Legal Chronicle of a Smart City (Part 2): Legal Challenges of Smart Cities in the Era of GDPR
By Nicolas Lellouch
Posted on: 22/09/2023 14:40
In recent years, the fusion of city life with digital technologies has been finding its place in the 21st-century landscape. Smart cities are connected urban areas that integrate advanced technologies to enhance the quality of life for their residents, promote environmental sustainability, and improve the efficiency of urban services. These initiatives aim to address numerous contemporary urban challenges such as traffic congestion, pollution, energy management, security, and much more. However, the development of smart cities raises complex legal issues, particularly regarding the protection of personal data.
The definition of a 'smart city' remains highly conceptual and evolving. Initially, the 'smart city' aimed to infuse artificial intelligence into urban life, making the city connected through various processes derived from new technologies and the development of digital tools. The goal of the 'smart city' is to enable more efficient regulation of urban infrastructure, improve the comfort of residents, and enhance information dissemination to the public. The scope of this new mode of management is broad, and the French Data Protection Authority (CNIL) has attempted to delineate its boundaries, including public infrastructure (buildings, urban furniture, home automation, etc.), networks (water, electricity, gas, telecommunications), transportation (public transportation, smart roads and vehicles, carpooling, soft mobility - cycling, walking, etc.), e-services, and e-administrations.
Perfect illustrations of what a 'smart city' taken to its extreme could look like can be found in popular culture through numerous science fiction films, novels, and video games such as the highly successful title 'Watch Dogs®' by Ubisoft, immersing players in a globalized 'smart city' context. The smart city thus emerges as a city requiring active collaboration from its residents through citizen participation guided by territorial governance. Its objective is more comprehensive, encompassing environmental and social concerns within the framework of digital and technological densification.
It is therefore relevant to ask:
How does the GDPR influence the way personal data is collected, used, and protected in the context of 'smart cities'?
This second column draws inspiration from or synthesizes the insights of Adèle de Mesnard in Human Rights Review No. 21, specifically focusing on the concept of consent to data collection.
We will first see that I) Citizen consent is, in principle, required for data collection in a smart city, but II) it is limited and not always necessary in terms of legality of processing.
I) Citizen Consent in Data Collection in a Smart City
As a reminder, the French Data Protection Authority (CNIL) was established under the Data Protection and Freedom of Information Act of January 6, 1978. Its main mission is to protect personal data stored in computer systems or on paper, whether they belong to the public or private sector. Furthermore, it must ensure that information technology serves the citizens and does not infringe upon human identity, human rights, privacy, or individual and public freedoms. Regarding smart cities, it rightly questions the uncertainties and potential deviations associated with them and calls on the state to 'develop new forms of data regulation, respecting individuals and their freedoms.'
Indeed, smart cities employ numerous sensors, cameras, IoT devices, and other technologies to collect a multitude of data, from traffic patterns to consumer habits and citizen behaviors. Obtaining informed and explicit consent for each type of data collection in such a complex environment can prove challenging. However, adherence to this principle is essential to prevent potential abuses. For example, in several Chinese cities, facial recognition cameras are used to display photos and personal information of pedestrians crossing at a red light.
In the European Union, the General Data Protection Regulation (GDPR) serves as a safeguard for the protection of personal data to prevent abuses. So, how can we reconcile smart cities and the GDPR?
Let us recall that the GDPR 'clearly identifies the risks associated with the capture and processing of personal data, emphasizing data security and establishing the principle of accountability for data controllers.'
Article 5(1) of the GDPR outlines the key principles that data processing must adhere to (processing personal data lawfully, fairly, and transparently, collecting data for specified, explicit, and legitimate purposes, etc.).
Article 5(2) of the GDPR, on the other hand, states that 'the data controller is responsible for compliance with paragraph 1 and must be able to demonstrate compliance.' Therefore, the data controller bears the burden of proof.
The validity of consent in the context of 'smart city' projects faces several challenges. Article 7 of the GDPR not only requires that 'the data controller must be able to demonstrate that the data subject has consented,' but also that the consent request must be presented 'in a manner that is clearly distinguishable,' 'comprehensible and easily accessible, and formulated in clear and plain language.' These criteria are difficult to meet given the diversity and complexity of data collected in the context of smart cities. Moreover, concerns arise about the re-identification of individuals from aggregated data, reducing individuals to data without a clear understanding of the purposes, and the opacity of secondary data processing. Furthermore, ensuring the informed nature of consent is complicated by the uncertainty about identifying the data controller and the specific purposes of processing, as well as the difficulty of tracking the data collected to enable the exercise of data subject rights, such as the right of access, the right to rectification, the right to erasure, the right to restriction of processing, the right to object, and the right to data portability, as stipulated in Article 13 of the GDPR.
Finally, "Recital 42 of the GDPR specifies that 'consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.' How can we define this freedom of choice when the entire urban landscape and public spaces are saturated with sensors continuously collecting data?"
II) Consent Not Always Necessary in Terms of Lawfulness of Processing
However, today, these principles of systematic consent are much more limited because, "except in cases where consent must be obtained in advance (particularly in the case of 'sensitive data') stated in Article 9 of the GDPR, Article 6 establishes a dual regime for the processing of personal data: processing with consent and processing without consent."
The article introduces a new rule that explicit consent is no longer the sole legal basis for the processing of personal data as long as one of the conditions mentioned in the article is met, such as the following (non-exhaustive list):
- "The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority;"
The concept of public interest used in the GDPR, which differs from the notion of general interest in public law, raises questions. It remains vague because the text does not provide a precise definition of what constitutes a public interest task. The CNIL provides some examples, specifying that this legal basis mainly concerns processing carried out by public authorities and can apply in particular to processing related to their users. However, this ambiguity can make the understanding and application of this concept complex.
- "The processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, particularly when the data subject is a child." Note: "Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks."
In addition, "although it is expressly stated by the CNIL that legitimate interests can only be claimed in exceptional cases by public authorities in the performance of their tasks, the question of its definition still arises." The GDPR mentions that public authorities can invoke legitimate interests in exceptional cases for the performance of their tasks, but there remains uncertainty about its definition. The CNIL, in its documentation on legitimate interest, does not provide a clear definition, contenting itself with proposing a methodology for its evaluation. Similarly, the GDPR itself only gives a vague example of what legitimate interest could be, as in the case where the data subject is a customer of the data controller. It is up to the data controller to justify the existence of this legitimate interest, taking into account the reasonable expectations of the data subjects. This situation raises complex questions, especially in the context of the smart city, where the definition of what constitutes a legitimate interest can vary depending on the actors involved, both public and private, and the objectives of the project. The question of what citizens can reasonably expect in this context remains open, and it can be problematic to leave the decision of what constitutes a legitimate interest to the data controller. This raises complex issues because public and private actors may have divergent objectives, and the definition of what constitutes a legitimate interest remains unclear, especially in the context of smart city development.