Smart Cities in North America: How can Informed Consent work? (Part 2)

The emergence of new technologies is promising to help local government better manage urban environments, as well as deliver services in more efficient and effective ways. But what about the cost of making these communities more sustainable, comfortable, and fair?

Living in a digitally connected “smart city” inevitably involves the collection and processing of large amounts of data – including citizens’ personal information. How will this impact the privacy rights of its residents?

In this second part, we look at how smart cities affect citizens’ privacy – and what can be done to minimize risks to personal privacy.

Most people living in North America today are already interacting with internet-connected devices, both at work and in their homes. But it’s the devices in our homes which represent the most potentially intrusive threat to our personal privacy.

On the surface, the rapidly expanding array of smart devices available can provide convenient and easy ways to remotely control our homes, from smart speakers that enable us to ‘ask’ for our favorite music to be played – to dimming or changing the colors of the lights. We can turn up the heating or air conditioning while on our way home, and we can record our route, performance and body stats with a fitness tracker.  A friend of mine who has a home in France can even open up the pool and set the water temperature to coincide with their arrival for summer vacation.

But here’s where a problem lies. No matter how cool we think they are, these new technologies do not provide privacy notices and the opportunity to decline consent to the collection of data, in the same way as when we’re surfing the web.

When we engage with online platforms, particularly social media services, there is at least a vague awareness of crossing the threshold into the domain of that platform. This awareness provides a vital ‘alarm bell’ that helps us decide whether or not we wish to give our consent to the collection and use of our personal data – and also to consider the possible consequences.

Lilian Edwards is an academic in internet law at the University of Strathclyde, UK. Ms. Edwards notes that smart cities actually decrease the level of consent in the Internet of Things (“IoT”):

“While consumers may at least have theoretically had a chance to read the privacy policy of their Nest thermostat before signing the contract, they will have no such opportunity in any real sense when their data is collected by the smart road or smart tram they go to work on, or as they pass the smart dustbin.”

Introducing her 2015 working paper titled Privacy, security and data protection in smart cities: a critical EU law perspective, Edwards makes the following opening statement:

“Smart cities” are a buzzword of the moment. Although legal interest is growing, most academic responses, at least in the EU, are still from the technological, urban studies, environmental and sociological, rather than legal sectors, and have primarily laid emphasis on the social, urban, policing and environmental benefits of smart cities, rather than their challenges, in often a rather uncritical fashion. However, a growing backlash from the privacy and surveillance sectors warns of the potential threat to personal privacy posed by smart cities. A key issue is the lack of opportunity in an ambient or smart city environment for the giving of meaningful consent to processing of personal data; other crucial issues include the degree to which smart cities collect private data from inevitable public interactions, the “privatisation” of ownership of both infrastructure and data, the repurposing of “big data” drawn from IoT in smart cities and the storage of that data in the Cloud.

Many writers on this subject are saying that if city dwellers are expecting their interactions in smart cities to mirror the interactions they already experience when visiting websites and using social media platforms, they will likely have a rude awakening. Sadly, many people will be grossly misinformed about the level of control they have over the personal information they unwittingly share.

Does your right to choose what personal information you exchange for services disappear once you enter a smart city?

In early 2015, the Spanish city of Barcelona was ranked the “world’s smartest city” and hailed as “an exciting model of success” that other cities can learn from.

UK research company, Juniper Research, ranked Barcelona based on an analysis of each city’s ‘smart’ capability, with a particular focus on:

  • smart grid

  • smart traffic management

  • smart street lighting

Other aspects such as technological capability and social cohesion were also taken into account.

According to Juniper, Barcelona “performed consistently well across all metrics and serves as an exciting model of success from which others can learn, bolstered by strong environmentally sustainable initiatives.”

Following Barcelona in the 2015 Juniper rankings were:

  • New York City (Ranked 2nd)

  • London (Ranked 3rd)

  • Nice (Ranked 4th)

  • Singapore (Ranked 5th)
    (However, this accolade didn’t last long, as Singapore claimed the top spot one year later.)

At first glance, Barcelona seems like a typical Mediterranean city, with nothing unusual, that is, until you spot the curved plastic shields fixed to the 30ft high lampposts, each containing some metal boxes.

