Technology Law Blog

Into the Unknown: Data Transparency in Smart Cities

The world has been experimenting with smart cities since they were introduced during the IBM Smarter City Challenge in 2010. Although there is no global consensus on the definition of smart cities, we can safely describe them as cities that utilise sustainable technological solutions to address urban development challenges.

It is only recently, with the unprecedented increase in computer processing power, that smart city initiatives are beginning to see their potential. However, alongside the success stories, smart cities globally have been inundated with numerous ethical concerns, none greater than the issue of privacy.

The clearest example of such concerns was seen in 2018 when Toronto attempted to launch its smart city plan. The project, a partnership between Sidewalk Labs and the city, fell under immediate public scrutiny after concerns that Sidewalk intended to use data collected to ‘nudge’ consumers in the direction of its products. Concerns evolved into allegations, leading to resignations and even legal actions. Progress has been made, but the matter remains unresolved, with the tech giant recently being asked to justify its collection and use of data in the project following questions of appropriateness and necessity.

These concerns are valid when individuals are told that their smartphones and wearables can record the precise location, time and duration of an activity, domestic habits, medical information, biometric data, and even various social interactions, with the aim of developing profiles of the said individuals, identifying consumer trends that may be exploited, or selling the said data. However, this concern must be balanced against the reality that the technological tools of a smart city require data to operate and deliver the benefits we desire. How then do we find a solution to this conundrum?

The concern of smart cities developing into ‘surveillance cities’ with the enormous volume of personal data collected stems from the limited understanding of the collection and use of the said data. In the case of Malaysia, overreliance is placed on our Personal Data Protection Act 2010 (PDPA), which is limited in application and is far from reflective of international standards.

As an example, under the Act, once consent for use of personal data is obtained from an individual, the responsibility is then thrust upon the individual to decipher, record and track the ever-increasing number of systems they are subscribed to. This is a near-impossible task for the average person. Nevertheless, once obtained, the consent operates as a ‘license’ for a private entity to process and, in many cases, transfer the said data across platforms and jurisdictions. Without a national data sharing policy, private entities seem to be intent on pushing the limit of regulatory compliance. Further, should data be collected by or transferred to the government, it enters an unregulated void. The PDPA does not apply to the government and Malaysia does not have dedicated legislation for privacy. Thus there is, in real legal terms, no statutory protection of privacy.

Considering Malaysia’s clear intent to develop numerous smart cities throughout the country, I would propose that an immediate solution to the privacy conundrum is the implementation of data transparency principles in smart city development. Data transparency is not a novel concept and has been codified in legislation such as the Illinois Data Transparency and Privacy Act 2020 and the European Union’s General Data Protection Regulation (GDPR). It refers to the requirement that data subjects (persons from whom data is collected) must be informed, clearly and concisely, of the type of data that is collected and how it is being used.

This principle has often been cited in the context of government collection and use of public data and has led to various initiatives, even Malaysia’s open data initiative. However, in the context of smart cities, where there is an overlap of responsibility between the government and private entities, the concept must take a broader application, with the ultimate objective being the openness and shared control of personal data between private entities, government, and the data subject.

The first step towards data transparency would be the recognition of the role of the government as a ‘trustee’ of data collected in a smart city. On this premise, the government must then consolidate the data and limit access to it. One of the measures explored in Toronto amidst the privacy concerns is the development of an independent Data Trust which serves as both a repository and a single access point for all data in the smart city. This trust may be bound by already established principles of trust law and act as a steward for all personal data beyond the scope of the PDPA.

Next, with a single consolidated storage point, data subjects must be able to identify how their data is being used and, where they so please, opt in or out of usages. Such a platform is being tested in Barcelona on the concept of shared control. The system democratises data and attracts accountability. For example, should a project raise controversial questions of ethics, data subjects will have a direct say by choosing to opt out of having their data used in such a project.

Further accountability can be imposed on private entities by the use of publicly available privacy impact assessments or data transparency reports that force companies to set out the scope and actual usage of personal data collected each year. Some benefit has already been seen with similar initiatives in Seattle.

These examples are merely starting points in addressing the larger issue of data privacy in smart cities. Smart cities are independently unique and so these solutions may work for us or not at all. However, the only way we will know is if we begin the conversation, as our continued apathy on the matter only ensures an ominous gap in the smart city framework.

Darmain Segaran