
Key to the kingdom: who owns smart city data?
April 2020

Words by DEBIKA RAY
“I think the number one thing that characterizes the data world is immaturity. We’re in an emergent place — a sort of Wild West”
Richard Tyson, Gensler
Knowledge is power, they say — and if that’s the case, we are now more powerful than ever. In 2013, IBM estimated that we were producing 2.5 quintillion (that’s 18 zeros) bytes of data every day and that 90% of the data in the world had been created in the previous two years — set to reach 44 trillion gigabytes this year, according to the EMC Digital Universe study. Over the past decade, the cost of smart technology and sensors has plummeted, while our ability to process and handle information has improved exponentially. The resulting ubiquity of data, and the growing Internet of Things (IoT), offers public bodies and businesses the opportunity to innovate, make better-informed decisions and enhance the quality of our lives. City mobility can be more efficient if we know when and how people need to travel, energy use in buildings can be optimized with biometric data from users, and financial services tailored to spending habits.
With that ability, however, comes a host of practical, ethical and legal concerns: how is this detailed, complex and often personal information being collected and stored? Who owns it and who has access to it? Private data can easily be manipulated from us without full consent or fall into the wrong hands, while the digitization of urban infrastructure makes us vulnerable to new forms of cyber attack — think of the impact if hackers were to target traffic lights on fast, busy roads. The sheer speed at which the context is changing makes it difficult for legislation, governance and corporate practice to keep up. “I think the number one thing that characterizes the data world is immaturity,” says Richard Tyson, director of the Intelligent Places group at architect Gensler. “We’re in an emergent place — a sort of Wild West.”
This emerging space creates an opportunity for governments and businesses to collaborate and adapt, says Lucy Casacia, who leads WSP’s smart solutions business in Canada. She points to the work in Toronto to plan a new kind of smart community on the city’s waterfront. “Discussions between public and private sector teams resulted in the proposal that an independent, government-sanctioned urban data trust control how data is collected and used over the project area. This is a catalyst for advancement, and helped shorten a cycle that might otherwise have taken years.”
One thing to remember is that data itself is neither positive nor negative. “The term ‘smart city’ is nothing more than a marketing tool — it doesn’t actually mean anything,” says Renate Samson, senior policy adviser at the Open Data Institute. The success or failure of our digitally driven future will depend on how we handle the data that’s available to us — not just from a technical point of view, but how we set up the frameworks that govern its use. At the heart of this are three intertwined questions: how data should be gathered, who should own it and who should have access to it. The answers will define whether our cities and buildings work for or against the public good — and whether we feel safe and protected rather than exposed and vulnerable as a result.

Where should data come from?
In recent years, the issue of how and why data can be gathered has received particular attention, thanks to the introduction of the General Data Protection Regulation (GDPR) in the European Union and similar initiatives elsewhere. These rules force organizations to seek unambiguous permission when holding and sharing personal data.
“The term ‘smart city’ is nothing more than a marketing tool — it doesn’t actually mean anything”
Renate Samson, Open Data Institute
One outcome is likely to be the emergence of new ways of obtaining consent. Oliver Larsson, head of telecoms at WSP in the Nordics, is working on a pilot project in Stockholm inspired by the way in which we hand over our information to websites. “We’re looking to create a big-data platform in collaboration with the mobile telecommunications operator and local stores, hotels and real estate owners,” he says. “When citizens visit a web page, they have to accept a cookie in order to get access to free wifi. By accepting the cookie, they share data about themselves such as location and payment interactions. The local businesses also commit to sharing data, for example about their turnover per day or margins on certain products.” In this case, the impetus may be commercial, which comes with its own set of ethical questions, but Larsson believes the model has wider applications: “It could help work out how citizens move around in the case of an emergency, or how a big event could affect parking in the area.”
The question of consent is about more than ease, of course — it’s about whether we feel comfortable giving away ever more personal information. Jaco Cronje, an IoT solution architect at WSP in Houston, cites the ability of building owners to optimize lighting and energy use if they have access to biometric data from tenants: “But it does require employees to make use of wearables and to willingly give away information about their heart rates, for example.” He believes that there has been a shift in attitudes with the advent of fitness apps and other tracking devices. “Medical companies are already offering incentives for access to your biometric data, so we could see that moving into office environments as well.”
SharedStreet spirit

Tech project shows how open mapping data can empower cities
US-based non-profit SharedStreets is seeking to transform the way that maps work by creating a global, open-source referencing system for transport data and urban infrastructure. “We wanted to empower cities with the tools to ingest and output data in a way that was precise and machine-readable but not proprietary,” says co-director Mollie Pelon McArdle. The project is a response to the fact that corporations such as Google invest a lot of money safeguarding the infrastructure on their maps, preventing information being used beyond their own systems. SharedStreets, by contrast, works by attaching a series of numbers and letters to locations without the need for a common map.
