Thursday 17 February 2011

Identifiability in RFID

My abstract on "Identifiability in RFID" has been accepted for the forthcoming British and Irish Law, Education and Technology Association (BILETA) 2011 Conference.

Abstract:


Between 2011 and 2013, Radio Frequency Identification (RFID) is expected to grow at a Compound Annual Growth Rate (CAGR) of 17 percent. Globally, the Asia-Pacific region is predicted to see the highest growth in revenue, while Europe and North America will gradually turn to improving their business processes with RFID technology. China, the world's second largest economy, deployed large-scale RFID applications at the Beijing Olympics 2008 and the World Expo 2010 in Shanghai, and the market for RFID deployment in China is predicted to grow at a CAGR of 17.83 percent from 2007 to 2011.

Against this background, RFID deployment and business are expanding rapidly. The response of data protection and privacy law to RFID, however, is still in its infancy. Data protection and privacy laws around the world remain divided into distinct blocs, shaped by different principles and approaches: mainly the OECD Guidelines on Privacy, the European Union Data Protection Directive 95/46/EC, the APEC Privacy Principles, the United States Safe Harbor principles, national data protection and privacy laws, and piecemeal, sector-specific legislation. The application of these laws is not straightforward; each has its own complexities, challenges and modes of adoption. Attempts have been made to address data protection and privacy concerns specific to RFID. This paper goes back to the basic principle of identifiability in the context of RFID. It analyses what constitutes identifiability in RFID where one or many persons collect, process, aggregate, manage, retain and expunge data within an RFID application. The concept of identifiability will be appraised by reference to the European Union Data Protection Directive 95/46/EC.

To achieve the above, this paper is divided into three sections. The first section briefly narrates the genealogy of RFID and how it developed into the commoditised technology it is today. The second section analyses the consultations that have taken place within the Article 29 Data Protection Working Party and to what extent they have achieved the desired outcome. The third section examines the meaning of data processor, data controller and third party in the context of RFID. The discussion then extends to the crux of the issue, identifiability, by outlining the fundamental questions of what, why, who, when and how identifiability is regarded as a fundamental concept in RFID, data protection and privacy.


Keywords: RFID; data protection and privacy; European Union Directive 95/46/EC; Article 29 Data Protection Working Party.

Thursday 23 December 2010

2010 - The Year of Data Protection and Privacy in Malaysia!

2010 is a year of hope for technology law in Malaysia.

I stand by the above statement for one chief reason: the Personal Data Protection (PDP) Act 2010 was gazetted in April 2010. As I write, the proposed Data Protection Commissioner's Office is still being planned; rumour has it that it may be in place by the first (1st) quarter of 2011. This development means a lot to Malaysia in many ways, and three points are submitted. First, the PDP Act enables individuals and stakeholders to collect, handle, manage, process, retain, share and expunge data in a responsible and compliant manner. Second, the PDP Act has (indirectly) pushed Malaysia to recognise 'informational privacy' as a right, although the Act governs commercial transactions only. Third, the PDP Act may also trigger amendments or revisions of the piecemeal legislation in Malaysian statutes that contains the word "privacy".

The PDP Act (although a very new law to Malaysians) is testimony of Malaysia getting ready to be on a par with others. In the Asia-Pacific region, Malaysia is the second (2nd) country, after Hong Kong, to have its own data protection and privacy legislation; other countries' legislation is based on sector-specific and code or voluntary approaches. As some may know, the world's privacy and data protection laws are generally motivated by the European Data Protection Directive 95/46/EC, the American Safe Harbor approach, the OECD Guidelines, the APEC Privacy Principles, and industrial and technological approaches.

Besides the PDP Act, other interesting developments are the observations of Malaysian judges on privacy protection. Two cases have touched on this, in general terms.

