complex consisting of two or more interconnected computers whether or not the interconnection is continuously maintained; "computer resources" means computer, computer system, computer network, data, computer database or software; "computer resources" means computer, computer system, computer network, data, computer database or software; "computer system" means a device or collection of devices, including input and output support devices and excluding calculators which are not programmable and capable being used in conjunction with external files which contain computer programmes, electronic instructions, input data and output data that performs logic, arithmetic, data storage and retrieval, communication control and other functions; "computer system" means a device or collection of devices, including input and output support devices and excluding calculators which are not programmable and capable being used in conjunction with external files which contain computer programmes, electronic instructions, input data and output data that performs logic, arithmetic, data storage and retrieval, communication control and other functions;

25 The Information Technology Act, 2000 The Indian Parliament enacted an Act called the Information Technology Act, 2000. It received the assent of the President on the 9th June, 2000 and is effective from 17thOctober, 2000. The Indian Parliament enacted an Act called the Information Technology Act, 2000. It received the assent of the President on the 9th June, 2000 and is effective from 17thOctober, 2000. This Act is based on the Resolution A/RES/51/162 adopted by the General Assembly of the United Nations on 30th January, 1997 regarding the Model Law on Electronic Commerce earlier adopted by the United Nations Commission on International Trade Law (UNCITRAL) in its twenty-ninth session. This Act is based on the Resolution A/RES/51/162 adopted by the General Assembly of the United Nations on 30th January, 1997 regarding the Model Law on Electronic Commerce earlier adopted by the United Nations Commission on International Trade Law (UNCITRAL) in its twenty-ninth session. The aforesaid resolution of the U.N. General Assembly recommends that all States give favourable consideration to the Model Law on Electronic Commerce when they enact or revise their laws, in view of the need for uniformity of the law applicable to alternatives to paper-based methods of communication and storage of information. The aforesaid resolution of the U.N. General Assembly recommends that all States give favourable consideration to the Model Law on Electronic Commerce when they enact or revise their laws, in view of the need for uniformity of the law applicable to alternatives to paper-based methods of communication and storage of information.

26 Main principles of the Information Technology Act, 2000 It is significant to note that by enactment of the Information Technology Act, 2000, the Indian Parliament provided a new legal basis to data protection and privacy. It is significant to note that by enactment of the Information Technology Act, 2000, the Indian Parliament provided a new legal basis to data protection and privacy. The main principles on data protection and privacy enumerated under the Information Technology Act, 2000 are: The main principles on data protection and privacy enumerated under the Information Technology Act, 2000 are: (i)defining data,computer database, information, electronic form', 'originator, addressee etc. (ii) creating civil liability if any person accesses or secures access to computer, computer system or computer network. (iii) creating criminal liability if any person accesses or secures access to computer, computer system or computer network.

27 Main principles of the Information Technology Act, 2000 (iv)declaring any computer, computer system or computer network as a protected System. (iv)declaring any computer, computer system or computer network as a protected System. (v)imposing penalty for breach of confidentiality and privacy. (v)imposing penalty for breach of confidentiality and privacy. (vi)setting up of hierarchy of regulatory authorities, namely adjudicating officers,the Cyber Regulations Appellate Tribunal etc. (vi)setting up of hierarchy of regulatory authorities, namely adjudicating officers,the Cyber Regulations Appellate Tribunal etc. Further, the Information Technology Act, 2000 defines certain key terms with respect to data protection, like access [S.2 (1)(a)], Computer [S.2 (1)(i)], Computer network [S.2(1)(j), Computer resource [S.2 (1)(k)], Computer system [S.2 (1)(l)], Computer database[S.43, Explanation (ii)],Data [S.2 (1)(o)], Electronic form [S.2 (1)(r)], Electronic record[S.2 (1)(t],Information[S.2(1)(v)], Intermediary [S.2 (1)(w)], Secure system [S.2(1)(ze)] and Security procedure [S.2 (1)(zf)]. Further, the Information Technology Act, 2000 defines certain key terms with respect to data protection, like access [S.2 (1)(a)], Computer [S.2 (1)(i)], Computer network [S.2(1)(j), Computer resource [S.2 (1)(k)], Computer system [S.2 (1)(l)], Computer database[S.43, Explanation (ii)],Data [S.2 (1)(o)], Electronic form [S.2 (1)(r)], Electronic record[S.2 (1)(t],Information[S.2(1)(v)], Intermediary [S.2 (1)(w)], Secure system [S.2(1)(ze)] and Security procedure [S.2 (1)(zf)].

