The False Choice between Privacy and Participation: human rights in a digital age and what they mean for smart city planning
Cities need a clearer understanding of how to share data without risking people’s and company’s privacy, and citizens need real choices about how, when and with whom their data is shared.
A new right to the city in a digital age?
If you’ve used the internet lately, it’s likely that you’ve tried to access a website and seen a message that looks something like this:
It’s also likely that you wanted to access that site quickly and didn’t have the time or patience to wade through legal documents, so you clicked ‘allow’, and were subsequently followed around the internet by ads for that pair of shoes you decided not to buy. In the age of the Internet of Things (IoT), the choice is often acceptance of data-sharing, or denial of service.
Take the company Nest for example. Owned by Google’s parent Alphabet Inc., Nest offers a variety of smart devices that monitor you and your home. It makes thermostats that learn their owners’ behaviour, carbon monoxide and smoke alarms, cameras, video doorbells, and home monitoring systems that features facial recognition. All of its devices are designed to share information with each other and with other connected products, like cars, ovens, fitness trackers and beds. Allowing Nest to access your data means allowing a host of third party partners access as well.[i] A 2016 analysis conducted at the University of London found that someone who purchases a Nest Thermostat would need to read close to 1,000 legal documents to understand with whom and how her data is shared and used.[ii] Should a proactive consumer have the time and legal knowledge for such an undertaking and find that she disagrees with some of the stipulations, she would be hard pressed to do anything about it. The Nest Terms of Service indicate that if a user does not accept, the thermostat’s functionality and security will be compromised, leading to possible negative consequences ranging from frozen pipes, to failed smoke alarms. In essence, without agreeing to share data with an untold number of third parties, the Nest Thermostat is useless.
These examples underscore a reality about privacy in the digital age: more often than not, we are faced with a dichotomous choice between sacrificing privacy to take part in the digital world, and sacrificing participation in modern society to protect privacy. It may be reasonable to suggest that individuals who don’t want to share their data with Nest’s partners should simply not purchase a Nest. What happens, however, when the thing collecting and sharing your data is not a website you visited or something you purchased, but instead the street you walk on? Sidewalk Labs, another Alphabet Inc. company, is planning the development of a 12-acre swath of Toronto’s waterfront, called Quayside, where sensors will be used ubiquitously.[iii] Although Sidewalk Lab’s business model will likely have more to do with licensing the technology it creates than selling the data it collects, last year the company refused to unilaterally ban personal data collection, saying that it couldn’t because it did not have authority over all the private-sector entities that may one day come to operate in Quayside.[iv]
Sidewalk Labs seeks to be a trailblazer in the area of responsible urban data governance, but if they don’t provide real choice for city-dwellers about how data is collected and shared, they run the risk of presenting the same false choice as Nest and other IoT companies, but with graver consequences. The ‘share your data or do not participate’ paradigm, if applied to cities, sets up a false choice in which citizens are made to pick between sharing their personal data or avoiding parts of the city. In addition to hindering the right to the city, this type of ubiquitous data collection impinges on the human right to privacy. You should not have to choose between your right to use a public space, and your right to privacy. This is part of a new understanding of the right to the city.
Privacy, data sharing and legal protection
Privacy has been recognised as a human right since 1948, when the United Nations included it in the Universal Declaration of Human Rights.[v] When the declaration was first adopted, delegates weren’t likely thinking about data privacy, but in 2013 the UN affirmed that people’s right to privacy applies online, just as it does offline.[vi] Several years after the UN recognised the human right to privacy, the Council of Europe followed suit with the European Convention on Human Rights in 1953, which also affirms that privacy is a human right.[vii] Later, the UK adopted legislation recognising privacy as a human right in the Human Rights Act, 1998. Most recently, in 2018, the UK passed legislation to enact the EU General Data Protection Regulation (GDPR), which stipulates the ways in which personal data must be treated, providing further protection for privacy in a digital age. The table below lays out the language from just some of the legal documents and declarations designed to ensure the human right to privacy.
As this table makes clear, there is national and international consensus that the right to privacy is a human right, and that it applies in the digital age. What’s less clear is exactly how it applies in practice. As the Sidewalk Labs example shows, there is no set consensus on how urban data can be used and collected, which can make it hard for cities that want to digitalise. The implementation of GDPR in the European Union illustrates the increasingly complex challenges that local governments face when trying to use data and digital tools. To give one example, Murphy notes that as “data collected as part of a smart city apparatus is likely to disperse in complex ways, it will be particularly challenging to ensure that a data subject’s right to withdraw consent ‘at any time’ will be as easily exercised as the giving of consent”.[xiv] Smart city benefits usually arise from processing interrelated data from a multitude of sources. This presents a challenge to cities, as they want the benefits that result from using multiple data sources, including citizen data, but also must figure out how to safeguard personal privacy.
