Sharing personal data to build the smart city: legal ... · Interdisciplinary research on the...
Transcript of Sharing personal data to build the smart city: legal ... · Interdisciplinary research on the...
Sharing personal data to build the smart city:
legal barriers and enablers
Athena Christofi Legal researcher (CiTiP)www.spectreproject.be
THREE DECADES @ THE CROSSROADS OF IP, ICT AND LAW
OVERVIEW
1
2
3
SPECTREPROJECT AND
PARTICIPATORY DPIAs
SHARING PERSONAL DATA: VIEWS FROM (SMART
CITY) STAKEHOLDERS
LEGAL FRAMEWORK: CHALLENGES & SOLUTIONS
SPECTRE and participatory DPIAsEnhancing data protection in the smart city
Smart-city Privacy: Enhancing Collabora tive Transparency in the Regula tory Ecosys tem
Funded by the Flemish Research Associa tion (FWO)
Law, Communica tion s tudies and Economics - CiTiP (KU Leuven), SMIT and BUSI/APEC (VUB)
Interdisciplinary research on the potentia l of DPIAs to enhance privacy and da ta protection in the smart city
The smart city data protection complexity
Why a smart city case study?
• The public space cha llenge
• Transparency for diverse groups
• Data sharing adds an extra layer of (lega l) complexity
What do we understand as ‘smart city’, and what as (persona l) da ta ‘sharing’?
Smart city : no s ingle accepted definition, more a moving targe t.
“A smart city is a place where traditional networks and services are mademore efficient with the use of digita l and te lecommunica tion technologiesfor the benefit of its inhabitants and bus iness .” -- EC
Data sharing : no formal definition in the GDPR – certa inly a form ofprocess ing
“the disclosure of persona l da ta by transmiss ion, dissemina tion orotherwise making it ava ilable ” – ICO, Data sharing code of practice
Sharing personal data – views from s takeholders
“An entity wanted to take certa in da ta from a federa l se rvice for a project tha t would benefit the public. It was imposs ible as there a re secrecy and
confidentia lity requirements . A federa l se rvice could give the da ta to the federa l government but not the loca l government.”
“Sometimes we a re the party tha t could give da ta , but it’s very difficult because there a re a lot of procedures . We are in be tween the two, we
want to he lp but we cannot.”—Persona l da ta protection in Smart Cities
Roundtable Report (Sept. 2019)VUB-SMIT Data Protection on the Ground
Sharing personal data – views from s takeholders
“Common concerns about da ta sharing:The code a lso clears up misconceptions about da ta sharing and barrie rs
to sharing. The a rriva l of the GDPR and DPA in 2018 appears to have
caused some concern amongs t organisa tions about da ta sharing.”—Information Commiss ioner's Office (ICO)
Data sharing code of practiceDraft code for consulta tion (July 2019)
• Privacy vs utility, or in other words, individual vs the collective need for ba lance
• Need to diffe rentia te among diffe rent scenarios :
• Public entity public entity• Private entity public entity• Public entity private entity• LE purpose non-LE
purpose
Does the lega l framework provide a ba lanced approach?
Legal frameworkArticle 8 of the Charter: a fundamental right to data protection
Mind the Charte r!• Hierarchica l pos ition, tool for the ‘correct’ inte rpre ta tion of secondary laws• Standa lone right to the protection of persona l da ta in Article 8• The right’s essence or core is control
CONTROLIndividua l control
Control a rchitectures
Dilutes when persona l da ta a re
shared
The GDPRLawfulness principle
There needs to be a lawful bas is for the da ta sharing (assessment by the ‘sender’organisa tion)
o Obta ining consent for the sharing is idea l, but can be unworkable in asmart-city context
o What about public task and legitimate inte res ts?
“Processing is necessary for the performance of a task carried out in the public interest or in the exerciseof officia l authority ves ted in the controlle r” The bas is for the process ing […] sha ll be la id down byUnion law or MS law
Stra ightforward when it comes to the collection and use of persona l da ta within a certa in (s ingle)authority: tax authority, whose lega l powers are provided by (na tiona l) law processes da ta on income& tax re turns and crea tes a database .
Sharing is more complex: public task of Authority (x) –tax- and public task of Authority (y) –municipality- diffe r
• Express s ta tutory powers to share can be ra re
• Implied lega l powers?
Need to cons ider foreseeability!
The GDPRPublic task (Art. 6(1)(e) GDPR)
Legitimate interests (Art. 6(1)(f) GDPR)
Legitimate interests: processing is necessary for the purposes of thelegitimate interests pursued by the controller or by a third party
Legal basis does not apply to processing carried out by public authorities inthe performance of their tasks:
o Public authority Public authority = Noo Public authority Priva te entity = ?
The GDPR
Art. 6 (2) GDPR enables MS to mainta in or introduce more specific provis ions to adaptthe applica tion of the public task lega l bas is .
UK Digita l Economy Act (2017)
• Gives public authorities powers to share pe rsona l information across organisa tionalboundaries to improve public se rvices trans form the digita l trans formation ofgovernment, enable be tte r public se rvices , world leading research and be tte rs ta tis tics
• Concepts of ‘specified person’ and ‘specified objectives ’ scrutiny but a lsoflexibility on the sharing entities and sharing objectives
Could na tiona l law he lp address the uncerta inties?The example of UK ’s Digital Economy Act
ANPR data for the smart city
ANPR data – the Belgian caseLaw ’s limitations in practice
Sharing can enable many useful smart city use cases , but does the law a llow it?
• As process ing of ANPR data by the police is embedded in a law enforcement context,the s ta rting point is Directive (EU) 2016/680
• Under the LE Directive and its BE implementa tion, further process ing of data initia llycollected for a law enforcement purpose , for a new purpose that is not law enforcementre la ted mus t be authorized by na tiona l law (Art. 29(2) Data Protection Act)
When it comes to the lega l bases to process personal da ta and the purpose limita tion principle , the Directive is more res trictive than the
GDPR, given the sens itivity of process ing in a police context
Belgian Act regulating the powers of police
Art. 44/11/7: permits the disclosure to administrative police authorities , if thedisclosure is needed for them to exercise the ir legal missions .
Legal miss ions are defined within the Police Act (Art. 14): In the exe rciseof the ir adminis tra tive policing duties , (the police services ) ensure themaintenance of law and order, including compliance with police laws andregula tions , the prevention of offenses and the protection of persons andproperty (Public Order functions)
Art. 44/11/10: permits disclosures for research purposes to certain researchinstitutes . It requires however a Royal decree to define which are these ins titutestha t can process the da ta .
ANPR sharing restrictions• Sharing only to the loca l (police ) authorities what if a smart city project is
implemented collabora tive as PPP?
• Sharing only for ‘public order’ purposes , a concept tha t is more narrow thanthe concept of ‘public inte res t’ would this cover smart city projects a imeda t improving livability, the environment or improving the city’s economicprosperity?
The way forward?
• Public acceptance of the ‘smart city’ idea is growing – see results of SmartCity Meter 2019 (imec – Flanders & Brusse ls )
• Nationa l law can he lp provide more certa inty for sharing among publicauthorities express lega l ga teways
• Data sharing codes of practice by DPAs, templa tes of da ta sha ringagreements
• Trus ted third parties for pseudonymisa tion/ anonymisa tion
Thank you!
Please, share your thoughts – this is work in progress