Ensuring data protection in the smart city: accountability in the data-intense, multi-actor smart city environment

All over the world the phenomenon of cities resorting to Information Technology and data analytics to improve efficiency, security, transport etc. continues to rise. ‘Smart cities’ have the potential to improve quality of life, but also bring along significant risks to the fundamental rights of citizens, especially privacy and data protection. The EU enjoys a comprehensive framework on data protection aimed precisely to protect individuals against the risks of processing: data protection is recognised as a fundamental right in the Charter and TFEU, and also regulated in detail in secondary law – the General Data Protection Regulation (GDPR). This legal framework revolves around the accountability principle. With accountability, the GDPR places to those who decide to process personal data (known as ‘controllers’) important responsibilities that go beyond mere record keeping and compliance ticks. Because the GDPR is an omnibus act operating on the basis of open principles, controllers are called to interpret and apply such principles to on-the-ground measures, thereby dealing with issues of legality, legitimacy, balancing of interests. The proposed research aims to evaluate the application of this accountability-based legal framework in the complex, data-intense and multi-actor smart city environment. It will investigate the difficulty of assigning responsibilities for the processing and fundamental rights protection due to the presence of both public and private actors in the processing, as well as challenges in defining the scope of actors’ responsibility given the potential for aggregated effects on fundamental rights arising from the combination of different smart city initiatives.