First, in Ultra Dimension Sdn Bhd v Kook Wei Kuan [2004] 5 CLJ 285, Justice Faiza Thamby Chik observed: "...English common law does not recognise the privacy rights; therefore invasion of privacy rights does not give right to a cause of action. Since English common law, pursuant to Section 3 of the Civil Law Act 1950, is applicable in Malaysia, privacy rights which is not recognised under English Law is accordingly not recognised under Malaysian Law..." However, in the interesting case of Dr Bernadine Malini Martin v MPH Magazine Sdn. Bhd. & Ors [2010] 1 LNS 694, Justice Hishamudin observed: "...it is unfortunate for the plaintiff, that the law of this country, as it stands presently, does not make an invasion of privacy as an actionable wrongdoing (it is actionable under the law of some other jurisdictions, for example, in the United States)..."

These observations are interesting in one respect: Malaysians are beginning to recognise their privacy rights. In addition, during the third (3rd) quarter of 2010 the Malaysian national dailies carried headlines on the complaints of a mobile phone customer of a leading Government-linked telecommunications company. The complainant claimed that the mobile service provider had shared her confidential data, retained in its database, without securing her consent, thereby breaching the confidentiality of her data. Although the case was brought to the press, my research suggests that, to date, there has been no "hard push" from consumer groups or organisations issuing statements on consumers' rights, let alone on privacy.

After the PDP Act was passed, many trainings and workshops took place, mostly in Kuala Lumpur. Stakeholders and the public were very much concerned with how the Act would affect and apply to their daily lives and transactions. My observations on this eagerness are twofold. First, practitioners, academics and consultants should collaborate to disseminate the basic principles first: besides explaining or paraphrasing the sections of the PDP Act, it is fundamental to explain to the public what these terms mean (data, personal data, privacy, informational privacy) and how they apply in daily life and in commercial transactions. Second, once the meanings and differences are clear, we must be able to explain selected cases clearly and coherently, case by case and from different perspectives. In my humble opinion, it may take a long time for this to mature. Nonetheless, the practitioners, academics, consultants and researchers who are experts in this subject must collectively offer the appropriate theoretical foundation to the Malaysian public. I am calling for a collective responsibility to disseminate a meaningful comprehension of this subject (for the purpose of nation building).

From the business strategy perspective, the PDP Act will open up opportunities for 'commoditisation'. Technology companies may direct their Research & Development (R&D) teams to write systems that can be customised for existing and potential clients. In other words, such systems should now include privacy impact assessment checklists and follow a privacy by design approach. Whatever perspective Malaysian stakeholders (whether from business or consultancy) come from, it is indispensable for them to understand the basics, and then move on to the next level of understanding (whether they have clearly understood what privacy and data protection are).

And why do I claim that 2010 is the year of data protection and privacy in Malaysia?

The answer lies in Malaysians' hands and minds. Malaysia's legislators and executive (the politicians) deserve a pat on the back. The outline of the law has been laid out; now we will witness its implementation and enforcement (in anticipation), which will be the subsequent chapters of how the law grows, develops and matures.

RFID is still "hot"

After almost fifteen (15) months of research, I have reached the preliminary conclusion that RFID is still a hot topic.

Much of the progress and development in RFID is driven by commercial and technological incentives; it is arguably a "commoditised technology". The world today, segmented by economy (the United States of America, the Euro zone and the emerging markets), has deployed RFID applications in many ways, mostly benefiting and yielding dividends to large companies and organisations that have the budget. Although a recession took place in 2010 and is quietly continuing (to date) on some continents, the predicted expansion of RFID deployment remains bullish.

Interestingly, the European Union is very active in mapping a possible roadmap for RFID and its growth by 2020. The East Asian technological leaders (South Korea, Taiwan and Japan) have by far been leading the game in terms of deployment. China deployed its RFID applications handsomely at the spectacular Beijing 2008 Olympic Games (through RFID-enabled ticketing). London 2012 is expected to make a similar move: not only deploying selected RFID applications, but also potentially extending the technological infrastructure capacity through cloud computing (the Cloud).

