The Personal Data Authority (AP) publishes recommendations for the development of so-called smart city applications. The recommendations are intended for municipalities that collect or plan to collect data in public spaces with smart sensors and measuring devices. The AP's recommendations are necessary because municipalities do not always give sufficient consideration to privacy laws while this is essential precisely for smart city applications involving the processing of citizens' personal data. After all, poorly developed applications can be at the expense of the freedom of residents and visitors to that municipality. For example, when citizens are followed in public space in a way that is not necessary or not permitted.
A municipality that deploys technology may process personal data in the process. With sensors or measuring devices, for example, traffic flows and visitor numbers are measured or entertainment areas are monitored to improve mobility and safety. The privacy law - the General Data Protection Regulation (AVG) - protects people from unnecessary or unauthorized collection or use of their personal data in public spaces.
Monique Verdier, AP vice president: "There is a danger that we are moving toward a surveillance society where you can no longer walk the streets unconstrained. While the use of technology can give municipalities more insight into the use of public space, this should not be done without considering the price paid by the residents and visitors of that municipality. How does collecting their data in public space relate to their freedom? Who can access all that data and what can it be used for? What information may be linked together? The technical possibilities are endless, but there is a limit to what is ethically and legally permissible."
The AP looked at the extent to which municipalities use smart city applications and how they protect the personal data of residents and visitors when developing and deploying them. The differences in the deployment of smart city applications are great. Some municipalities lead the way in the development of smart city applications and deploy new technologies for this purpose. But there are also municipalities that use no or very few smart city applications. This difference is determined in part by the size of the municipality and its issues.
City councils must also be keen on digitization and the deployment of smart city applications. They must have sufficient knowledge and information about smart city applications to properly perform their monitoring task. For example, city council members can ask their internal privacy supervisor - the Data Protection Officer (FG) - how privacy is safeguarded and what risks there are for people living, working or visiting their municipality.
The Netherlands has a lot of technological knowledge and innovation power. Municipalities can make good use of this to develop privacy-friendly smart city applications. At least, if that technology is actually needed to address a problem in public space. Because where a problem can be solved without the use of that technology and data, a municipality should explore this often less intrusive option.
Monique Verdier: "Technology can help us solve our problems and make the city more livable and safer. But we must arrange it so that they do not themselves create all kinds of new problems and feelings of insecurity. Administrators and officials must take citizens' rights and freedoms extremely seriously. That means that they actually include their privacy in every step of the development toward a smart city. Let privacy be the starting point of innovation, not the capstone."
To ensure the privacy of residents, the AP points out the following aspects, among others, when developing smart city applications:
Make sure the basics of the AVG are in place.
Preparing a risk analysis, called a data protection impact assessment (DPIA), for smart city applications is often mandatory. A DPIA helps assess the lawfulness of data processing and potential risks. Consider publishing the DPIA; citizens will then know how their privacy is safeguarded.
Create policies for the deployment of smart city applications and translate them into practical tools for implementation.
When purchasing products and services, be critical of whether they are AVG compliant. A supplier may claim that, but in the context of your municipality, is it really?
Explore how you as a municipality can gain insight into sensors placed in public spaces by third parties and share this information with citizens.
Provide sufficient people and resources to organize privacy within the municipality. Pay particular attention to ensuring that the internal privacy supervisor, the FG, can properly perform his or her role.
Use the knowledge of citizens when identifying risks. They know their own living environment best and can contribute ideas about the consequences of a technical application.
The recommendations were created with thanks to various experts and independent reflections from Waag, imec-CiTiP/KU Leuven and imec-SMIT/Free University Brussels (SPECTRE Project/Smart-city Privacy: Enhancing Collaborative Transparency in the Regulatory Ecosystem).
Download the research report here.
