
D7.7: RFID, Profiling, and AmI


 

Liability Issues

Colette Cuijpers (TILT) 

 

Introduction

In the previous paragraph an illustration is given of possible privacy infringements within AmI-systems. These infringements can lead to damages for which the injured party might desire compensation. In the SWAMI (De Hert et al., 2006) research, problems regarding compensation for damages caused by privacy infringements in an AmI environment have already been addressed. This article incorporates the findings of the SWAMI research. However, the scope of liability issues within AmI environments will be extended beyond privacy. From the scenarios sketched in the third chapter it becomes clear that a (technical) malfunction within an AmI environment, as well as the use of AmI-systems or even the mere ‘living within’ such an environment can lead to a variety of damages.  

 

As mentioned in chapter , RFID systems* can be understood as forerunner technologies or basic enablers for AmI. As RFID systems* already raise enough liability questions, those related to the more complex AmI-system are not elaborated upon. In this respect, the liability regime regarding service providers as regulated by the E-commerce directive is left out of the discussion as the role of these providers is more related to AmI-systems than to RFID systems*.

 

Regarding privacy in relation to RFID systems*, damages can for example result from the accumulation of data in central servers, the (concealed) processing of personal data on a RFID tag*, the possibility that tags are read by third parties without the tag holder being aware of this, and the tracking and tracing of tagged persons. In this respect the SWAMI research states that it is desirable to further examine the need for specific rules on the liability for infringement of privacy and data protection law, including security infringements. While this statement is true, it nevertheless raises the question whether general unified liability rules might not be even more desirable. This question will be central to this contribution. In order to answer it, the current liability regime and the main problems regarding the application of this regime within RFID systems* will be described.

 

RFID systems*

From the description in the second chapter of a RFID system*, it already becomes clear that it involves a lot of different components. In this respect mention is made of tags, corresponding readers*, computing device(s), an infrastructure for data transport from the reader* to the computing device, software, reference database, interfaces to external data and services, and components to use the results of the matching process.  

 

Within the RFID system*, different parties can be responsible for the different components. Even with regard to each and every component there might be different parties involved in the production and functioning of these components. This leads to a very complex structure of products and parties and to opacity with regard to legal responsibilities if damages occur due to a malfunction, or even the mere (mis)use of the RFID system* (cp. the scenarios of sections , and ). In an AmI environment there might even be more complicating factors such as the use of intelligent agents. As already explained, this contribution will be limited to liability problems regarding RFID systems*.

 

In part, the question as to who is liable for inflicted damages is not influenced by (the use of) RFID systems*. Take, for example, the case of the Metro Future Store. In this case, the store is liable for the infringement of privacy caused by the customer card. It was not so much the use of the RFID tag* as the concealment of its use, together with the use of the gathered data, that led to the infringement of privacy. Any means of gathering, storing and analysing personal data in a concealed manner would have made the store liable for the privacy infringement. However, RFID systems* do raise a lot of liability issues that are difficult to solve because of the complexity of these systems. In this respect the following remark in the SWAMI research is illustrative:

 

“Nearly in every situation regarding consumer relationships, the factual situation might be very complex (e.g. in case of data mismatch and access refusal, the client is faced with a problem caused by a complex technological system, which has been constructed by the joint efforts of several actors). It can be very troublesome for a user to point at the party who is actually responsible for the damages caused, especially if (s)he does not know which parties were actually involved in the service/software creation and delivery.” (Friedewald et al., 2006: 151)

 

As an example, reference can also be made to the scenario for social inclusion in which the issue of tag-collision is addressed.  

 

So, the different components as well as the variety of involved parties lead to a complex context for assessing liability. The opacity and lack of predictability with regard to the (mal)functioning of the system makes it even more intricate. Technical specifications will be a decisive factor with regard to questions like:  

  • How big are the chances of tag-collision?  

  • How big are the chances of miscommunications between tags and readers*?  

  • How much influence do different tags and different readers* bear on each other?  

  • What can be the consequences of this influence?  

  • Can security with regard to internal and external reference data within the RFID system* be guaranteed?

Even though these questions will be different for each and every RFID system*, they do in general justify legal research into the question as to whether current liability regimes are a sufficient means with regard to RFID systems* to allocate legal responsibilities and to be used as a tool to compensate for inflicted damages caused by (the use of) the RFID system*.  