Much of the global progress in RFID is still segmented by continent. Several issues are still being discussed at the higher level (that is, policy, strategy and government). Three (3) issues are of relevance: first, interoperability; second, standardisation; and third, data protection and privacy. Of course, other contributing and pressing issues may be added to the list. Nonetheless, by way of priority, the aforementioned issues are the significant ones that demand urgent progress.

In the leading RFID Journal and in other RFID service providers' write-ups and marketing collateral, sophisticated RFID applications have been marketed to existing and potential customers. The features seem appealing, especially to the stakeholders that have benefited from these applications; these groups can be tagged as RFID proponents. By contrast, the RFID opponents seem to have gone quiet in demanding more awareness of this technology. Back in 2002-2006, the push by public policy and civil liberties groups in the US was powerful; now those voices are heard less. Perhaps (arguendo) this is due to the other pressing issues facing the US today. The developments in the European Union (EU) are still largely at a high level, and a review of the EU's efforts shows minimal progress. The most recent step is the Article 29 Data Protection Working Party's response to the industry's and stakeholders' Privacy Impact Assessment proposal for RFID. Although that response seems to be a turning point, it is submitted that much remains to be done, not only at the EU level but also between and amongst the 27 Member States.

Across Asia, China, India, South Korea, Taiwan, Japan, Malaysia and Singapore have gradually deployed RFID and realised its importance. Taking Malaysia as an example, the Malaysian Communications and Multimedia Commission (MCMC) has issued an RFID survey to stakeholders. On perusing the survey, it is apparent that it aims to gauge only technical understanding of and perceptions towards RFID, and lacks the data protection and privacy element. Perhaps MCMC could issue another round of the survey that covers stakeholders' perceptions of RFID, data protection and privacy.

As issues on RFID are still hot, I predict that the following will emerge in 2011:

1) The EU's RFID progress will become more aggressive once the review of the European Commission's Data Protection Directive is complete. This means that once the revised Directive 95/46/EC is in place, the Article 29 Working Party and related Directives will take RFID more seriously;

2) RFID standardisation and interoperability need the active involvement not only of the EU but also of other international organisations such as the International Telecommunication Union (ITU). This prediction is based on the likelihood that Mobile-RFID will boom and gradually penetrate the market (by 2020); and

3) Discussion of RFID from the data protection and privacy perspective remains important. Although RFID technical guidance, codes, regulations and best practices exist, the efforts need to be beefed up, especially as the cloud computing business booms. Data retained on an RFID service provider's or data controller's server may also be parked and retained in the Cloud, so issues of data protection, privacy and contractual liability may arise.


RFID is indeed still relevant and a "hot" topic, and promises more progress in 2011 and the years ahead!


Tuesday 14 December 2010

Call for public consultation: Strategy to strengthen EU Data Protection rules

On 4 November 2010, the European Commission issued its call for public consultation on its data protection rules. The call is retrievable HERE. The deadline for interested stakeholders to submit their views is 15 January 2011. I will submit my proposal (for consideration) individually and also as part of a collective proposal under the banner of the Data Protection & Open Society Project at the Oxford Centre for Socio-Legal Studies. On 2 December 2010, a total of six researchers brainstormed to reach a consensus. Overall, the solicited views have been taken into account and the draft is expected to be ready by the end of December 2010 or early January 2011. Updates will follow in due course.

Visiting Researcher in Oxford

In 2011, I will be a visiting researcher in the esteemed Data Protection & Open Society Project (DPOS) at the Oxford University Centre for Socio-Legal Studies. My visiting research status will run from 14 February 2011 to 4 April 2011. Further details on the DPOS are reachable HERE.