These boxes are not what they might appear, i.e. regular electricity meters. In actual fact, they are cleverly configured computer systems, set up to measure noise levels, traffic, pollution, crowds and even the number of selfies posted from the street.

This is the future of Barcelona, and in many ways, this could be the future for us all. The lamppost hard drives are just one “unusual” feature of the street. When you cast your eyes down, you might even notice the digital chips plugged into garbage bins, or maybe the circular-shaped sensors embedded in the road surface of parking spaces.

Not all cities playing ‘follow the leader’

Interestingly, two years earlier, in 2013, the City of London, UK, asked a company to cease using recycling bins to track the smartphones of passers-by.

BBC News published a story revealing that Renew London had fitted devices into 12 “pods”, which feature LCD advertising screens, to collect footfall data by logging nearby phones.

The City of London Corporation took the issue to the Information Commissioner’s Office (“ICO”). The action followed concerns raised by privacy campaign group Big Brother Watch, after details of the technology used in the bins emerged in the online magazine Quartz.

The bins, which are located in the Cheapside area of central London, log the media access control (MAC) address of individual smartphones – a unique identification code carried by all devices that can connect to a network. A spokesman for the corporation said:

“Irrespective of what’s technically possible, anything that happens like this on the streets needs to be done carefully, with the backing of an informed public.”

This example illustrates the fact that local government is not always in control of the technologies that might be installed as part of a smart city project. Private companies often play a major role in the design, operation and maintenance of smart cities. Contractors with the relevant knowledge and expertise are needed because city corporations and local authorities simply do not have these skills in-house.

Tech companies that are brought in to build new infrastructure stand to make a killing financially. Big names like IBM, Cisco, and Microsoft, who have invested heavily in developing and manufacturing pieces of the infrastructure, view cities as a significant key to growth. It is estimated that by 2023 technology companies will turn over approximately $27.5 billion per year in smart-city business.

Unsurprisingly, as a result of their deep involvement in the delivery of smart city solutions, private companies will continue to assume a great deal of control over the volume and type of data being captured, stored and used. So, how can citizens know for sure whether their personal information is being controlled by the local authority, or by a private company which could potentially identify individuals and then share, or sell, the collected data to third parties?

Controlling the data controllers – and minimizing privacy risk

Major areas of concern regarding smart cities are to do with the ownership, processing, use, and security challenges that connected devices and smart city infrastructures create. As cities continue to develop and utilize new technologies, it is inevitable that they will collect and store many different types of data, from an individual’s movements and preferences, to their daily activities – all in the name of making cities increasingly smarter.

This prompts a fundamental question:

How will this data, which we unwittingly share, be exploited, both now and in the future?
And, most importantly, how can citizens be protected from such exploitation?

When the average person enters a smart city, they are unlikely to know a) what personal information is being collected, and b) who is collecting it.

Knowing precisely what information is being collected about us is an established requirement of informed consent. Knowing who is collecting and using our personal information was not such an issue, until the rising development of smart cities.

As yet, current protection laws such as California’s Consumer Protection Act (“CCPA”) and the EU’s General Data Protection Regulation (“GDPR”) do not go far enough to a) protect data which is collected via mobile devices and apps within the context of smart cities, and b) protect the privacy of individuals who could be adversely affected by intrusive target-marketing or, much worse, a data breach.

It is therefore incumbent on every country’s data privacy regulators to determine how their own privacy legal systems will respond to these issues, as smart city projects continue to emerge.

Do you live in a smart city? Submit your comments and opinions on this topic.

Sources: Fortune.com, iapp, SmartCitiesCouncil

Peter Borner
Executive Chairman and Chief Trust Officer

As Co-founder, Executive Chairman and Chief Trust Officer of The Data Privacy Group, Peter Borner leverages over 30 years of expertise to drive revenue for organisations by prioritising trust. Peter shapes tailored strategies to help businesses reap the rewards of increased customer loyalty, improved reputation, and, ultimately, higher revenue. His approach provides clients with ongoing peace of mind, solidifying their foundation in the realm of digital trust.

Specialises in: Privacy & Data Governance
