The EU’s General Data Protection Regulation is bringing smart city data protection flaws into the spotlight.
As cities become “smarter” they retain more and more of their citizens’ data, leading to concerns about the security of smart city data protection measures; particularly in the wake of data breaches in private companies like Yahoo and – repeatedly – Facebook. GDPR has only exacerbated these concerns, as it throws into sharp relief the sheer scale of data collected and stored by smart city technologies.
Eva Blum-Dumontet, research officer at the NGO Privacy International, said: “People should always know that their data is being collected, and that these can be accessed and deleted. All the initiatives developed by a smart city should be carried out in the name of public interest and not in the [interest] of companies providing cities with the technologic infrastructure.”
Many smart cities, having been largely unprepared for the safety and privacy practices introduced with GDPR, are turning to the private sector for solutions. The appointment of a data protection officer, made compulsory for businesses and organisations by GDPR, has been a sticking point; as the role requires an individual with dual skills in IT and data protection law. Also of concern to smart city data protection operators attempting to comply with GDPR is the compulsory implementation of a local cyber security plan, which could cost smart cities hundreds of thousands of euros; but which is considered a necessity for the secure storage of data.
The city of Pamplona, Spain is a “lighthouse” city of the Stardust project, which develops smart energy, mobility and technology solutions to be integrated into urban areas. It has implemented smart city data protection software, under the supervision of a data protection officer, to protect the information it holds on citizens.
Luis Antonio Tarrafeta Sayas, who oversees Pamplona’s IT systems, said: “One of the initiatives is the implementation of an Open City Information Platform, which will combine and exploit all data by different administrative departments for managing urban infrastructure and services. This platform will help us to detect inefficiencies and propose straightforward solutions to citizens, private actors, researchers and other administrations.”
University of Zagreb GDPR specialist Goran Vojkovic said: “From the moment that a smart city wants to use the collected data in a public way, it has the obligation to transform personal data into aggregate anonymous data.” When implemented properly, he added, smart city data protection procedures can improve citizens’ trust in the process.