An Inflection Point for Smart Cities
New privacy regulations are threatening the full value and promise of smart cities through more stringent requirements for data collection, use and sharing.
The California Consumer Privacy Act, for example, introduces greater privacy requirements relating to undisclosed collection and sharing of information for companies that interact with California consumers. While largely designed to prevent surprises or undisclosed third parties from acquiring and/or misusing personal information in AdTech and targeted marketing, these requirements will challenge the growth of smart cities and chip away at their technical infrastructure, because these cities rely upon connected buildings, vehicles and other IoT devices, extensive data sharing, and a new information ecosystem of private company partners and suppliers. For example, the expanded definition of “Personal Information” under the CCPA includes IP addresses (a provision designed to limit the ability of technology/AdTech companies to target consumers who have not provided consent). This may inadvertently have a material, long-term impact on the ability of companies to collect and/or gain access to the mission-critical, IP-address-related mobile, geolocation and other data (e.g., behaviors, location) that smart cities depend upon for just-in-time services and information.
This article highlights some of the greatest challenges for smart city companies, which rely upon significant amounts of data to build accurate data models for machine learning and artificial intelligence. We also explain how strong data governance and the application of key data controls are essential to providing the data protection levels necessary to realize the full potential that smart city technologies can offer.
You’re Probably in a Smart City Right Now
A “smart city” amasses a wealth of data from a vast array of technology and communication devices implemented to improve critical city services, from air and water quality to transportation, energy and communication systems. A typical smart city initiative might involve sensors to read vehicle traffic for congestion management or a comprehensive network of CCTV-style cameras to monitor activity for public safety.
Many people think of smart cities as limited to a few newer cities or neighborhoods that have been engineered from the outset (such as Sidewalk Toronto — a 20-year undertaking to develop 12 acres of Toronto’s industrial waterfront). These developments are the exception, however, as thousands of mature cities around the world increasingly deploy devices to collect additional data for analytics. Smart cities are no longer a rarity or a destination: Chances are, you are in one right now. According to the Smart America Challenge, “city governments will invest approximately $41 trillion over the next 20 years to upgrade their infrastructure” to benefit from the Internet of Things. And TechRepublic reports that “smart city growth continues to expand, with 66% of cities reporting that they are investing in smart city technology, and 25% of those without any smart city systems are exploring how to implement it, according to a … report from the National League of Cities.”
The Smarter the City, the Greater the Privacy and Security Risk
Not surprisingly, smart cities pose risks to the privacy and security of individuals, especially where such data is personal, financial or health-oriented. Inappropriate or unauthorized access to smart city data might reveal, for example, an individual’s driving habits (which could affect their auto insurance rates) or personal health afflictions (based on frequent visits to a specialized medical professional). Smart cities may have a greater number of suppliers with access to personal information, and data protection is only as strong as the weakest link in this long chain.
Additionally, public governments may lack resources and may struggle to preserve individual privacy and the security of data collected. Further, some recent privacy regulations apply only to certain corporate entities (e.g., based on industry or revenue), and municipalities and public agencies are exempt from these higher standards.
The increased frequency of personal data sharing with cities and other public entities — ostensibly for public benefit — compounds the risk for individuals. For example, certain providers of autos, bikes or scooters share data with the municipalities in which they operate for mobility improvements in the city. In Los Angeles, Bird, Lime and others must provide real-time information about how many of their vehicles are in use at any given time, where the vehicles are and the physical condition of the vehicles. Other information includes operating cost, customer cost and start and end trip data. One of the ride-hailing companies shares pick-up and drop-off data with Washington, D.C. for city analysis and to consider whether the city’s street designs or traffic patterns accommodate the new ways of getting around. One on-demand vehicle sharing company is trading car-location data to help city planners refine their computerized traffic flow models in exchange for dedicated parking spots — a rare commodity in certain cities! While this mobility data is typically aggregated and/or de-identified, reidentification is increasingly possible given data availability and technological capabilities.
New Privacy Regulations Mean Complex Requirements for Smart City Stakeholders
The European Union’s General Data Protection Regulation, which took effect last year, requires additional protections for the data of individuals in the EU, including valid legal bases for data processing and enhanced rights for data subjects. More recently, and in the absence of a federal U.S. data privacy law, certain states have proposed or passed regulations that likewise increase the level of protection afforded to consumers. Cities, too, are following suit: A bill was introduced at the end of July that would make it illegal for cell phone companies and mobile app developers to share location data gathered while a customer’s mobile device is within New York City’s five boroughs. These regulations contain provisions that would be exceptionally challenging for many smart cities.
- Data Selling/Sharing. The CCPA, set to take effect on January 1, 2020, requires the identification of categories of third parties with whom the personal information of California consumers is shared and mandates that consumers have the right to restrict such sharing. This risk is higher than in the past given that the CCPA broadens the definition of personal information to include geolocation, unique identifiers (e.g., device identifiers, IP addresses) and biometric information, among other data elements. Under this requirement, smart city companies (e.g., those providing cameras, parking meters and sensors) will need to employ controls for greater visibility and management of the personal data that these devices collect and/or process. Contractual provisions mandating adequate data protection and capabilities to restrict data processing and data deletion will become table stakes.
- Data Subject Access Rights. The GDPR and CCPA provide individuals with rights to access, correct, delete and/or move (port) their data to another provider. These requirements pose technical and operational challenges for smart city companies that must collect and store data in an organized manner, be capable of retrieving the data within a reasonable time period and present it to the individual in a readable format. As with data selling/sharing, smart city companies will need to implement repeatable processes to identify the vast troves of data held for each individual and respond to data subject requests.
Using Old Dogs to Teach New Tricks
To address these new or heightened regulatory requirements, smart cities and their stakeholders need to implement robust data governance mechanisms and leverage and strengthen traditional safeguards for data accountability, monitoring and auditability.
- Clear Data Oversight and Accountability. One approach for controlled data use and ownership for smart cities is to employ data trusts, which may be independent of the city. These data trusts have a variety of responsibilities, including vetting companies in the supply chain who provide products and services to the smart city, defining and enforcing minimum standards throughout the data lifecycle (data collection, storage, use, sharing and disposal), and conducting periodic assessments to evaluate compliance with these standards. Chicago has developed an Executive Oversight Committee that must approve any proposed privacy changes, such as additional image processing algorithms or sensors that could potentially have privacy implications. The EOC is governed by dedicated privacy policies for the city’s Array of Things project.
- De-Identification. The Federal Trade Commission advises that, given the risk of reidentification, it is important to have accountability mechanisms in place. Owners should take reasonable steps to prevent reidentification, including de-identifying the data whenever (and as soon as) possible, publicly committing to not reidentify, and having enforceable contracts in place that prohibit reidentification by any third parties with whom the data is shared.
- Data Aggregation Rules. The adoption of deliberate, risk-based approaches for data analytics and marketing provides another safeguard. Establishing rules to de-identify personal information decreases risks of inappropriate data use while increasing the ability to share data with third parties. For example, for a smaller dataset, the “rule of 25” mandates that data analysis may be conducted only on a dataset that contains a minimum of 25 individuals. The “rule of 76+” grades age selection and filtering into tiered ranges with the maximum age tier set to 76+, which ensures that octogenarians cannot be explicitly selected and filtered. Location-based de-identification standards are also particularly relevant in smart cities, where limitations on the granularity of location data (e.g., to the street or neighborhood level instead of precise GPS coordinates) or limitations based on the type of location (e.g., a residential address) help protect the privacy of individuals, especially when the data is analyzed in conjunction with other activity or behavioral information. Often, many rules are needed for the same dataset to prevent reidentification.
- Transparency and Notice. Providing notice and choices to users about the collection and use of personal data will be a challenge. Smart cities and their downstream partners must be creative and develop a well-planned suite of just-in-time and other notices that convey clearly and comprehensively (but concisely) the necessary information for users to make informed decisions about their personal data. They may also explore innovative concepts such as affiliated consent, whereby the parties approved or trusted by an individual curate experiences or make decisions for them and the individual’s data is shared accordingly. For more on affiliated consent and privacy law as it relates to connected cars, see co-author James Koenig’s TEDxWilmingtonSalon talk “Navigating Privacy to Realize the Promise of Connected Cars.”
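The three aggregation rules described under “Data Aggregation Rules” (the rule of 25, the rule of 76+ and location-granularity limits) are concrete enough to be enforced in code. The following is an added example written for this article, not code from any city, vendor or regulator. The rule names and thresholds come from the text; the age tier boundaries below 76, the grid cell size, the field names and the sample trip records are assumptions constructed for the example. It shows why the rules are applied together: a query on the 76+ tier alone is reportable, but the same tier narrowed to one map cell falls below 25 individuals and is suppressed.

```python
"""Added example: enforcing the rule of 25, the rule of 76+ and location coarsening
on a constructed mobility dataset. Not code from the article's authors or any
smart city project; tier edges, grid size and sample data are assumptions."""
from __future__ import annotations

import math
from dataclasses import dataclass
from typing import Iterable, Optional

MIN_COHORT = 25                     # rule of 25: never analyze fewer than 25 individuals
AGE_TIERS = [(0, 17), (18, 25), (26, 35), (36, 50), (51, 65), (66, 75)]  # assumed edges
TOP_TIER = "76+"                    # rule of 76+: the oldest tier is open-ended
GRID_DEGREES = 0.01                 # assumed cell size, roughly neighborhood level


@dataclass(frozen=True)
class TripRecord:
    person_id: str
    age: int
    lat: float
    lon: float
    location_type: str              # assumed labelling: "public" or "residential"


def age_tier(age: int) -> str:
    """Map an exact age to a tier label. Every age of 76 or more collapses to
    '76+', so an analyst has no way to select octogenarians specifically."""
    for lo, hi in AGE_TIERS:
        if lo <= age <= hi:
            return f"{lo}-{hi}"
    return TOP_TIER


def coarsen_location(lat: float, lon: float, location_type: str) -> Optional[str]:
    """Snap precise coordinates to a grid cell; residential locations are
    dropped entirely rather than coarsened (a location-type limit)."""
    if location_type == "residential":
        return None
    cell_lat = math.floor(lat / GRID_DEGREES) * GRID_DEGREES
    cell_lon = math.floor(lon / GRID_DEGREES) * GRID_DEGREES
    return f"{cell_lat:.2f},{cell_lon:.2f}"


def de_identify(records: Iterable[TripRecord]) -> list[dict]:
    """Replace exact age and coordinates with tier and cell. person_id is kept
    only so cohorts can be counted; it must never leave the analysis boundary."""
    return [
        {
            "person_id": r.person_id,
            "age_tier": age_tier(r.age),
            "cell": coarsen_location(r.lat, r.lon, r.location_type),
        }
        for r in records
    ]


def count_if_allowed(rows: list[dict], age_tier: Optional[str] = None,
                     cell: Optional[str] = None) -> Optional[int]:
    """Rule of 25: return the number of distinct individuals matching the
    filters, or None (suppressed) when the cohort is smaller than MIN_COHORT."""
    people = {
        row["person_id"] for row in rows
        if (age_tier is None or row["age_tier"] == age_tier)
        and (cell is None or row["cell"] == cell)
    }
    return len(people) if len(people) >= MIN_COHORT else None


def build_sample() -> list[TripRecord]:
    """Constructed sample: 60 riders; coordinates are made up for the example."""
    recs: list[TripRecord] = []
    for i in range(30):                      # 30 riders aged 30 at a public plaza
        recs.append(TripRecord(f"p{i:03d}", 30, 37.7749, -122.4194, "public"))
    for i in range(20):                      # 20 riders aged 80-84 at the same plaza
        recs.append(TripRecord(f"o{i:03d}", 80 + i % 5, 37.7749, -122.4194, "public"))
    for i in range(10):                      # 10 riders aged 77 starting from home
        recs.append(TripRecord(f"h{i:03d}", 77, 37.7751, -122.4190, "residential"))
    return recs


if __name__ == "__main__":
    rows = de_identify(build_sample())
    print("all riders:", count_if_allowed(rows))                                  # 60
    print("76+ tier:", count_if_allowed(rows, age_tier="76+"))                    # 30
    print("76+ in one cell:", count_if_allowed(rows, age_tier="76+",
                                               cell="37.77,-122.42"))             # None
```

The design choice worth noting is that the filter vocabulary exposed to analysts is the tier label and the cell, never the raw age or coordinates; combined with the cohort threshold, the interaction of rules (not any single one) is what blocks the narrowed query.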
Five Steps Smart City Companies (and Others) Should Take Now
- Review & Enhance Data Governance. Ensure accountability through designated roles/teams, data governance committees or independent oversight bodies, data ethics frameworks and periodic audits to engage internal and external stakeholders regarding the sufficiency of data governance and related controls.
- Conduct Privacy Impact Assessments. New privacy laws and regulations are quickly raising the bar for privacy (and with it, consumer and regulator expectations). Use privacy impact assessments to analyze how information is collected, used and shared to identify privacy and security risks early and often.
- Improve Data Sharing Visibility and Controls. The use or sharing of personal data for safety or for value requires smart cities to maintain greater visibility of data movement (internal and with third parties) and more granular technical controls/capabilities to restrict sharing and use. Building trust requires greater individual and community input and choices.
- Identify & Segregate Different Use Cases. Review data collection and uses, and segregate data flows and data storage for those use cases requiring personal data from those that do not. Leverage de-identification techniques wherever possible (preferably at the time of data collection), data aggregation rules, and data access controls to minimize risk related to unauthorized use and disclosure. Consult industry resources on these approaches such as those from NIST and the FPF.
- Limit Data Access. Limit data access to designated individuals who understand the relevant risks and who have a legitimate business purpose. Establish robust provisioning and de-provisioning processes with periodic access reviews to identify and remove any individuals who no longer require such access or whose access has been abused.
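The provisioning, de-provisioning and periodic access review described in the last step can be expressed as a small decision procedure over the current grant list. The following is an added example written for this article, not tooling from any city or vendor; the user roster, the role-to-dataset purpose policy, the 90-day recertification interval and the grants are constructed assumptions. It separates grants that must be revoked now (the person has left, or their role no longer carries a business purpose for the dataset) from grants that are still valid but overdue for recertification.

```python
"""Added example: a periodic access review for smart city datasets. Not code from
the article's authors or any project; roster, policy and grants are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=90)      # assumed recertification cadence

# Assumed policy: which roles have a legitimate business purpose for each dataset.
# A dataset with no entry is default-deny: nobody keeps access to it.
ALLOWED_ROLES = {
    "trip_locations": {"traffic_planner", "privacy_officer"},
    "rider_accounts": {"support_agent", "privacy_officer"},
}


@dataclass(frozen=True)
class Grant:
    user: str
    dataset: str
    last_reviewed: date


def review_access(grants: list[Grant], roster: dict[str, str],
                  today: date) -> dict[str, list[tuple[str, str, str]]]:
    """Decide, for each grant, whether to revoke it or send it for recertification.

    roster maps each active user to their current role; a user missing from the
    roster is treated as departed. Each result tuple is (user, dataset, reason)."""
    revoke: list[tuple[str, str, str]] = []
    recertify: list[tuple[str, str, str]] = []
    for g in grants:
        role = roster.get(g.user)
        if role is None:
            revoke.append((g.user, g.dataset, "user no longer active"))
        elif role not in ALLOWED_ROLES.get(g.dataset, set()):
            revoke.append((g.user, g.dataset, f"role '{role}' has no business purpose"))
        elif today - g.last_reviewed > REVIEW_INTERVAL:
            recertify.append((g.user, g.dataset, "review overdue"))
    return {"revoke": revoke, "recertify": recertify}


def sample_review() -> dict[str, list[tuple[str, str, str]]]:
    """Run the review over a constructed roster and grant list."""
    roster = {"alice": "traffic_planner", "bob": "marketing_analyst", "carol": "privacy_officer"}
    grants = [
        Grant("alice", "trip_locations", date(2019, 8, 1)),   # valid role, recently reviewed
        Grant("bob", "trip_locations", date(2019, 8, 1)),     # moved to a role without purpose
        Grant("dave", "rider_accounts", date(2019, 8, 1)),    # departed; absent from roster
        Grant("carol", "rider_accounts", date(2019, 3, 1)),   # valid role, review overdue
    ]
    return review_access(grants, roster, date(2019, 9, 1))


if __name__ == "__main__":
    for action, items in sample_review().items():
        for user, dataset, reason in items:
            print(f"{action}: {user} on {dataset} ({reason})")
```

Running the review against the HR roster rather than against the grant list's own metadata is the point: de-provisioning driven by the roster catches departures and role changes that a self-reported "still needed?" email never will.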