Smart laws: exploring data and privacy regulation in smart cities

Posted: 17 December 2018 | | No comments yet

Smart cities are on the rise, with the Internet of Things (IoT) and rapid tech developments making us – and our built environments – more connected than ever. But, while systems monitoring traffic flow and parking are certainly making our environments smarter, what legal regulations govern the data that they use? Stuart Pearson, Construction, Energy & Projects Lawyer at Capital Law, explores how data and privacy laws affect smart technology.


Before analysing what data smart cities use – and tackling any respective privacy issues this uncovers – we first need to understand, clearly, what smart cities are and how they work.

At its core, a smart city is all about gathering information to create actions that generate positive change. This positive change varies in intention from city to city. Some aim to use resources more efficiently, reduce pollution, improve public safety or even enhance the wellbeing and happiness of visitors and residents. However they all have the desire to drive economic growth by utilising technology to create smart outcomes, and the aim to improve the quality of life for the city’s inhabitants by promoting local development – change that is driven by the residents, rather than dictated by the vision of a few in positions of power.

This could be as simple as wirelessly managing streetlights to lower energy costs, or using sensors to monitor water mains for leaks, and air quality for high pollution. It could also be more complex; creating smart parking initiatives that track available parking spaces and vehicle movement. But, for these smart solutions to be successful, they all rely on gathering and interpreting data, consequently placing smart cities directly under the microscope of the General Data Protection Regulation (GDPR).

Working efficiently under GDPR

The most significant areas of concern to do with smart cities relate to the ownership, processing, use and security that IoT devices and smart city infrastructures generate. As cities develop and utilise new and disruptive technology, they’ll gather and store all types of data – from an individual’s location, to their daily activities – all in the name of making a city smarter.

This gives rise to several legal questions: who’s responsible for this data? Could it be exploited? How can citizens be protected – and whose responsibility is it to do so? And, in our post-GDPR landscape – what about consent? Smart cities give rise to significant issues relating to consent about capturing and processing data.

The main data protection laws in place to prevent data breaches are the Data Protection Act 2018 and the GDPR, although these probably don’t go far enough to protect the specific uses of data that apps and mobile devices use in the context of smart cities.

Data that identifies a living individual belongs directly to said person, but can be legally shared, processed or accessed if the entity receiving it has a legitimate reason to do so. In practice, individual companies, local authorities or councils might be viewed as data controllers or processors and will have to make sure they’re complying with all the associated obligations to avoid being successfully challenged on their data use. GDPR and the Data Protection Act weren’t implemented with smart cities in mind, so regulators will likely issue more guidance in time to make the reach of new tech clearer and explain how individuals can protect themselves against inappropriate use.

Regardless of the data protection laws, device hacking and cyber-attacks remain a real risk. Unfortunately, as advances in technology are made, those looking to exploit weaknesses in emerging systems are often close behind with new and inventive schemes to obtain users’ data.

So, how could smart cities – either the tech itself, or as a result of hackers – exploit personal data, and what measures need to be put in place to stop that from happening?

In theory, smart cities could end up exploiting personal data by deliberately sharing it with other organisations that could benefit from understanding how the city’s services are used (which could impact on marketing campaigns or users’ access to services), or inadvertently via a publicly-available Wi-Fi connection.

Using data within a smart city concept

It’s difficult to see how key GDPR concepts, like ‘privacy by design or default’ would work in the context of a smart city drawing on immense volumes of surveillance and behavioural data, gathered from a myriad of IoT sensors, stored in the cloud and subjected to sophisticated analysis. For example, big data (which, in a smart cities context, offers the potential to obtain valuable insights from a large number of sources) is still a relatively new and unexplored concept. It clashes with GDPR in the fact that its aim, in the first instance, is to collate as much data as possible, irrespective of its ultimate use. This can then be used to identify opportunities for change.

We already have tech that works in this way – like apps that allow us to monitor our household energy usage – but it could also be used to identify other trends, like how often, and when, we turn the kettle on. On a community basis, this information could be used for lots of reasons: to inform a large hot beverage producer of the peak time to advertise its products; to let the emergency services know that an elderly resident hasn’t had their usual elevenses, which could be because of a fall; or to provide energy suppliers with more specific information about energy use, rather than generic usage numbers generated by meters.

Any updated GDPR guidance needs to coexist with innovation, rather than act as a red flag. While our control over our own data is, of course, imperative, it shouldn’t disrupt systems that are designed to make us, and our infrastructure, work more innovatively and efficiently.

Where consent is concerned, the meshing of young technology with old infrastructure in commercial partnerships, or public-private joint ventures, also creates challenges and gaps in legal responsibility. Those in control of a city’s tech will need to make sure it has contracts in place, binding all relevant bodies to their obligations under the law (which will, in itself, need to be updated to accommodate these emerging areas).

Given that the ethos of smart cities is to put citizens in the driving seat – and that any change is incapable of being truly smart unless it offers a real benefit for citizens – they should be keen to opt in. But, any ‘opt in’ requirements for things like location services should be reviewed at regular intervals, rather than a one-click acceptance giving an entire city permission to track an individual’s data indefinitely. It should also be made as easy as possible for citizens to withdraw that consent.

What do we want to achieve?

The way that data is ultimately used and analysed will depend on the solution that the smart city is trying to achieve. Consider this: the highways authorities collate data about the volume of traffic on the roads. They could use that data to inform users of issues across road networks, or they could sell it to commercial car manufacturers to design engines that work more efficiently in today’s driving conditions. Most people would likely opt in to the first use of their data, but not necessarily the second.

How this data is controlled and protected across smart cities is the biggest challenge. One solution could be to adopt a ‘Pokémon Go’ approach. The game worked on the premises that it depended on categories of information, rather than specifics. It would identify nearby green areas, populated areas, waterways and points of interest, and the game would place relevant Pokémon for the user to find in the relevant area – rather than providing specific personal information. In effect, the data is anonymised and categorised, meaning the game could work without storing unnecessary information. If this approach was widened out to general data storage, it would allow community data to be analysed, while reducing that data’s availability to commercial bodies looking to utilise it.

To keep up with the innovative and technology led nature of smart cities, we all – citizens, businesses and regulators alike – will need to share best practice and knowledge to make sure that we’re proactive, rather than reactionary, to this everchanging and ultimately exciting area of development.

Related organisations

Related people

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.