Forthcoming publication

I presented a paper titled "Cursing the Cloud (or) Controlling the Cloud?". Briefly, this paper appraises the move by Microsoft in relation to the Cloud. In detail, it touches on the level of adequacy of data protection from the perspectives of the European Data Protection Directive 95/46/EC and Safe Harbor. It also extends the adequacy concern to non-EEA countries, where the level of adequacy is still underdeveloped, immature and emerging. The paper also proffers a hypothetical model called the Cloud Compliant Strategy (CCS). The CCS aims to develop a theoretical framework usable in specific continents and market economies, particularly the US, the Euro zone and the emerging markets. Although the CCS is still at an embryonic stage, I endeavour to extend it in my next paper.

In the meantime, this paper has been published in Kierkegaard & Kierkegaard (eds), Private Law: Rights, Duties and Conflicts (2010) ISBN: 978-87-991385-8-6, at pp 158-171. It will also be published in a forthcoming 2011 issue of the Computer Law & Security Review.

In the interest of knowledge sharing, my paper is retrievable HERE. Citations of this article are also appreciated (please let me know through my e-mail: n o r i s w a d i [at] g m a i l . c o m).

Also, for those who are keen to research related legal issues surrounding the Cloud, do visit this SITE. This project is undertaken by Queen Mary University of London (QMUL) and branded as the QMUL Cloud Legal Project.

Monday 27 September 2010

Article 29 Data Protection Working Party on RFID (in response to the Industry's proposal)



The Article 29 Data Protection Working Party has issued its Opinion 5/2010 on the industry proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications. It's retrievable here.

Briefly, the Article 29 Data Protection Working Party does not endorse (technically: rejected) the industry's proposed framework, mainly because it lacks a CLEAR privacy and data protection approach. The Working Party also opined that rigorous consultation phases with stakeholders are relevant to determining the viability of the proposed framework, which the industry proposal failed to address. In particular, the issue of tag deactivation in the retail sector needs a much clearer and more coherent explanation. Overall, the proposal failed to address the concerns on transparency of RFID usage ("information and transparency on RFID use") and the emphasis on "security and privacy by design".

Tuesday 24 August 2010

Cloud Security Summit




I have confirmed my attendance at the forthcoming Cloud Security Summit.

This is part and parcel of my data protection and privacy research and will be useful in the context of cloud computing. Currently, I am examining to what extent, and how, RFID (as the Internet of Things) may be integrated within a cloud computing environment, whether only in front-end, middleware or back-end applications, and if so, how the privacy impact assessment applies and how data protection is controlled. Technology seems to be integrated from one end to the other; hence laws, regulations and policies (arguably) should be able to adapt to this too.

I hope to secure some insights towards such a "legal integration answer".

Keywords in my research:

Data, Privacy, RFID, Cloud Computing, Privacy Impact Assessment and Security.

Friday 13 August 2010

Cursing the Cloud (or) Controlling the Cloud?


In March 2010, I presented "Cloud Computing Got Talent! - A Nemesis to Data Protection?". Since that presentation, I have been developing substantial comments, feedback and detailed analysis from various stakeholders. To share these, I will be presenting Version 2, titled "Cursing the Cloud (or) Controlling the Cloud?". The abstract is readable here and retrievable HERE. The paper will be presented at the forthcoming Fifth (5th) International Conference on Legal, Security and Privacy Issues in IT in Barcelona, Spain.

Monday 14 June 2010

Information Technology Law - The Law and Society by Andrew Murray (Selected Chapter Reviews)


I was at Hammicks Legal Bookshop in Lincoln's Inn with a Professor from Malaysia when my eyes zoomed in on a newly published book: "Information Technology Law: The Law and Society" (Oxford, 2010) by Andrew Murray.

Andrew Murray is a Reader in the Law Department of the London School of Economics and Political Science. He teaches, researches and supervises students at various levels (undergraduate and postgraduate research) in technology law, intellectual property, and media law, policy and regulation.

The chief motivation for buying this book was his writing in PART VI PRIVACY IN THE INFORMATION SOCIETY.