 

Different liability regimes; no unified law on liability

In the European Union there is no unified general law on contractual, nor on non-contractual liability. If a RFID system* completely consists of components from one country, and all parties involved reside in that same country, the lack of unified rules regarding contractual and non contractual liability might not be that much of a problem. As it is more likely that a RFID system*, and even more so an AmI-system, consists of components and involves parties from all over the world, the lack of a unified legal framework might be a highly complicating factor.  

 

Without a European legal framework, liability for damage caused by RFID systems* is to a large extent regulated by national law. Within the European Union several projects are, or have been, running with regard to the harmonization of tort law, the harmonization of the law on contract and even on a ‘European Civil Code’. From this research it becomes clear that, within the European Union, a legal “rift” exists in liability law. Many differences in the laws on contractual and non-contractual liability exist not only between common law countries (e.g. UK) and civil law countries (e.g. France, Germany); the different civil law regimes themselves also display a large variety of legal rules. In the research projects regarding European Private Law, the question as to whether this “rift” should be solved by European legislative measures is answered in the affirmative. However, until now, none of these research projects has led to legally binding regulations.

 

The absence of unified liability rules leads to complex questions as to applicable law and competent forums. At the European level, Private International Law issues are regulated by the Rome Convention on the law applicable to contractual obligations and the Brussels Regulation on jurisdiction and enforcement of judgements. Even with the existence of this legal framework a lot of practical problems remain, which will not be elaborated upon in this contribution. The issue is just addressed to illustrate the desirability of unified liability rules, as within a RFID system* it is already complicated enough to trace a malfunction and the responsible party, without having to assess what liability rules apply and what forum to address. Also the SWAMI research states that:

 

“Clear rules determining the law applicable between the parties are an important guarantee of the legal certainty. They allow to predict what rules (i.e. which law) will apply to his activity beforehand, and thus to know which rules to obey. Private international law is an important element which can facilitate the adherence to the legal requirements. Clear rules on the applicable law and the choice of jurisdiction to determine the case can facilitate the court actions and create the impulse to enforce the law by individuals who suffered damages.” (Friedewald et al., 2006: 162 – 163)

 

Even though there is no general harmonisation of liability law within the European Union, there are several European directives regarding liability in specific areas or concerning specific parties. Regarding RFID systems*, relevant liability clauses can for example be found in the E-commerce directive, the directives concerning product liability, and the unfair contract terms directive. Even though these regulations bring some clarity to specific legal relationships, they do not constitute a harmonized legal framework regarding liability. Also the level of harmonization established by the mentioned directives is not unambiguous as differences in interpretation, as well as differences in national implementation law, remain. In the following paragraph, a short description is given of the most important directive with regard to RFID systems*, the directive on defective products. The description of this directive will illustrate the above mentioned problems.  

 

Different liability regimes; Directive on defective products

Products, software and services

Liability for defective products is regulated by Directive 85/374/EEC as amended by Directive 1999/34/EC. Besides the lack of a unified legal framework regarding contractual and non-contractual liability within the EU, the scope of the directive on defective products is one of the reasons for differing liability regimes regarding RFID systems*. As described in the first chapter, a RFID system* consists of products as well as software and is able to provide services. However, from a European legislative perspective, these three issues are not dealt with by the same liability regime: services fall outside the scope of the directive for defective products, and it is doubtful whether software falls within the definition of a ‘product’. From the contents of the directive it becomes clear that not only the differing liability regimes might lead to problems when harmed persons try to get compensation for inflicted damages caused by a RFID system*. The following paragraphs will address the most eminent problems in this respect.

 

The definition of a product

One of the problems regarding liability for defective products and RFID systems* is the uncertainty with regard to the definition of a ‘product’. Article 2 of the Directive states: “For the purpose of this Directive, ‘product’ means all movables even if incorporated into another movable or into an immovable. ‘Product’ includes electricity.” This definition does provide room for interpretation leaving uncertain whether software must be qualified as a product. Due to this uncertainty differences in interpretation can emerge between the Member States of the European Union. The problems this can impose with regard to solving liability conflicts arising out of (trans-border) RFID systems* are obvious. For now, it seems that the view taken within the European Union is that software is not covered by the definition of ‘product’. However, as is highlighted in the SWAMI research, from a technological perspective it is difficult to distinguish between hardware and software. The SWAMI research also refers to the growing number of products with embedded software, which do fall under the regime of the directive. This makes the distinction between software and products even more doubtful. Therefore the question is raised why such a distinction should be drawn from a legal perspective? The SWAMI research goes as far as to propose to consider an explicit provision providing for the strict liability for software. The researchers are aware of the resistance against such a provision founded on the argument that such a provision would threaten industry and innovation:

 