At present, it is primarily partnering with transport apps such as Uber and Lyft, which share their pick-up and drop-off data, but it is also interested in data produced by city authorities, for example about construction projects and street closures — it is currently in partnership with the Port Authority of New York and New Jersey. In 2020, it plans to focus on kerb regulations, such as parking and loading information. Ultimately, the hope is that cities can be empowered to shape themselves in a manner that is not directly controlled by private entities. “We think cities need to own the data about the rules and regulations that are attached to their infrastructure as well as the infrastructure maps themselves,” McArdle says.
Similar aims are at the heart of the Open Transport Partnership, a global initiative led by the World Bank with open-mapping platform Mapzen that aims to make traffic data — from drivers working for several rideshare companies — open to the world. It builds on a pilot project in Manila, where many residents spend hours stuck in traffic every day. The platform drew on anonymized data from the smartphones of 500,000 drivers operating as part of rideshare company Grab, to analyze peak congestion and travel times. The Open Transport Partnership intends to expand to cities in Malaysia, Brazil and Colombia.
Who should own it?
The issue of who owns data after it is collected is also in flux. Gensler’s Tyson is concerned by the implications of the oversaturated digital start-up market: “What happens to the data when these companies go out of business or get acquired?” In the context of construction, he says, data-driven insights are informing how buildings are designed and operated, via collaborative systems such as building information modelling (BIM) and digital twins. “But when you sell the building, who gets that data?”
As the traditional dichotomy between public and private becomes increasingly simplistic, the involvement of private actors in governmental activities is blurring the boundaries. Who owns data that is generated by a contractor managing traffic light sensors for a municipality? WSP researcher Joel Burton encountered this dilemma on the oneTRANSPORT project in the UK, when studying the feasibility of granting public access to transport data held by local authorities. “When contracts come up for renewal, hopefully they will have somebody clever enough to say where, for a service that is generating data, there need to be clauses that explicitly pull ownership of that data back to the council. Don’t sign away your rights.”
In smart cities, the waters are further muddied by the fact that so much data is generated by public-private partnerships, says Teresa Scassa, a researcher in information law and policy at the University of Ottawa. As a result, alternative models are emerging — on one hand, a drift towards greater individual control; on the other, the idea of independent or collective ownership. “The notion that the individual has agency over their personal data is gaining popularity,” she says, “though it’s further developed in Europe than North America because of GDPR.”
“Just because people can have control over their data, it doesn’t mean that they’re going to share it wisely”
Teresa Scassa, University of Ottawa
In many cases, the focus has been on consumer data rights in particular sectors, such as financial services, energy and telecommunications. Smart cities are more tricky because of the multitude of overlapping services, apps and players involved, but the concept is gaining currency. “A model that puts the individual at the centre helps to prevent data monopolies, which helps innovators and start-ups,” explains Scassa. “It also gives individuals more control and choice, because their data is not stuck with one company — it makes moving service provider easier.”
In practice, though, the level of control an individual can have is limited, she adds. “Notionally, we’re in control of our data right now, in that we can consent to it being collected and used, but that isn’t very meaningful. People may have control over who to share their data with, but companies will compete hard to get that information from you, so there’s always a risk that individuals are exploited and targeted by fraud, poor-quality services or privacy breaches. Just because people can have control over their data, it doesn’t mean that they’re going to share it wisely.”
Data trusts appear to get around some of these issues, in that they cede control to an independent body managing data for the common good and making it publicly available, rather than it being hoarded in silos. From a political perspective, the logic is that data paid for by taxes — for example, transport data gathered from publicly funded infrastructure — should not have to be paid for again and that we should all reap the benefits of, say, the improvements in commuting times that can be derived from it. In theory, this could be combined with forms of licensing and revenue sharing. “There is a sense that individuals and the collective interest are protected by this model, where a body sets parameters over the ethical use of data,” says Scassa.
Eindhoven's smart society

The Dutch city is piloting a data governance charter that aims to protect citizens’ privacy while making data more freely available
The Dutch city of Eindhoven has long been a technology hub, as the home of global electronics giant Philips. More recently, it has become a testbed for data governance, one of ten cities funded by the European Commission’s SmartImpact project to develop the structures and processes needed to plan, finance, develop and manage a smart city.
