Is Your City Smart Enough to Tackle GDPR?

The impending IoT revolution has the potential to deliver a connected world once thought possible only in science fiction. As we start 2018 with an estimated 11 billion connected devices, Gartner predicts this number will almost double in the next two years, reaching 20 billion connected “things” in the world by 2020.

This means watches, televisions, home appliances and cars sharing data and communicating with one another. The rise in connectivity has changed the way we live personally, but it has also changed the way we live together in communities across the globe.

The success of productivity and efficiency, ushered in by the IoT revolution, has given rise to a new breed of connectivity: the smart city. 

We find ourselves now at a turning point, as officials increasingly look to technology to improve the health and efficiency of their cities. But a modern city must adhere to modern regulations, and officials and city leaders would be remiss if they didn’t begin thinking of the compliance and regulatory challenges they may face in the new era of General Data Protection Regulation (GDPR), which is designed to bring EU data protection legislation more in line with the new ways data is now used. 

As connected cities become more reliant on technology to deliver services faster, cheaper, and with a greater level of satisfaction to ratepayers, their reliance on data will also increase. The logical outcome of this is that data protection will become more important than ever before. Everything from critical infrastructure to smartphone apps that allow people to report on common municipal issues has the ability both to change our cities for the better and to create new data protection challenges.

Municipalities will not be completely exempt from the data protection requirements under GDPR, and neither will the private organizations that cities partner with to provide some of these services (the famous “public-private partnership” or P3). There are provisions under Article 6-1 that exempt some processing if it is in the “public interest” (specifically 6-1(e)), but it would be wise for organizations both public and private not to treat that exemption as a blanket authority to abuse citizen data.

I suspect that entities working with municipalities who play fast and loose with the public interest exemption may find themselves brought to the courts to explain their actions.

It can be incredibly difficult, if not impossible, for cities to obtain free and informed consent (and the relevant right to deletion/right to be forgotten) from their citizens. We also need to ask ourselves: what happens to the data that is collected? How is it consumed and processed? Any slow march toward a fully integrated smart city network should discuss these key aspects, and it should happen at the earliest stages of discussion. I also recommend the framework include the following at a minimum:

  • An understanding of whether or not the collected data can be fully anonymized as it is ingested, stripping any and all personally identifiable information;
  • Establishing regular compliance auditing that confirms the anonymous nature of the data and that it cannot be de-anonymized;

If anonymization is not possible:

  • Cities must have near real-time portals for citizens to review the data that the city and their P3 partners have collected. Cities must also provide information to their citizens on how to take action against that data, should they choose to do so;
  • Cities must provide methods for citizens to implicitly opt in to the collection and make it simple to opt out at any time. This should also include specific information on what data is being collected and how it is being used;
  • Data must not be put to any additional use by third parties that the citizen did not implicitly approve unless it has been completely anonymized prior to it being transferred to a third-party processor; and
  • It would behoove cities greatly to establish a Charter that is publicly available and adhered to by both the city and their partners outlining their commitment to their citizens’ data privacy.

There is a very real and distinct possibility that organizations who are working with cities to help build the smart city of the future will not treat EU citizen data with the levels of care and privacy that the GDPR demands of them.

However, it is also likely there will be many years of battle in the European Courts of Justice as both sides argue over the methods by which they collect and use citizen data. Based on the punitive measures built into GDPR, it may be easier for organizations of all types to build that privacy into their systems now instead of waiting for the gavel to fall – with the catastrophic penalties attached.

In the United States, the National Institute of Standards and Technology (NIST) recently issued its new smart cities framework, detailing ways to build safer, smarter cities. It includes the call for greater cybersecurity, but it will be interesting to see how GDPR interacts with some of these initiatives. Will EU citizens be allowed to opt out from data collection in the smart cities of the future? Will they be able to demand to review the data that’s collected, and will they have the “right to be forgotten” as is enshrined in EU legislation? I suspect that we will see challenges in the courts around these specific questions.

Smart cities are rapidly becoming a reality. While they have the potential to change our entire way of life, they must at the same time respect the privacy and security needs of their citizens. As regulations struggle to keep pace with rapidly developing technologies, cracks will undoubtedly appear.

But if we spell out succinctly how data is to be collected by these cities, what it can and cannot be used for, and how it should be anonymized, stored, and forwarded, then we may just have the right foundation to build a more intelligent, connected world, while at the same time respecting our individual rights to privacy and security. 