Smart cities, planning and data protection
Through our project, “Future Cities in the Making”, we’ve been talking to stakeholders across the built environment, from local authorities to housing developers. One of the things we’ve noticed throughout these discussions is how a lack of clarity around legal data sharing practices is a blocker for digital innovation in planning. Sometimes, departments in the same local authority are not sure what they’re legally allowed to share even with other collaborating departments. This has to change if cities are going to reap the benefits of digitalisation.
Cities need a clear understanding of how to share data without risking people’s privacy, and citizens need real choices about how, when and with whom their data gets shared. It’s crucially important that, as cities become smarter, they do not follow Internet of Things paradigm of share data or be excluded. Because the digital revolution is still relatively new in the realm of the built environment, frameworks and norms are still fluid. It’s important that we get these right as urban digitalisation increases, which is why we will continue working with stakeholders to uncover the barriers that cities face to digitalisation, and help develop the concepts and frameworks that ensure citizens’ rights are protected. In discussions around smart cities, multiple ideas about “smart citizens” and “netizens” are developing. We believe these debates need to include ideas on how to educate citizens about how their data is collected, shared, and used. This equips citizens with the knowledge they need to decide how they are willing to share their data to participate in the process of making cities smarter. However, it can also complicate smart city development by making it harder for cities to use big data generated by citizens.
Future research needs to shed light on how cities can operate in a digital age, using data while respecting privacy, because uncertainty in this area is hampering authorities’ and cities’ ability to capitalise on opportunities for positive change in the built environment.
[i]Zuboff, Shoshana. “Surveillance Capitalism and the Challenge of Collective Action.” New Labor Forum28, no. 1 (January 2019): 10–29. https://doi.org/10.1177/1095796018819461.
[ii]Noto La Diega, Guido, and Ian Walden. “Contracting for the ‘Internet of Things’. Looking into the Nest.” Queen Mary University of London, School of Law Legal Studies Research Paper219 (2016). https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2725913.
[iii]Woyke, Elizabeth. “A Smarter Smart City.” MIT Technology Review. Accessed April 1, 2019. https://www.technologyreview.com/s/610249/a-smarter-smart-city/.
[iv]Fussell, Sidney. “The City of the Future Is a Data-Collection Machine.” The Atlantic, November 21, 2018. https://www.theatlantic.com/technology/archive/2018/11/google-sidewalk-labs/575551/.
[v]Diggelmann, Oliver, and Maria Nicole Cleis. “How the Right to Privacy Became a Human Right.” Human Rights Law Review14, no. 3 (September 1, 2014): 441–58. https://doi.org/10.1093/hrlr/ngu014.
[vi]United Nations. “68/167. The Right to Privacy in the Digital Age,” 18 December 2013. https://www.un.org/ga/search/view_doc.asp?symbol=A/RES/68/167.
[vii]Council of Europe. “European Convention on Human Rights,” June 1, 2010. https://www.echr.coe.int/Documents/Convention_ENG.pdf.
[viii]United Nations. Universal Declaration of Human Rights, Article 12 (1948). https://www.ohchr.org/EN/UDHR/Documents/UDHR_Translations/eng.pdf.
[ix]Council of Europe. European Convention on Human Rights, Article 8 (2010). https://www.echr.coe.int/Documents/Convention_ENG.pdf.
[x]UK Government. Human Rights Act, Article 8 (1998). https://www.legislation.gov.uk/ukpga/1998/42/pdfs/ukpga_19980042_en.pdf.
[xi]United Nations. “68/167. The Right to Privacy in the Digital Age,” December 18, 2013. https://www.un.org/ga/search/view_doc.asp?symbol=A/RES/68/167.
[xii]European Commission, General Data Protection Regulation (2018).
[xiii]UK Government. “Data Protection.” GOV.UK, 2018. https://www.gov.uk/data-protection.
[xiv]Murphy, Helen Maria. “Pseudonymisation and the Smart City: Considering the General Data Protection Regulation.” In Creating Smart Cities, edited by Leighton Evans, Liam Heaphy, Rob Kitchin, and Claudio Coletta, 1 edition., 182–93. Abingdon, Oxon ; New York, NY: Routledge, 2018.