28 Main principles of the Information Technology Act, 2000 Interestingly, section 72 [Penalty for breach of confidentiality and privacy] is aimed at public (and private) authorities, which have been granted power under the Act to secure access to any electronic record, book, register, correspondence, information, document or other material information. Interestingly, section 72 [Penalty for breach of confidentiality and privacy] is aimed at public (and private) authorities, which have been granted power under the Act to secure access to any electronic record, book, register, correspondence, information, document or other material information. The idea behind the aforesaid section is that the person who has secured access to any such information shall not take unfair advantage of it by disclosing it to the third party without obtaining the consent of the disclosing party. The idea behind the aforesaid section is that the person who has secured access to any such information shall not take unfair advantage of it by disclosing it to the third party without obtaining the consent of the disclosing party.

29 Cyber contraventions under IT Act The Information Technology Act, 2000 provides for civil liability in case of data, computer database theft, privacy violation etc. The Act provides a complete Chapter (Chapter IX) on cyber contraventions, i.e., section43 (a) – (h) which cover a wide range of cyber contraventions related to unauthorised access to computer, computer system, computer network or resources. The Act provides a complete Chapter (Chapter IX) on cyber contraventions, i.e., section43 (a) – (h) which cover a wide range of cyber contraventions related to unauthorised access to computer, computer system, computer network or resources. Section 43 of the Act covers instances such as: Section 43 of the Act covers instances such as: (a) computer trespass, violation of Privacy etc. (b)unauthorised digital copying, downloading and extraction of data, computer database or information;. theft of data held or stored in any media, (b)unauthorised digital copying, downloading and extraction of data, computer database or information;. theft of data held or stored in any media,

30 Cyber contraventions under IT Act (c) unauthorised transmission of data or programme residing within a computer, computer system or computer network cookies, spy ware, GUID or digital profiling are not legally permissible, (d) data loss, data corruption etc., (e) computer data/database disruption, spamming etc., (f) denial of service attacks, data theft, fraud, forgery etc., (g) unauthorised access to computer data/computer databases and (h) instances of data theft (passwords, login IDs) etc.

31 Cyber offences under IT Act The Information Technology Act, 2000 provides for criminal liability in case of data, computer database theft, privacy violation etc. The Act also provides a complete Chapter (Chapter XI) on cyber offences, i.e., sections 65-74 which cover a wide range of cyber offences, including offences related to unauthorised alteration, deletion, addition, modification, alteration, destruction, duplication or transmission of data, and computer database. The Act also provides a complete Chapter (Chapter XI) on cyber offences, i.e., sections 65-74 which cover a wide range of cyber offences, including offences related to unauthorised alteration, deletion, addition, modification, alteration, destruction, duplication or transmission of data, and computer database. For example,section65 [Tampering with computer source documents] of the Act is not limited to protecting computer source code only, but it also safeguards data and computer databases; and similarly section 66 [Hacking with Computer System] covers cyber offences related to For example,section65 [Tampering with computer source documents] of the Act is not limited to protecting computer source code only, but it also safeguards data and computer databases; and similarly section 66 [Hacking with Computer System] covers cyber offences related to (a) Illegal access, (b) Illegal interception, (c) Data interference, (d) System interference, (e) Misuse of devices, etc. (a) Illegal access, (b) Illegal interception, (c) Data interference, (d) System interference, (e) Misuse of devices, etc.

32 The Right to Privacy in India The Right to Privacy in India Judicial activism has brought the Right to Privacy within the realm of Fundamental Rights. Judicial activism has brought the Right to Privacy within the realm of Fundamental Rights. Article 141 of the Constitution states that the law declared by the Supreme Court shall be binding on all courts within the territory of India. Therefore, the decisions of The Supreme Court of India become the law of the Land. Article 141 of the Constitution states that the law declared by the Supreme Court shall be binding on all courts within the territory of India. Therefore, the decisions of The Supreme Court of India become the law of the Land. The Supreme Court of India has come to the rescue of common citizen, time and again by construing right to privacy as a part of the Fundamental Right to protection of life and personal liberty under Article 21 of the Constitution, which states no person shall be deprived of his life or personal liberty except according to procedures established by law. The Supreme Court of India has come to the rescue of common citizen, time and again by construing right to privacy as a part of the Fundamental Right to protection of life and personal liberty under Article 21 of the Constitution, which states no person shall be deprived of his life or personal liberty except according to procedures established by law.

