By Jo Kwon
Last week, the Center for Urban & Regional Studies (CURS) at UNC hosted a roundtable on Governance and Smart Cities. This offered a perfect preview of the topics that will be addressed in Volume 48 of the Carolina Planning Journal, entitled Urban Analytics: Capabilities and Critiques. The roundtable included Prof. Päivi Korpisaari from the University of Helsinki, Prof. Anne Klinefelter from the UNC School of Law, Dr. Arcot Rajasekar from UNC School of Information and Library Science, Kevin Webb from Open Transportation Partnership & SharedStreets, and Prof. Nikhil Kaza from the UNC Department of City and Regional Planning.
Prof. Korpisaari ‘s presentation on “How to govern & process personal data in Smart Cities?” gave an overview of possible solutions and outstanding questions like who takes control of the data, and how citizens participate in data governance. She shared that, in the European Union (EU), this conversation revolves around the General Data Protection Regulation (GDPR). This data protection law, adopted in 2016, gives EU citizens the “Right to be Forgotten” . It also defined ‘pseudonymisation’ as personal data that is not associated with any specific data subject, and that ensures personal data cannot be traced to an identified or identifiable natural person . In this way, the GDPR has created a provisional compromise in this fast-evolving field, shaping European countries’ laws around data. The law regulates corporations and cities but also enables them to use data with pseudonymization. The GDPR’s reach also appears to be expanding, with more tech companies being fined and new countries joining and leaving the EU.
Appropriately, this roundtable on European law hosted at a US university quickly evolved into a conversation about the differences between the US and EU approaches to data privacy. While the EU countries have a unified law, the US has a variety of laws—or, in some realms, no laws—addressing aspects of data protection. By way of example, Prof. Klinefelter mentioned an Illinois court’s April 2022 decision on biometric data. The US District Court for the Northern District of Illinois ruled that photographs of faces are biometric identifiers and will be regulated . But this decision affects only Illinois, while biometric data laws otherwise differ from state to state. California, Florida, Kentucky, Maine, Maryland, Massachusetts, Missouri, New York, and North Carolina all regulate biometric data, but even these states have different understandings of the term and its applications .
All of these regulatory discrepancies among states and countries can create immense challenges for organizations that want to process data for Smart City applications. With no unification of rules, some jurisdictions may be favored by businesses, while others may be isolated. For example, states without or with flexible biometric laws can collect more data with photos, build more accurate records or use the data for research. Stricter states may miss out on advancing technology or research, but may benefit from precaution in other ways. Moreover, in this dynamic field, even a unified rule—nationwide or globally—may not ensure that data will be protected. As planners or future planners, how can we think critically when it comes to data usage, data processing, and newly built Smart Cities? These are some places to start:
- Acknowledge the importance of protecting personal information;
- Understand the differing definitions of terms such as data, data processing, transparency, and smart cities used by various cities, states, and countries;
- Recognize that these new regulations will have to be versatile with the imperfect foresight of the constant changing technology;
- Consider the desirability or necessity of a unified regulatory approach such as the GDPR that could be applied globally;
- Reflect on how cultures of privacy and of data usage differ among states and countries; and,
- Explore the role of city governments in data protection in smart cities.
If you’d like to learn more about CURS, check out the CURS website. If you’d like to explore some examples of smart cities and urban analytic posts, check out the previous post on Chapel Hill as the Next Smart Town and Machine Learning and Planning Research: How Each Can Push the Other’s Frontiers.
 European Union. n.d. “General Data Protection Regulation (GDPR) Compliance Guidelines.” GDPR.Eu. Accessed September 28, 2022. https://gdpr.eu/.
 European Union. 2016. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance) 88.
 Baker Botts LLP. 2022. “Photographs No Longer Excluded under BIPA, Illinois’ Biometric Law.” Baker Botts. May 31, 2022. https://www.bakerbotts.com/thought-leadership/publications/2022/may/photographs-no-longer-excluded-under-bipa-illinois-biometric-law.
 Frost Brown Todd. 2019. “Collecting Biometric Data: What You Need to Know – Frost Brown Todd | Full-Service Law Firm.” Frost Brown Todd. August 9, 2019. https://frostbrowntodd.com/collecting-biometric-data-what-you-need-to-know/.
Jo (Joungwon) Kwon is a fourth-year Ph.D. student in the Department of City and Regional Planning. She is interested in using visuals in plans, specifically in environmental planning. She has been a part of CPJ since 2019. With a background in Statistics and English Literature, she received her M.A. in Computational Media at Duke University. In her free time, she enjoys watching indie films, going to live performances, and drinking good coffee.
Edited by Lance Gloss
Featured image: Roundtable Presentation