City developers and engineers are increasingly turning to smart technology to protect the quality of urban living and working environments. In the Netherlands, several projects of this type have been initiated, for example in the city of Eindhoven, where sensors monitor public safety in nightlife districts. It is just one of the many ways in which ‘smart cities’, using smart technologies, can help solve major social issues. But in order to do so, the smart city relies on large volumes of information, including data of a personal or confidential nature. So, what does this mean for our privacy? In this blog, we will take a look at privacy risks in the smart city context.
What are ‘smart cities’?
Smart cities use enormous amounts of data (‘Big Data’), in combination with algorithms and specialised technology, for purposes of city management and urban governance. In these data-driven environments, sensors and many other types of connected devices are linked in a comprehensive infrastructure aimed at helping to improve the quality of daily life. To do so, the smart city heavily relies on ICT and the ‘Internet of Things’ (IoT), the latter having several areas of application, such as:
- Smart homes
The concept of smart homes is all about the integration of multiple technologies and the connection of different devices throughout the house, allowing for communication through a cloud-based server, often with links to various apps. The data collected by these smart devices are used to enhance living comfort. By now, a large majority of Dutch households is equipped with one or more smart home products.
- Smart energy
As city populations grow, the challenge of energy management also increases. This is where smart meters come in, allowing for energy optimisation by collecting household-specific consumption data including peak hours and off-peak periods. In 2006, the EU launched a plan for smart electricity. Ultimately, the EU wants to replace all conventional electricity gauges with smart meters.
- Smart transport
On a global scale, there are numerous initiatives based on the use of smart technology as a solution to traffic congestion and for creating cleaner (inner)city atmospheres. One example is smart parking, with special apps directing drivers to convenient parking spots as a way of smoothing out traffic problems. At the same time the app also allows individual car owners to be linked to specific locations – in this case, the place where they parked their vehicle.
The combined use of major systems that form the true heart of a modern city – systems that provide information on infrastructure, energy and water consumption, waste disposal and many other metrics – is rapidly becoming vital to city management. And there is no doubt that these data, if appropriately collected, analysed and shared, can contribute to positive city development.
Privacy risks in the smart city
So, the benefits are clear. But at the same time, the concept raises a number of legal questions with respect to the protection of privacy and personal data. Smart cities, after all, are (continuously) collecting data – personal data in many cases. What is more, the devices involved are connected through the IoT, which means that data can be combined and linked in all sorts of ways. And as the very data of its citizens are essential to any smart city’s functioning, there is an inherent privacy risk.
For instance, face recognition applications may be a legitimate component of crime investigation procedures, but can also be used for monitoring of ‘innocent’ civilians. Similarly, smart meters may lead to privacy violations as a result of their susceptibility to identity theft and the potential for profiling. Smart devices may also be used for listening in on private interactions and offer readily available options for information exchange because of their inter-connectivity and connection to the internet. These are just a few of the privacy risks of smart cities.
Data protection regulation (GDPR)
For responsible further development of smart city applications, according to the Dutch Data Protection Authority (AP), cities will have to become more aware of the possible effects of smart cities on citizens’ rights and freedoms and the protection of personal data. AP-commissioned research on smart city applications in 12 Dutch municipalities shows a more than incidental lack of foundation for and documentation of decisions on the legitimacy of data processing operations involved, thus constituting an infringement on citizens’ freedoms. Article 5 of the GDPR, in any case, specifies that the collection and use of personal data should be, among other things, lawful and proportionate.
Furthermore, as expressed in Article 13 of the GDPR, citizens should be informed on the means and purposes of personal data collection. The GDPR also explicitly mentions, in Article 15, the data subjects’ right of access to the data collection. The practical smart city reality, in contrast, seems to be that citizens are hardly informed, if at all, on which data is being collected, in which ways and for which purposes.
Apart from the fact that smart cities collect huge volumes of data, it is also common for these data to be combined. Based on the combined data, predictions can be made, for example of hazardous situations within the city. An even more far-reaching stage is that data can be used for automated decision-making.
The GDPR is especially strict when it comes to these types of data processing. Regarding such processing, data subjects for example have to be informed, in understandable language, on the logic and criteria governing the process of decision-making (Article 13(2)(f) GDPR). Furthermore, the general principle applies that no one should be subject to a decision based solely on automated processing which may produce significant (legal) effects for the person involved (Article 22 GDPR).
Apart from privacy concerns, the smart city also raises several ethical issues, like the question as to whether the interest of public safety outweighs the right to individual privacy.
The AP calls for more ethics in the smart city. In its research report on smart cities, the organisation points out the importance of a public space in which citizens can move freely and unobserved. To this end, the AP encourages municipalities to establish ethical frameworks with every technological proposal.
What smart city initiatives have in common is, on the one hand, their objective, which is finding ways of meeting the key challenges of our time (like climate and energy control) and on the other hand, the method of choice for this purpose, which is the implementation of smart technology. Smart cities use information, algorithms and technology to manage and govern the urban environment. They collect large amounts of data, including personal data, which in many cases can (and will) be used for risk profiling and (automated) decision-making. This introduces the danger of systematic disadvantaging or stigmatisation of specific segments of the population. At the same time, smart city applications have to comply with the requirements of the GDPR which are particularly strict in relation to automated decision-making. However, in the practical conditions of smart city scenarios it will be difficult to (properly) inform citizens about exactly what sort of information is being collected, by what means and for what purposes. What this means is that in designing smart cities, the protection of privacy has to be among the basic priorities. There is nothing wrong with data driving added value in the public space if there are sufficient privacy safeguards. It is up to the cities themselves to create ethical frameworks for new technology in order to keep our data safe and our privacy secured.