“Since, in the opinion of the computer specialists, the software is never defect-free, the strict liability would expose software producers unfairly to the damages claims. Thus, the degree of required safety of the programs is the policy decision. Strict Liability could also impede innovation, especially the innovation of new, experimental and life-savings applications. Others argue that strict liability might increase the software quality by making producers more diligent, especially, in properly testing the product.” (Friedewald et al., 2006: 152)  

 

In the SWAMI research mention is also made of the difficulty to draw the line between software and services. As several efforts to establish a directive for defective services did not make it, strict liability currently does not apply to services. Service liability is regulated by the national laws. With regard to strict liability for services, the same kind of reservations are used as with regard to strict liability for software; it would impede innovation and creativity and put too much of a burden on the service provider. Whether these reservations are legitimate can be disputed, especially as exemptions, such as the state of the art defence as described in paragraph 4.2.4.4, can offer relief for software producers as well as for service providers.

 

With regard to Internet service providers some rules regarding liability have been harmonized by the E-commerce directive. Liability of these providers for mere conduit, caching and hosting is regulated in the articles 12 to 14. Also the electronic signatures directive contains in article 6 a specific liability clause with regard to certification-service-providers. These provisions will not be elaborated upon as they are not that influential in relation to RFID systems*.

 

Damage and proof

The Directive on defective products introduces the concept of strict liability (without fault) on the part of the producer in favour of the victim with regard to defective products that cause personal injury or property damage. Even though the directive favours the victim in this respect, an important disadvantage for them remains as the directive places the burden of proof on the injured party insofar as the damage, the defect, and the causal relationship between the two is concerned. As the Directive provides for liability without fault, it is not necessary to prove the negligence or fault of the producer or importer.

 

For the purposes of Directive 85/374/EEC ‘damage’ means damage caused by death or by personal injuries; and damage to an item of property intended for private use or consumption other than the defective product, with a lower threshold of ECU 500.  

Even though the directive does not apply to other kinds of damages, it does not in any way restrict compensation for non-material damage under national legislation.  

 

The question is which types of damages are caused by RFID systems*? As mentioned before, today RFID systems* are mostly used in SCM, for the identification of objects. In this respect, the probability for substantial damages for the parties involved might not seem that urgent. For example, if you look at the scenario of the Metro Future Store, severe damages are not that likely. Also the scenario regarding usage of RFID technology in educational settings does not necessarily require an analysis of liability risks as they are likely to be minimal. However, if we broaden the scope of supply chain management outside the borders of one specific store, liability risks become clearer. For example in case of dislocation of perishable goods, caused by a malfunction in the RFID system*, it is not that hard to imagine this resulting in a huge amount of damages.  

Also with regard to the CVS case concerning RFID labelling of drugs, liability issues might come into play. Even though the scenario mentions a decrease in errors in the delivery because wrong types or numbers of drugs can be detected easily, it can also be imagined that miscommunications within the RFID system*, could lead to life threatening situations. Also the scenarios of social inclusion, as well as the one on security risks for RFID-enabled profiling, provide examples of RFID systems* causing personal injury. 

Another example of a completely different kind of damage can be illustrated with the CVS scenario. In this scenario it is described that no drugs tagged with RFID are handed out to consumers for privacy reasons. Acting against this principle can lead to severe cases of social exclusion, leading to possible material damage (e.g. exclusion of insurance) but also immaterial damage (e.g. stigmatisation). 

Another important issue that must not be forgotten is that current applications of RFID systems* do not preclude the possibility that future applications of these systems can lead to even more severe damages.  

 

As can already be concluded from the discussion with regard to RFID and the invasion of privacy, not only a malfunction of the RFID system* can lead to damage, but also the use of such a system or even the mere fact that you ‘live’ within an environment in which you are submitted to RFID systems* without the possibility to withdraw, for instance because you are not aware of the fact that you are carrying a tagged item. It can also be the case that the tag is connected to everyday necessities such as money in your wallet and your identity card, items you cannot leave at home for practical or even legal purposes. An illustration of the far reaching consequences that a RFID system* (or better environment) can have is given with the scenario described in section 3.6 on the security risks of RFID-enabled profiling.

 

So the foregoing illustrates the vast variety of damages that can occur regarding RFID systems*. However, illustrating possibilities of damage is something completely different from proving the damage. Even though damage can be eminent, it may still be very hard to put a price tag to the damage caused, which can be grounded on material evidence. As already mentioned, proving the fault, and proving the link from the fault to the damage might already be a bridge too far, due to the complexity and opacity of a RFID system*.  