33 Judicial Activism: The Right to Privacy In the context of personal liberty, the Supreme Court has observed those who feel called upon to deprive other persons of their personal liberty in the discharge of what they conceive to be their duty must strictly and scrupulously observe the forms and rules of the law. In the context of personal liberty, the Supreme Court has observed those who feel called upon to deprive other persons of their personal liberty in the discharge of what they conceive to be their duty must strictly and scrupulously observe the forms and rules of the law. Even the fundamental right to freedom of speech and expression as enumerated in Article 19(1)(a) of the Constitution of India comes with reasonable restrictions imposed by the State relating to (i) defamation; (ii) contempt of court; (iii) decency or morality; (iv) security of the State; (v) friendly relations with foreign states; (vi) incitement to an offence; (vii) public order; (viii) maintenance of the sovereignty and integrity of India. Even the fundamental right to freedom of speech and expression as enumerated in Article 19(1)(a) of the Constitution of India comes with reasonable restrictions imposed by the State relating to (i) defamation; (ii) contempt of court; (iii) decency or morality; (iv) security of the State; (v) friendly relations with foreign states; (vi) incitement to an offence; (vii) public order; (viii) maintenance of the sovereignty and integrity of India. Thus, the right to Privacy is limited against defamation, decency or morality. Thus, the right to Privacy is limited against defamation, decency or morality.

34 Judicial Activism: The Right to Privacy The Supreme Court has reiterated the Right to Privacy in the following cases: 1. Kharak Singh v. State of UP (AIR 1963 SC 1295) In this case the appellant was being harassed by police under Regulation 236(b) of UP Police Regulation, which permits domiciliary visits at night. In this case the appellant was being harassed by police under Regulation 236(b) of UP Police Regulation, which permits domiciliary visits at night. The Supreme Court held that the Regulation 236 is unconstitutional and violative of Article 21. The Supreme Court held that the Regulation 236 is unconstitutional and violative of Article 21. It concluded that the Article 21 of the Constitution includes right to Privacy as a part of the right to protection of life and personal liberty. It concluded that the Article 21 of the Constitution includes right to Privacy as a part of the right to protection of life and personal liberty. The Court equated personal liberty with privacy, and observed, that the concept of liberty in Article was comprehensive enough to include privacy and that a persons house, where he lives with his family is his castle and that nothing is more deleterious to a mans physical happiness and health than a calculated interference with his privacy. The Court equated personal liberty with privacy, and observed, that the concept of liberty in Article was comprehensive enough to include privacy and that a persons house, where he lives with his family is his castle and that nothing is more deleterious to a mans physical happiness and health than a calculated interference with his privacy.

35 Judicial Activism: The Right to Privacy Peoples Union for Civil Liberties (PUCL) v. Union of India AIR (1997) 1 SCC 301 the Supreme Court held that the telephone tapping by Government under S. 5(2) of Telegraph Act, 1885 amounts infraction of Article 21 of the Constitution of India. the Supreme Court held that the telephone tapping by Government under S. 5(2) of Telegraph Act, 1885 amounts infraction of Article 21 of the Constitution of India. Right to privacy is a part of the right to life and personal liberty enshrined under Article 21 of the Constitution. The said right cannot be curtailed except according to procedure established by law. Right to privacy is a part of the right to life and personal liberty enshrined under Article 21 of the Constitution. The said right cannot be curtailed except according to procedure established by law.

36 Judicial Activism: The Right to Privacy If one follows the judgments given by the Honble Supreme Court, three principles emerge: (1) that the individuals right to privacy exists and any unlawful invasion of privacy would make the offender liable for the consequences in accordance with law; (1) that the individuals right to privacy exists and any unlawful invasion of privacy would make the offender liable for the consequences in accordance with law; (2) that there is constitutional recognition given to the right of privacy which protects personal privacy against unlawful governmental invasion; (2) that there is constitutional recognition given to the right of privacy which protects personal privacy against unlawful governmental invasion; (3) that the persons right to be let alone is not an absolute right and may be lawfully restricted for the prevention of crime, disorder or protection of health or morals or protection of rights and freedom of others. (3) that the persons right to be let alone is not an absolute right and may be lawfully restricted for the prevention of crime, disorder or protection of health or morals or protection of rights and freedom of others.

37 RFID and Data protection laws in other countries GERMANY Article 6c of the German Federal Data Protection Law (BDSG) is partly applicable to RFID tags, notably where the tag does not directly process or store personal data, as for instance passive tags USA Utah recently reviewed its laws on unauthorised access to networks and added wireless networks as it previously only addressed wire line networks: it clarifies that computer crimes laws apply to wireless networks. Virginias law authorises research relating to methods of electronic toll collection. Also provides that data generated by automated electronic toll-collection systems on use of toll facilities can only be disclosed when so required by order of a court. Wyoming authorises tele-pharmacies to use automated inventory control including radio frequency tags. In many other states there exist draft legislation on RFID technology, which sometimes just seek to require only labelling and notice that RFID is in use, while in other cases like the Californias approach would most tightly regulate the technology itself, including prohibitions of certain applications and technology-specific security requirements containing only the product ID64.

38 Data protection in the EU The protection of personal data is an important principle in the EU. Article 6 of the Treaty on the European Union states that the Union is founded on the principles of liberty, democracy, respect for human rights and fundamental freedoms; Article 30 requires appropriate provisions on the protection of personal data for the collection, storage, processing, analysis and exchange of information in the field of police co-operation. The protection of personal data is set as one of the freedoms in Article 8 of the Charter of Fundamental Rights.

