The Dutch DPA issues recommendations for smart cities
The Dutch Data Protection Authority (DPA) has issued recommendations regarding the development of ‘smart city applications’. The recommendations are intended for municipalities which collect or intend to collect data in public spaces using smart sensors and measuring devices. The DPA’s advice is needed because municipalities do not always give sufficient consideration to privacy legislation, even though this is essential for smart city applications that process personal data of citizens. Using poorly developed applications can infringe on the freedom of local residents and visitors. This can occur, for example, in situations where individuals are monitored in a public space in a way that is not necessary or permitted.
A municipality that uses this kind of technology can process personal data. For example, sensors or other types of measuring equipment can be used to keep an eye on traffic flows and visitor numbers, or entertainment areas can be monitored to improve mobility and safety. The General Data Protection Regulation (GDPR) protects individuals against unnecessary or unauthorised collection or use of their personal data in public spaces.
Data in public spaces
‘The danger is that we are heading towards a surveillance society where you can’t walk down the street anymore without being monitored,’ says Monique Verdier, Deputy Chair of the Dutch DPA. ‘While the use of technology can give municipalities a better understanding of the use of public spaces, we need to be mindful of the price local residents and visitors pay for this. What impact does the collection of their data in a public space have on their freedom? Who can access the data and what can it be used for? What types of information can be linked to each other? The technical possibilities are infinite, but there are ethical and legal limits.’
Major differences between smart cities
The DPA looked at the extent to which municipalities use smart city applications and how they protect the personal data of residents and visitors when developing and implementing them. The use of such applications varies greatly from city to city. Some municipalities are at the forefront of the development of smart city applications and are using new technologies to this end. But there are also municipalities that use few of these applications, if any at all. This difference is determined, among other things, by the size of the municipality and the particular challenges it faces.
The Municipal Council
Municipal councils should also be alert to issues relating to digitalisation and the use of smart city applications. They need to have sufficient knowledge and information about smart city applications in order to be able to properly perform their oversight task. For example, municipal councillors can ask their internal privacy supervisor – the Data Protection Officer (DPO) – how privacy can be safeguarded and what risks there are for people visiting, living, or working in their municipality.
The Netherlands has a lot of technological knowledge and innovative strength. Municipalities can make good use of this in order to develop privacy-friendly smart city applications, provided this technology is truly necessary for solving a problem in the public space. If a problem can be solved without the use of technology and data, then the municipality should explore these less intrusive options.
Monique Verdier: ‘Technology can help us solve our problems and make cities more inhabitable and safer. But we have to organise it in such a way that it does not cause all kinds of new problems and create a sense of insecurity. Administrators and officials must treat the public’s rights and freedoms with the utmost respect. This means taking their privacy into consideration every step of the way when developing a smart city. Let privacy be the starting point of innovation, not the end point.’
In order to safeguard the privacy of residents, the DPA recommends taking the following aspects into account with respect to the development of smart city applications:
- Ensure that the basic principles of the GDPR are respected.
- Often, it is mandatory to draw up a risk analysis, known as a data protection impact assessment (DPIA), for smart city applications. A DPIA helps assess whether the data processing is lawful and what potential risks there are. Consider publishing the DPIA; that way, members of the public know what is being done to safeguard their privacy.
- Create policies for the development and use of smart city applications and translate them into practical tools that can be used for implementation.
- When purchasing products and services, be critical about whether they comply with the GDPR. A supplier may claim that they do, but in the context of your municipality, is that really the case?
- As a municipality, investigate how to gain insight into the sensors placed in public spaces by third parties and share this information with citizens.
- Provide enough staff and resources in order to organise privacy within the municipality. Ensure that the internal privacy supervisor, the DPO, can perform their role properly.
- Use the knowledge of members of the public in identifying risks. They know their own neighbourhoods the best and can help reflect on the effects of a technical application.
These recommendations were made with the help of various experts and independent reflections from Waag, imec-CiTiP/KU Leuven and imec-SMIT/Vrije Universiteit Brussel (SPECTRE Project/Smart City Privacy: Enhancing Collaborative Transparency in the Regulatory Ecosystem).