How will Europe’s new data laws affect cities?

Jonathan Andrews spoke to three smart city leaders from across Europe about the possible impact the new GDPR laws could have on their data collection and operation

Do you view the new GDPR rules as a positive for cities?

Jamie Cudden, Smart City Program Manager, Dublin City Council

Yes. Overall, GDPR rules are a positive development for cities and citizens. They provide much-needed clarity around the purpose of personal data collection, how data is used and how long data will be retained for. They give citizens more control over their personal data and the ability to opt out at any time. These rules will put in place much better safeguards and rights for citizens.

From a city perspective, being GDPR-compliant builds consumer confidence in the organisation. Similarly, engaging with companies that are GDPR-compliant provides trust that an organisation is a good data custodian. Having a GDPR-compliant framework lays the groundwork for improving data security throughout the organisation.

Data inventories conducted for GDPR compliance will highlight legacy data, duplicated data and inconsistent data which can be consolidated or discarded by the organisation. This will reduce data storage and maintenance costs.

In addition, cities will have a much more comprehensive and up-to-date catalogue of data which can be utilised to drive innovation, decision-making and improve services throughout the organisation.

Konstantinos Champidis, Chief Digital Officer, City of Athens

It is legitimate for large organisations to treat data protection as a threat or even as a headache. However, I have a completely different approach. Yes, compliance with the new regulation will be tortuous and painful for large organisations, but we will now be able to operate within a clear legal framework, without ambiguity.

In the past, amendments and ex-ante interventions on projects were required because of the complex or inadequate national data protection framework. Both in Germany and Greece, problems have been caused by the arrival of Google’s Street View service. This was, of course, due to both the modernity of the service and the different national data protection frameworks across Europe.

We will now have a unified and predetermined process for protecting personal data in Europe. This is something positive for cities.

To put it another way: it is better to know beforehand how strict a framework is, rather than to ascertain the need for compliance afterwards.

Francesca Bria, Chief Technology and Digital Innovation Officer, City of Barcelona

We clearly see that business models that rely on the collection and commercial exploitation of personal data are broken. They can have a negative impact on democracy, transparency and citizens’ trust. We need alternative digital infrastructures that are privacy enhancing and can guarantee data sovereignty of citizens, giving them back control over their data.

In this way, cities can develop data commons and become custodians of the digital rights of citizens. The GDPR is a huge step forward in this direction since it is based on important principles such as privacy by design, data portability, and the right to be forgotten.

How have the new GDPR laws affected the way you collect data and your ‘smart city’ strategies?

Cudden

The laws have certainly changed the conversations that we have with smart city solution providers–especially in relation to their business models, monetisation strategies and their data processing procedures.

For the city, this means being transparent about what data we are collecting, how we are using it and what the benefit is for the citizen or the city. However, there is a concern that innovation may be inhibited due to greater restrictions on the purposes for which data is being collected, for example, with the creation of applications or use cases for new applications that weren’t initially considered at the outset of the data collection process. Companies will need to improve anonymisation and pseudo-anonymisation techniques as part of their data processing protocols.

Each smart city project will now be evaluated to identify any personal data management risks and necessary mitigation strategies before the project has begun. Data protection impact assessments will be conducted where information processes involve personal information to ensure compliance with GDPR.

From a technology perspective, GDPR will help drive growth in edge computing, particularly in video analytics and anonymisation algorithms across a whole range of use cases.

Champidis

The truth is that they really affect our city and the way we collect data. All possible information and data that we collect is subject to GDPR laws: registry numbers, email accounts, photos from traffic cameras, or even MAC addresses through Wi-Fi networks. The regulation certainly does not prohibit the collection of all this data, but does affect the way it is collected, maintained or deleted.

Smart city strategies are inherent in data, private or public. They relate to how we collect data, how we open up the data we use, and the data we produce. So smart cities are affected in many ways by the GDPR laws. The big challenge is not just to comply for the day-to-day running of cities, but to incorporate GDPR rules into the strategy for the digital transformation of the city. Therefore, the key point is that we need to incorporate GDPR into our strategy.

Bria

We are very proactive in the application of the GDPR. For us it represents an opportunity to create a city data infrastructure that puts citizens’ rights to data at the centre. I have created a new Municipal Data Office that responds directly to the mayor of Barcelona and is led by a new Chief Data Officer.

We have also appointed a Chief Data Protection Officer and introduced a new data directive that is implemented across city hall that includes transparency, ethics, security and privacy as fundamental principles. This helps us to have all the processes in place and align the organisation to be able to make sure the GDPR laws are properly implemented. We are also starting to look at accountability of automated decision systems and algorithmic processes. We need robust practical frameworks to strengthen ethics and accountability of automated systems.

What uncertainties still remain over the interpretation of the new laws?

Cudden

There are many legitimate reasons that cities collect and store personal data: for safety and security purposes, to provide customised services, or to help better understand movement and flows across the city. We will have to see what the impact is of GDPR on these legitimate data collection purposes. For example, will cities be able to continue to leverage Wi-Fi networks and beacons to measure flows of people and traffic?

There will need to be more discussion and clarity on the rules of processing and anonymisation in this regard. As mentioned earlier, new innovations in pseudo-anonymisation and anonymisation will need to be validated as being GDPR-compliant. Who will take on this role?

There are certainly going to be some landmark cases across European cities that will bring clarity on some of these less obvious areas that involve high technology innovation.

Champidis

It is not easy to note all the uncertainties that still exist. I think the challenge is not just compliance with the regulation but the change of culture in large organisations such as cities. Changing culture is not only about public officials or executives, but also citizens–the big challenge is for citizens to understand the need to protect their personal data, and to understand the necessity of GDPR rules.

Bria

There are always open questions on laws and norms. We need to make sure that GDPR doesn’t hinder innovation, but promotes data-driven innovation while making sure citizens’ rights are respected. The competitive advantage of Europe in the future world of AI and data should be this rights-based democratic framework, a new deal on data that can shape a people-centric digital future and make GDPR a global standard.

How is GDPR affecting your open data policy and the opportunity to open datasets for developers?

Cudden

It’s brought data management to the fore and increased awareness around the organisation. Audits conducted by each department have provided a detailed catalogue of data collected by the organisation. This catalogue can be used to further drive the open data policy if given the chance.

Open data by its nature contains no personal data, however GDPR has made people and departments think twice before they release datasets. A frustrating trend relates to a small but increasing minority hiding behind the legislation as an excuse not to open data. Through increasing awareness, education and building use cases to highlight the value Open Data can bring to the organisation, Smart Dublin will continue to push the open data agenda to enable innovation.

Champidis

I am optimistic. In Greece there is a fairly good and effective open data framework, and Athens Open Data is already fully aligned. Therefore, I do not think we will face a major problem.

Bria

We are clearly promoting open data, open standards, free software and interoperability. We see data as a critical common infrastructure of the city that should be open for local entrepreneurs and citizens that can access it and use it to create future data-drive and AI-driven solutions that can deliver long-term public value.

At the same time, we want to make sure the data is collected and used guaranteeing the data sovereignty of citizens. That’s why through the DECODE project (https://decodeproject.eu) we are implementing a decentralised data infrastructure based on blockchain with enhanced cryptography so that citizens are able to control their data and decide what data they want to keep private, what data they want to share, with whom and on what terms.