Modality Mix of RFID Regulation
| Author | Daniel Ronzani |
| Position | CBS, Centre for Applied ICT, Howitzvej 60, 2000 Frederiksberg, Denmark dr.inf@cbs.dk |
| Pages | 222-232 |
-
This article was first published in Kierkegaard, Sylvia, (2008) Synergies and Conflicts in Cyberlaw, IAITL,pp. 108-122.
Page 222
The Internet of Things is a network of communicating devices that can interact in the context of the physical world (Buckley, 2006). In this realm, radio frequency identification (RFID) is one step "towards ubiquitous computing which together with technology-convergence may lead to seamless integration of the physical world with cyberspace" (Van de Voort, Maarten & Ligtvoet, 2006). Because (i) RFID is one of the interfaces to cyberspace and (ii) the European Commission's Directorate General Research Centre suggested that a closer look at existing legal framework for RFID along with the development of processes for establishing guidelines and best practices is needed (Van Lieshout & et al., 2007), it is justified to recall Judge Frank Easterbrook's speech titled "Cyberspace and the Law of the Horse" (Easterbrook, 1996). In his speech, Easterbrook argues that the best way to learn the applicable law to specialized endeavours is to study general rules. He strongly criticizes the implementation of a specialized law for new technologies:
"We are at risk of multidisciplinary dilettantism, or, as one of my mentors called it, the cross-sterilization of ideas. Put together two fields about which you know little and get the worst of both worlds. [...] Beliefs lawyers hold about computers, and predictions they make about new technology, are highly likely to be false. This should make us hesitate to prescribe legal adaptations for cyberspace. The blind are not good trailblazers." (Easterbrook, 1996)
One of Easterbrook's arguments is that if legislators are too far behind in matching law to well-understood technology such as photocopiers (copyright), then what chance will one have for fast-living computer technology? In his opinion, it makes no sense to match an imperfect legal system to an evolving world that is understood poorly. His advice is - in a nutshell - to stick to existing laws (Easterbrook, 1996).
Lessig (1999) disagrees with Easterbrook and argues that interdisciplinary thinking is important. He offers techniques for escaping the limits of a regulator by "recognizing the collection of tools that a society has at hand for affecting constraints upon behaviour" (Lessig, 1999). According to Lessig, the tools are: law, norms, market and architecture. Many authors suggest regulating RFID with a multi-spectral approach that includes, for instance, changes in law, furthering of guidance and self-regulation, implementation of technical measures or improvement of education (Van de Voort, Maarten & Ligtvoet, 2006; Hustinx, 2007; Hübner-Fischer, 2000). However, to date there seems to be little effort to move away from enacting new laws towards embracing the other three regulatory tools envisioned by Lessig. Hence, the claim in this paper is that the regulation already enacted in Europe sufficesPage 223 and that the focus needs to shift towards norms, market and architecture. There is no need for additional legal regulations, such as the draft recommendation on the implementation of privacy, data protection and information security principles in applications supported by RFID in February 2008 (hereinafter "Draft Recommendation").
The debate on the applicability of Lessig's four tools concerns many new fields, in which a new technology is prevalent. The dispute is not RFID technology specific. However, RFID is a good proxy to discuss this debate since it is very topical. This discussion is organized as follows: Section 2 structures the problem as to why a mix of modalities is necessary. Section 3 offers an overview of the four modalities. In section 4, the key topics of the Draft Recommendation are first analysed and then supplemented with tentative solutions. Section 5 concludes that the Draft Recommendation by the European Commission should not be implemented because it is redundant with enacted legislation. Instead, a trade-off in favour of the modalities is proposed.
In 2006 the European Commission conducted several workshops and a public consultation process on RFID (ICS, 2007). The European Commission noted that although most stakeholders are still unaware still being unaware of the potential and risk of RFID, opposing camps had already formed. The scope of the 2006 consultation process was to advance the debate on RFID objectively and to provide a balanced overview of the necessary action on RFID issues (Van de Voort, Maarten & Ligtvoet, 2006). In general, the survey showed that two-thirds of the 2190 respondents of the 2006 RFID consultation feel that the current legislation is inadequate and that existing laws should be modified in order to strengthen the protection of personal data and privacy. Specifically on security and privacy issues, more than half of the respondents report that some kind of legislation regulating RFID should be considered (___, 2006; COM (2007)96).
Lessig states that law alone can neither enable nor guarantee legal values. He therefore proposes four modalities of regulation (Lessig, 1999): law, norms, markets and architecture. He notes that these modalities regulate together and that, depending on the context to be regulated, there is a trade-off between them. Thereby a modality can influence either an individual directly or another modality that subsequently influences the individual. The goal is to find the optimal mix which depends on the plasticity of these four different modalities (Lessig, 1999).
The problem is not that Lessig's modality mix is not used today. As Table 1 shows Lessig's concept is used, albeit with different terminology. The problem is that from a holistic perspective, we risk over-regulating with law if we do not consider the trade-off between the four modalities. As noted earlier, the claim in this paper is that if norms, market and architecture are considered, this will result in less need for laws. This trade-off is possible and affordable because the technology-independent legislation enacted at European level is already sufficient to protect the stakeholders (with some limitations).
[ GRAPHICS ARE NOT INCLUDED ]
Following the first public consultation on RFID held in 2006, the European Commission issued the Draft Recommendation. In this paper the Draft Recommendation will be analysed based on Lessig's modality mix. The next section outlines the four modalities in more detail.
The four modalities-law, norms, market and architecture-of Lessig's concept of behavioural constraints regulate together and the net regulation of any policy is the sum of the regulatory effects of the four modalities (Lessig, 1999). It is important to distinguish between the four modalities.
Law typically regulates behaviour by statutes. Law is regulated, controlled and enforced by government authorities. Mostly there will be a constitutional mandate to enact statutes. The statutes can envision further delegation to ordinances or regulations. The European Commission, for example, has enacted directives that need to be implemented into national law of EU member states. The protection of personal data, for instance, is covered by the technology-independent Directive 95/46/EC regardless of the means of procedures used for data processing (COM(2007)96). But there are also less enforceable regulations, such as the Draft Recommendation.
Page 224
Norms regulate similarly as, but not equal to law (Lessig, 1999). Norms are non-legal rules that certain individuals feel compelled to follow despite the lack of formal legal sanctions; or stated positively, they are non- legal rules that certain individuals follow because they benefit from doing so (Carlson, 2001). Both modalities, law and norms, threaten punishment ex post. But whereas the regulation of law is centralised at authority level, the regulation by norms is decentralised by and to a community (Lessig, 1999). The sanction to be imposed by the community can be extended to third parties. Thereby, codes of conduct are created by imposing requirements on an entire community rather than merely on the interested (private) parties (Bendor & Swistak, 2001). EPCglobal, the leading standardization body for the development of industry-driven standards for the electronic product code to support the use of RFID, for instance, has issued guidelines on RFID. These are regulations that are followed and sanctioned as norms by the members of EPCglobal.
Market regulates behaviour by different influences, such as demand and supply that is reflected in price. Prices can constrain access. Lower RFID tag costs and improved RFID tag performance have opened new markets and applications for RFID (Van de Voort, Maarten & Ligtvoet, 2006). Industrial entities, for instance, are bringing RFID to market and many small- and medium-sized entities have successfully deployed RFID (COM(2007)96). However, mass implementation is price-driven and it is generally assumed that a cost reduction of passive RFID tags to...
To continue reading
Request your trial