Urban growth, combined with the development of digital technology, has led to the recent boom of smart cities worldwide. Smart cities make use of all available information and communications technology in the built environment to control their operation and, in this way, to enhance quality of life and drive economic growth. This phenomenon also raises legal issues regarding data protection. The key questions that smart cities already face concern the rights and treatment of data. Currently, further to the Data Protection Directive 95/46/EC, each Member State of the EU has in place its own legislation to govern data protection. This translates into a lack of harmonisation within the European Union, which does not help bring the Member States closer together. The introduction of the EU General Data Protection Regulation 2016/679 (GDPR) on 25 May 2018 aims to change this: it shall be directly applicable as is and shall not require different legislation in each country, thus requiring all smart cities and related businesses throughout the EU to ensure their treatment of data complies with the same set of provisions. Therefore, since smart cities are the cities of the future and legal compliance shall be a cornerstone of their operation, the objective of this paper is to examine the relationship between smart cities and data protection under the emerging common EU legal framework and the effect it has upon them.
Data protection in smart cities application of the EU GDPR
1. 4th Conference on Sustainable Urban Mobility – CSUM2018
24-25 May, 2018, Skiathos Island, Greece
Data Protection in Smart Cities:
Application of the EU GDPR
Maria Stefanouli & Chris Economou
2. Skiathos Island, GREECE
24-25 May 2018
THE SKIATHOS PALACE HOTEL
Data Protection in Smart Cities: Application of the EU GDPR
Introduction
• Information and technological revolution
• Smart devices and Internet of Things
• Huge volume data exchange
• Smart cities – great production of data
• Concerns for the respect and the protection of privacy
Data Protection Directive 95/46/EC
• Aim:
  ― harmonize the different European frameworks in this area,
  ― protect individuals in personal data processing situations.
• Did not achieve harmonization, as it is only a Directive.
• By all accounts, it is outdated and redundant.
EU General Data Protection Regulation 2016/679
• Simply known as “GDPR”.
• Will replace Directive 95/46/EC on 25 May 2018.
• Looks to the future:
  ― open inclusive wording,
  ― clearer rules & solid requirements.
• Overall, improves data protection.
• As a Regulation, offers harmonization.
• Such good news that even the UK will adopt its principles.
LEGAL FRAMEWORK CHANGES BY THE GDPR (1/5)
• Greater geographical coverage:
  ― EU-based controllers/processors carrying out processing outside EU.
  ― Controllers/processors outside EU processing data regarding goods/services provided to EU data subjects.
  ― Controllers/processors outside EU monitoring the behavior of EU data subjects.
• New and improved definitions: e.g. pseudonymization and location data.
LEGAL FRAMEWORK CHANGES BY THE GDPR (2/5)
• Processors will also be covered, aside from controllers.
  ― Both are liable for damage.
  ― In cases of joint controllers/processors, each one is held liable for the entire damage.
• Must provide transparency of processing.
• Need to demonstrate compliance.
• Provide easy access to understandable information regarding processing and controller/processor.
LEGAL FRAMEWORK CHANGES BY THE GDPR (3/5)
• Data Protection by Design and by Default
  ― Designing and constructing systems with privacy in mind.
• Notification of:
  ― supervisory authority of any breach to any personal data (within 72 hours from becoming aware of the breach),
  ― concerned data subject (however, exceptions exist, e.g. if data lost poses no risk),
  ― the controller of any data breach, by the processor.
LEGAL FRAMEWORK CHANGES BY THE GDPR (4/5)
• Data Protection Impact Assessment
  ― Must be carried out prior to risky operations in order to evaluate those cases better.
• Consultation with supervisory authority needed only if:
  ― the Data Protection Impact Assessment shows that a high risk is present,
  ― the supervisory authority requests it.
LEGAL FRAMEWORK CHANGES BY THE GDPR (5/5)
• Data Protection Officer
  ― Liaises with supervisory authority and advises on compliance.
  ― Required to have one if:
    ― processing is carried out which requires regular and systematic monitoring of data subjects,
    ― special categories of data processed,
    ― the processing is carried out by a public body.