39 European initiatives on data protection The Community legislation framework on data protection and privacy in Europe was designed to be robust in the face of innovation. The protection of personal data is covered by the general Data Protection Directive Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23.11.1995, p. 31. regardless of the means and procedures used for data processing. The Directive is applicable to all technologies, including RFID. Emphasises need for prior consent of the individual whose data is being collected. It defines the principles of data protection and requires that a data controller implements these principles- ( purpose limitation, proportionality, data quality, lawfulness and ensure the security of the processing of personal data. The general Data Protection Directive is complemented by the ePrivacy Directive - Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ L 201,31.7.2002, p. 37.which applies these principles to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks.

40 The OECD Initiative RFID Position Statement of Consumer Privacy and Civil Liberties Organizations. Privacy guidelines published by the Organization for Economic Co-operation and Development (OECD) offers some useful guidelines related to the disclosure of RFID technology use and the purpose behind its use.RFID Position Statement of Consumer Privacy and Civil Liberties Organizations. Privacy guidelines published by the Organization for Economic Co-operation and Development (OECD) offers some useful guidelines related to the disclosure of RFID technology use and the purpose behind its use. Organization for Economic Co-operation and Development Organization for Economic Co-operation and Development

41 US and Data Protection In the U.S,the Federal Trade Commissions Fair Information Practice Principles would seem to play a role in the legalities of RFID. In its Fair Information Practice Principles, the FTC writes about the collection and use of personal information and addresses the safeguards required to assure those practices are fair and provide adequate privacy protection. Government agencies in the past quarter century have deliberated about the way in which entities gather and use personal information. A succession of reports and guidelines have identified five central principles of privacy protection: 1. Notice and awareness of collection of information. 2. Choice and consent of how this information can be used. 3. Access to the individuals gathered information and the ability to contest the accuracy of the collected data. 4. Integrity and security of the collected data. 5. Enforcement of the aforementioned principle In the U.S,the Federal Trade Commissions Fair Information Practice Principles would seem to play a role in the legalities of RFID. In its Fair Information Practice Principles, the FTC writes about the collection and use of personal information and addresses the safeguards required to assure those practices are fair and provide adequate privacy protection. Government agencies in the past quarter century have deliberated about the way in which entities gather and use personal information. A succession of reports and guidelines have identified five central principles of privacy protection: 1. Notice and awareness of collection of information. 2. Choice and consent of how this information can be used. 3. Access to the individuals gathered information and the ability to contest the accuracy of the collected data. 4. Integrity and security of the collected data. 5. Enforcement of the aforementioned principleFair Information Practice PrinciplesFair Information Practice Principles

42 Data security measures in RFID implementation Kill order solutions Kill order solutions Shielding with Aluminum sheets Shielding with Aluminum sheets Blocker tags Blocker tags Encryption Encryption User model solution User model solution Privacy bit- RSA Security-tag specific pincode -to switch on and off the bit on the tag Privacy bit- RSA Security-tag specific pincode -to switch on and off the bit on the tag

43 Alleviating Consumer privacy concerns in adopting RFID technology Businesses can deploy RFID systems and use read only (not rewritable) tags Businesses can deploy RFID systems and use read only (not rewritable) tags kill the tags before they are released to consumers kill the tags before they are released to consumers affix tags to packaging rather than the object affix tags to packaging rather than the object alert consumers to the presence of readers and the manner in which they will be used alert consumers to the presence of readers and the manner in which they will be used place a notice that RFID tags are present together with instructions for removal. place a notice that RFID tags are present together with instructions for removal. Retailers that use RFID should have a privacy policy available to consumers. Retailers that use RFID should have a privacy policy available to consumers. address consumer privacy concerns by educating the public about RFID –description of RFID tags and acquainting consumers about its technology process address consumer privacy concerns by educating the public about RFID –description of RFID tags and acquainting consumers about its technology process

44 SETH ASSOCIATES ADVOCATES AND LEGAL CONSULTANTS New Delhi Law Office: C-1/16, Daryaganj, New Delhi-110002, India Tel:+91 (11) 65352272, +91 9868119137 Corporate Law Office: B-10, Sector 40, NOIDA-201301, N.C.R,India Tel: +91 (120) 4352846, +91 9810155766 Fax: +91 (120) 4331304 E-mail: mail@sethassociates.com mail@sethassociates.com © Seth Associates, 2008 All Rights Reserved Thank You!


Download ppt "The 2nd Annual RFID India Informedia India Conference 2008 22-23 July 2008 ITC Grand Maratha, Mumbai. ITC Grand Maratha, Mumbai. RFID TECHNOLOGY- A LEGAL."

Similar presentations


Ads by Google