Before reading the latter religiously, I found that Andrew Murray's introductory PART I INFORMATION AND SOCIETY gives impeccable insight into the many taxonomies relating to bits, the network of networks, digitisation and society (information, convergence and the cross-border challenge of information law), with laws and regulations as the backbone. Whilst Andrew's style of writing is akin to storytelling, he never fails to support his analysis with references to comparative literature, ranging from selected state jurisdictions in the United States of America to socio-economic aspects, incentives and social science approaches.

This is the key difference between Andrew's book and the previous IT law books by authors such as Professor Ian Lloyd, David Bainbridge, and Chris Reed and John Angel. Another distinguishing feature of Andrew's writing is the incorporation of diagrams, highlights, examples, case studies and further reading lists, whose look and feel departs from the typical black-letter treatise. This gives in-depth clarity to readers who may not come from a legal background. What makes it more innovative is its guidance to the online resource centre, retrievable via:

http://www.oxfordtextbooks.co.uk/orc/murray

which also offers regular audio updates, web links, a flashcard glossary of key terms and a link to an IT law blog. This approach, in my speculative opinion, will become the trend and precedent for forthcoming legal publications. Welcome to Web 3.0!

Whilst PART I deals mainly with taxonomies and grounded theories, it leaves slightly untouched the technological evolution of other leading jurisdictions that may be comparatively relevant, such as Germany, France and East Asia (Japan, Taiwan and South Korea). On the one hand, Andrew's analysis is arguably based largely on leading UK and US authors and perspectives, which carry invaluable anecdotes of theory and practice. On the other hand, a fair balance could arguably also be drawn from the invaluable anecdotes of theory and practice outside the UK and the US. Such comparative balancing may be worth mentioning; if it materialises, PART I will look beyond immaculate.

I skipped most of the substantive parts and spent three (3) working days reading PART VI. Compared with the previous IT law authors, Andrew enticed and enlightened me with constructive ideas and useful cross-referencing. The chapter on data protection is addressed precisely and clearly, without detailed paraphrasing of the sections of the UK Data Protection Act 1998; the history, progress and trails are explained pragmatically rather than through pure legal reasoning on the Act. Chapter 19 on data and personal privacy, nevertheless, falls short in certain respects that readers deserve to be educated on, primarily the section on RFID tracking.

Assuming (arguendo) that Andrew's intention in illustrating the technology is naturally motivated by the preceding data protection chapter, I nevertheless persuasively opine that a brief technical illustration of what RFID consists of would be useful. From my observation, this would give a first-timer who needs to know what RFID is all about a broader comprehension. The one impressive finding that warrants further expansion of my research relates to Andrew's footnote 65 on page 514: CASAGRAS (read as: Coordination And Support Action for Global RFID-related Activities and Standardisation). That compels me to gauge and analyse to what extent the (present) British Government perceives and reacts to it.

Andrew has further written a section on data retention and identity, highlighting the Code of Practice on Location Services and the types of data to be retained. Much of this analysis and cursory discussion stems from a media law viewpoint, with convergence in mobile communications technology as a strong reference. The attempt is slightly brief and, as a reader and a doctoral researcher, I arguably expected more from this section. In mitigation, Andrew satisfied me with his closing conclusions:

 "...The law cannot keep pace with technological development; it always lags some months or years behind. The internet of things is coming; we will become part of the network. What is not clear is whether this will give us greater or less freedom."

And I could not concur more.

By Noriswadi Ismail
MPhil/PhD Candidate
Institute of Computer and Communications Law
Centre for Commercial Law Studies
School of Law, Queen Mary, University of London

Think Privacy Toolkit for Employees


The UK Information Commissioner's Office has issued a toolkit on the above. It is very useful for organisations and companies wishing to initiate a privacy-friendly environment amongst their employees. The toolkit is best practice and non-binding in legal effect, but it carries the notion of a "soft law" approach.

Tuesday 25 May 2010

Forthcoming Workshop: Data Protection & Privacy Law

I will be conducting a workshop on 29 June 2010.

