Over the past year and a half I have worked on an exciting project solicited by NESTA, the Cities’ Coalition for Digital Rights (CC4DR) and the City of Amsterdam. This blog entry represents a summary of the resulting report, which has been published on NESTA’s web pages. It sheds light on a recent development that runs under the radar in many urban areas: the usage of privacy-infringing sensors by commercial actors in what is increasingly becoming known as “the digital public space”.
This term seeks to highlight how physical public areas – town squares, pedestrian zones, but also shopping centres and bus stops – are increasingly subject to unfettered digitalisation, with commercial sensors tracking eye movements to gather feedback on digital advertisements or cameras recognising faces in shopping centres. One main focus lies on publicly used spaces in private ownership, also known by the abbreviation “POPS”. I make this distinction because it has repercussions on how well the EU General Data Protection Regulation (GDPR), the relevant regulation, is realistically being followed, given that there is a well-known enforcement gap of the regulation in the private sector.
As mass production and technological innovation lead to ever-sinking costs, companies have increased their use of sensors in physical spaces in the past years. New services based on augmented reality applications, or the virtualisation of real physical spaces (“Metaverse”), require precise 3D data of city spaces that are costly to produce. As the internet increasingly turns into the screen on which physical cities are being rebuilt, high quality data on public spaces are in high demand. Consequently, making maps of the physical space has become the business model of a sizeable number of companies. With the aforementioned implementation deficit of the GDPR in the offline world, many companies do not properly comply with the GDPR or perform the self-critical assessment the EU legislation foresees for such cases, but “bend” their use case to fit the legal criteria. As one interviewee put it: “Companies are making 3D maps of our city without city hall knowing it.”
Where such “renegade” sensors are installed by commercial actors without making sure citizens, or at least their city administrations, can properly consent to such services, citizens become unwitting objects of pervasive privacy infringements that they don’t have a chance to opt out of. This can not only pose a potential violation of a basic human right but can also damage trust in public representation, as there is very little accountability regarding private monitoring in public space. As things stand, there are no formal procedures cities can follow to alleviate these problems, as they neither have a say about such practices nor even know about them in the first place.
For this report I have interviewed a number of smart city representatives from all over Europe to learn about their approaches and experiences in dealing with this and similar problems. Not to spoil the tension too much, but many smart city leaders are not yet aware of these potential privacy risks to their citizens.
The landscape of private sensors in public spaces
In order to enable and empower cities to actively shape how technological progress plays out in their public spaces, I briefly illustrate two particularly pertinent technological developments that have recently seen widespread adoption, following the maturing of the underlying technologies.
Interactive advertising
Generating feedback on advertisements allows ad producers to better target them to certain audiences, increase efficiency and thereby improve return on investment. Feedback is generated primarily through cameras. These are used to read spectators’ glances, faces or body movements in reaction to the exhibited ad content. Newer applications integrate photo or live video from spectators’ faces or bodies into a (moving) image or a scenery on electronic billboards. The reactions, captured through retina tracking or analysis of body movements, are then analysed by algorithms drawing conclusions on the reactions to the ad content. These forms of augmented reality advertisement or “interactive advertising” can be found on street furniture, pedestrian lanes, in bus shelters or shopping malls, and the ad-centred use of retina tracking and facial recognition has proliferated Europe-wide and over the world. With an outdoor advertising market poised to eclipse that of newspapers, it stands to reason that such forms of feedback-generating digital billboards will only increase in the future.
High-resolution digital images of faces or the retina are the raw material of algorithmic analysis that can identify people, tie them to places at certain times and thus be used to produce movement profiles. There are numerous techniques that can, to varying degrees of reliability, use such footage to draw conclusions on what the EU calls “sensitive data”, such as eye tracking data.
Eye-tracking-enabled advertising has been used on several occasions, among other places in the Netherlands and Belgium. Billboards were put up in (underground) train stations or other spaces which once used to be publicly owned, but have been privatised in many countries in past decades. It cannot be reconstructed whether the company had filled out data protection impact assessments in which it could have argued to what extent the operating company had a “special interest” justifying the usage of this technology. The city administrations, among others in Ghent and Amsterdam, were neither informed nor asked for permission. No signs referenced the existence of cameras to passers-by. Only after a public outcry and media attention did the responsible company remove these billboards.
Integrating such eye-tracking capabilities into digital billboards is not particularly new. First applications are as much as 15 years old. This technique makes a great use case for advertisers since it makes visible what viewers are seeing. Eye tracking “makes the subconscious gaze visible and can reproduce gaze data even if the poster was just viewed for a split second”, as a company marketing this technology lays out.
Collecting such precise and highly valuable data comes at a price: Eye tracking data can also be used to reconstruct implicit information about a person’s “biometric identity, gender, age, ethnicity, body weight, personality traits, drug consumption habits, emotional state, skills and abilities, fears, interests, and sexual preferences.” Certain eye tracking measures may even “reveal specific cognitive processes and can be used to diagnose various physical and mental health conditions”. Even where third party actors collect just the images, such techniques can always be applied ex-post to them. Should such information regarding specific individual persons become public, it can potentially be devastating on a personal level.
