Smart cities, privacy and community control: Are we there yet?

Outdated Technology — IBM System 360 Mainframe Computer — Missouri State Archives

A growing number of cities and communities across the globe are embracing the idea of smart cities. According to the National Conference of State Legislators, the aim of a smart city is “to improve quality of life, economic opportunity and security for those who live in cities and surrounding areas.”

Data collection is the back-bone of “smart city” technologies. The deployment of an array of surveillance law enforcement technologies, such as automated license plate recognition and smart cameras, is driven by the promise that the data collected will enable officers to state ahead of crime. The traffic sensors aiding with transportation flow, the smart water meters pinpointing leaks and the trash bins sensors alerting city workers of when it is pick-up time also run on data.

Data driven smart cities have an impact on the privacy of residents and visitors.

Against this background, it makes sense to pause to consider what are the existing legal privacy protections that would apply to the collection, use, and sharing of data by smart cities and municipalities.

In this context it is important to consider not only the requirements that apply to the cities and municipalities, but also those that apply to the developers of the technologies, and to the technologies themselves.

ARE SMART CITIES AND MUNICIPALITIES REGULATED?

Federalism as a limit to the ability of federal laws to regulate smart cities and municipalities

When considering the landscape of local privacy regulations, it is important to be aware of the principle of “federalism.” In a nutshell, federalism means that the governments of the states coexist with the federal government and that this federal government has specifically enumerated powers which are granted by the United States Constitution. The enumerated powers granted on the federal government by the United States Constitution are limited in their scope. Generally speaking federal law is not able to impose restrictions on cities and municipalities implementing smart solutions for this reason.

For example, the US Privacy Act of 1974, which contains important rights and restrictions, applies only to the processing of data held by US government agencies. Therefore, the right to access, correct, or restrict the use or sharing of information provided by the Privacy Act does not apply to data held by cities or municipalities.

States privacy regulations for the public sector: A work in progress

Some states have enacted public sector privacy laws that enshrine principles and requirements like those found in the US Privacy Act.

For example, California enacted in 1977 the California Informational Privacy Act(IPA.) This privacy statute limits the kinds of personal information that California public agencies may maintain, requires agencies to maintain personal information “with accuracy, relevance, timeliness, and completeness,” permits individuals to inspect and request correction of agency-maintained personal information, and generally limits the right of governmental agencies to disclose personal information about an individual. IPA imposes liability on both agencies and individuals for improperly disclosing personal information maintained by agencies. However, the IPA does not apply to information held by smart cities and municipalities.

Therefore, even in states that have enacted regulations similar to the federal Privacy Act, smart cities and municipalities are unlikely to be effectively restricted by these laws.

State new comprehensive privacy laws and the public sector

There is a recent movement toward a more comprehensive approach to regulating personal data that is being led by state legislators. It started with the enactment of the California Consumer Privacy Act of 2018 which was latter strengthen when in November of 2020, California voters approved Proposition 24, the California Privacy Rights Act (CPRA). Several states have enacted similar laws, including Virginia, Colorado, Utah, and Connecticut.

However, these new State laws do not apply to the public sector and therefore do not restrict municipalities and cities that implement and use smart technologies.

ARE VENDORS OF SMART CITY TECHNOLOGIES REGULATED?

Federal sectoral regulations may not apply effective restrictions to vendors of smart city technologies

Historically the US has regulated data privacy with a sectoral approach. This means there is no US overarching law that imposes requirements on how all the public sector and the private sector collect, use, and share data.

In addition, the US has not historically recognized a right to protection of individuals in the context of automated data processing (i.e. computerized personal data) through the enactment of an omnibus law such as the EU General Data Protection Regulation nor has a right to data protection been recognized in the US at the constitutional level.

The sectoral approach was viewed by many as preferable because separately regulating different industries allows for a more nuanced approach that can focus on the needs of those specific industries. It also allows for light-touch regulation for sectors that fall outside of industries with higher privacy concerns such as education or the health care, financial and telecommunications sectors. In practice, the sectoral approach has led to increased complexity of overlapping regulations, and opened the door to inconsistencies while providing limited protections to consumers.

