Privacy Implication Of Smart Cities: Safeguarding Citizen’s Data In Urban Environment

February 21, 2024


India’s Smart Cities Mission (hereinafter referred to as “SCM”) started in 2015 as a transformative journey to revolutionize urban management through digital advancement. SCM is one such initiative that has brought forth numerous opportunities within the urban household to leverage Information & Communication Technology (hereinafter referred to as “ICT”) solutions. Since then, there has been growing acceptance of the concept of ‘city-as-a-platform’.

The primary objective of the SCM is to offer a high quality of life to residents, along with essential infrastructure, while fostering sustainable alternatives through innovative “smart” solutions. To streamline this endeavour, it is necessary to establish robust infrastructure to make cities “Data Smart”.

The idea of making “Data Smart” Cities is complementary to “Smart Cities”. With the rapid increase in technologies, Internet of Things (hereinafter referred to as “IoT”) devices and sensors, there is an abundance of data collected about residents. The idea of SCM is built around the IoT, a term used for physical objects that are embedded with sensors and backed by network connectivity. This enables them to act upon data when it is received.

The absence of a data protection mechanism would lead to data leakages and privacy implications. Therefore, ensuring data privacy is one of the building blocks for establishing smart cities.


In smart cities, data is collected with a network of sensors spread across the urban landscape. For example, data is absorbed via IoT operations, street cameras, social media, administrative agencies, and mobile applications. This data is collected and put to use in civic infrastructure.

The data collected through the public transportation networks enables the creation of new bus routes. Installation of street cameras on roads linked to digital networks enables a better understanding of traffic collisions, vehicular movement, and pedestrian activity. This data collected through various sources aids urban planners in managing the civic infrastructure. IoT operations are backed by Information technologies that enable sensors to collect data for future infrastructure needs.

Additional data is collected through mobile applications and social media, which further facilitates the objective of SCM. Data-driven infrastructure helps in the creation of smart buildings, optimizing energy consumption, and improving waste management.

The aspiration of making smart cities is backed by an abundance of data but at what cost?


A. Initiatives by Ministry of Housing and Urban Affairs

At present, the Ministry of Housing and Urban Affairs (hereinafter referred to as “MoHUA”) has been taking initiatives to ensure data privacy while recognizing its value for improving service delivery in smart cities. Among these, the Data Maturity Assessment Framework (hereinafter referred to as “DMAF”) has completed its 2nd cycle and is developing the Data Smart Cities.

In addition to that, there has been a constant effort for cities to develop a City Data Policy (hereinafter referred to as “CDP”). This will serve as a base canon for effective data management. It will facilitate data governance, innovation and protection in the urban landscape.

According to a press release dated December 21, 2023 from the Government of India, MoHUA highlighted the progress in data management for cities under the heading “Data about Cities”.

The National Data Sharing and Accessibility Policy (hereinafter referred to as “NDSAP”) was highlighted as it ensures easy facilitation of sharing of non-personal data for various developmental purposes.

In addition to this, the Urban Outcomes Framework launched in 2022 has facilitated sharing data across 14 sectors and over 400 parameters for more than 200 cities, through a portal called AMPLIFI (Assessment and Monitoring Platform for Liveable, Inclusive, and Future-ready Urban India).

This further boosts effective urban data management. Furthermore, the SCM has established the India Urban Data Exchange (hereinafter referred to as “IUDX”) which is a secure platform for sharing sensitive data among authorized entities.

B. City Data Policy and its components

The CDP plays a vital role in ensuring privacy and data protection. This section outlines the key components of a CDP, which are as follows:

  1. Data categorization: In line with the DSC Strategy, data must be broadly categorized into two types: Personal and Non-Personal. Personal data would encompass “Personally Identifiable Information” (hereinafter referred to as “PII”), which is the data through which an individual can be identified, whereas non-personal data is without PII and includes anonymous data.
  2. Data classification: This involves organizing data into categories to optimize its use effectively and efficiently. The data collected will be divided into four levels, Level I to Level IV. Each level has a different access point. They are as follows:
     • Level I – Public/Shareable Data
     • Level II – Negative List, which is restricted data listed by departments or organizations and not for public sharing
     • Level III – Restricted data, which is accessible through valid registration and authorization by departments
     • Level IV – Sensitive Data, which is highly confidential and subject to stringent security measures
  3. Data flow/approval framework: Once the data is collected, the CDP must mention the various stakeholders involved in the movement of data from source to destination.
  4. Data archival and retention: Data retention will ensure that collected data is stored for a particular time limit. Further, data archives will be made for specific kinds of data. This ensures that data is collected for historical records for long-term use and future reference.
  5. Data security and privacy: The CDP must establish protocols ranging across security aspects, network security, application security, citizen privacy and monitoring the databases, among others. Throughout the processes of collection, sharing, and analysis of data, the CDP must prioritize data protection.
  6. Standard Operating Procedures (SOPs): The SOPs must be designed with a view to standardizing data operations and enhancing uniform data management.

