Smart Cities and Privacy

At their core, smart cities involve tons of data and an intelligent network of connected devices transmitting this data. This creates big privacy challenges and risks.

Simply put, a smart city is described as a town, district or area which incorporates digital technology and data across all municipality functions in order to improve government services and enhance the way of life of its citizens.

Categories of data that a Smart City may collect are presented as follows:


Traffic data, waiting times, crowd management, smart cars, parking


Climate and weather, pollution, waste management

Citizens' civil information

Census, elections, work

Education and health

School grades, absenteeism, number of doctor appointments/year, most common illnesses

Entertainment and consumption

Shops, theaters, cinemas (most/least popular ones, time and money citizens spend)

Security and surveillance

CCTV, police data

“The collection, usage and interconnection of this level of data is exactly why Smart Cities create big privacy challenges and risks,” says Aphaia Partner, Cristina Contero.

Presenting at the 8th International Conference on Fibre Optics in Access Networks (FOAN2019) in Sarajevo last week, Cristina highlighted two significant data privacy issues:

Legitimate basis for processing; and
Security measures to protect information.

Identifying the legitimate basis to process data

While most of the data collected and used in smart cities will be aggregated data, Cristina says that there is a risk, more so in small cities, that individuals may be indirectly identified in smart cities due to the sheer amount of data and crossed sources.

“How many citizens of 28 years, with a red car, who live next to this particular neighborhood, have two small children and are diabetic might there be in a city with 20.000 inhabitants? Maybe not as many as we could imagine,” she offered.

As a result, in the setup of Smart Cities, compliance with the GDPR's requirement for a lawful basis is essential.
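The indirect-identification risk described above can be measured before datasets are joined or released. The following is an added example, not code from the original post or from Aphaia: it applies k-anonymity (a standard measure the post does not name) to a constructed set of resident records, and all field names and values are assumptions.

```python
from collections import Counter

# Constructed sample: each row is one resident as seen after joining several
# city data sources (census, parking, school, health). No real data.
RESIDENTS = [
    {"age": 28, "car": "red",  "district": "North", "children": 2, "diabetic": True},
    {"age": 28, "car": "red",  "district": "North", "children": 2, "diabetic": False},
    {"age": 28, "car": "red",  "district": "North", "children": 0, "diabetic": False},
    {"age": 28, "car": "blue", "district": "North", "children": 2, "diabetic": False},
    {"age": 28, "car": "blue", "district": "South", "children": 1, "diabetic": False},
    {"age": 41, "car": "red",  "district": "South", "children": 2, "diabetic": True},
    {"age": 41, "car": "red",  "district": "South", "children": 2, "diabetic": True},
    {"age": 41, "car": "blue", "district": "South", "children": 0, "diabetic": False},
    {"age": 41, "car": "blue", "district": "South", "children": 0, "diabetic": False},
]

def class_sizes(rows, quasi_ids):
    """Count how many rows share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in rows)

def k_anonymity(rows, quasi_ids):
    """Smallest group size: k == 1 means at least one person is unique."""
    return min(class_sizes(rows, quasi_ids).values())

def rows_below_k(rows, quasi_ids, k):
    """Rows whose quasi-identifier combination is shared by fewer than k people."""
    sizes = class_sizes(rows, quasi_ids)
    return [r for r in rows if sizes[tuple(r[q] for q in quasi_ids)] < k]

def risk_as_sources_are_crossed(rows, ordered_ids, k):
    """Add one attribute at a time and report (attributes, k, rows below k)."""
    report = []
    for i in range(1, len(ordered_ids) + 1):
        ids = ordered_ids[:i]
        report.append((ids, k_anonymity(rows, ids), len(rows_below_k(rows, ids, k))))
    return report

if __name__ == "__main__":
    order = ["age", "car", "district", "children", "diabetic"]
    for ids, k, exposed in risk_as_sources_are_crossed(RESIDENTS, order, k=2):
        print(f"{'+'.join(ids):45} k={k} rows below k=2: {exposed}")
```

Each attribute on its own looks harmless, but the group sizes shrink with every source that is crossed; rows returned by `rows_below_k` are the ones to generalise or suppress before release.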

According to the GDPR, there are six lawful bases:

(a) Consent.

(b) Performance of a contract.

(c) Legal obligation.

(d) Vital interests.

(e) Public interest.

(f) Legitimate interest.

According to Cristina, it is most likely that a government's legitimate basis regarding the setup of a smart city will fall under public interest.

Public interest can apply either when:

it is a specific task carried out in the public interest which is laid down by law; or
it is an official authority's activity (for example, a public body's tasks, functions, duties or powers) which is laid down by law.

Cristina also explained that, in order to rely on public interest, the Government first has to:

document the decision that the processing is necessary for them to perform a task in the public interest or exercise their official authority;
identify the relevant task or authority and its basis in common law or statute; and
include basic information about the purposes and lawful basis in the privacy notice.

Security Challenges

Large amounts of data, multiple stakeholders, and the gathering/sharing of data in real time are all sources of privacy risk in Smart Cities.

“To this end, it is imperative that the economic resources to prevent or address security breaches are identified and secured even before a smart city is developed,” says Cristina.

Setting up an insecure Smart City structure will be much more costly in the long term than doing it properly from the very beginning. And if you do not have the resources to do it at the beginning, then do not do it.

In keeping with the GDPR, Governments will also have to implement technical and organizational measures to ensure a level of security appropriate to the risks.

Meanwhile, Cristina offered that the adoption of a three-layered security approach can go a long way in further helping Smart Cities secure their networks and prevent/minimize security breaches such as hacking.

“Helpful security models include a layered approach, which features a system where all smart network devices have a unique identifying number and they operate within three layers of security:

data protection application for the server (to identify malicious content);

data scrutiny layer (as a firewall to protect servers); and

secure smart software for devices (to prevent malicious software from being installed on the devices).”

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing.