 

In this respect the SWAMI research proposes three possible solutions. First of all the SWAMI research mentions the burden of proof as one of the biggest problems in the liability action. It is stressed that the unawareness of data processing within the complexity of the AmI environment creates an inequality of the information flow which often makes it impossible for users to prove the fault and who is responsible for it, and thus the causal link between the fault and the damage. Therefore the SWAMI research recommends reversing the burden of proof, which solution is also adopted in the field of antidiscrimination and intellectual property laws, as well as in national tort systems (Magnus, Micklitz, 2004). Again this recommendation is aimed at privacy and data protection in particular, while such a reversal can be interesting in a much broader context. With regard to directive 95/46/EC implicitly another solution is proposed by SWAMI. The principle of article 23 Directive 95/46/EC, stating that any person who has suffered damage as a result of an unlawful processing operation is entitled to receive compensation from the controller for the damage suffered, could be explained as meaning that any act of unlawful data processing gives the right to damages, even if no (eminent and measurable) damage is inflicted. However, this explanation might be outside the boundaries of what is actually meant by Article 23.  

 

Secondly it is proposed to introduce fixed damages which would provide clarity as to the damages to expect and therefore could possibly have a deterrent effect.  

 

A third solution, mainly given with regard to claims that, due to the limited amount of damage, are not suitable to bring to court, concerns the option to allow consolidation of small claims of individuals, for example group consumer actions.

 

State of the art defence

In article 7 of the Directive on defective products several exemptions are listed to exclude producers from liability. One of these exemptions concerns the so called state-of-the-art defence: The producer is freed from all liability if he proves: 

“that the state of scientific and technical knowledge at the time when the product was put into circulation was not such as to enable the defect to be discovered.”

The SWAMI research indicates that it is argued that such a defence, which is at the discretion of the Member States according to article 15, will always be possible since, due to the complexity of the ‘code’, software will never be defect free.

 

Joint and several liability

One of the advantages of the Directive on defective products is that it establishes joint and several liability of all operators in the production chain in favour of the injured party, so as to provide a financial guarantee for compensation of the damage. Where the producer of the product cannot be identified, each supplier of the product shall be treated as its producer unless he informs the injured person, within a reasonable time, of the identity of the producer or of the person who supplied him with the product. The same shall apply, in the case of an imported product, if this product does not indicate the identity of the importer referred to in paragraph 2, even if the name of the producer is indicated.

 

The Directive does not provide for a cause of action. This is left to the Member States. Product liability cases are tried in national courts under national laws (Delaney, Van de Zande, 2001: p. 1). From article 13 of the Directive it becomes clear that the Directive shall not affect any rights which an injured person may have according to the rules of the law of contractual or non-contractual liability or a special liability system existing at the moment when the Directive is notified. The producer’s liability is not altered when the damage is caused both by a defect in the product and by the act or omission of a third party. However, when the injured person is at fault, the producer’s liability may be reduced. From article 12 it becomes clear that the provisions of the Directive on defective products are mandatory in nature as producers may not, in relation to the injured person, limit or exempt liability arising from this Directive.

 

Conclusion

As illustrated by the scenarios in Chapter 3, RFID systems* can cause substantial damage. The current legal framework regarding liability does not seem to provide an adequate system to compensate for inflicted damages caused by (the use of) a RFID system*. Not only the technicalities play an important role, but also the lack of legal uniformity. From a technical perspective interesting questions arise with regard to the predictability of malfunctions and the probability of these occurring. Also the traceability of malfunctions and responsible parties within the system are important factors regarding the allocation of legal accountability. Another important technical issue to address is the possibility to ‘turn off the system’. As mentioned before, today’s RFID tags* do not stop responding to readers* when the product has been bought by a customer and leaves the supply chain, unless special measures to destroy or deactivate the tags are taken. An illustration of the far reaching consequences this can have is given by the scenario on the burglary of Clair as described in section 3.6.

In this respect interesting questions from a legal perspective arise. For example the question as to whether there is a right to ‘withdraw from the system’ and questions relating to consent to ‘living’ within the system. For example, can mere ‘participation’ in an AmI environment be viewed as ‘permission’ by the users of RFID-technology to submit persons to this environment or technology? 

 

The foregoing supports the conclusion that further research into liability and RFID systems* and AmI-environments is needed from different scientific angles. The legal research could start with the fundamental problems described in this contribution that arise from the lack of unified liability rules or from the lack of unambiguous harmonization or interpretation of existing liability rules.

 

 