Vendors of smart city technologies are likely to fall outside of the industry sectors that have been historically regulated in the US. Therefore, federal privacy sectoral laws do not generally impose restrains on smart cities and municipalities.

How about the new State privacy laws?

As mentioned above, there is a recent movement toward a more comprehensive approach to regulating personal data. Several states have enacted more comprehensive privacy laws. Vendors of smart city technologies are likely directly or indirectly regulated by these laws.

They are directly regulated in that these laws contain a limited number of obligations that apply directly to service providers that vendors would have to account for.

They are indirectly regulated in a more stringent manner when they provide their technologies to the private sector. This is because the private sector organizations purchasing the technologies are likely to be subject to the full spectrum of restrictions imposed by these new state privacy laws and will contractually require assurances from the vendors of smart city technologies.

However, when the technology is sold to cities and municipalities the scope of the restrictions that apply is limited at best. The new state laws do not regulate the public sector and therefore do not apply to cities and municipalities. There is an argument to be made as to whether these new state laws may partially be effective because the direct applicability component but, at best, the effect will be limited.

HOW ARE SMART CITY TECHNOLOGIES REGULATED?

There is several issue specific privacy laws that restrict some forms of collection, use and sharing of information in the public local sector.

For example, officer camera surveillance (recordings of images and/or voices through devices attached to the officer body) are currently subject to very specific requirements under California law (see (See, Cal. Penal Code 832.19). In addition to imposing specific processes, California law provides for a private right of action for any violation of the prohibition against biometric surveillance but only for equitable or declaratory relief. (i.e. you can sue the agency/officer) California law also requires that officers that violate access restrictions on information recorded through officer body cameras be sanctioned. However, those restrictions do not apply were images are capture through systems other than a body-worn camera (e.g. a camera mounted on a policy vehicle.)

Another example is the California law regulating the collection of automated license plate information. Automated/automatic license plate readers (ALPRs) capture computer-readable images that allow law enforcement and others to compare plate numbers against plates of vehicles subject to repossession, stolen vehicles or vehicles driven by individuals wanted on criminal charges. The devices are typically mounted on cars (including police cars), road signs or traffic lights and capture thousands of images of plates. These technologies raise concerns about accuracy and may infringe on individuals’ right to privacy. The California law on ALPR imposes privacy protection requirements on entities that use ALPR information; prohibit public agencies from selling or sharing ALPR information; and require operators of ALPR systems to use that information only for authorized purposes.

Despite of the existence of these laws, there is no strong track record of enforcement.

COMMUNITY CONTROL: ARE WE THERE YET?

In a nutshell:

• Public sector privacy federal laws such as the US Privacy Act of 1974 do not apply to the state level public sector. Even in states that took the initiative to enact regulations similar to the federal Privacy Act, the processing of personal data by cities and municipalities is likely out of the scope of those laws as they would typically apply only to state public agencies.
• Providers of smart technologies in many cases will not be regulated by the existing web of federal sectoral privacy laws. The new more comprehensive state laws may apply to them, but because those laws target the private sector their effectives is likely limited.
• There could be specific privacy regulations for concrete technologies used by smart cities, like the ones imposing limitations on officer camera surveillance or automated license plate readers, but there is no strong track record of enforcement and the protections offered are limited.

What this means is that, absent solutions implemented at the municipal level requiring controls over surveillance technologies, the collection and use of data through smart technologies in the US tend to operate in a regulatory vacuum.

The proliferation in local surveillance technology, which as mentioned above will be subject to few regulations and in most places takes place without community input or control, has raised awareness about the threats to civil rights and civil liberties. There is also a growing awareness that these threat tend to disproportionately impact communities of color and low-income communities. This awareness is fueling a nationwide “Community Control Over Police Surveillance” effort that seeks to ensure that local communities have a meaningful opportunity to review and participate in all decisions about if and how surveillance technologies are acquired and used locally.

In a selected number of cities and municipalities these types of community control processes are already in place.