Eindhoven’s Smart Society Charter, drafted over a series of citizen-led workshops and consultations, is intended to be a “living document” and sets out seven data principles for smart city agents to “adopt, extend and reflect on”. The first principle is a guarantee of privacy for citizens and users, giving everyone insight into what is being collected and how it is to be used. The others prioritize accessibility, open standards, shared infrastructure and software, modularity for flexible growth, rigorous security, and the acceptance of social responsibility. The aim is to stimulate the market to deliver new business models and services, lowering barriers to entry, while protecting citizens from exploitation and unforeseen consequences, now and in the future.
The charter was adopted by all Dutch municipalities in November 2019, but new legislation will still be needed, says a spokesperson for the municipality: “We are still developing the tools, as technology is moving faster than laws and regulations can keep up with.”
The city is now focusing on converting data collected in the public realm into a form that is actually useful for potential partners — simply making it available isn’t enough. To this end, it has established a data inventory and appointed a data steward, responsible for classifying data for reuse and setting its value. “In Eindhoven, we have stated that data collected in public space is also open data,” he adds. “What’s already been collected is not collected again, and we reuse where possible. This demands something from the companies that work with the municipality. When you want data to be reused, you have to first classify it by privacy, security, quality and usability.”
Ensuring that municipalities retain control over how their data is exchanged is a growing challenge, according to Alanus von Radecki, lead expert on the SmartImpact project and head of urban governance innovation at the Fraunhofer Institute for Industrial Engineering in Germany. He is working with the International Data Spaces Association, which develops digital sovereignty standards, to support local authorities to act as data brokers.
“We’re developing so-called ‘connectors’ that attach the conditions for data sharing to the individual data sets,” he explains. “That means that when you share it, it comes with a condition that you can only use it for that purpose — it’s not attached as a document, but hard-coded in.” This, he says, would factor data sovereignty into the urban environment, enabling organizations to buy and sell data in the certainty that it will only be used as prescribed.
Pilots are taking place in Eindhoven and other cities, but are still at an early stage. Developing contracts that work for everyone is difficult, as is balancing the value of open data with the costs of collecting and processing it: “The question is how we can provide as much data as openly and freely as possible, without jeopardizing these opportunities for our local community of start-ups and businesses.”
Von Radecki believes that data governance is crucial to smart cities: “With urban data platforms you can enable a lot of different services and applications, and these things need to be steered by connected systems that aggregate data, increasingly in real time in one platform. So the way you set up that platform, who you set it up with, and how it’s financed, managed and operated becomes a core question.”
Who should have access to it?
So far the value of data as a commodity has led to a somewhat proprietorial attitude. Scassa suggests, however, that businesses are starting to see the advantages of pooling information with competitors — not least because this may become inevitable. Cities too might have reason to keep certain types of information to themselves to secure an edge in the competition to attract talent and tax revenues — but they may be far more willing to share it in the interest of tackling problems such as climate change. The Open Data Institute’s Samson also points to the transport app CityMapper as an example of how open data can benefit everyone. “We believe non-personal data — for example, movements around hospitals, parks and schools — should be made as openly available as possible in order to generate opportunities for more start-ups to help governments make better decisions and improve society,” she says.
Henry Okraglik, global director of WSP Digital in Melbourne, has noticed a sharp rise in public bodies seeking to open up their data. “Over the last four or five years, there has come an expectation that governments will publish data and make it available to citizens freely and in a format that makes it digestible and usable. Pretty much every tier of government is producing some degree of open data for their citizens now.”
Of course, there will continue to be a need to protect information that’ s vital to national security. This is becoming increasingly complicated in an era where data has no fixed location. Scassa warns of the unintended consequences of governments storing their data in foreign jurisdictions — for example, data stored in the US is subject to government access under the Patriot Act. “What happens if your national security authorities need access to data in order to investigate crimes, and there are problems between the two countries and they are refused access? Or if data about your city’s infrastructure is stored by a private sector company in another country, and it goes bankrupt?”
Questions of data sovereignty are now forming part of trade negotiations, and some innovative solutions are emerging — among them, Estonia’s creation of the very first “data embassy” in Luxembourg (see boxout, below). “Estonia’s economy has been targeted by major cyber attacks from within Russia, so they have backed up their data in Luxembourg, but in servers that are considered Estonian territory, so aren’t subject to local laws.”
“A Netscape 1.0 world”
Not all barriers are abstract. Some are practical. There is, for example, the challenge of bringing legacy systems up to date. The advent of cheaper cloud computing has made it easier to integrate separate data sources, but there is still some way to go when it comes to common standards. The World Council on City Data is striving to develop an international ISO standard for all cities to follow, which should facilitate compatibility.
At a building level, Gensler’s Tyson says that the UK, the EU and China are making strides towards national standards for the use of BIM, enabling better collaboration on design and construction. “But we’re in a kind of Netscape 1.0 world when it comes to digital transformation,” he says. “We have put a lot of technology into buildings that can collect data, but to create truly adaptive buildings, data designers need to be at the front of the process.”
