Smart cities pose 'fit for purpose' questions for data regulation
Published on 17th Aug 2022
The EU and UK need to balance the protection of individual rights and allowing for innovation in data-intense environments
Often described as "the new oil", the significance of data has long been recognised in many industries – and the built environment is no exception. Although the sector has been slower to realise the value of data and adopt data-driven technologies, these are now hugely significant in urban dynamics, particularly in relation to smart cities. This increasing reliance on data and technology raises questions about whether data regulation is "fit for purpose" and whether the law helps or hinders smart cities.
Smart cities rely heavily on innovative data-driven technologies like digital twins and the Internet of Things, and leverage data-driven insights to gain efficiencies. A recently published report, commissioned by Osborne Clarke in partnership with the European Company Lawyers Association, found that over 70% of respondents in the built environment sector already offer data-driven products and services and that nearly 70% of them plan to collect, analyse, process and sell raw data as a commodity.
Internet of Things devices and digital twins in cities constantly capture data about the building or area in which they are installed in an attempt to gain insights about how it operates and identify ways in which its performance or efficiency can be improved. These machine-to-machine technologies draw data from sensors that can be embedded into assets such as buildings, vehicles, objects, infrastructure and gather information about anything from traffic flows and footfall to pollution and electricity outages.
However, there are technologies that are considered more intrusive due to their use of personal data. These can prove controversial. In 2019, plans to use facial recognition technology at the King's Cross development met with public protest and were scrapped. In July this year, the UK privacy rights group Big Brother Watch lodged a complaint with the Information Commissioner's Office against Southern Co-operative's "Orwellian" use of facial recognition technology in some of its supermarkets. Days seem numbered for these technologies, however, with plans for a complete ban on facial recognition in public spaces in the European Union.
Non-personal data use
While the use of non-personal data is generally significantly less regulated than personal data, the European Commission has presented a proposal for an EU Data Act, which seeks to establish a cross-sector governance framework for data access and use. This could fundamentally change the regulation of data-driven business models in the EU.
The outlined proposals aim to foster innovation and create complementary data-driven business models – and significantly, would apply to personal and non-personal data. It would apply to manufacturers of connected products and providers of related services sold in the EU, including movable items incorporated in an immovable object and has clear relevance to sensors, the Internet of Things, smart buildings and other connected machinery infrastructure.
The legislation would require manufacturers of these products and providers of related services to make data generated through their use easily accessible to the user (whether a business or consumer). Users can then provide the data to third parties or use it for their own purposes.
As this is only a proposal, its effect and any unintended consequences are yet unknown. It could act – depending on the business – as an opportunity or an obstacle in the built environment. Companies that rely on data stemming from connected products will be able to provide better services, while those that try to leverage proprietary knowledge and data about their products or services to lock out competitors may face new challenges. What is certain is that if it comes into force then businesses, even where non-personal data is being processed, will be subject to constraints or will face, at the least, new considerations about how they use data.
Personal data: the 'usual' rules
A lot of data generated from smart cities is non-personal; however, inevitably, much of it will be personal. The processing of personal data has been heavily regulated for years, including by the General Data Protection Regulation (in both EU and UK law), the UK's Data Protection Act 2018 and the European e-Privacy Directive (and the regulations implemented under it).
There are a number of important tenets to this suite of laws governing personal data with which smart cities operators need to comply. These include:
- Data must be processed lawfully, fairly and in a transparent manner. In practice, this means that a privacy notice must be published that gives individuals sufficient and adequate information about the way in which their personal data will be used.
- Data must be processed for a specific purpose.
- The data processed must be minimised as far as possible, must be accurate and kept up to date, and must not be retained for longer than is necessary.
- Organisations must have a lawful basis for processing personal data; for example, consent, that the processing is necessary for the performance of a contract or that the organisation has a legitimate interest in processing the data. Any organisation carrying out "high-risk processing" (which would include the processing of biometric data, such as CCTV recordings) must conduct data protection impact assessments (DPIAs) to identify and minimise the risk of the processing activity.
- Individuals have certain rights in respect of the data being processed; for example, the right to be informed about the processing and the right to access the data.
Developments in Europe
In the Netherlands, for example, the Dutch Data Protection Authority (DDPA) recently found, following extensive investigations, that municipalities do not always give sufficient consideration to privacy legislation when using or developing applications for smart cities. The municipalities were found to use poorly developed applications that infringe on the privacy and freedom of local residents and visitors. The DDPA has, therefore, issued recommendations regarding the development of smart-city applications, intended for municipalities that collect or intend to collect data in public spaces using smart sensors and measuring devices. The DDPA has encouraged municipalities to create specific policies for the development and use of these applications and to publish their DPIAs.
CCTV is another prevalent technology in smart cities and is used to capture biometric data, which has special protection under EU and UK data regulation. A recent report published by the Ada Lovelace Institute considers in detail the use of surveillance and access systems, including CCTV and facial recognition, and the collection of biometric data. It sets out various policy recommendations regarding the use of such data, including the introduction of new laws and regulatory oversight and enforcement. Last month, France's data protection authority (CNIL) implemented a specific regulation in relation to augmented CCTV technologies. As well as compliance with existing GDPR obligations, CNIL also requires strict technical safeguards regarding, for example, automatic deletion of personal data, anonymisation of images, short retention periods and irreversible blurring of images.
IP rights, ethics and security
While compliance with such data regulation is critical to avoid heavy penalties, businesses also need to be sure that they have the necessary intellectual property (IP) rights to use the data. Much of the data generated will be proprietary (especially data generated from the energy and transportation sectors), but will often then be sold or licensed to third parties. Anyone using data in this way, whether the licensor or the licensee, must ensure that they are granting or being granted valid rights to use the IP rights in the data (typically, this is likely to be copyright or, in some cases, database rights).
Real estate businesses involved in smart cities have historically been reluctant to share data and IP generated from their projects. However, through better governance and specific agreements with, for example, energy providers, local transportation and other authorities, and other smart cities businesses, there is certainly scope to overhaul this traditional, more cautious model relating to IP and access to data.
Aside from these legal considerations, there are ethical considerations to the processing of personal and non-personal data. The question of data ethics has come into sharp focus in recent months and businesses ignore that at their peril. Society is increasingly data conscious and "reputation is king", so businesses should ask themselves whether it's fair to gain competitive advantages using data obtained from users without their knowledge. Consent has been touted as a highly ethical lawful basis for data processing in the built environment sector, but there are some significant practical challenges. Implementing robust data security protocols will also be vital to guard against cyber-security attacks, which in turn will have reputational benefits.
Osborne Clarke comment
There is a balance to be struck between allowing businesses to be nimble and innovative and protecting the rights of individuals and preventing businesses unethically profiting from data. Some businesses may see the regulatory regime as stifling their ability to use data freely. But most will acknowledge and accept the intention of data regulation, which is to protect the rights of people whose data is being used and ensuring businesses are accountable for their data-processing activities.
The current suite of data regulation sets out a comprehensive and relatively clear, if somewhat bureaucratic, framework for the way in which data can be used in a smart cities context. If implemented, the EU Data Act will doubtless present challenges and opportunities for those in the built environment sector. The UK government has recently outlined its vision for data protection reform, which would, ostensibly, aim to reduce barriers to responsible innovation and create greater flexibility and more proportionate and targeted compliance measures.
It will be interesting to see whether divergence from the EU regime will allow for further innovation and support in the UK market or whether the UK will find itself drifting further away from its European neighbours. And will divergence have an impact on the existence of the Commission's current adequacy decision for the UK and, therefore, on the legal basis for European businesses to transfer personal data to the UK?