Technology Law Blog

Three privacy considerations as Malaysia develops Smart Cities

There may not be an accepted global definition or standard, but one commonality in these gargantuan projects is that, at the heart of their purpose, smart cities aim to advance the quality of life of their residents through the use of technology. The term ‘advance’ is relative to each city as needs and challenges are remarkably different. A marginal improvement in Bangalore’s access to drinking water (a city that is facing a drinking water crisis) could be seen as a far greater success than a large crime rate reduction in Abu Dhabi, one of the safest cities in the world. It is, therefore, the case that uniform benchmarks are counterproductive to an assessment of a smart city’s development.

Still, we have seen undeniable successes in components of a number of smart cities such as reductions in energy consumption (Adelaide), significant reduction in non-revenue water (Singapore), increased efficiency in public transportation (Barcelona), increased public service accessibility through remote virtual kiosks (Hafencity) and increased safety through public live security updates (New York). 

Amidst the success stories, critics of the smart city movement tend to highlight the non-monetary cost of politically driven agendas in developing implementation policies, which oftentimes favour speed of deployment over long-term beneficial outcomes for stakeholders.

In late 2018, the Toronto smart city development plan came under (and continues to be under) severe scrutiny due to the questionable nature of its partnership with Sidewalk Labs, a sister company of Google. The leading issue is related to the collection, processing and use of personal data from the various deployments within the city. The matter garnered international attention especially when a lead privacy consultant resigned on the basis of serious concerns regarding the use of personal data which was apparently going to be made available to third parties in an identifiable state upon collection. 

I imagined us creating a Smart City of Privacy, as opposed to a Smart City of Surveillance
— Dr. Ann Cavoukian, former privacy consultant for Sidewalk Labs

The level of smart city development that we see now has only been made possible by the unprecedented increase in data production and collection coupled with computer processing power. Simply put, each person’s individual data is almost literally the fuel for the smart city’s machines. A recent worldwide push for implementation of data protection legislation even in states where the law of privacy is not fully established is evidence of recognition that data privacy is an immediate concern.   

Since Dr. Cavoukian’s resignation, the scale of the Toronto project has been reduced to a learning site before full implementation, but many questions remain unanswered on this issue of privacy in a smart city.

As Malaysia courses ahead in this pursuit, having identified at least 4 cities to be in the pipeline for implementation of smart city projects, we should be questioning the policy (or absence of policies) relating to personal data collection and treatment and, at the very least, attempt to heed the lessons learnt from abroad. This post aims to highlight three areas for concern specifically on the issue of privacy within smart cities in Malaysia.


DATA OWNERSHIP

The national framework on smart cities deals very briefly with the issue of privacy and data protection. It does, however, recognize that “Robust information and data protection are necessary for stakeholders buy-in and support for the smart city agenda”. It further states that “Information collected must be protected, and used in accordance to its owners’ wishes.”

Indeed, from a conceptual standpoint this is what citizens should expect. However, the looming question remains: who is, in fact, the owner of the data? Many jurisdictions have struggled with this question and there are split opinions even in privacy-mature states. For example, in Germany, the act of writing data or "Skripturakt" allows the person who generates the data to have the right to the data, even if the data is subsequently used for business. In the UK the case of Oxford v. Moss (1979) held that data was intangible and thus incapable of being stolen.

Malaysia certainly has not begun asking this question from a legal standpoint and as such cannot clearly assign ownership rights to personal data at any stage of the data lifecycle. If data is collected in the course of an interaction, does that individual give up their so-called ownership to the collecting entity or does that entity become a trustee of the data with limits to its usage? How far can those limits be pushed? 

“Anonymisation” has been brandished as the solution to the issue of personal data use; however, a 2018 study by researchers at MIT showed that deanonymisation of personal data through the process of matching two datasets is far simpler than first anticipated. Noting these concerns, should utilization of anonymized data possibly be subject to more stringent regulations?

The Malaysia Personal Data Protection Act 2010 (PDPA) offers a basic level of protection to individuals but seems inadequate to deal with the multi-faceted issues that will arise from heightened levels of integration in a smart city through ICTs and IoTs. In addition, there are no previous cases (common law) to fall back on for guidance.

Considering these circumstances and in the absence of legislative initiative on data ownership, both local governments and private sector collaborators may wish to preempt citizens’ privacy concerns relating to smart cities by facilitating the formation of independent privacy watchdog groups that assess smart city initiatives and highlight privacy-related concerns alongside the city’s developmental phases. Government initiatives should also be developed, such as seen in Seattle, where the government mandates privacy impact assessments and reports that are accessible by the public to avoid undue surveillance.


TRANSPARENCY

The conversation on data ownership stems primarily from the use of personal data, and this problem may be exacerbated by the obvious lack of transparency in the processing and use of personal data. Private sector entities are usually blamed as the culprits on this issue; however, Malaysia needs to address the elephant in the room. The PDPA does not apply to the largest collector and processor of personal data, the government. As the smart city initiatives are being led by the government in Malaysia, many concerns arise as to how exactly the data collected will be used in the immediate future and the long run, as well as who exactly will have access to the said data.

It is important to highlight that in a smart city, the information collected using various sensors including ambient (immediate environmental conditions) sensor equipment can be unnervingly detailed. Combined datasets of an individual’s online and physical activities can be a potent mixture ripe for the practice of ‘nudging’ i.e. manipulating an individual’s choice architecture - the physical, social, and psychological context that influences decision making - to promote preferred decisions. Without diving into the legal and ethical debate surrounding nudging, we should bear in mind that with a predominantly political agenda, behavioural data of this magnitude could pose a risk in the hands of any government that has few accountability measures. 

The government does seem to be taking steps towards consolidation of data with the launch of the MyGDX platform, an aggregating service of data by the government. Naturally, the next step should be a comprehensive national data sharing policy; however, there is no official news on this front. Anticipating such a policy, we may wish to further explore ideas such as the open access system found in Barcelona, where citizens can view the type of data collected about them and change specific privacy settings online. The bottom line is that citizens should know exactly how their data is being used at any given time and whether they have consented to its use for that particular purpose.


RIGHT TO ACCESS THE CITY

The final consideration of this post is an individual’s right to continue uninhibited use of a city without being forced to give up their privacy. Essentially this is a question of choice, i.e. can we continue to use the city and its facilities if we make the choice to refuse access or opt out of giving up our privacy?

As an example, many cities in China, the UK and Australia are exploring the use of payment systems on public transportation utilising facial recognition software (FRS). This is of course to increase overall efficiency in a sector where speed and turnaround are critical. Public opinion in the various cities is split, with some surveys showing that over 50% of the public are not comfortable with the implementation of such a system due to privacy concerns.

If a government deployed an FRS system against public opinion and without providing an alternative payment method option, use of a public system becomes contingent on giving up privacy and thus may be argued to be a denial of access to a core facility in the city. 

Australia also experimented with providing better rebates on solar panel purchases if verification for payment was done through an FRS system. The scheme failed as citizens were hesitant in trusting the technology, but the larger question is whether it was even ethical for a government to disadvantage a class of citizens who choose not to give up the right to privacy.

There are certainly no clear answers but we must begin asking these questions and many more like these as smart city technology continues to be deployed or we run the risk of having to revamp entrenched systems and structures at a significant cost.

Darmain Segaran