Smart cities by design

Safe and secure; easy to get around; environmentally sustainable: Smart cities promise a future of better living to their residents by embracing the use of data and connected technology.

But there is more to building smart cities than overcoming technological challenges. As modern infrastructure advances — with embedded sensors and software that collect and analyze data — we will also need legal and governance structures that meaningfully address public concerns about privacy and data security.

"Our laws aren't there," according to Brenda McPhail, the Technology and Surveillance Project Director at the Canadian Civil Liberties Association. A panelist at the CBA's privacy law symposium last month, McPhail said that the rules governing how we acquire user consent are "fundamentally flawed." For example, privacy regulations don't specifically address how personal information should be collected from personal devices where infrastructure is designed to interact with those devices.

The CCLA is suing Waterfront Toronto, and three levels of government, over plans by Sidewalk Labs, owned by Google parent company Alphabet, to turn the Quayside waterfront area into a high-tech smart neighbourhood. It alleges that Waterfront Toronto has no jurisdiction to take on an electronic and data surveillance project of this scope, and that the collection of personal data infringes Charter rights.

Also sitting on the CBA panel were David T. Fraser, a partner at McInnes Cooper in Halifax, who represents Sidewalk Labs, and Chantal Bernier, who leads Dentons Canada's privacy and cybersecurity practice. Bernier represents Waterfront Toronto in the same project.

Sidewalk Labs' plans for a smart neighbourhood have drawn controversy since they were announced in 2016. In October 2018, Ann Cavoukian, a former Ontario privacy commissioner, resigned from her role as advisor to the company over worries about insufficient privacy protection. Sidewalk Labs has since scaled back its ambition somewhat with a promise not to sell the data of its users, including to other Alphabet companies, without their explicit consent.

Privacy concerns have taken on added significance in an environment in which public trust in the internet is at an all-time low. According to a survey by the Office of the Privacy Commissioner of Canada earlier this year, 45 per cent of respondents disagreed that businesses respect their privacy. Sentiment is more optimistic towards government. Twenty-nine per cent disagreed that the federal government respects their privacy. Still, more than eight in ten Canadians said news reports about privacy breaches have affected how willing they are to share personal information. Headlines about Big Tech not caring about their users' privacy surely doesn't help either.

Still, there are ways to sure that smart cities avoid becoming "tools of discipline and surveillance," as McPhail put it.

The first is addressing transparency concerns. "What's happening right now in most municipalities is things are just being deployed, and without any input, without any transparency," Fraser said during the symposium.

Instead, he told CBA National in an interview, we need to make sure that any project that involves collecting personal or even non-identifiable information in the urban environment first undergoes a rigorous privacy impact assessment. The purpose of this would be to assess whether data collection is "proportional to the public benefit to be gained" and whether there are any risks to people's privacy rights that can be "managed, mitigated or eliminated prior to the project going live."

Ultimately, these assessments would serve the purpose of implementing the principles of privacy-by-design, a concept developed by Cavoukian in the 1990s, and which calls for embedding privacy protection measures in the design of products before they're released. The European Union later made it a legal requirement when it adopted its General Data Protection Regulation – or GDPR.

The second concern to address is accountability. Part of the challenge with smart cities is that the deployment of smart technology is made possible by the private and public sectors working together. Those partnerships help deflect some costs from the public purse in updating city infrastructure and using data efficiently in the delivery of public services.

Still, there are sharp differences between the private and public sector approaches to accountability, and the interests of the government and corporations aren't always aligned. "There's a tension there," said McPhail. "It's a longstanding tension, but it's very real – between a company that has accountability to shareholders and a public body that has accountability to its residents and citizens."

To improve transparency and accountability, we will need a more sophisticated legislative or regulatory structure. According to both McPhail and Bernier, our laws are hardly fit for purpose, since the rules governing how organizers acquire user consent are fundamentally flawed. "There's not enough at the moment to regulate any pervasive and cumulative data collection that would be envisioned in this kind of project," says McPhail.

Bernier says we need to re-enforce our "laws for all of the internet because, frankly, they have not provided the architecture of enforcement that we need to stand up to the tech giants."

That won't be easy. In Canada, different laws apply to the collection and use of data, depending on who is fronting the project. When a municipality hires a private company to deliver a service, that private contractor will be captured under the privacy regime of the public sector agency that hired it.

But the lines aren't always clear. It's conceivable, for example, that a contractor gets hired by the city, but also does work that falls outside the scope of that mandate. "You could have a situation where two laws might apply," Fraser says. "If a slice of what they're doing is for their own activity and not simply acting as an agent or contractor of the municipality, then those private-sector laws will apply to that slice. And you might have overlap, and you might find yourself with some contradictions between the different legal regimes."

One way to address this would be to adopt data protection rules that apply to both private and public organizations, as they do in Europe under GDPR. But as Fraser points out, it's difficult to merge the two regimes into one because privacy laws that regulate the public sector are not typically based on consent. They're based on the notion of "legitimate purposes," whereas our private sector privacy laws are based entirely on consent. "You have to find a middle ground if you want to make that work," says Fraser.

Simply tweaking our privacy laws likely won't be enough. For Bernier, the answer lies in rethinking the governance framework for privacy in our lives more generally. She wants to see a mechanism put in place that would ensure what she calls "mediated accountability."

"It means that the regulator is strong enough and has the proper powers to hold business and the state accountable, in the name of individuals and in the face of the complexity and the opacity of the internet, which disempowers the individual." She points to aviation safety, food inspections and drug approvals as examples of mediated accountability in other industries. "We need to have that in privacy law."

One thing is certain. As our aging infrastructure gets upgraded, smart technology will one way or the other become part of the fabric of our cities. But will it be done in a way that demonstrates a real commitment to the well being of their residents?