• Increased fines: max
  ― €20 million
  ― 4% of the annual global turnover
SMART CITIES
• 75% of European population lives in urban areas
• Transition from the digital city to the smart city
• Smart cities: Cities which widely use Information and Communication Technology (ICT)
SMART CITIES
• The data derived from smart cities: Big Data, high volume, variety, velocity and value
• Various smart transportation services are delivered (provision of real time and multi-modal public transportation information, smart traffic lights, intelligent traffic management etc.)
• Commuting is a real challenge of smart transportation
• Smart mobility initiatives well presented in non-Nordic Northern Europe, Spain, Hungary, Romania and Italy
PRACTICAL IMPLICATIONS OF THE GDPR (1/6)
PRACTICAL IMPLICATIONS OF THE GDPR (2/6)
• Keep processing to the minimum necessary.
  ― Decide exactly what data is needed, whether it is within the scope of the GDPR and in what format it will be stored.
  ― Pros: savings in storage, speedier use and easier and more complex analysis.
  ― Smart card/pass: biometric data (photograph, height),
  ― Smart traffic lights & real time driving guidance: only location data.
• Purchase/develop/amend measures and systems according to Privacy by Design and Default.
  ― Smart systems: invest in new systems designed with privacy in mind and as a default
PRACTICAL IMPLICATIONS OF THE GDPR (3/6)
• Develop processes to:
  ― quickly find any breach,
  ― find what has been damaged,
  ― find which user has been affected,
  ― notify affected user/supervisory authority/controller,
  ― identify potentially risky situations,
  ― effectively undertake Data Protection Impact Assessments.
  ― Smart card/pass: required Data Protection Impact Assessments because of sensitive personal data.
• Provide training through seminars and exercises.
PRACTICAL IMPLICATIONS OF THE GDPR (4/6)
• Draft/revise codes of conduct.
• Join organizations promoting data security, which will start emerging.
• Seek seals of approval, certificates and advice from relevant organizations.
  ― Data Protection Officer certification.
• Decide on the appointment of a Data Protection Officer.
  ― Smart traffic lights and real-time driving guidance: Data Protection Officer since processing involves systematic monitoring (usually by a public body such as the municipality).
  ― Same for smart card/pass
PRACTICAL IMPLICATIONS OF THE GDPR (5/6)
• Data subjects:
  ― Adopt processes so they have easy access to data held, e.g. dedicated section.
  ― Draft data so it is understandable to them.
  ― Adopt processes so they can exercise their rights.
  ― Easy application to organization handling smart cards/passes requesting erasure, quick procedure to erase upon request.
• If consent is required, it should be fully informed consent.
  ― Fully inform data subject.
  ― Have easy consent form to be completed.
  ― During issuance of smart card/pass, consent should be requested and provided.
PRACTICAL IMPLICATIONS OF THE GDPR (6/6)
• Review/draft contracts with processors to ensure GDPR compliance.
  ― Smart traffic lights: the municipality (controller) assigns processing to outside agency and reviews/drafts contracts accordingly.
• Document all systems/procedures/incidents.
  ― Electronic application for each request for erasure or guide as to what to do in a breach.
• If data is to be transferred outside EU, additional safeguards should be in place.
  ― Safeguards: who will carry out an audit beforehand and what will be taken into account, possible authorization by supervisory authority and who/when will request it.
Conclusions
• Each of the big cities needs to leverage smart technology solutions
• The great amount of produced and shared data raises an increasing focus on privacy protection
• The GDPR will affect every organization that controls or processes data, as well as the data subjects
• Smart city services have to comply with the GDPR
• The GDPR increases obligations for entities that process personal data, but it also aims to encourage a Digital Single Market across the EU
• The GDPR plans to promote innovation, as long as organizations use the suitable shields.
19. Contact Details
Maria Stefanouli, MSc Civil Engineer, PhD student UTH
mstefanouli@gmail.com
Chris Economou, LL.M, Lawyer
chris.economou@outlook.com
If you are interested in reading more papers:
https://www.researchgate.net/profile/Maria_Stefanouli/publications