Automatic number plate recognition
Systems that scan and recognise number plates are ubiquitous and are applied in several use case scenarios by private companies all over Europe. One particular use is a case in point since it was practised without the knowledge of City Hall until it was forbidden.
There have been cases of debt collecting companies using automatic number plate recognition in order to get a hold of people who have for instance defaulted on their loans and are not responding to efforts to contact them. For this purpose, cars of the company were fitted with camera sensors to circle entire cities and to film and process number plate data of encountered cars to identify the debtor. Such cases have been prevalent in the US so far, with Amsterdam being a notable example in Europe. The city has since banned the service, so the details of the company’s approach are unclear. From a technical standpoint, it must have collected at least tens of thousands of registration images and the location of the corresponding cars, even if some filter had been applied and deleted non-relevant data.
According to the GDPR, license plate data is not only personal data, but personally identifiable information (PII). PII is any data that can be used to clearly identify an individual such as passport numbers, fingerprints, or number plates. The practice of licence plate scanning is allowable in the context of parking garages (again, in terms of the GDPR) provided customers are adequately notified through appropriate signs that their registration plates will be scanned and processed. In contrast to parking garages, companies indiscriminately scanning all available number plates with the intention to identify the car holder, including those of uninvolved bystanders, without notification, is unlawful according to the GDPR.
In terms of lawfulness, a case could be made that if only fragments of the registration plates were scanned, this would not constitute PII. At the same time, this argument seems unlikely to be claimed, given that these techniques are usually applied to identify car holders, especially for use cases such as debt collecting. Such use cases have been rarer but certainly need to be mentioned as they are a violation of a sizeable number of citizens’ privacy. Given that, despite the clear unlawfulness of this practice, there are so far no means to stop these surveillance practices from taking place, this is a case in point that illustrates the need for cities’ attention to this field.
Cities increasingly need to act as enforcers, but still lack important resources
These examples go to show that cities are stuck in a conflict: given the proliferation of private sensors in the public space, they increasingly need to act as enforcers of the GDPR since companies will keep making use of them where it suits their needs. At the same time, though, cities lack (1) the information, (2) the remit, and (3) the capacity to properly respond to this development.
Firstly, there are no European level rules that prescribe that cities get notified when commercial actors put up sensors in POPS. Bart Rosseau, the Chief Data Officer of the city of Ghent, told us: “Is this a task for the police? Should we ask citizens to alert us? If they [the sensors] are well-hidden we will never know. It’s tricky and the technology is evolving faster than the regulation.” (Bart Rosseau, DPO of Ghent, 2021). In short: since there is no proper monitoring process to systematically find and identify sensors, cities have no way of detecting unwanted sensors in publicly accessible spaces.
Secondly, municipalities only have processing assignments when it comes to the GDPR, but they do not have the remit to carry out implementation tasks. Execution and implementation usually lie with the national or regional level. Municipal data protection officers (DPOs) cannot issue bans for eye-tracking billboards – that would be the remit of their national level colleagues.
Thirdly, cities do not have the capacity (yet) to address sensors in POPS. “We already have a lot of problems identifying our own data processing, so we haven’t gotten around to the private parties who do this”, the DPO of a large European city told us.
Smart cities censor the sensors: new ideas on a difficult topic
Using municipal permissions as leverage for privacy
As has become clear, cities do not have the remit to ban or prohibit new sensors on POPS. Given that the GDPR as the main piece of legislation governing privacy of EU citizens does not involve city halls, those cities most affected improvised in order to get a grip on these detrimental developments.
In this vein, London City Hall published in October of 2021 what is called the “Public London Charter”, a document which sets down principles and guidance on how new public spaces (including POPS) should be operated. These principles apply as a condition of planning consent for future developments, by building on existing powers in the area of urban planning and urban development. Whenever developers seek to obtain permission to build in cities, they will have to sign up to the Public London Charter which will be inserted into the condition part of planning agreements.
The Charter contains a number of principles that constitute a code of good practice in the management of new public spaces. A section on privacy and data builds on the Surveillance Commissioner’s code of practice (a national code of practice), the 2018 Data Protection Act and an opinion of the UK ICO. It mandates that “Data Protection Impact Assessments (DPIAs) should be shared with City Hall so they can be published on the London Datastore to promote transparency, compliance and good practice across the city.”
This addresses one of the most crucial limitations of cities dealing with sensors in POPS. Cities not only lack the remit to prescribe or mandate rules regulating sensors in publicly accessible spaces, they are also kept in the dark as they mostly do not get notified about the existence of new sensors. The Public London Charter, even though only regulating new developments, tackles both these limitations of municipal policy making by leveraging the city’s power to withhold permission to new developments on city ground. Essentially, it creates a “supercharged planning authority”, meaning a sizeable amount of the city’s power comes from the planning law used as a lever.
