Netherlands: Dutch Data Protection Authority guidance on smart cities

In July 2021, the Dutch Data Protection Authority, Autoriteit Persoonsgegevens ('AP'), published their guidance for smart cities and the development of smart city applications. This guidance is intended for municipalities in the Netherlands that plan to, or currently, collect and process personal data in a public space with the use of smart sensors and measuring equipment. The AP has deemed this guidance necessary as municipalities in the past have not always paid sufficient attention to the applicable privacy legislation, such as the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Chantal van Dam and Femke van der Eijk, of Hogan Lovells, discuss the guidance in this article.

Definition of Smart Cities and Smart City Applications

'Smart city applications' are to be defined as 'the collection and processing of (personal) data on or in a public space through the use of sensors, technology, or other applications'. These techniques can be used to gain insight into public spaces, analyse development possibilities, or enable new techniques for managing public spaces.

A wide range of smart city applications fall under this definition, such as Wi-Fi or Bluetooth tracking, both mobile and worn cameras, and sensors for the collection of data such as traffic or noise.

As for the term 'smart city', the AP finds this to encompass all public spaces in the Netherlands, including villages, nature, and agricultural areas, that make use of smart city applications.

Recommendations

In its report, the AP issues its recommendations for those municipalities planning to and currently making use of smart city applications. These recommendations can be grouped into the following:

GDPR Compliance

Municipalities must ensure that all processing of personal data by means of smart city applications is necessary, proportionate, and complies with the data protection principles of the GDPR. This means, amongst other things, that municipalities must ensure that:

  • all processing is lawful and fair;
  • personal data is only processed for legitimate, specified, and explicit purposes;
  • only adequate, accurate, and relevant personal data is collected and used which is strictly necessary for the purposes for which it is collected; and
  • data subjects are adequately informed of the processing of their personal data.

The AP cautions against using smart city applications for purposes other than initially envisioned. They stress that municipalities must make sure that for each new purpose there is a review of whether that purpose is specified, explicit, and legitimate in compliance with the GDPR.

Data Processing Impact Assessment

The AP stresses that a Data Protection Impact Assessment ('DPIA') must be performed prior to implementing smart city applications and should be periodically reviewed and amended. The use of these applications satisfies several of the criteria that the European Data Protection Board's DPIA Guidelines indicate may necessitate an assessment. These criteria include data processing on a large scale, innovative use of or the application of new technological solutions, and systematic monitoring.

Preparing a DPIA is an important undertaking that assesses whether the processing of personal data through smart city applications is lawful, necessary and proportionate, determines which risks are present and which measures must be taken to mitigate these risks, and acts as a tool to provide internal and external accountability for the choices made in regard to the use of the applications.

The AP sets out that when performing a DPIA, municipalities should:

  • keep in mind that GDPR compliance also needs to be reviewed in pilot phases, including performing a DPIA if necessary;
  • pay attention to anonymised data if it is used, and critically review whether the data cannot identify a data subject;
  • be transparent to the data subjects regarding which parties are considered the controller and processor when the processing is conducted by multiple parties;
  • publish the DPIA and related policies if possible; and
  • involve the data subjects by seeking out their opinions, especially when the potential risks are considered high.

Policy

The AP recommends that municipalities develop policies for the deployment of smart city applications in their cities as opposed to establishing data protection frameworks for each smart city application individually. These policies should include concrete steps to be taken in practice.

In addition, when developing such policies, the municipalities should consider if the goals that they want to achieve by employing smart city applications can be achieved through another (possibly non-digital) manner. The thoughts and opinions of citizens should also be included in such considerations.

Similarly, municipalities should gain insight into the sensors placed in public spaces by third parties and consider the possibility and desirability of implementing conditions prior to the deployment of such sensors. These insights should be shared with the relevant citizens.

Role of the City Council

The AP encourages municipalities to involve the City Council. The Council should be given sufficient knowledge and information on smart city applications, and other aspects of digitalisation, so that they may effectively carry out their democratic task (to supervise the College of mayors and aldermen). In order to achieve this, municipalities can consider involving experts on the topic.

The AP further suggests that municipalities explore the possibility of appointing a specific alderman for digitalisation.

Sufficient Resources

It is essential that municipalities dedicate sufficient people and resources to organising and implementing a privacy framework. They should ensure that the privacy professionals, especially the data protection officer, can fulfil their roles properly. The AP is assured that this will aid in contributing to a positive development climate in which applications are developed according to the principle of Privacy by Design.

Developments in practice

The AP singles out Mobility as a Service ('MaaS') projects as a current practice in need of review. MaaS refers to mobility projects that seek to improve transport and mobility to better serve local residents. These projects often employ smart city applications as a digital means to facilitate mobility. As a result, digital infrastructure may record potentially personal data such as transport movement, which has the capability to identify individuals.

With this in mind, the AP advises municipalities to outline necessary standards for personal data practices when selecting technology suppliers and issuing licences to MaaS providers. The AP proposes rejecting applications where the provider lacks an easily accessible privacy statement, has not implemented right to be forgotten mechanisms, or provides insufficient clarity on the purpose and necessity of data processing. Further considerations may include a supplier's commitment to Privacy by Design. Such permits should be reviewed periodically, as should the requirements themselves.

Conclusions

The AP highlights a municipality's responsibility at every stage of the development and implementation of smart city applications. The AP also emphasises the role of the citizen, in particular the need to consult and include local residents on the deployment of smart city applications. Finally, the AP reiterates the obligations of municipalities under the GDPR. This includes, but is not limited to, a continuous assessment of privacy implications, implementation of Privacy by Design procedures and adherence to data protection principles.

Chantal van Dam Senior Associate
Femke van der Eijk Paralegal
Hogan Lovells, Amsterdam
