1. RFID & PrivacyOttawa Wireless Cluster10 November 2005

2. Privacy Applies • Tags transmit identifying information when read • Privacy laws apply to this data

3. What Bothers People • Profile Creation - linking RFID data (time, product type) to an identity. • Location Tracking – physically having/wearing RFID tags maps location.

4. What Privacy Laws? • Canada • PIPEDA • PIPAs (BC/AB) • QC • European Union (25 MS) • Australia • Japan

5. Legal Requirements = Operational Issues • Legal requirements associated with personal information protection • Transparency • RFID data management/record retention • Consent • Security • Requirements • Inform individuals of the presence of RFID-like or activated RFID readers. • Identify the existence of RFIDs surrounding an individual • Inform individuals as to the activability or the real time activation of RFIDs

6. Legal Developments • Japan/South Korea/Italy • Guidelines issued • California • Identity Information Protection Act of 2005 (SB682): Shelved until Jan 06

7. Technical Compliance • Possible technical implications • How to provide notice; • How to ensure de-activate function is triggered at specific times (e.g. EPCglobal’s specs call for passive tags designed to respond to a password-protected command to disable itself.) • Consider RFID architectures • allow tags to emit series of random pseudonyms as opposed to a unique ID or “deserialize” RFID tags; or • strip out unique identifiers; keep only generic descriptions.

8. Conclusion • Generally, comply with applicable data protection laws • Tags not ubiquitous yet so longer term issue (5-7 years) • Have adequate information security andinformation management policies and procedures to keep personal data secure; • Notify individuals of when and how their data may be collected and processed; • Allow individuals to disenable tags if they wish.

9. If You’re Interested…

10. Postscript: Privacy Newsletterhttp://www.gowlings.com/resources/newsletters.asp

11. Thank youmichael.power@gowlings.com