The smart city is a broad term. From the sensor in the rubbish container to crowd-control via security cameras; technology today offers municipalities many opportunities to make the best use of public space. With many of these kinds of smart city solutions, personal data are processed and therefore there is an effect on the privacy of the 'user'. In practice, municipalities do not always have the necessary knowledge and skills to deploy new technologies in a proper and privacy-friendly way. A recent example is the municipality of Enschede. This municipality was fined by the Personal Data Authority (AP) in April this year for improper use of WiFi tracking.
To support municipalities, the AP published recommendations on smart city applications this summer. In this article, we discuss the main recommendations.
The AP already sees many municipalities going wrong when determining the legal basis. For example, when using personal data in public spaces. Municipalities often use the basis "performance of a task of general interest or exercise of public authority" (Art. 6(1)(e) AVG). In many cases, the legal task a municipality has is not sufficiently specific to use personal data on that basis. The general statutory task 'management of public space' does not give a municipality carte blanche to process an extensive set of personal data.
Municipalities will always have to consider what processing of personal data citizens can expect (foreseeability) and whether this is actually necessary data. In addition, municipalities are expected to be more transparent in the development and application of smart city solutions. In concrete terms, this means that municipalities will have to better inform residents about the processing.
A second problem identified by the AP is the 'reuse' of personal data for new or different purposes. Example: Cameras used for enforcement purposes are also used for pressure measurements. There is then 'continued processing'.
Based on privacy laws, continued processing is allowed under conditions. The 'new' processing must then fit within the original purpose for which the personal data is initially processed. Municipalities must therefore always test new processing of personal data already present. The AP indicates that 'foreseeability' also plays a role here. For example, to what extent can citizens expect their personal data to be processed for the new purpose?
The (non-)conduct of Data Protection Impact Assessments (DPIAs) are also an issue for municipalities. By municipalities, a DPIA is often still seen as a 'paper tiger'. If used properly, a DPIA can actually contribute to quickly and efficiently gaining insight into (i) what exactly the concrete processing involves, (ii) the interests that need to be considered and (iii) the risks. In addition, it is important to periodically review a DPIA if the processing or the technology involved in a processing changes.
Another important point described in the AP's report is the timing of a DPIA. Often, it starts with a pilot. This is followed by a review of any privacy risks. This is an incorrect sequence, unless the pilot phase only involves working with fictitious data.
Municipalities are often active in partnerships. Think, for example, of collaborations with youth welfare organisations, housing associations or police. The parties working together often fall under different legal frameworks under which they are allowed to process different types of personal data.
However, organisations cannot simply exchange this collected personal data, but this does happen in some cases. There is often a lack of knowledge about whether data exchange is lawful and which parties are processors/controllers. In projects like this, it is important to be clear in advance to all parties which personal data may and may not be shared. This may also differ for each party in the partnership.
The AVG includes many provisions aimed at increasing transparency. This also applies to personal data processed in public spaces. However, municipalities will not always be the processing party for this data (think, for example, of camera surveillance on a business park, which films part of the public road). For residents, however, the municipality is the logical first point of contact. In this regard, the AP notes that municipalities currently do not have a good overview of where personal data in public space is processed by private parties.
Sensor register
One initiative deployed by a number of municipalities are so-called 'sensor registers'. These are public registers that residents can access to see what sensors and applications (such as cameras) are present in public spaces. These include sensors from both private and public parties. The register is maintained by the municipality. By keeping such a register, it is clear to residents where personal data is processed. Several municipalities are investigating the possibility of establishing a sensor register by law. The AP's study shows that, for example, the municipality of Amsterdam intends to introduce a notification requirement for sensors in the apv, and the municipality of Utrecht has a notification requirement to report cameras in public spaces. The national police also offers a national camera register (on a voluntary basis).
In brief, the concerns raised above boil down to two issues:
In an increasingly digitised society, these are key questions that municipalities must continue to address. A (very appropriate) final recommendation from the AP that ties in with this is that residents should be more involved in decision-making on smart city applications. Ultimately, the smart city should not only work for the municipality, but also for the resident.
Questions or need guidance on privacy issues? We are happy to be your discussion partner. Do not hesitate to contact us.