C. Current Status Quo: Data Maturity Assessment Framework (DMAF) Cycle 2

In this section, we will briefly understand the status quo from the DMAF Cycle 2 Policy:

  1. City Data Policies: Currently 45 cities have developed their own City Data Policies, with 35 of them approved and currently undergoing implementation.
  2. Allocated Data Budget: In the fiscal year 2020-21, allocated budgets for data-related activities have been designated for 32 cities. These activities include capacity building, workshops, skill enhancement, and the procurement of data tools.
  3. City Data Officers (CDOs): The total number of appointments of City Data Officers has been 100, with 13 holding permanent positions to lead data-driven activities. In addition to that, 61 cities have appointed Data Coordinators to facilitate departmental data tasks under CDO guidance.
  4. Capacity Building: In total 25 cities have conducted capacity building, training and sessions on data-related subjects.
  5. Data Alliances: In total 12 cities have formed data alliances for data sharing and addressing urban challenges. In addition to this, 10 cities have organized data hackathons to address urban issues through smart solutions.


The Digital Personal Data Protection Act, 2023 (hereinafter referred to as “Act”) plays a vital role in safeguarding data involved in data processing within smart cities. Specifically, the Act defines the role of a “Data Fiduciary” in Section 2(i), which refers to “any individual or entity responsible for determining the purpose and methods of processing personal data, either alone or in collaboration with others”.

Section 8 of the Act entails the “General obligations of Data Fiduciaries”, which include processing personal data and ensuring its accuracy, completeness, and consistency. In addition to this, it is mandatory to implement appropriate technical as well as organizational measures to secure an effective observance.

Data Fiduciaries must safeguard personal data either in their possession or under their control and prevent data breaches. They are also responsible for erasing such data when the legitimate purpose of such data is over or when the data principal withdraws consent, whichever is earlier. This encompasses all stages of data handling, including collection, storage, and any other operations involving personal data.

Additionally, the Act outlines the rights and duties of “Data Principals” under Section 11 – “Right to access information about personal data” and Section 12 – “Right to correction and erasure of personal data”, among others. Data Principals are those individuals whose personal data is being processed. These sections grant Data Principals the right to correct, complete, update, and erase their personal data. This ensures that Data Principals have control over their personal data and can rectify any inaccuracies in their data.

In essence, the Act serves as a legal framework to regulate the processing of personal data within smart cities. The Act plays a critical role in maintaining trust and accountability among the various stakeholders involved in data handling practices within smart city environments.


The potential risks involved include a diverse urban population with varying levels of literacy, which adds another layer of complexity to implementing SCM. The potential risks are discussed below:

  1. Digital Awareness: One potential risk is the lack of digital literacy among the stakeholders involved in and contributing data to SCM. If stakeholders, including residents and city officials, are not adequately trained about the rights and obligations regarding data policies and data protection, it raises a potential risk of non-compliance with data regulations, and a risk to groups with lower levels of digital literacy.
  2. Transparency and Accountability: Lack of transparency and accountability will adversely affect the CDP. If data policies are not transparently communicated or enforced, it leads to detrimental effects on public trust in data governance policies.
  3. Proper Classification and Categorization: Inadequate classification and categorization of data serves as a potential risk to city data policies. The data classification must be clearly defined in the CDP. If it lacks transparency, it will lead to improper handling, storage, or sharing of data. This will lead to data breaches, data leakage, or misuse of sensitive information without proper disclosures.


  1. Establishing City Data Alliances: Inclusive governance structures, such as City Data Alliances, which will act as an advisory body to the administrative authorities, should be established. The body must have representation from diverse socio-economic backgrounds to ensure that it caters to the needs of every group.
  2. Transparent Mechanism: The authorities must disclose the objective of such data collection. Along with that, they must provide detailed information on what data is being collected and how long this data will be retained by them. This will ensure a transparent mechanism for users to make informed decisions.
  3. Cultivate Data Culture: MoHUA must focus on initiatives to cultivate data culture. This can be done by focusing on building data-driven governance at the city level and promoting participation of the public in initiatives such as Smart City Data Alliances, Data Networks, and Open Data initiatives. It will further boost collaboration, innovation, and knowledge among stakeholders.
  4. Prioritizing CDP to ensure Privacy and Security: As per DMAF Cycle 2, the aspects that can be improved include capacity building, collaboration, and promotion of digital literacy. As per the data, City Data Policies have been made by only 45 cities, and there is a huge gap between our aspirations and the reality. It is evident that the CDP forms an essential part of protecting data in the SCM.
  5. Establish proper channels of data dissemination of privacy and security: Developing security controls and standards, such as allowing API calls and data dissemination only by data fiduciaries to authenticated stakeholders, will ensure that potential risks are mitigated.


The SCM holds immense promise for turning aspirations into tangible reality in urban landscapes. As discussed above, DMAF Cycle 2 highlights that there are several areas to work upon in order to bridge the gap between the aspirations and the reality of SCM. These include enhancing capacity building initiatives, fostering collaboration among stakeholders, and promoting digital literacy.

The CDPs play an essential role in safeguarding the rights of individuals. However, as per the data, only 45 cities have formulated their CDPs. In order to realize the objectives of SCM, we must ensure that we are “Data Smart” to protect our rights. We must establish effective data management capacity building, collaborative partnerships, and enhanced digital literacy. Through this, we can pave the way for a more inclusive, transparent, and data-driven approach to urban development under the SCM.

– Team AMLEGALS assisted by Ms. Srishti Dwivedi
