Update: Smart City & Data Protection in 2020
Cybersecurity and Data Privacy go hand in hand as privacy cannot exist without security. For Smart Cities solutions, the case for privacy is sometimes not clear, because much of the data gathered are anonymized, that is, you cannot identify individuals from the data. Smart Cities solutions include new approaches to traffic management, infrastructure monitoring and emergency services management.
Fundamental technologies supporting Smart Cities include 5G networks, Internet of Things (IoT) devices, Edge computing and non-IP local area networks. The data gathered can include traffic flow from in-ground sensors, environmental conditions such as temperature, wind, or the presence of certain gases, gunshot detection or auto crash detection. None of these data sets, taken discretely, involve Personally Identifiable Information (PII) as described by privacy laws such as the California Consumer Privacy Act (CCPA), which will be enforced in July of this year (2020). So what are the privacy considerations, and how are cybersecurity and data privacy solutions in smart cities going to be implemented without impacting these new solutions' ability to function as required?
Cybersecurity and Privacy Law in a Nutshell
How are cybersecurity and privacy law related? Under CCPA, penalties for non-compliance can be substantial. For a data breach, the California Attorney General can assess a penalty of up to $750 per violation per user. For a California company with more than 25,000 user entries, this adds up quickly. In addition, CCPA allows for Private Right of Action, which means any individual consumer can sue a company when the consumer has reason to believe that the consumer’s PII has been displayed outside of the company’s protection and viewed by unknown third parties as a result of the company’s failure to implement “reasonable security procedures” to protect the data.
How are Smart City Solutions Involved with Privacy?
The most high-profile application in Smart Cities that involves PII is facial recognition for purposes of identifying individuals. Image systems installed for traffic management or public safety can be repurposed or dual-purposed to acquire facial images and push those data into the cloud, where they can be analyzed and compared to known data for individuals. Long the purview of law enforcement, these capabilities are highly desirable to operators of critical infrastructure and others with very valuable facilities to protect. Large retailers are also interested in tracking high-value customers during their in-store shopping experience. The French CNIL outlined its position in a discussion paper in which it proposed to take applications from commercial interests on a case-by-case basis, emphasizing the need to prove that another, less-invasive approach would not provide the same value. California has not taken a position on how such applications should be handled. CCPA simply identifies biometric data as personally identifiable, and therefore subject to CCPA.
Other Smart City applications can also stray into collecting PII, often as a result of so-called “Mission Creep”, where a system built to keep data anonymized is later upgraded to make better use of sensor capabilities. The real danger here is that the responsible party may not even be aware that such data are now being recorded and stored.
Cybersecurity and Privacy Solutions
To prevent breaches that expose PII, it is important to control Mission Creep with strong and consistent project management over development projects and system upgrades. Even if applicable law does not currently address some applications directly, companies need to take a cue from the CNIL and ask whether these invasive applications are really necessary, and whether there is a risk that they will ultimately be illegal. Companies that manage applications with the potential to gather PII should consider investing in advice from privacy or legal professionals with experience in these scenarios, who know how to surface current and future potential problems. Given the sensitive nature of identifiable facial features and the ramifications of a breach, such an investment can be a very sound one.
- French CNIL: cnil.fr/en/facial-recognition-debate-living-challenges