Keeping Track

An overview of track-and-trace technologies

By Michael Butterworth

Track-and-trace solutions in all their various  forms  are  currently  all  the  rage. Retailers are increasingly looking to use metrics to demonstrate supply chain efficiencies and provide transparency over things like delivery times and sustainability information.

In this article, we take a look at some of the different technologies deployed in traceability schemes, key strategic questions to consider when structuring your contracts and some of the different legal aspects to the data generated in the process.

Technology

Bar codes or QR codes feeding into a centralized database

Retailers may want different partners to input data or scan an item at various stages in the production process. By maintaining a centralized data repository, the retailer can use the data to oversee the various stages in the production process.

However, the production line needs to be updated to apply the codes, and manufacturers will need to think through the impact on the production process: If supply chain partners need to apply or generate a code (potentially from a third-party source, such as the ultimate retailer), how will this new “raw material” fit into the production timeline?

The  European  Commission  imposed  this  type  of  solution for verifying the authenticity of medicinal products and tobacco products under the Falsified Medicines Directive and the Tobacco Products Directive, requiring the industry to establish data repository systems allowing data to be generated and tracked at all stages from manufacture to point of sale.

Interestingly, the commission decided not to use this solution for medical devices where the requirement is simply to apply a unique ID number to each device and log that number with the regulator, but there is no end-to-end tracking system in place.

Similarly, for customs tracking purposes, shippers only need to provide their container status messages (an existing code used in the shipping industry) to the European Anti- Fraud Office (OLAF), which itself maintains a directory.

Connected devices/internet of things

These are used for tracking larger assets (e.g., shipping containers or delivery vehicles). A connected internet of things solution can provide real-time data on the location of products or other key status indicators, like temperature or shock. This type of solution can be used to provide data streams to end users where the design and functionality of the user interface will be important for establishing a brand and recognition.

Organizations purchasing this type of solution may therefore want to own or have exclusive rights in the user interface. They will then need to make sure that the connected devices meet the technical requirements to operate with the user interface and that the contract with the hardware vendor includes the necessary rights for interoperability if the user interface is procured from a separate vendor.

If you’re tracking devices using a global connectivity solution, you will also need to check that your solution is suitably “future-proofed” for countries switching off their 2G and 3G networks and those with more plans to do so (www.emnify. com/blog/global-2g-phase-out).

Blockchain

Distributed ledger technology has been generating a lot of excitement for a while and has been developed for track-and-trace applications in a number of situations, often for tracking high value or unique assets, such as diamonds, jewelry or artwork.

The key advantage of a blockchain is that each transaction is verified across the blockchain, so there is no single authority that could manipulate the transaction records. For many track-and-trace scenarios, that is not necessarily a concern. However, for high value or unique assets, there is a clear vulnerability that a blockchain could help address.

The difficulty then is linking up the asset to the blockchain. This would also require a system of unique IDs. Then the vulnerability shifts from ensuring the integrity of the single authority  to  the  various  players  seeking  to  first  register  a unique ID on the blockchain.

Whatever the relationships between the players in the particular market, there will need to be a comprehensive system of contractual relationships to set out what the legal effect of a particular transaction would be and how that relates to activities on the blockchain.

Structure

Third-party integrations

It’s important to consider the key stakeholders in the ecosystem. The real value from track-and-trace solutions often comes from integrations with third parties—for example, if a retailer provides a platform for suppliers to input their data or if a logistics company allows customers to access and view data on their deliveries.

Centralized authority

If you’re tracking delivery vans, containers or other items where the real interest is in what’s inside them, who will have access to the manifest data? If you’re tracking larger or more valuable assets, do you need verification that the manifest matches the contents? If so, who will do this?

Ownership of the solution

One of the key strategic questions to consider before embarking on a track-and-trace project is whether you require exclusive use of the solution to establish a brand name—for example, if you want to differentiate your core product by providing a unique data service on top, or, alternatively, if you simply want something off the shelf that can be more easily swapped out for a competing product further down the line. A hybrid strategy could be to use different vendors for different components, which can prove more challenging from a contractual/operational risk perspective as a systems integration role may be required.

Data

Commercialize and exploit

Track-and-trace solutions generate vast amounts of data. It’s key at the outset to consider what value you want to derive from the data. What rights will you give customers and business partners to access the data? Will you generate any analytics using the data, and what sort of data products do you want to generate? You should make sure you have license terms in place with any third parties accessing the data, making sure you retain the rights you need for any future commercial exploitation.

Your supply contracts should make clear who owns the rights to the data, who backs up the data and whether you need any support with data portability on termination.

Personal data

If you’re tracking people, such as delivery drivers, then you will need to think about your EU General Data Protection Regulation (GDPR) obligations. Have you checked if you need to do a data protection impact assessment? Even if you’re not tracking people, the GDPR is likely to be engaged given most solutions will collect personal data for the users logging into the system. Have you thought about how the GDPR will affect the contracting structure and transfers of personal data overseas?

Nonpersonal data

You may have missed it, but there’s now a regulation on the free flow of nonpersonal data (https://ec.europa.eu/digital-single-market/en/free-flow-non-personal-data). Initially, this will mainly impact buyers in the public sector who need to think carefully before imposing any restrictions on the territory of data storage. Look out for the codes of conduct envisaged under this regulation, which the commission will encourage service providers to develop by Nov. 29, 2020, and implement six months later.

Michael Butterworth

Michael Butterworth

Michael Butterworth is senior associate of technology, outsourcing and privacy at Fieldfisher, an international law firm headquartered in London.