Sharing personal data to build the smart city:

legal barriers and enablers

Athena Christofi Legal researcher (CiTiP)www.spectreproject.be

THREE DECADES @ THE CROSSROADS OF IP, ICT AND LAW

OVERVIEW

1

2

3

SPECTREPROJECT AND

PARTICIPATORY DPIAs

SHARING PERSONAL DATA: VIEWS FROM (SMART

CITY) STAKEHOLDERS

LEGAL FRAMEWORK: CHALLENGES & SOLUTIONS

SPECTRE and participatory DPIAsEnhancing data protection in the smart city

Smart-city Privacy: Enhancing Collabora tive Transparency in the Regula tory Ecosys tem

Funded by the Flemish Research Associa tion (FWO)

Law, Communica tion s tudies and Economics - CiTiP (KU Leuven), SMIT and BUSI/APEC (VUB)

Interdisciplinary research on the potentia l of DPIAs to enhance privacy and da ta protection in the smart city

The smart city data protection complexity

Why a smart city case study?

• The public space cha llenge

• Transparency for diverse groups

• Data sharing adds an extra layer of (lega l) complexity

What do we understand as ‘smart city’, and what as (persona l) da ta ‘sharing’?

Smart city : no s ingle accepted definition, more a moving targe t.

“A smart city is a place where traditional networks and services are mademore efficient with the use of digita l and te lecommunica tion technologiesfor the benefit of its inhabitants and bus iness .” -- EC

Data sharing : no formal definition in the GDPR – certa inly a form ofprocess ing

“the disclosure of persona l da ta by transmiss ion, dissemina tion orotherwise making it ava ilable ” – ICO, Data sharing code of practice

Sharing personal data – views from s takeholders

“An entity wanted to take certa in da ta from a federa l se rvice for a project tha t would benefit the public. It was imposs ible as there a re secrecy and

confidentia lity requirements . A federa l se rvice could give the da ta to the federa l government but not the loca l government.”

“Sometimes we a re the party tha t could give da ta , but it’s very difficult because there a re a lot of procedures . We are in be tween the two, we

want to he lp but we cannot.”—Persona l da ta protection in Smart Cities

Roundtable Report (Sept. 2019)VUB-SMIT Data Protection on the Ground

Sharing personal data – views from s takeholders

“Common concerns about da ta sharing:The code a lso clears up misconceptions about da ta sharing and barrie rs

to sharing. The a rriva l of the GDPR and DPA in 2018 appears to have

caused some concern amongs t organisa tions about da ta sharing.”—Information Commiss ioner's Office (ICO)

Data sharing code of practiceDraft code for consulta tion (July 2019)

• Privacy vs utility, or in other words, individual vs the collective need for ba lance

• Need to diffe rentia te among diffe rent scenarios :

• Public entity public entity• Private entity public entity• Public entity private entity• LE purpose non-LE

purpose

Does the lega l framework provide a ba lanced approach?

Legal frameworkArticle 8 of the Charter: a fundamental right to data protection

Mind the Charte r!• Hierarchica l pos ition, tool for the ‘correct’ inte rpre ta tion of secondary laws• Standa lone right to the protection of persona l da ta in Article 8• The right’s essence or core is control

CONTROLIndividua l control

Control a rchitectures

Dilutes when persona l da ta a re

shared

The GDPRLawfulness principle

There needs to be a lawful bas is for the da ta sharing (assessment by the ‘sender’organisa tion)

o Obta ining consent for the sharing is idea l, but can be unworkable in asmart-city context

o What about public task and legitimate inte res ts?

“Processing is necessary for the performance of a task carried out in the public interest or in the exerciseof officia l authority ves ted in the controlle r” The bas is for the process ing […] sha ll be la id down byUnion law or MS law

Stra ightforward when it comes to the collection and use of persona l da ta within a certa in (s ingle)authority: tax authority, whose lega l powers are provided by (na tiona l) law processes da ta on income& tax re turns and crea tes a database .

Sharing is more complex: public task of Authority (x) –tax- and public task of Authority (y) –municipality- diffe r

• Express s ta tutory powers to share can be ra re

• Implied lega l powers?

Need to cons ider foreseeability!

The GDPRPublic task (Art. 6(1)(e) GDPR)

Legitimate interests (Art. 6(1)(f) GDPR)

Legitimate interests: processing is necessary for the purposes of thelegitimate interests pursued by the controller or by a third party

Legal basis does not apply to processing carried out by public authorities inthe performance of their tasks:

o Public authority Public authority = Noo Public authority Priva te entity = ?

The GDPR

Art. 6 (2) GDPR enables MS to mainta in or introduce more specific provis ions to adaptthe applica tion of the public task lega l bas is .

UK Digita l Economy Act (2017)

• Gives public authorities powers to share pe rsona l information across organisa tionalboundaries to improve public se rvices trans form the digita l trans formation ofgovernment, enable be tte r public se rvices , world leading research and be tte rs ta tis tics

• Concepts of ‘specified person’ and ‘specified objectives ’ scrutiny but a lsoflexibility on the sharing entities and sharing objectives

Could na tiona l law he lp address the uncerta inties?The example of UK ’s Digital Economy Act

ANPR data for the smart city

ANPR data – the Belgian caseLaw ’s limitations in practice

Sharing can enable many useful smart city use cases , but does the law a llow it?

• As process ing of ANPR data by the police is embedded in a law enforcement context,the s ta rting point is Directive (EU) 2016/680

• Under the LE Directive and its BE implementa tion, further process ing of data initia llycollected for a law enforcement purpose , for a new purpose that is not law enforcementre la ted mus t be authorized by na tiona l law (Art. 29(2) Data Protection Act)

When it comes to the lega l bases to process personal da ta and the purpose limita tion principle , the Directive is more res trictive than the

GDPR, given the sens itivity of process ing in a police context

Belgian Act regulating the powers of police

Art. 44/11/7: permits the disclosure to administrative police authorities , if thedisclosure is needed for them to exercise the ir legal missions .

Legal miss ions are defined within the Police Act (Art. 14): In the exe rciseof the ir adminis tra tive policing duties , (the police services ) ensure themaintenance of law and order, including compliance with police laws andregula tions , the prevention of offenses and the protection of persons andproperty (Public Order functions)

Art. 44/11/10: permits disclosures for research purposes to certain researchinstitutes . It requires however a Royal decree to define which are these ins titutestha t can process the da ta .

ANPR sharing restrictions• Sharing only to the loca l (police ) authorities what if a smart city project is

implemented collabora tive as PPP?

• Sharing only for ‘public order’ purposes , a concept tha t is more narrow thanthe concept of ‘public inte res t’ would this cover smart city projects a imeda t improving livability, the environment or improving the city’s economicprosperity?

The way forward?

• Public acceptance of the ‘smart city’ idea is growing – see results of SmartCity Meter 2019 (imec – Flanders & Brusse ls )

• Nationa l law can he lp provide more certa inty for sharing among publicauthorities express lega l ga teways

• Data sharing codes of practice by DPAs, templa tes of da ta sha ringagreements

• Trus ted third parties for pseudonymisa tion/ anonymisa tion

Thank you!

Please, share your thoughts – this is work in progress