By providing citizens with a bigger power and control over their personal information, the EU General Data Protection Regulation (GDPR) represents a challenge to smart cities, which use also personal data to offer intelligent services.
As the number of smart cities increases, the heavier are their responsibilities towards citizens. Several questions rise spontaneously: are they smart enough when it comes to using big and personal data? If even technology’s giants, such as Facebook, cannot guarantee the absence of leaks in their systems, are we sure that nothing will ever touch the smart cities’ precious data?
Eva Blum-Dumontet, research officer at the NGO Privacy International, underlines the fact that “people should always know that their data is being collected, and that these can be accessed and deleted. Moreover, city’s services should not be accessible only to citizens willing to surrender their data: “All the initiatives developed by a smart city should be carried out in the name of public interest and not in the one of companies providing cities with the technologic infrastructure.”
The way smart cities deal with data may cause troubles to administrations if adequate measures are not adopted. This case is particularly true as General data protection regulation (GDPR) became effective since May 2018; it was designed to harmonise privacy laws across Europe.
The appointment of a new professional figure, the data protection officer, is one of the responses that companies and governments put in place to comply with the regulation. The DPO provides different departments and offices with advices on how to implement and maintain the GDPR, and increases awareness within the organisation on data protection. It is however not easy to find someone who has this required mix of IT and legal skills.
“The DPO has to guarantee that the law is executed. Cities can be hugely affected if they don’t have enough competent staff, “says Ingrid Reynaert, expert on smart cities from the Belgium-based business association Agoria.
In most cases, cities have not yet developed an appropriate cyber security plan at a local level. Although this may cost hundreds of thousands of euros, it is a compulsory step as data must be stored in a secured manner. “For this reason, they may choose to work with a third party, a private actor, which will treat data in accordance to the GDPR,” Reynaert adds.
An example is Water Link, a smart solution developed in Antwerp, Belgium, where data on water consumption are stored by a private company, which signed a contract with the City. “With the consent of citizens, the company collects data related to consumption and eventually transfer it to the City which will invoice citizens.” explains Reynaert. This allows cutting bureaucracy. “Once the collection is done, the company has the obligation to destroy those data. On the other hand, the City’ departments in charge of invoicing citizens may still store them.”
Another example comes from Pamplona, Spain, one of the “lighthouse” cities of the European project Stardust, which is developing smart solutions for energy, mobility and ICT to be integrated in urban areas.
Luis Antonio Tarrafeta Sayas, in charge of the IT systems of the city, explains: “One of the initiatives is the implementation of an Open City Information Platform, which will combine and exploit all data by different administrative departments for managing urban infrastructure and services. This platform will help us to detect inefficiencies and propose straightforward solutions to citizens, private actors, researchers and other administrations,” says Tarrafeta Sayas.
All data will be integrated in the above mentioned platform under the monitoring of the DPO, who will ensure that citizens are always informed and that their consent are sought out on the treatment of their personal information. "In cases when private actors are involved, we will include clauses that oblige them to comply with current EU legislation" concludes Tarrafeta Sayas.
Goran Vojkovic, GDPR expert from the University of Zagreb Faculty of Transport and Traffic Sciences, says: “One of the advantages brought about by the new rules is linked to the data anonymisation. From the moment that a smart city wants to use the collected data in a public way, it has the obligation to transform personal data into aggregate anonymous data. This process can also reduce citizens’ potential mistrust.”
Carlo Ratti, architect and engineer, director of the MIT Senseable City Lab in the United States, shares his view on the ethic dimension of smart cities: “As the late historian of technology Melvin Kranzberg once said, ‘technology is neither good nor bad; nor is it neutral’. The same is true of smart city technologies, it depends on how we use them.”
“Big data essentially means a better knowledge of the urban environment, and its applications can be various. It can be used to empower people, for instance, supplying them with information and thus a greater ability to affect their environment. But it can also be used as an instrument of control, like the one possessed by the super-powerful secret police - a scale never seen before by humanity.”
To preserve our privacy, he proposes an original way of addressing the issue, which goes beyond the data protection officer and the new GDPR. It consists of encouraging the widespread adoption of hacking itself.
“Familiarity with hackers’ tools and methods provides a powerful advantage in diagnosing the strength of existing systems, and even in designing tighter security from the bottom up, a practice known as ‘white hat hacking’. This type of ethical infiltration works by identifying the flaws in a digital network. This thereby enables a security team to render the network more resistant to attack.” Ratti thinks that such infiltration could become routine practice for governments and local authorities to develop better technical safeguards as time progresses.