While this example from London is the most far-reaching and developed we have encountered in our interviews, other cities are already using similar “municipal permission leverage” to get commercial actors to subscribe to a set of principles. The City of Amsterdam has started a process that is very similar to the London example in that the “Tada” manifesto contains principles about the ethical use of data. The manifesto developed a number of principles that govern the usage of data which ought to be: (1) inclusive, (2) controlled, (3) tailored to the people, (4) legitimate and monitored, (5) open and transparent, (6) from everyone – for everyone. Tada has become ingrained in the local administration, its decisions and processes.
It is also at the heart of a programme Amsterdam has assigned to the Institute for Information Law at the University of Amsterdam, which explores conditions that can be added to the municipality’s policy instruments regulating the behaviour of private companies with regards to collecting sensor data. Such instruments include licensing, subsidies, concessions, or contracts with private companies. E-mobility service providers, for instance, have to fulfil certain conditions before they are allowed to run their services in the city space. They have to serve commercially potentially less attractive parts of the city in order to safeguard inclusiveness for less privileged areas. Part of this programme is also a more recent development of rules formulated by the city administration on how mobility providers have to treat the data they collect and which data they have to share with City Hall.
It is important to note that cities’ leeway to add conditions to certain permits is limited. Permits, for instance, which have an impact on public spaces and safety can legally only be used to add conditions that are related to the policy area the permit seeks to address. This means in turn, that for cities not to become liable for abuse of authority, only conditions related to the regulative intent may be inserted into such authorisations. Even where this is not yet possible, applicants receive points if they fulfil conditions on privacy and data handling as part of a “soft” conditionality.
Introducing a notification obligation for new sensors
In December 2021, the city of Amsterdam introduced a public register for sensors. Companies and other stakeholders must now notify Amsterdam City Hall if they wish to install sensors in publicly accessible spaces. The “Sensors Notification Requirement Regulation” states that it is prohibited to place a sensor on street furniture, publicly accessible buildings or on moving vehicles accessible to the public without notifying the City Council at least five days in advance. The notification also needs to indicate which data will be collected and when the sensor will be removed again. If, after a grace period of six months, sensors are still placed in public spaces without a notification to the city, the sensor will be removed (after several warnings) at the cost of the owner. Location and type of the sensors are published in a publicly available map. The municipality will inform citizens, but also industry organisations and large companies such as Google, about the sensor register.
Cities react as regulation proves to be toothless
These examples show that there are creative ways cities can employ to manage, and somewhat compensate for, their lack of enforcement powers. What these examples also show is that cities got creative because the national level had neither the resources nor the direct experience from having to deal with new developments “on the ground”. One digital leader in a larger European city told us: “Our DPA is not in a position to sufficiently monitor developments and provide the necessary oversight. I do not think they are close enough to the ground. They can steer the conversation and they can implement, work with government to implement legislation but again, what do you do in terms of stopping somebody from actually mounting a sensor in the streets?”
This is also the reason why several interviewees told us that the national level increasingly looks to City Halls when it comes to dealing with new technological developments. Several interviewees thought that local government was more advanced in many of those questions than their national counterparts.
While national governments have the powers to pass legislation where they see fit, some respondents thought that in many instances they become active too late and were in danger of letting technological progress happen without setting the norms to shape and govern it. Cities come into this power vacuum as they can address practical aspects of applied technological change in a way that users can understand.
At the same time, the challenge with regulating emerging technologies lies in the fact that the full scope or penetration is not known yet, meaning that any prospective regulation would have to be set at an abstract level in order to cover the full suite of activity. The challenge for cities is therefore to come up with meaningful principles, that have wide application, that are not too abstract as to be impractical, but also not too detailed as to actually stifle genuinely good innovation.
Recommendations
Based on these examples of how cities successfully improvised to fill the gaps the GDPR leaves, in the full report I discuss possible policy avenues cities can take to alleviate the privacy-infringing developments outlined above. Here and in all brevity, I want to focus on the most important of them: cities need to use the powers they already have – smartly.
Perhaps the most effective tool cities can use to push the boundaries – and regulate what is not yet regulated – is to more effectively use the levers they already have at their disposal. We have seen that cities do not have the remit over classical sanctions and (in GDPR terms) enforcing mechanisms. Such sanctions happen after the fact and are therefore not an ideal tool to change behaviour proactively. Setting behavioural rules ex-ante, by inserting conditions for commercial actors’ access to city resources, could prove to be much more effective.
The examples from Amsterdam and London have shown that cities have abundant powers at their disposal, in the realm of urban planning, setting economic incentives, organising traffic, and setting procurement conditions. Cities can use such powers over permits or other forms of agreements commercial actors require from municipalities. Giving out such permits can be made conditional on approval seekers incorporating norms, or more concrete prescriptions on how to handle data collection, what data to share with the municipality, how to make their data collection public, whether to hand over DPIAs to cities, and more. Given that arbitrary conditions cannot be tied to permits regulating specific domains (abuse of authority), these conditions need to be specific to the purpose of the permit.
Therefore, instead of suggesting a one-size-fits-all approach, cities should ask themselves: What are our core powers? What are our core experiences? And then use these powers and experiences. If one of the few powers they have is urban planning, then that could be an effective avenue to use conditionality to initiate behavioural change. In this, cities should follow a principled approach based on their experiences and goals, as discussed in the examples above.
The full report can be downloaded here.