This is something Okraglik’s team sought to do on a project in New South Wales. “A lot of smart cities go down the path of picking solutions, such as smart parking or security,” he says. “Here, we’ve approached it from the point of view that you need a unified data platform and all of those applications come later. Unless you can get all the data from your moisture sensors, garbage bins and so on correlated and interpreted, they are always going to be siloed and you’ll never derive the wider benefits.”
As part of this project, Okraglik encountered another problem: the need, as data becomes ubiquitous, for non-specialists to be able to handle it. “The client wanted to work with data without assistance, but most local governments don’t have that expertise, so we had to build a user interface that was foolproof for a non-technical person.”
Meanwhile, legal and compliance structures are failing to keep up with contemporary demands. Cronje worked on a project where combining medical records and patient movement data could have improved the hospital experience, but rules prohibited medical data from being connected to any other system. “Data means nothing in isolation — it’s when you cross-correlate it with other sources that it becomes valuable. A lot of the regulations that dictate which types of data can be shared were created in the 1970s, 80s and 90s, when our current processing power was not in place, and they are in some ways a stifling factor.”
Amid all the practical questions, there remains the issue of how amenable both citizens and organizations will be to the realities of the information age. Cronje points to the overwhelming volume and complexity of data being generated. “I think there will be a pullback in the opposite direction to the point that clients are going to keep doing business the way they always have done,” he says. “Part of the challenge for engineers is to ensure that technology has not been implemented in such a way that it is too far ahead of what the client actually needs.” His job entails a certain amount of “right-sizing” — so that when systems are handed over, they are manageable yet scalable.
And getting the public on board remains critical for success. “People are concerned about the idea that their actions are going to be monitored and controlled,” says Casacia. She thinks that better communication will be the key. “If city authorities are more transparent about who is getting the benefit of sharing data, then people may be more ready to adopt something that’s different.” It’s not about chasing technology for the sake of it, she adds: “You need to have a real purpose and make meaningful use of the data in a way that benefits more than one party, that gives users choices and offers improvements in quality of life.”
“We needed to find like-minded countries that were willing to sign an interstate contract based on the principles of the Vienna Convention”
Allan Allmere, Ministry of Economic Affairs and Communications, Estonia
The world's first data embassy

Estonia’s emergency back-up is housed in Luxembourg but remains sovereign territory
A pilot project by Estonia could prove to be a model for countries seeking to retain sovereignty over their data, even if it is stored on servers on the other side of the world. Over the past 20 years, the Baltic state has developed into what Wired magazine called “the most advanced digital society in the world” — 46.7% of Estonians now use internet voting and 99% of its services are online. Alongside this cyber-security risks have grown. In 2007, attacks originating from Russia took 58 of its websites offline at once, including those of the government, newspapers and banks. Since Russia’s annexation of Crimea in 2014, concerns have been amplified.
In response, the Estonian government considered backing up its data in two forms to ensure continuity in the case of an emergency: a virtual embassy for data in a privately owned public cloud, and a physical embassy for data in a friendly foreign country. The former was piloted in partnership with Microsoft, but was deemed to offer insufficient control to the state. After discussions with several countries, it settled on an alternative: the world’s first “data embassy” in a high-security data centre in eastern Luxembourg, which has long stored data for NATO and the European Union. “We needed to find like-minded countries willing to sign an interstate contract based on the principles of the Vienna Convention,” says project director Allan Allmere. “That meant a location where the embassy would be intact and part of the country’s territory, as is the case with ordinary embassies. But the hardest part was creating a legal document that no one in the world had done before.” The centre has the same protections as a traditional embassy, so the host country cannot access the data. The hardware was purchased and is managed by the Estonian authorities to mitigate some of the risks of losing control to another nation.
Allmere says that several countries have been in touch with his team about adopting the model, some because they face potential security breaches, others wanting to protect their data in case of earthquakes or floods. He has also been approached by countries considering offering data embassy services within their borders.
According to Teresa Scassa, information law researcher at the University of Ottawa, it’s difficult to know whether such projects, with no legal precedent, will face barriers in international law. “It is an approach that depends upon the stability and trustworthiness of the country in which the data embassy is located,” she says. In practical terms, she points out that vital government data can change quickly — for example, entries in land title registers are made many times a day. “So one challenge for a data embassy that essentially functions as a secure back-up of domestic government systems is remaining up-to-date. If anything happened to the principal systems, for example, what confidence could there be in the version maintained in the data embassy? There may be technological solutions for this, and I understand that blockchain may be part of it. But it is an important issue.”
Leave a comment