Radio Frequency Identification and Privacy Law: An Integrative Approach
American Business Law Journal, Vol. 46, No. 1, Spring 2009
45 Pages Posted: 1 Mar 2009
Date Written: February, 22 2009
Abstract
The indiscriminate nature of Radio Frequency Identification (RFID) technology creates unique privacy issues. RFID holds great promise as a disruptive technology that will reshape the way individuals live. However, the undeniable privacy concerns, not only of data collected by RFID in particular, but also other indiscriminate technologies that are similarly disruptive, have received inadequate focus. The Fair Information Practice Principles (FIPP) is an outdated view of privacy for advanced technology such as RFID. A future challenge is to develop privacy standards that go beyond the narrow understanding of privacy evidenced in FIPP, while allowing increased efficiency and effectiveness through the use of RFID. We address this challenge by integrating several theoretical lenses of privacy in this paper and applying an integrative approach to data collected using RFID. The intent of this article is twofold. First we provide a baseline definition of privacy beyond the legal precedents and understanding, by incorporating other theoretical perspectives so as to frame broadly our discussion of RFID data collection. Second, we begin the discussion of potential solutions to managing private data obtained through RFID technology with an emphasis on data expiration policies as an important component of data retention practices. In Part II of this paper, we provide the relevant background for our discussion, including the capabilities of RFID and related technologies that raise issues of privacy protection. The current regulation of technology and attempts to legislate RFID technology is highlighted.
In the first portion of Part III, we examine the law and economics underpinnings of privacy law as an important base for the specific concerns raised by RFID. The second portion of Part III outlines legal models for further expansion of individual privacy rights in light of expanding technological capabilities. We argue that current legal scholarship often fails in two crucial aspects when considering regulation of technology with privacy implications. The first demands limiting the operational use of the technology and discouraging developing the full potential of technological advances. The second is that the legal theory does not incorporate adequately a range of important understandings about privacy gleaned from economic, behavioral, and sociological research. In Part IV we discuss three theoretical lenses concerning privacy: behavioral economics, communications privacy management, and social networks. Each lens offers relevant insight for evaluating privacy law and constructing privacy rights while permitting technological advancement. We advocate in Part V for an integrative privacy approach utilizing the three crucial Integrative Considerations gleaned from our integrative theoretical research: 1) individuals expect to own, control, and share personal information even after disclosing it; 2) advancing technologies raise concerns about individuals' bounded rationality and ineffective analysis of the costs and benefits of disclosing personal information; and 3) the significant threat to personal privacy comes not from the initial disclosure of personal information but from the subsequent re-use, transfer to third parties, and aggregation of that information. This Part concludes by applying the Integrative Considerations to data collected by RFID. This integrative approach requires limits on information obtained through RFID, including the types of information gathered, the time frame in which the information is used and then expired, and the re-use and transfer of information.
Keywords: privacy, privacy law, Radio Frequency Identification, RFID, Fair Information Practice Principles, FIPP, law and economics, behavioral economics, communications privacy management, social networks
Suggested Citation: Suggested Citation