In the context of digitalization, the smart city is also being addressed in addition to the smart home. The Federal Ministry of the Interior, Building and Community (BMI), for example, launched a model project for this in 2019. According to the Federal Office for Information Security (BSI), a smart city is a city in which “intelligent information and communication technology (ICT) is used to increase participation and quality of life and to create an economically, ecologically, and socially sustainable community Data protection in smart cities.
The Berlin Group, the International Working Group on Data Protection and Technology (IWGDPT), recently published a working paper on smart cities . The Berlin Group’s chair is Prof. Ulrich Kelber, the Federal Commissioner for Data Protection and Freedom of Information (BfDI). This article describes the data protection requirements mentioned in the working paper that must be observed in smart cities.
Areas of application
The working paper outlines possible application areas in a smart city. Along the data flow, the steps “data collection,” “data analysis,” and the resulting “decisions” are listed.
Data collection and processing Data protection in smart cities
Data collection could occur, for example, in the usa business fax list following cases: through the use of sensors and communication networks such as Wi-Fi devices or other technologies that detect pedestrians’ mobile phones, video cameras, drones, and bicycle or scooter rentals. It is also conceivable that citizens’ data processed by public authorities could be processed for a purpose other than that originally intended. The BSI lists further areas of application on its “Smart City” overview page .
Data analysis
According to the working paper, the collected data could be used, for example, for intelligent traffic control or intelligent management of urban resources, including through artificial intelligence (AI). This would allow us to identify how people move through the city and where traffic volumes are high. It also states that the energy consumption of buildings could be determined.
Decisions Data protection in smart cities
After analyzing the data, buses and trains could be used more frequently during (expected) high traffic volumes. If it is determined that rental bikes and scooters are being used frequently, providers could procure more vehicles or the city could set up additional rental stations. Traffic light control could also be adjusted to the traffic volume.
Data protection requirements
To ensure the rights and freedoms of the data subjects are protected and to prevent unauthorized tracking of pedestrians, the processing operations this is very different from must be designed in compliance with data protection regulations. A review and, if necessary, a data protection impact assessment pursuant to Art. 35 GDPR (usually when using AI) is required before deployment. The recommendations in the working paper are aimed particularly at cities, system manufacturers, and supervisory authorities.
A negative example is Wi-Fi tracking in Enschede, where only a small portion of the MAC addresses were anonymized. The Dutch supervisory authority therefore decided that identification was still possible using time and location information, meaning the project was only carried out from 2017 to 2020. You can also read more about Wi-Fi tracking in our blog post .
Data protection principles
To prevent a data protection breach, data protection principles according to Art. 5 GDPR must be observed.
The procedures used should be fair and not discriminate against any population group .
The principles of data minimization and storage limitation are essential . During process development, it must be defined which personal data are required to fulfill the purpose so that the personal data can be limited to the necessary minimum. Collected data must be anonymized or deleted as quickly as possible, since often only the aggregated data is required for decision-making, e.g., traffic flow control. In London, for example, the organization Transport for London wanted to track how pedestrians moved through stations. The data was automatically anonymized immediately after collection.
In light of integrity and confidentiality, authorization concepts should describe which individuals and their roles are authorized to access personal data. Processing activities should be reviewed regularly, for example, when new IT components are added. Furthermore, the tools must be updated and should not have universal passwords. Finally, it is recommended that vendors provide a vulnerability detection policy.
The principle of transparency is also emphasized as important. Data subjects could be informed about data processing through various means, such as public discussion forums, local news, information points, and notices at squares and bus stops. A reference to additional information on the website is also recommended.
Further data protection aspects
Further points that must be observed include procedures that are designed to be data protection-friendly in accordance with the privacy-by-design requirement under Art. 25 GDPR. Appropriate technical and organizational measures must be marketing list implemented and constantly updated in accordance with Art. 32 GDPR. The Helsinki agreement plans to allow data subjects to manage consents for various applications via a platform.
At the organizational level, the drafting of guidelines is recommended.
The necessary contracts for order processing pursuant to Art. 28 GDPR or, if applicable, contracts for joint controllership pursuant to Art. 26 GDPR must be concluded with the service providers used.
The cities must be able to respond to inquiries from those affected, such as requests for information, within the deadlines .
Before the city can process personal data collected in the context of administrative work for other purposes, it must check whether this is compatible with the principle of purpose limitation or whether a change of purpose could be considered in accordance with Art. 6 (4) GDPR.
All processing operations involving personal data must be described in a register of processing activities in accordance with Art. 30 GDPR.