The details are downloadable HERE.

Friday 21 May 2010

Selected Issues on Data Protection & Privacy

Throughout my three-week stint in Malaysia, I presented to four (4) stakeholders, namely:

1) Ahmad Ibrahim Kulliyyah of Laws and Kulliyyah of ICT, International Islamic University Malaysia. Audience: Professors, Senior Academic Fellows and Lecturers. Constructive comments and feedback were gathered and are currently being incorporated in my research and chapter writing;

2) Malaysian Institute of Management. Audience: Managers, Lawyers and Directors. Constructive responses were received. The session was recorded and I am awaiting the DVD;

3) Azmi & Associates. Audience: Pupils-in-Chambers and Associates. Received constructive views on Data Protection & Privacy Strategies & Management. Issue currently under research: what and where next after the Malaysian Personal Data Protection Bill comes into effect. Currently, I am comparing this with the analysis made by Professor Graham Greenleaf; and

4) Multimedia University Malaysia. Audience: the General Counsel of MMU, researchers and lecturers in Law & Business, and MBA students. Received excellent feedback, especially on approaching data protection & privacy issues from a cultural paradigm angle, human rights and philosophical perspectives. Currently, I am writing the pointers for an article (to be published).

The slides of the above are retrievable HERE. (file: Kulliyyah of ICT Talk 300410)

Friday 9 April 2010

Malaysia leads ASEAN's data protection & privacy?

Thanks to my colleague Sonny Zulhuda of Multimedia University, Malaysia for a comprehensive update on this long-awaited news.

The next array of issues to anticipate will be implementation and enforcement. Oh, and also compliance cost and awareness. Much remains to be done. But well done, Malaysia, after twelve years of waiting!

So much so that the above map should now colour Malaysia blue instead of red!

Tuesday 16 March 2010

Tuesday 9 March 2010

RFID Privacy Law in the US



Washington's HB1011 is arguably, and perhaps, a precedent for others. The RFID Journal reports.

In the United States, Nevada, New York, New Hampshire and Virginia are adopting the Washington effort with a similar motivation. Comparatively, the UK and EU RFID technical guidance from the Information Commissioner's Office and the Article 29 Working Party should revisit some of the provisions in those states. Maybe the UK and EU could learn something from the US; alternatively, looking at the Canadian approach may also prove insightful.

By and large, I personally anticipate that a review on this matter will take place in the UK and EU in a few years' time. That may also correspond with the latest ICO report on the "Privacy Dividend". It is not too late to recognise RFID as a dividend of the Internet of Things!

Image source: Google Images

Monday 8 March 2010

New release by ICO: The Privacy Dividend Report



I am pleased to share the recent release of the Information Commissioner's Office's Privacy Dividend Report. It will be interesting to note the findings, and hopefully headway can be made towards commercial interests and technologists' motivations. Three (3) observations come to mind. First, how does RFID fit in the setting of a balanced dividend, or return of dividend (if any)? Second, is proactive privacy protection an indirect translation of a privacy code for technology? Third, will the business case be sustainable should more sophisticated Privacy Enhancing Technologies (PETs) come into being? I will only be able to answer these once I have analysed and substantiated them.

Image Source: ICO Website (Cover Report of The Privacy Dividend Report)

Wednesday 24 February 2010

RFID is not bad? But, the intention matters?



I read this article between the lines.

Several observations popped out. First, the writer's position on RFID deployment is linked to the political landscape of his home country. Second, the writer should perhaps understand the taxonomy of RFID applications in more depth. Third, the writer could also find out whether the nationals of his home country regard RFID as a threat or a bad innovation. On this point, I think intention matters. Oh, and looking into his profile religiously, I sense that he is running for an important post in his home country. If elected, perhaps his technology, legal and public policy advisers should educate him on RFID and related issues against the country's backdrop.

Image source: Google (illustration: an RFID Car Key)