Securing access to large volumes of personal data from city inhabitants and establishing a clear framework for its use sits at the core of many smart city projects. Significant aspects of the smart city concept rely on the collection and analysis of mass data from citizens, their devices, urban sensors and utilities. Such data in turn can be used to manage traffic, transport networks, power supply and public services more efficiently.
A recent in-depth, global survey by White & Case of senior professionals and investors working in the smart city space found that opinion is still split when it comes to data sharing. The research indicates that the COVID-19 pandemic has prompted many to rethink their attitudes toward sharing personal data when it is used to manage public health and provide essential services and infrastructure. However, hesitancy to share personal data remains an obstacle to smart city adoption and data protection laws are a minefield that must be navigated.
Post-Brexit: how has data protection compliance changed?
Data sharing is the foundation of smart cities implementation
Access to the types and volumes of data required to deliver many smart city projects is an ongoing challenge. Data privacy laws, such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), have put tight restrictions in place on consent and the usage of personal data.
In highly regulated jurisdictions like the EU or the UK, the situation is particularly complex. Even when individuals are willing to share data, companies may be unable to use such data to the fullest extent, as regulations are often highly prescriptive and the use of personal data is frequently limited to specific purposes. In the US, the sector specific and disjointed nature of the framework, with varying requirements at both the state and federal level, create overlapping and sometimes inconsistent obligations on companies in providing notice and choice to individuals regarding the use of personal data.
White & Case’s research suggests that we are still some way off the universal buy-in required for smart city projects to be able to take full advantage of the available data. Only 40% of respondents say they would be comfortable sharing personal data to see improvements in this area. Meanwhile, 17% of those surveyed identified the sharing of data to enable the use of new technology as the largest obstacle to smart city rollout.
COVID-19 catalyst for attitude shift
The urgency of the COVID-19 crisis has seen governments, companies and individuals reappraise the balance of personal privacy and serving the wider public good. COVID-19 has given all stakeholders the impetus to use and share data more frequently and widely than before the pandemic.
Government agencies, for example, have been more willing to share sensitive, proprietary data with each other to fight the virus. Data sharing between the private and public sector has also been more fluid. The UK government shared National Health Service patient records with tech groups Google, Amazon, Palantir and Faculty, who were contracted to collate data from healthcare and social care groups and build a COVID-19 data store. In Australia, ANZ Banking Group fed anonymised transactional data into the New South Wales Government’s Data Analytics Centre, which was used to understand the economic and social impact of COVID-19. In the US, active regulators such as the Department of Health and Human Services explicitly declined to enforce certain notice and consent requirements under existing health information laws such as the Health Insurance Portability and Accountability Act (HIPAA) to encourage the sharing of critical health data to facilitate the response to COVID.
Indeed, the sharing of data during the pandemic has been an essential pillar of the defence against the virus, creating more awareness among the public of how data sharing can benefit society. The UK COVID Symptom Tracker used data shared by just under four million individuals to discover that loss of taste and smell were among the main symptoms of infection.
White & Case’s survey reveals that 42% of respondents said they would now be willing to accept reduced privacy for better services. One respondent to the White & Case survey said, “COVID-19 has brought to the fore the debate around data sharing for the public good. For many, this is the kind of extraordinary event that warrants relaxing policies in an attempt to keep people safe.”
The challenge will be to capitalise on the momentum behind data sharing and put the legal frameworks in place to facilitate mass data transfer and availability, in order to enable smart city initiatives to fulfil their potential.
Smart cities are coming: getting ahead by reducing software vulnerabilities
Navigating data sharing protocols
Clarifying exactly which aspects of city management and planning can be addressed with data-led smart city methodologies is an important step when assessing what data is required. Urban planners may find that many smart city solutions can be delivered without the collection of personal data, avoiding the need to invest huge sums of capital in complex data handling protocols. To the extent that the necessary data can be collected without any links to individuals, that would avoid many of the compliance hurdles that apply to the use of personal data. However, due to the increasingly broad definitions of “personal data” and equivalent concepts in emerging privacy laws around the world, the collection of genuinely anonymous datasets is a significant legal and technological hurdle – and in some cases is simply not feasible.
Setting precise parameters for how data can be used and how long it will be available is one option moving forward. For the COVID-19 datastore, for instance, the NHS made it explicit that data could only be used for COVID-19 purposes, and it would be returned or destroyed by contracted firms upon the project’s completion.
There is also scope for personal and sensitive information to be scrubbed from data sets. Mobile phone companies in Italy, Germany and Austria supplied anonymous, aggregated pools of location data to health authorities to help them gauge compliance with lockdowns and restrictions on movement.
Governments could also facilitate easier data flow between organisations, as observed when competition authorities eased rules for inter-company information sharing to sustain supply chains through the COVID-19 disruption period. This approach is consistent with other approaches taken during COVID-19 to relax data privacy restrictions, often justified on the basis that such actions are in the interest of the public. The open banking initiative, which has allowed for the opening of customer account information and transactions to trusted third parties, and relaxed data privacy restrictions during COVID-19 could serve as a future framework under a “public interest” justification for data sharing.
Opinion is still divided on whether such initiatives would be sufficient to sustain data sharing at the scale needed for smart city projects, or whether a re-assessment of some existing data rules is necessary. White & Case found that 43% of participants believed data privacy laws would have to be relaxed to proceed with rollouts, with 39% saying this wouldn’t be necessary.
In either scenario, winning public trust that data will be used appropriately and for wide public benefit will be essential for smart city buy-in.