Legal aspects of the new Smart Cities

Written on 4 Nov 2014

The growing importance of Big Data compels us to speak not only about the advantages that this phenomenon brings to society but also about the risk it could pose in relation to some fields such as privacy or data protection. Smart Cities present a significant challenge to current legislation and provide a framework in which the use of Big Data will become a common concept for our society.

By Big Data we refer to a concept encompassing the handling and analysis of sets of data so large and complex that it becomes difficult to process them using traditional data processing tools.

The term Big Data is becoming more popular worldwide and it is gaining increasing importance and presence in various areas. Forms of communication such as the M2M “machine-to-machine” or those used by individuals generate huge amounts of data, which because of their volume, variety and speed, essential features of any Big Data project, are difficult to classify and store using traditional tools. Information contained in these communications encompasses more than just acts of communication between individuals, such as communications within the IT architecture of a company, communications necessary for the processing of payments with credit cards, etc.

Thus, the information and communication technologies (ICT) are essential to respond to the daily challenges of the cities, allowing us to manage the information generated by citizens more efficiently. In other words, Big Data has become the “Rossetta Stone” of the Smart Cities since it is expected to allow an effective management of them.

However, the development of Big Data may pose major challenges to privacy and data protection issues and, therefore, certain key points must be borne in mind when analysing this concept and the information processing it entails.

In principle, data subject’s consent shall not be required when data is processed in a dissociated and anonymous fashion, that is, in those cases where such personal data cannot be associated to any identified or identifiable individual. Reference is made in the Spanish Data Protection Act and the regulations developing it (Ley Orgánica 15/1999 de Protección de Datos de Carácter Personal (LOPD)) to what they call “anonymisation process”. This regulation also defines what is understood as dissociated data. Nonetheless, questions in this regard usually arise as to whether a process to make personal data anonymous exists, that is to say, if there is a real anonymisation of an individual’s personal data that allows a proper disassociation of those data and ensures that such data cannot be associated back to any individual. The Spanish Data Protection Agency and the Article 29 Working Party ruled on this issue, the latter highlighting the fact that it is really difficult to create a truly anonymous dataset. The Spanish Data Protection Agency considers that, for an anonymisation process to be regarded as sufficient in the light of the Spanish Data Protection Law, it is necessary that no data can be re-associated to an identified/identifiable individual without making disproportionate efforts after the anonymisation process. Therefore, data controllers shall bear in mind that a set of anonymous data may entail inherent residual risks for data holders.

It must be borne in mind that, unless personal data are properly disassociated, the rules on data protection shall be fully applicable to the personal data processing carried out, from their collection to their deletion.

It is important to establish how the personal data are going to be collected and how the duty of information and the process of obtaining consent are going to be carried out. If data are collected directly from the data subject, mechanisms to inform him or her about the processing and purpose of the personal data, the party responsible for the data processing, whether the data are going to be transferred to third parties or how he/she may exercise his/her rights of access, rectification, opposition or cancellation, shall be implemented. Additionally, the data controller shall gain the data subjects’ consent by means of mechanisms ideally capable of evidencing that the consent was properly obtained. Smart cities projects will usually require the consent from personal data subjects insofar as the data processing (e.g. for statistical or analytical purposes) will tend to go beyond the legitimate purpose which motivated the collection in the first place (e.g. provision of a service, sale of a product).

Moreover, it shall be taken into account that if special categories of personal data are collected (e.g. data relating to eating habits, trade union membership, religious beliefs, ideology, sexual life) their processing will require implementing high level security measures and the express consent of the data subjects.

Other issues such as the data quality principle, according to which personal data should be relevant and proportionate to the purposes for which they are to be used, or the adoption of security safeguards principle must be borne in mind.

Pending of specific regulation on this issue, data controllers undertaking projects of the kind shall rely on the current legislation on data protection to address the specific particularities.