
D6.1 - Report on legal and administrative impacts
Source: espresso.espresso-project.eu/wp-content/uploads/2018/03/D6.1.pdf

ESPRESSO systEmic Standardisation apPRoach to Empower Smart citieS and cOmmunities
GA 691720 – Co-funded by the Horizon 2020 Framework Programme of the European Union

D6.1 – Report on legal and administrative impacts
File: D6.1 - Report on legal and administrative impacts.docx
Page 1 of 51

DELIVERABLE

D6.1 – Report on legal and administrative impacts

Project Acronym: ESPRESSO

Grant Agreement number: 691720

Project Title: systEmic Standardisation apPRoach to Empower Smart citieS and cOmmunities

Authors: Mario Conci (HIT)

Revision: Giorgio Farina (PwC), Francesco Mureddu (PwC)

Project co-funded by the Horizon 2020 Framework Programme of the European Union

Dissemination Level
P  Public  X
C  Confidential, only for members of the consortium and the Commission Services

Ref. Ares(2017)3190848 - 26/06/2017


1.  Revision history and statement of originality

9.1   Revision history

Rev | Date | Author | Organization | Description
1 | 01/12/2016 | Mario Conci | HIT | First draft
2 | 20/01/2017 | Giorgio Farina | PWC | Revision
3 | 16/03/2017 | Rob Poll-van Dasselaar | ROTTERDAM | Input for the regulations in the NL
4 | 27/03/2017 | Mario Conci | HIT | Second version
5 | 24/05/2017 | Rene Tõnnisson, Kadri Uus, Rick Klooster, Rob Poll-van Dasselaar | TARTU, ROTTERDAM | Input from the survey
6 | 31/05/2017 | Giorgio Farina, Francesco Mureddu | PWC | Revision
7 | 06/06/2017 | Mario Conci | HIT | New revised version
8 | 16/06/2017 | Giorgio Farina, Francesco Mureddu | PWC | Revision
9 | 21/06/2017 | Mario Conci | HIT | Final version
10 | 26/06/2017 | Irene Facchin | TRILOGIS | Quality check

9.2   Statement of originality

This deliverable contains original unpublished work except where clearly indicated otherwise. Acknowledgement of previously published material and of the work of others has been made through appropriate citation, quotation or both.


2.  List of references

Number  Full Reference

1  EU Press Release, 2012, http://europa.eu/rapid/press-release_IP-12-760_en.htm

2  Albino, Berardi and Dangelico, 2015, Smart Cities: Definitions, Dimensions, Performance, and Initiatives, Journal of Urban Technology, vol. 22, issue 1, pages 3-21.

3  BSI, The Role of Standards in Smart Cities, Issue 2 (August 2014)

4  The EU Single Market, EC (2015), http://ec.europa.eu/growth/single-market/index_en.htm

5  China Academy of Information and Communications Technology, EU-China Policy Dialogues Support Facility II, 2016, Comparative Study of Smart Cities in Europe and China 2014

6  European Data Portal, 2016, Analytical Report 4: Open Data in Cities, https://www.europeandataportal.eu/sites/default/files/edp_analytical_report_n4_-_open_data_in_cities_v1.0_final.pdf

7  An overview of smart sustainable cities and the role of information and communication technologies, ITU-T Focus Group on Smart Sustainable Cities, Technical Report, 10/2014

8  EU COM(2017) 134 final, "European Interoperability Framework - Implementation Strategy", http://eur-lex.europa.eu/resource.html?uri=cellar:2c2f2554-0faf-11e7-8a35-01aa75ed71a1.0017.02/DOC_3&format=PDF

9  Protegrity Blog, 2017, Energy and Utilities Industry Cannot Afford Slow Response to GDPR, http://www.protegrity.com/energy-utilities-industry-cannot-afford-slow-response-gdpr/

10  Frost & Sullivan, 2014, "World's Top Global Mega Trends To 2025 and Implications to Business, Society and Cultures", https://www.smeportal.sg/content/dam/smeportal/resources/Business-Intelligence/Trends/Global%20Mega%20Trends_Executive%20Summary_FROST%20%26%20SULLIVAN.pdf

11  Shadbolt, N., Berners-Lee, T., & Hall, W. (2006). The semantic web revisited. IEEE Intelligent Systems, 21 (3), 96–101.

12  Kitchin, R. (2016) Getting smarter about smart cities: Improving data privacy and data security. Data Protection Unit, Department of the Taoiseach, Dublin, Ireland. http://www.taoiseach.gov.ie/eng/Publications/Publications_2016/Smart_Cities_Report_January_2016.pdf

13  Edwards, Lilian, Privacy, Security and Data Protection in Smart Cities: A Critical EU Law Perspective (January 5, 2016). European Data Protection Law Review (Lexxion), 2016, Forthcoming. http://dx.doi.org/10.2139/ssrn.2711290

14  e-Governance Academy Foundation, e-Estonia: e-Governance in Practice, 2016, http://ega.ee/wp-content/uploads/2016/06/e-Estonia-e-Governance-in-Practice.pdf

15  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32016R0679

16  EU COM(2017) 9 final, "Building a European Data Economy", http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2017%3A9%3AFIN

17  Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2012:316:0012:0033:EN

18  Smart Grids Task Force, Ad hoc group of the Expert Group 1 – Standards and Interoperability, My Energy Data, 2016, https://ec.europa.eu/energy/sites/ener/files/documents/report_final_eg1_my_energy_data_15_november_2016.pdf

19  EU Press Release, MEMO/15/6385, 2015, Questions and Answers - Data protection reform, http://europa.eu/rapid/press-release_MEMO-15-6385_en.htm

20  European Commission, Directorate-General for Internal Market, Industry, Entrepreneurship and SMEs, 2016, Rolling Plan for ICT Standardisation, http://ec.europa.eu/information_society/newsroom/image/document/2017-13/grow_rolling_plan_ict_2017_web_170302_C7EC62EB-0196-6C12-45229D71D00B0D6B_43894.pdf

21  ePrivacy Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32002L0058

22  Directive 1999/5/EC of the European Parliament and of the Council of 9 March 1999 on radio equipment and telecommunications terminal equipment and the mutual recognition of their conformity. http://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A31999L0005

23  Creating Value through Open Data, A study on the Impact of Re-use of Public Data Resources, 2015, https://www.europeandataportal.eu/sites/default/files/edp_creating_value_through_open_data_0.pdf

24  Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:31995L0046

25  Goodbye Cookie Banners? The European Commission Proposes to Simplify the Cookie Law, 2017, http://www.carpedatumlaw.com/2017/01/goodbye-cookie-banners-european-commission-proposes-simplify-cookie-law/

26  Proposal for an ePrivacy Regulation, DG Connect, 2017, https://ec.europa.eu/digital-single-market/en/proposal-eprivacy-regulation

27  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

28  DG Justice, Reform of EU data protection rules, http://ec.europa.eu/justice/data-protection/reform/index_en.htm

29  Handbook on European data protection law, 2014, European Union Agency for Fundamental Rights, http://www.echr.coe.int/Documents/Handbook_data_protection_ENG.pdf

30  Article 29 Data Protection Working Party, Guidelines on Data Protection Officers ('DPOs') (13/12/2016), http://ec.europa.eu/newsroom/document.cfm?doc_id=43823

31  DPO Network Europe: DPO Decision Tree, https://iapp.org/media/pdf/resource_center/DPO_decisiontree-v2.pdf

32  Fieldfisher publications, 2017, Data Protection: Does the German Implementation Act (BDSG-E) undermine the GDPR? http://privacylawblog.fieldfisher.com/2017/data-protection-does-the-german-implementation-act-bdsg-e-undermine-the-gdpr/

33  M&A Publications, 2017, The European General Data Protection Regulation - Top seven actions companies need to take, http://privacylawblog.fieldfisher.com/2017/data-protection-does-the-german-implementation-act-bdsg-e-undermine-the-gdpr/

34  Business Pulse, 2017, European IT leader survey shows GDPR compliance remains a confusing, slow-moving process, https://home.kpmg.com/pt/en/home/insights/2017/04/impact-of-gdpr.html

35  CEE Legal Matters Magazine, 2017, Three Major Operational Changes of the New GDPR – Are Greek Companies Compliance-Ready Yet? http://www.ceelegalmatters.com/index.php/greece/6287-three-major-operational-changes-of-the-new-gdpr-are-greek-companies-compliance-ready-yet

36  CorCom, 2017, Allarme privacy, aziende italiane "borderline" sul Gdpr (Privacy alarm: Italian companies "borderline" on GDPR), http://www.corrierecomunicazioni.it/digital/45362_privacy-aziende-italiane-a-rischio-sanzione-ue-solo-1-su-10-e-pronta.htm

37  PwC US Press room, 2017, GDPR Compliance Top Data Protection Priority for 92% of US Organizations in 2017, According to PwC Survey, http://www.pwc.com/us/en/press-releases/2017/pwc-gdpr-compliance-press-release.html

38  Data Protection Laws of the World: the Netherlands, 2017, http://www.dlapiperdataprotection.com

39  Loenen, B. van, J. de Jong, J.A. Zevenbergen, 2008, Locating mobile devices; balancing privacy and national security, NWO Research report.

40  Loenen, B. van, Welle Donker, F., Kulk, S., Groetelaers, D., De Jong, J., & Ploeger, H. (2011). Databeleid Rijkswaterstaat: Deel: Hoofdwatersysteem; een overzicht van de juridische kaders omtrent het omgaan met data (Data policy of Rijkswaterstaat: Part: Main water system; an overview of the legal frameworks for handling data) (Tech. Rep.). OTB Research for the Built Environment.

41  Data Protection Laws of the World: Estonia, 2017, http://www.dlapiperdataprotection.com

42  eIDAS: Regulation (EU) No 910/2014 - Regulation on Electronic Identification and Trust Services for Electronic Transactions, http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2014.257.01.0073.01.ENG

3.  Table of Acronyms

Acronym | Description
eIDAS | Electronic Identification and Trust Services for Electronic Transactions
ANPR | Automatic Number Plate Recognition
API | Application Programming Interface
CCTV | Closed-circuit television
CIO | Chief Information Officer
DPA | Data Protection Authority
DPO | Data Protection Officer
GDPR | General Data Protection Regulation
GVA | Gross Value Added
IoT | Internet of Things
IT | Information Technology
LOD | Linked Open Data
OA | Open Access
PSI | Public Sector Information
UTL | University of Tartu Library
WBP | Wet bescherming persoonsgegevens (Law for the protection of personal information)
WOB | Wet openbaarheid van bestuur (Law of public access)


4.  Executive Abstract

The goal of T6.1 is to analyse the regulatory framework that will characterise the development of tomorrow's Smart City market and to understand how it fits with the architecture proposed in ESPRESSO and its implementation. It is based on an analysis of the legal and regulatory frameworks likely to be introduced as a result of technical evolution or societal trends, both at EU level (in terms of foresight of future Communications, Directives etc.) and at local level within the pilot cities selected for ESPRESSO.

The activities focused on extensive desk research covering research papers, official EU documentation and grey literature addressing the main European regulatory frameworks relevant to the development of Smart Cities. Specifically, following the main technological trends driven by the Internet of Things, particular attention has been paid to open data management, access, security, privacy, portability and interoperability.

These results are included in the first part of D6.1, where the relevant regulation currently in force at EU level is analysed with regard to privacy and data management. The second part of the report focuses on the use cases implemented during the second year of the project; specifically, a more detailed analysis has been carried out of the national regulations affecting the privacy-related aspects explored through the use cases.


5.  Table of Content

1.  Revision history and statement of originality  2
9.1   Revision history  2
9.2   Statement of originality  2
2.  List of references  3
3.  Table of Acronyms  6
4.  Executive Abstract  7
5.  Table of Content  8
6.  Table of Figures  10
7.  Table of Tables  10
8.  Introduction  11
8.1   Technology Trends and Smart Cities  13
8.2   Open Data  13
8.3   The Internet of Things  14
8.4   Open data and IoT need for new regulations  16
9.  The importance of Open Data Management  19
9.1   Access to Data  19
9.2   Security  20
9.3   Privacy  22
9.4   Portability and Interoperability  22
10.  European framework and main legal issues  24
European Framework  24
Reuse of Government Open Data  26
Data Protection and ePrivacy Directive  27
11.  General Data Protection Regulation  31
11.1   Data protection Officers (DPOs)  33
11.2   Implementation of GDPR in Europe and beyond  35
12.  Focus on the Pilot Cities national regulations  37
12.1   Rotterdam and the Netherlands  37
12.1.1   Focus on Rotterdam  38
12.1.2   Law of public access (Wob)  39
12.1.3   Law for the protection of personal information (Wbp)  40
12.1.4   Open Data  40
12.2   Tartu and Estonia  41
12.2.1   Data Protection Law in Estonia  42
12.3   Discussion of the results from the survey  44
12.3.1   First section: EU regulations context  44
12.3.2   Second section: GDPR  45
13.  Conclusions  47
14.  Annex  49


6.  Table of Figures

Figure 1. DPO Decision Tree.  34

7.  Table of Tables

Table 1. Examples of Smart City Fields and IoT components.  15
Table 2. Questionnaire GDPR focus.  45


8.  Introduction

In the last two decades, urban centres have become the destination of choice for citizens and businesses seeking prosperity, stability and social and educational facilities, leading to the progressive abandonment of rural areas and a rising concentration of population within metropolitan areas. Currently more than 75% of Europeans live in cities; by 2050 this share will exceed 80%. High urban density poses many challenges for a sustained and sustainable environment: as the urban population continues to grow, cities already consume 70% of the EU's energy. Congestion costs Europe about 1% of its GDP every year, mostly in urban areas. Cities produce the most waste, are responsible for most greenhouse gas emissions and suffer from problems such as segregation and unemployment1. Therefore, as global trends become environmentally, economically and socially unsustainable, a heavy load of expectations lies on cities regarding their capacity for innovation and their ability to steer the transition towards a sustainable and inclusive post-fossil urban society.

Models and concepts for urban development have been put forward in both literature and practice during the past decade in an attempt to solve a fundamental conundrum: optimising resource usage, reducing costs and creating economic growth while at the same time delivering sustainability, participation, an acceptable standard of civic services and quality of life. Among these concepts, that of the "smart city" stands out. Smart city initiatives in European cities focus on technological innovation in the fields of energy efficiency and low-carbon technologies for buildings, energy and transport, so current smart city research is primarily technology-oriented. However, policy-makers are increasingly aware that ICT-driven technological innovation alone will neither deliver the 'real smart city' nor create opportunities for continuous learning and innovation. The smart city agenda is more likely to succeed if it is part of an integrated process of urban planning and participatory governance that also takes into account place-specific conditions and local institutions2.

These new designs promise more efficient management of the forces driving the push for smarter cities: economic health, poverty mitigation, improved healthcare, better use of natural resources, crime reduction, stewardship of the planet and so on. Technology therefore has the ability to enable transformation. Nevertheless, these changes imply that cities in the coming years will install and operate communication infrastructures, owned and managed by multiple vendors, to gather and exchange information3. Cities will therefore need to find a way to harmonise the plethora of standards covering interoperability, both within particular service delivery systems and across them. Policy-making will be crucial in harmonising standards so as to reduce the legal and administrative obstacles that characterise the fragmented context of a smart city, which in turn will foster the implementation of the European single market4.



The report’s structure is as follows:

•   Section 1 provides an overview of the main technological trends that have an impact on the implementation of smart city solutions.

•   Section 2 highlights the relevance of open data for a smart city and introduces the main issues related to data management.

•   Section 3 outlines the European regulations on privacy with a focus on the General Data Protection Regulation.

•   Section 4 focuses on the pilot cities describing the regulatory aspects related to the implementation of the use cases with specific focus on privacy-related issues.


8.1   Technology Trends and Smart Cities

Smart cities are often described as an urban development model based on the convergence of ICT with traditional infrastructures, services and networks, to meet the needs of their different stakeholders: local and international companies, research institutes, international institutions and citizens. Through the intelligent management of resources, the supporters of this model hope that cities will raise the quality of life, drive down waste and improve economic conditions. "Smartness" is, in other words, the means for green, low-carbon and sustainable development5. Breaking the ICT concept down further into specific systems and applications, smart cities can be characterised by a set of technological phenomena that are both driving the increasing supply of urban data and enabling the generation of innovative smart city services from that data. A smart city uses information and communication technologies to enhance the quality, performance and interactivity of urban services, to reduce costs and resource consumption and to improve contact between citizens and government. Cities understand that a truly 'smart city' cannot be built through top-down initiatives alone, but needs the involvement of its residents. The key to making a city smart is to centre the initiative on people and openness. The two trends that influence the development of smart cities more than any other are Open Data and the Internet of Things6.

8.2   Open Data

Today's technology allows a new way to provide basic data. Smartphone applications for weather forecasts, navigation and restaurant finders, to name just a few, are built on open data. Open data refers to information that can be freely used, modified and shared by anyone for any purpose. It must be available under an open licence and provided in a convenient and modifiable form that is machine readable7. Cities collect and generate a wide variety of data and information, ranging from census data to scientific research to healthcare, and people increasingly rely, often without being aware of it, on open data in their everyday lives. Open data thus becomes a valuable resource for solving civic problems, improving transparency and linking local government with its citizens. The huge amount of data that cities gather can help them solve problems more efficiently and monitor the issues they face every day. Transportation, for example, is a sector where open data is already being exploited in mobile applications that help citizens and emergency responders plan their journeys, choosing alternative routes where necessary.

5 Albino, Berardi and Dangelico, 2015, Smart Cities: Definitions, Dimensions, Performance, and Initiatives, Journal of Urban Technology, 2015, vol. 22, issue 1, pages 3-21.
6 China Academy of Information and Communications Technology, EU-China Policy Dialogues Support Facility II, 2016, Comparative Study of Smart Cities in Europe and China 2014.
7 European Data Portal, 2016, Analytical Report 4: Open Data in Cities. https://www.europeandataportal.eu/sites/default/files/edp_analytical_report_n4_-_open_data_in_cities_v1.0_final.pdf


There are also other benefits brought by open data. Cities are in fact starting to take advantage of open data also with regard to the creation of new jobs, as a way to engage citizens in the development of policies, and to deliver new services and products with higher efficiency. Efficiency is a crucial factor for a city, since it improves resource allocation and reduces waste. Open data can help public administrations become more efficient while also saving costs for citizens. Despite the opportunities offered by “free data,” this trend also raises new challenges and concerns, among them personal privacy and security. These topics are described in the following sections.

8.3   The Internet of Things

Highly interconnected with open data is the Internet of Things (IoT), the technology that more than any other will affect the development of a smart city, since it is the platform on which objects, people, buildings and services are connected. The Internet of Things expands the services and applications provided by the present communication networks and the Internet. Sensing and identifying the physical world by means of sensors and intelligent devices built into the physical infrastructure, IoT performs computing, processing and knowledge mining in such a way as to achieve seamless information interaction between humans and objects as well as between objects, thereby serving the purposes of real-time control, accurate management and scientific decision-making8. IoT can be described as a global infrastructure that connects not just humans with things but also things with every other thing9. Thanks to IoT, a vast number of objects in the world are connected together and autonomously produce data and information that needs to be managed. In response to such a massive production of data, the city should implement ICT infrastructures able to manage data and deliver any crucial information to any relevant actor or department at any given moment. One example of using the Internet of Things to make a city smarter is streetlights: in order to save energy, a sensor detects movement and the light is switched on only when someone is moving; it also notifies the municipality of malfunctions or damage. A more advanced example of using IoT to develop smarter cities can be found in the automotive industry. Modern cars are equipped with temperature sensors, GPS, traffic block logs and pollution monitoring. If the car manufacturer provides this information to the municipality, it allows cities to develop traffic management and pollution control systems. Public transport is also a source of data: real-time ticket data systems can be used for predictive maintenance, identifying which vending machines and entrance gates are used most. Many other personal objects and devices contain intelligent meters or sensors whose data can be combined with open data to improve overall city performance. Table 1 outlines the fields that characterize a city and some examples of related components that will soon be available as a consequence of the Internet of Things.

8 China Academy of Information and Communications Technology, EU-China Policy Dialogues Support Facility II, 2016, Comparative Study of Smart Cities in Europe and China 2014.
9 An overview of smart sustainable cities and the role of information and communication technologies; ITU-T Focus Group on Smart Sustainable Cities, Technical Report, 10/2014.

Open Data

It is recommended that data on energy, utilities, transportation, and other basic datasets be made public. This is vital in facilitating the cross-scale information sharing component of a smart city. Information sharing allows better operational decisions to be made and implemented. It is equally important to note that all data should be presented in a consistent and standardized manner.

Table 1. Examples of Smart City Fields and IoT components.

SCC Fields / Example of IoT components

Real estate and buildings
• Synergies between energy efficiency, comfort and safety and security
• Building as a network: integration of multiple technologies (HVAC, lighting, plug loads, fire, safety, mobility, renewable, storage, materials, IAQ, etc.)
• Software: efficiency, automation and control, analytics and big data management

Industrial and manufacturing
• Data interoperability
• Sustainable production and zero emissions
• Networked sensors and cloud computing
• Factories of the future

Energy and utilities
• Smart grid and smart metering: generation/distribution/measurement
• Wireless communications
• Analytics and policies
• Load balancing, decentralization and co-generation

Air, water and waste management
• Water information systems (WIS)
• Integrated water, waste and energy savings optimization schema
• Sensor networks for water and air systems

Safety and security
• Video surveillance and video analytics
• Seamless communication during natural and man-made disasters

Health care
• Smart hospitals
• Real-time health care including analytics
• Home and remote health care including monitoring
• Electronic records management

Education
• Flexible learning in an interactive learning environment
• Accessing world class digital content online using collaborative technologies
• Massive open online courses (MOOC)

Mobility and transportation
• Intelligent transportation technologies in the age of smart cities
• Traffic management: monitoring and routing
• Real-time linkage to emissions, traffic patterns, reduced fuel consumption


8.4   Open data and IoT need for new regulations

A natural characteristic of an IoT environment is the prevalence of devices, sensors, readers and applications that have the potential to collect many types of data about individuals as they move through such environments. Open data and the Internet of Things pose challenges to the public sector, which is not always prepared to fully regulate the implementation of such emerging technologies. Specifically, cities are overwhelmed by data and need to develop the right infrastructure to handle and reuse it.

First of all, IoT allows the collection of large amounts of data in a pervasive fashion, often without the person's awareness. Most communications occur automatically: objects decide to exchange data with their environment, potentially without the user being aware of it and depending on the context of their applications10. The amount of individuals’ data collected from various sources is increasing substantially and raises real concerns, mainly related to privacy and security. In fact, being able to automatically identify objects may lead to the automatic identification of the person related to those objects. The data collected from these different sources may also allow information to be inferred about a person that has not been publicly disclosed, such as their habits, location, interests and other personal information and preferences. Moreover, analysis and integration of those data might even reveal things about persons that would not be revealed by separately examining the underlying data sets.

10 EU COM(2017) 134 final, “European Interoperability Framework - Implementation Strategy” - http://eur-lex.europa.eu/resource.html?uri=cellar:2c2f2554-0faf-11e7-8a35-01aa75ed71a1.0017.02/DOC_3&format=PDF


Digital hyper-connectivity for everyone makes it crucial to have tools for analysing and managing digital data in new and proper ways that respect acceptable levels of privacy for individuals. Governments must take extra care to protect the privacy and security of citizen data, especially when that data is used by a third party. Individuals should be able to remain in control of their personal data and to exercise their rights. All IoT systems or infrastructures should therefore provide sufficient transparency and allow people to refuse consent to share their data. The crucial issue in this regard is that people are not always aware of, or lack the fundamental knowledge to understand, the consequences of their consent11. Given the global nature of the IoT, another issue that people have to cope with is the diversity among national and regional data protection laws. Different countries have different laws providing different levels of data protection. When data controllers' systems and the individuals affected by these systems are, for example, based in different countries (within or outside the EU), this potentially leads to many different applicable laws12.

11 Frost & Sullivan, 2014, “World’s Top Global Mega Trends To 2025 and Implications to Business, Society and Cultures”, https://www.smeportal.sg/content/dam/smeportal/resources/Business-Intelligence/Trends/Global%20Mega%20Trends_Executive%20Summary_FROST%20%26%20SULLIVAN.pdf

Example: IoT and the risks for the utilities sector

The case of the utilities sector is particularly relevant for the management of each city. The Internet of Things brings some notable changes in the way utilities will be managed and delivered. IoT provides the foundation for a fundamental re-engineering of the demand and supply ecosystem between prepared energy and utilities suppliers and smart consumers, with new opportunities to optimize supply, save money, increase revenue, improve environmental protection, choose suppliers, and enhance personal productivity and quality of life. By using technological intelligence to improve services, public administrations have turned utilities into real smart city directors. Water, light, gas and energy are the primary assets of a country's life, as are waste and traffic management, parking and transportation. Mobile solutions linking and connecting objects such as meters, boilers, bins, streetlights and means of transport have had a crucial influence. This innovation has brought new information transparency into management and delivery processes. The ability to identify and trace real-time data for each single service increases efficiency and speed by improving management.

All energy and utility companies are engaged in business initiatives that exploit the IoT, big data and cloud so that they can optimize their data. Energy and utility suppliers using cloud services to realise competitive advantages face additional complexities and threats to defend against, as their data is no longer always on-premises but is instead stored outside the network and territory within which they operate. However, in the wrong hands, the consumption of huge amounts of customer data from a combination of sources poses serious threats to privacy, with new, poorly defended on-ramps and vectors creating weaknesses that cyber criminals can exploit.

Risks multiply exponentially in a world where potentially everything can be connected, and privacy protections must be as important as security assurances. Protecting personal information should be one of the most important focus areas in the design, deployment and lifecycle of each and every interconnected device, service, application and system.

Only sound privacy, data protection and information management processes can guarantee data protection. To this effect, such a process would need to be defined at the EU level and accompanied by effective and efficient means of data protection enforcement, to ensure proper and widespread implementation both of the technological solutions (e.g. data minimization, encryption, access control, enhanced control over personal data) and of the legal and regulatory measures. The implementation of a data strategy has been recommended by the EU since 2015. It advocates a holistic approach to addressing open data requirements by implementing open licenses and open data policies. This strategy has stressed the importance of a legal structure and the definition of standards for the publication of open data. Public administrations are expected to revise their data protection strategies and adopt a new, detailed legal structure and standards. This will help to open up their data and will make it easier for publishers of data to conform to standardized formats, with benefits also with regard to the interoperability of data. Public bodies should then have the required technical knowledge to implement such features. Public administrations could be helped in publishing their data, as in Greece, for example, where the Ministry responsible for the Open Data policy has trained public administrations to publish their data and upload it to the national portal13.

12 EU COM(2017) 134 final, “European Interoperability Framework - Implementation Strategy” - http://eur-lex.europa.eu/resource.html?uri=cellar:2c2f2554-0faf-11e7-8a35-01aa75ed71a1.0017.02/DOC_3&format=PDF
13 European Data Portal, 2016, Analytical Report 4: Open Data in Cities. https://www.europeandataportal.eu/sites/default/files/edp_analytical_report_n4_-_open_data_in_cities_v1.0_final.pdf


9.  The importance of Open Data Management

ICT-based services and solutions delivered by a city strongly depend on the quality and amount of data collected: access to and availability of data therefore become vital for the functioning of any smart city. As recommended in the technical report by the ITU-T group14, city managers should therefore base the implementation of smart solutions on appropriate policies and governance structures addressing data accessibility and data management. By setting up a data management system, cities are able to easily store and re-use the data they collect15. In order to be used, open data needs to be of high quality and published in a structured and readable format. Standards can help to improve the quality of data by regulating the collection and publication of data.

This section outlines some issues related to Data: Access, Security, Privacy, Portability and Interoperability.

9.1   Access to Data

One basic assumption that needs to be highlighted is that availability struggles against privacy. Not all the information collected can be shared; therefore a schema that promotes the balance between privacy and accessibility is required and needs to be addressed in the design of smart sustainable cities. Value cannot be added to open datasets if potential users cannot get access to them. As such, it is a given that open data should be available and discoverable. A straightforward and common way to address this is to publish open datasets on a central data portal, allowing users to browse through the available datasets with ease. Accessibility should also address inequities in access to certain software. For instance, a user should not need specialist software in order to open a dataset. Therefore, it is advised to publish the data in what is called an open format, which is usually established by a standards organization. Open formats are in most cases compatible with free software. Another advantage of many open formats is machine readability: the contents of a dataset can be processed by a computer and do not depend on human (mis)interpretation of the data. This is useful for the usability of a dataset, especially if it is large and complex. Computers can simplify these large datasets such that they become interpretable and understandable to humans. Developments in the field of Linked Open Data (LOD) are also gaining traction, referring to a "web" of data in which navigating through and across datasets becomes highly convenient, since datasets can refer the user to other datasets, similar to how hyperlinks on websites connect different documents16. Open data should also be subject to an open license, which grants the free (re)use, modification and (re)distribution of a dataset, regardless of purpose. Modifications entail the separating as well as the compiling of the available datasets, where the former refers to the usage of "parts" of the original datasets in a "new dataset", whilst the latter refers to the combining of (parts of) the original dataset with other ones to create a "new" dataset. An open license is often associated with one of the Creative Commons licenses, each of which is distinguished by certain conditions of use which remain appropriate in the open data philosophy. A condition might include the requirement for attribution, so that a derivative product must credit the source author, or a share-alike requirement, which obligates a derivative product to be redistributed with the same license as the original dataset.

14 An overview of smart sustainable cities and the role of information and communication technologies; ITU-T Focus Group on Smart Sustainable Cities, Technical Report, 10/2014.
15 European Data Portal, 2016, Analytical Report 4: Open Data in Cities. https://www.europeandataportal.eu/sites/default/files/edp_analytical_report_n4_-_open_data_in_cities_v1.0_final.pdf
16 Shadbolt, N., Berners-Lee, T., & Hall, W. (2006). The semantic web revisited. IEEE Intelligent Systems, 21 (3), 96–101.

9.2   Security

Data security is about maintaining the confidentiality, integrity, and availability of data in every state, from its collection, transmission, and processing to its analysis and storage. It is data security that ensures that unauthorized systems or parties do not access our data and that it stays in an accurate and reliable state. IoT usually relies heavily on wireless communication protocols or APIs that, due to the lack of mandatory technical and security standards, are only secured as an afterthought. Because of this, smart cities that rely heavily on wireless sensor networks and integrated communications systems are especially vulnerable to power failure, software errors and cyber-attacks with devastating effects17. If companies cannot fully manage all levels of security, including malware protection, backups, and governance, they may be better off handing these efforts over to a centralized service. Central management of data saves time in technology provisioning and deployment processes, and it reduces the downtime caused by intrusive cybersecurity. However, it also eases the breadth and depth of a hacker attack once penetration is made, and it greatly simplifies the ability to monitor online activity. Security breaches at centralized locations result in sensitive information such as social security numbers, national identification numbers and credit card numbers being lost to criminals. These crimes then lead to extortion, stalking, harassment, and ransom demands for information stolen from computers acquired through property crime, social media accounts, e-mail, and hijacked webcams. The fear is that they might escalate into physical threats targeting medical pacemakers, insulin pumps and car brakes, and enable burglars to spot “smart metered” premises as currently unoccupied. An obvious problem is the lack of global harmonization of security legal standards18. A particular solution to the issue is to mandate security breach disclosure.

17 Edwards, Lilian, Privacy, Security and Data Protection in Smart Cities: A Critical EU Law Perspective (January 5, 2016). European Data Protection Law Review (Lexxion), 2016, Forthcoming. http://dx.doi.org/10.2139/ssrn.2711290

Transparent data policy for London Transportation

Transport for London (TfL) is the local government body responsible for public transport in London, with responsibility for running and overseeing over-ground and underground rail, buses, water services, cycling, taxis and private hire, and dial-a-ride services. As a large organisation coordinating travel for millions of passengers daily, TfL generates and manages a massive amount of data from a diverse set of sources including: websites and smartphone apps, CCTV in stations and on trains and buses, contactless and credit card payments, Oyster cards, congestion charging, bike use, lost luggage requests, taxi licensing etc.

TfL has adopted a transparent approach to data privacy and data protection policies, which are published on its website. These policies are short, clear and unambiguous, written in plain English that avoids dense legal language. For each type of data TfL details: what personal information it holds, why it collects that information, how it uses the information, the length of time it keeps it before deleting, how it secures it, how it shares it, whether any of the data are processed overseas, how someone can access the data held about them, and any relevant privacy notices. Where necessary, links are provided to specific pieces of external policy or regulation/law.

The European General Data Protection Regulation (GDPR, see next section) legislates notification requirements to both the supervisory authority and the affected data subject in case of a personal data breach19. Under the GDPR, a “personal data breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” As outlined by Lilian Edwards, a soft law approach to the issue of data security, which has been in the ascendant in the EU, encourages a proactive rather than retrospective approach to security risks. Even complicated systems generate simple patterns and can be considered coherent no matter how the parts interact. This has the side effect of creating a security stance that is reactive in nature instead of proactive, because we engineer our systems to respond to threatening situations that reflect how the system will be deployed and used. Once behavioural and unexpected deviations occur, the whole defence falls apart. Passive security models continually drive up costs without a corresponding level of effectiveness, especially as they create an overflow from event monitoring systems that can produce so much data that it is nearly impossible to detect meaningful events. A more active approach can be achieved by designers by linking events that in isolation seem unrelated, but that in context provide key clues as to what the next step might be instead of what the last step just was. Finally, an extra-legal key may also be found in the years ahead in an adequate global cybersecurity insurance market20.

18 Edwards, Lilian, Privacy, Security and Data Protection in Smart Cities: A Critical EU Law Perspective (January 5, 2016). European Data Protection Law Review (Lexxion), 2016, Forthcoming. http://dx.doi.org/10.2139/ssrn.2711290
19 EU Regulation 2016/679 of the EU Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32016R0679

Cyber security and privacy in Estonia

Estonian national cyber security arrangements allow the public and private sectors and citizens to interact securely in a common data exchange environment while ensuring confidentiality and privacy. The result is that Estonia has thousands of e-services, which are accessible worldwide. In 2007, the Estonian cyber security concept and the implemented technologies were robustly tested in real life. Estonia experienced large-scale cyber-attacks against its whole ICT infrastructure. Internet service providers were under attack, as were government websites and e-mail systems, online banking and other electronic services. The whole world witnessed that Estonia survived without any significant damage. This proved that Estonian cyberspace is well protected and trustworthy.

Over the past years, the issue of ensuring the privacy of individual users on the Internet has become a hotly debated topic in Estonia, with a particular focus on the privacy policies of global service providers. The Digital Agenda 2020 for Estonia, formulated by the Ministry of Economic Affairs and Communications, outlines how both technological and organizational conditions will be developed to ensure that people will always know and be able to decide when, by whom, and for what purpose their personal data is being used in the public sector.
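The "more active approach" of linking events that look unrelated in isolation is easier to see in code. The following is an added example, not code from the ESPRESSO project or from the cited report: the city data platform, device names, event kinds and the authentication-failure threshold are all assumptions, and the log records are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample events from a hypothetical city data platform
# (ISO timestamp, source device or account, event kind, detail).
# These are made-up records for the example, not real logs.
SAMPLE_EVENTS = [
    ("2017-05-02T08:00:12", "meter-gw-17", "firmware_update", "ok"),
    ("2017-05-02T08:03:40", "meter-gw-17", "auth_failure", "bad token"),
    ("2017-05-02T08:03:55", "meter-gw-17", "auth_failure", "bad token"),
    ("2017-05-02T08:04:10", "meter-gw-17", "auth_success", "token renewed"),
    ("2017-05-02T08:06:00", "meter-gw-17", "bulk_export", "48000 rows"),
    ("2017-05-02T08:07:00", "meter-gw-22", "auth_failure", "bad token"),
    ("2017-05-02T09:30:00", "meter-gw-22", "bulk_export", "500 rows"),
]

# A typical single-signal rule: alert only when one source produces this
# many authentication failures. The value is an assumption for the example.
AUTH_FAILURE_THRESHOLD = 10

# The chain a proactive rule looks for, in order: a change to a device,
# then trouble authenticating, then an unusually large data export.
CHAIN = ["firmware_update", "auth_failure", "bulk_export"]


@dataclass
class Event:
    ts: datetime
    source: str
    kind: str
    detail: str


def parse_events(raw) -> List[Event]:
    """Turn the raw tuples into Event objects sorted by time."""
    events = [Event(datetime.fromisoformat(ts), src, kind, detail)
              for ts, src, kind, detail in raw]
    return sorted(events, key=lambda e: e.ts)


def threshold_alerts(events: List[Event]) -> List[str]:
    """Reactive model: one signal, one threshold. Returns the sources that
    crossed AUTH_FAILURE_THRESHOLD; with the sample data that is none."""
    failures: Dict[str, int] = {}
    for e in events:
        if e.kind == "auth_failure":
            failures[e.source] = failures.get(e.source, 0) + 1
    return sorted(s for s, n in failures.items() if n >= AUTH_FAILURE_THRESHOLD)


def correlate(events: List[Event], window=timedelta(minutes=15)) -> List[dict]:
    """Proactive model: for every bulk export, look back `window` at the
    same source and check whether the CHAIN stages occurred in order.
    Each stage alone stays under any per-rule threshold; together they
    describe a sequence worth an analyst's attention."""
    findings = []
    for export in events:
        if export.kind != CHAIN[-1]:
            continue
        history = [e for e in events
                   if e.source == export.source
                   and export.ts - window <= e.ts <= export.ts]
        stage = 0
        matched: List[Event] = []
        for e in history:  # events are already time-ordered
            if e.kind == CHAIN[stage]:
                matched.append(e)
                stage += 1
                if stage == len(CHAIN):
                    break
        if stage == len(CHAIN):
            findings.append({
                "source": export.source,
                "chain": [e.kind for e in matched],
                "start": matched[0].ts.isoformat(),
                "end": matched[-1].ts.isoformat(),
            })
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("threshold alerts:", threshold_alerts(evs))
    for finding in correlate(evs):
        print("correlated chain:", finding)
```

With the constructed records the threshold rule stays silent (two failures per gateway), while the correlation flags meter-gw-17 and ignores meter-gw-22, whose export falls outside the window and has no preceding firmware change.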

9.3   Privacy

According to Article 8 of the European Convention on Human Rights, which acts as a benchmark against which both European Data Protection rules and nation state laws can be judged, privacy relates to the right to respect for one's "private and family life, his home and his correspondence". The zone of privacy has heretofore been largely interpreted in a spatial sense: it begins with our bodies, embraces our homes and then extends to private communications. Today, the growth of the information society and especially ubiquitous computing has recognizably undermined our conception of privacy as relating to this spatially delimited “bubble.” Personal data that would once have stayed safely at home is carried around or stored without much, if any, thought outside the home: on smartphones or other portable devices, on webmail servers, or in the cloud generally. As to cities’ public spaces, such as roads, squares and mass transit, where expectations of privacy have historically been low to zero, people were once able to rely on practical obscurity for privacy protection (hence, arguably, not needing legal protection). But in smart cities, the prevalence of surveillance via, inter alia, smart CCTV systems, ANPR (number plate) recognition, GPS and wi-fi network tracking and cheap, reliable facial recognition software means that obscurity-in-public is pretty much at an end. Furthermore, a key point in the “publicness” of smart cities is that data disclosures (to government-operated sensors) by residents in a “smart” city simply cannot be avoided. Citizens will only have one smart grid, one subway system and so on. Thus, how and when we exert our preferences over the way data is gathered and analyzed has become overwhelmingly complicated.

For a European, the likelier danger seems to be that such data will fall via Public-Private Partnerships into the hands of private providers and from there to the open market, with negative impacts if it reaches insurers, employers or law enforcers. In fact, access to personal data can create an unfair advantage in contract negotiations or other partner relationships. What is more, personal information in one context can be used to discriminate against an individual in another context, especially in matters of healthcare21.

9.4   Portability and Interoperability

Other emerging issues related to data are the portability of non-personal data and the interoperability of services to allow data exchange. Both need appropriate technical standards for an effective implementation.

Data portability allows consumers and businesses to easily shift their data from one system to another at very low switching costs, and hence with low entry barriers, in the data economy. In line with the GDPR, data portability gives individuals the right to receive the personal data they provided to the service provider, in a structured, commonly used, machine-readable format, and the right to transmit it to another provider. Nevertheless, portability of non-personal data is not guaranteed at present: there are no obligations that rule the portability of non-personal data. One of the reasons behind this could be that implementing data portability is still technically demanding and costly, because there are no standards that define how data should be organized, and consequently each data provider stores the data differently. Secondly, portability of non-personal data needs to take into account broader data governance considerations such as transparency for users, managed access and interoperability to link different platforms together22.

20 Edwards, Lilian, Privacy, Security and Data Protection in Smart Cities: A Critical EU Law Perspective (January 5, 2016). European Data Protection Law Review (Lexxion), 2016, Forthcoming. http://dx.doi.org/10.2139/ssrn.2711290

21 Edwards, Lilian, Privacy, Security and Data Protection in Smart Cities: A Critical EU Law Perspective (January 5, 2016). European Data Protection Law Review (Lexxion), 2016, Forthcoming. http://dx.doi.org/10.2139/ssrn.2711290

Interoperability turns out to be a key feature for the implementation of data portability. Data interoperability defines appropriate technical specifications and enables a seamless data exchange between multiple digital services. Such data interoperability facilitates the switching of data between online platforms, but also allows several platforms to be used simultaneously and supports widespread cross-platform data exchange.

22 EU COM(2017) 9 final, "Building a European Data Economy", http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2017%3A9%3AFIN

Ways to Data Portability

The EU COM(2017) 9 "BUILDING A EUROPEAN DATA ECONOMY" identifies possible ways forward to address data portability and interoperability:

•   Developing recommended contract terms to facilitate switching of service providers: as data portability and switching of data service providers are mutually dependent, the development of standard contract terms requiring the service provider to implement the portability of a customer's data could be examined.

•   Developing further rights to data portability: building on the data portability right provided by the GDPR and on the proposed rules on contracts for the supply of digital content, further rights to portability of non-personal data could be introduced, in particular to cover B2B contexts.

•   Sector-specific experiments on standards: to develop a robust approach to portability rules encoded through standards, sector-specific experimental approaches could be launched. These would typically involve a multi-stakeholder collaboration including standard setters, industry, the technical community and public authorities.

The Commission has committed itself to support the appropriate standards to improve interoperability, portability and security of cloud services, by better integrating the work of open source communities into the standard-setting process at European level.


10.  European framework and main legal issues

European Framework

As reported on the European Commission’s website, standards ensure interoperability and safety, reduce costs and facilitate companies' integration in the value chain and trade. Standards do have an influence on innovation, the competitiveness of industry, the functioning of the Single Market, the protection of the environment and of human health. Standardisation and interoperability will be key requirements for the widespread adoption of technologies and services for both the private and public sector. The Regulation 1025/2012/EU on European Standardisation23 highlights the vital importance of creating European standards and asserting them as international standards in those areas where Europe is recognized as the driving innovation force in developing new types of tradable goods, services and technologies (such as electric vehicles, security, energy efficiency and smart grids). By means of standardization policies, the EU strives for the creation of the so-called single market.

The Single Market24 is what the EC is aiming at: strengthening opportunities for people and goods to move, and for services to be provided, freely around Europe. The single market is based on the removal of restrictions and the application of standards. It offers opportunities for professionals and businesses and allows people and goods to move freely around Europe, with the result of increasing choices and discovering new potential markets. Some of the benefits carried by the single market are: standardization of prices, sales conditions and delivery options; support to start-ups and SMEs, promoting easy access to finance, simplification of regulation, reduced cost of company registration and clear, SME-friendly intellectual property rules. The single market is guaranteed by the so-called “harmonised standards”, which are developed by the ESOs as requested by the EC and ensure product compliance with the basic requirements set out in EU harmonisation legislation. Standards may set forth the basic requirements for the free circulation of information, which is also related to the single market. Standards can promote and support the protection of privacy by ensuring a common approach throughout different EU countries.

23 EU Regulation 1025/2012/EU of the EU Parliament and of the Council of 25 October 2012 on European standardization, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2012:316:0012:0033:EN

24 The EU Single Market, EC (2015), http://ec.europa.eu/growth/single-market/index_en.htm


The European data protection reform aims on the one hand to foster a more efficient single market and on the other to give citizens back control over their personal information25. Security and privacy emerge as particularly urgent issues and are currently being explored and discussed worldwide. By security we commonly mean the susceptibility of data to either accidental or deliberate breaches as a result of technical or organizational failures; privacy is more closely related to law and policy and refers to control over the collection and processing, including further re-uses, of personal data.

As described in the Rolling Plan for ICT Standardisation by the European Commission26, data processing products and processes should follow the “Privacy by design” approach. This means that legal requirements should be kept in mind from the beginning of the design process. In particular, at European level the ePrivacy Directive27 is one of the fundamental tools to be considered. Article 14(3) states that “Where required, measures may be adopted to ensure that terminal equipment is constructed in a way that is compatible with the right of users to protect and control the use of their personal data, in accordance with Directive 1999/5/EC[22] on standardisation in the field of information technology and communications”. Furthermore, the Data Protection Directive 95/46/EC includes provisions which indirectly, in different situations, suggest the implementation of privacy by design. In particular, Article 17 requires that data controllers implement appropriate technical and organizational measures to prevent unlawful data processing.

25 EU COM(2017) 9 final, "Building a European Data Economy", http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2017%3A9%3AFIN

26 European Commission, Directorate-General for Internal Market, Industry, Entrepreneurship and SMEs, 2016, Rolling Plan for ICT Standardisation, http://ec.europa.eu/information_society/newsroom/image/document/2017-13/grow_rolling_plan_ict_2017_web_170302_C7EC62EB-0196-6C12-45229D71D00B0D6B_43894.pdf

27 Creating Value through Open Data, A study on the Impact of Re-use of Public Data Resources, 2015, https://www.europeandataportal.eu/sites/default/files/edp_creating_value_through_open_data_0.pdf

Denmark: Central DataHub for electricity market

Denmark has developed a central DataHub which, through uniform communication and standardised processes, handles the interaction between the players in the electricity market. The DataHub is owned and operated by Energinet.dk, the Danish transmission system operator. Energinet.dk has established codes that set the rules for the use of and access to the DataHub. Actors (DSOs, suppliers or third parties) who want access to the DataHub must sign agreements in which they warrant to comply with applicable legislation, including, in particular, the Danish Act on Processing of Personal Data. The DataHub handles electricity meter data and business processes for all 3.3 million metering points in Denmark, of which around 2 million are smart meters, and the market players exchange information about customers' consumption, move-in, move-out, etc. through the DataHub. The customers do not have direct access to the DataHub, but can access their data through a web portal set up by the supplier or by using a web portal common to all suppliers, called eloverblik.dk. Electronic authentication, called NemID1, must be used to get access to the data. Through these web portals the customers can also grant third parties access to their data by using NemID; the DataHub (i.e. Energinet.dk) therefore acts as consent manager.


Reuse of Government Open Data

Governments hold a huge amount of data which represents an economic and social value for society. This open data is the link between government and citizens in terms of information. To maximize the value of this data, the European Union has adopted legislation aimed at fostering the re-use of open data. The ultimate goal of this EU legislation, combined with the development of data portals, is to drive economic benefits and further transparency. In doing so, the European Commission aimed at creating a “data value chain friendly” policy environment.

The objective is to put in place the “systemic” prerequisites for effective use and re-use of data through legal and soft law measures28. Benefits of open data re-use can be:

•   Direct benefits are monetised benefits that are realised in market transactions in the form of revenues and gross value added, the number of jobs involved in producing a service or product, and cost savings.

•   Indirect economic benefits include new goods and services, time savings for users of applications using Open Data, knowledge economy growth, increased efficiency in public services and growth of related markets.

Open data in the European Union have been regulated since 1998 by an open data policy formulated by the European Commission via a Green Paper on Open Data. The paper, recognised as relevant to the proper functioning of the European internal market, was based on an assessment of the state of play of Open Data in the EU Member States and the situation in the United States. The initial goal of the Green Paper on Open Data was to improve the quality of data already available by making them clearer and more easily accessible via electronic media.

Open Data policy was further improved in 2003 with the Public Sector Information Directive 2003/98/EC29, when the EU issued legislation to govern the publication of Open Government Data in Member States. The main objective was to enable better access to Open Data by:

•   Stimulating the further development of a European Market for Open Data based services

•   Enhancing the cross-border use and application of Open Data in business processes

•   Encouraging competition in the internal market

•   Addressing the differences in rules and practices between Member States

The European PSI Directive was established on a minimum harmonisation basis allowing Member States leeway in the interpretation and implementation of the framework. The European Directive established framework rules regarding availability, accessibility and transparency of Open Data in Europe. In addition, it was recommended to have a standard electronic licence for the re-use of Open Data and to have a tool to find the relevant data sets via a list of portal websites. As for the payment regime, the European Directive stated that it does not prevent differentiated charging policies.

28 Creating Value through Open Data, A study on the Impact of Re-use of Public Data Resources, 2015, https://www.europeandataportal.eu/sites/default/files/edp_creating_value_through_open_data_0.pdf

29 Creating Value through Open Data, A study on the Impact of Re-use of Public Data Resources, 2015, https://www.europeandataportal.eu/sites/default/files/edp_creating_value_through_open_data_0.pdf


Data Protection and ePrivacy Directive

The Data Protection Directive 95/46/EC30 is the central legislative instrument in Europe on the protection of individuals with regard to the processing of personal data and on the free movement of such data. It is a European Union directive adopted in 1995 which regulates the processing of personal data within the European Union and is an important component of EU privacy and human rights law. It will be replaced by the General Data Protection Regulation, expected to be enforceable from May 2018, ensuring modernised rules fit for the digital age. The European Commission realised that diverging data protection legislation amongst EU member states impeded the free flow of data within the EU and accordingly proposed the Data Protection Directive. The directive defines personal data as "any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;" (art. 2 a). Following this definition, personal data are any data that allow one to link them to a specific person, e.g. address, credit card number, bank statements, criminal record, etc. The directive regulates the processing of personal data regardless of whether such processing is automated or not. The notion of processing means "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;" (art. 2 b).

Personal data should not be processed at all, except when certain conditions are met. These conditions fall into three categories: transparency, legitimate purpose, and proportionality. In a few words, whenever the data is processed the person has to be informed of the purpose (transparency) and give their consent. Personal data can only be processed for specified, explicit and legitimate purposes and may not be processed further in a way incompatible with those purposes (e.g. public interest, legal obligation). Finally, personal data can only be processed to an extent that is adequate in relation to the purposes for which they are collected and/or further processed (proportionality).

The controller is the actor responsible for ensuring compliance with the directive. It can be a person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data (art. 2 d). The controller is responsible not only within the EU, but also whenever the data are processed through any equipment located in the EU. This means that controllers from outside the EU, processing data in the EU, also have to comply with the EU data protection rules. In particular, in the case of non-EU countries, transfer of personal data is allowed only if those countries provide a proper level of protection. Being a directive, it requires each member state to establish an independent national supervisory authority in charge of monitoring data protection, giving advice to the government and, in case of data violations, starting legal proceedings.

30 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:31995L0046


The ePrivacy Directive31 complements the directive on data protection32 and is aimed primarily at regulating the practices of traditional telecom providers and of new providers of electronic communications services. Other issues not specifically addressed in the ePrivacy Directive are covered by the directive on data protection, for example the rights of individuals to access, correct or delete their personal data.

31 ePrivacy Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32002L0058

32 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:31995L0046

Simplifications of Cookie rules

Article 5(3) of the current ePrivacy Directive requires websites to obtain prior informed consent from a user before storing cookies and similar technologies or accessing information stored on the user’s terminal equipment. For consent to be valid, it must be informed, specific, freely given, and must constitute a real indication of the individual’s wishes. Certain cookies are exempt from the consent requirement, including user-input cookies, authentication cookies, user-interface customization cookies, and third-party social plug-in content-sharing cookies.

To comply with the ePrivacy Directive, beginning in May 2012, websites operating in the EU have been using cookie banners displayed at the top or bottom of the screen on all pages of a site using cookies that require informed consent. Some banners are in the form of notice only, with the presumption that continued use of the site signifies user consent, and some require active interaction by asking a user to click on a choice between “I accept” and “I refuse” the site’s cookies. When these banners first started popping up, many users saw them as irrelevant or irritating, particularly when trying to browse mobile sites.

The new proposed rule clarifies that no consent is needed for non-privacy intrusive cookies improving internet experience. The new rule also proposes to centralize user consent in software, such as internet browsers, and to prompt users to choose their privacy settings across the board. The European Commission believes this would allow a significant proportion of businesses to do away with cookie banners and notices, thus leading to potentially significant cost saving.

This benefit, while great for first-party businesses, will however be diminished for online targeted advertisers should a large proportion of users opt to reject third-party cookies in their settings. At the same time, the European Commission notes, centralizing consent does not deprive website operators of the possibility to obtain consent by means of individual requests to end-users, and thus will allow these operators to maintain their existing business model.


The ePrivacy directive sets up specific rules relating to the processing of personal data in the electronic communications sector, such as requiring users’ consent before their traffic and location data may be used for commercial purposes. It introduced the obligation to notify the competent national authorities, and in specific cases, to take legal action against spammers. The most visible issue introduced by the ePrivacy directive is probably the right for consumers to be better informed about ‘cookies’33.

The ePrivacy Directive was last updated in 2009 to provide clearer rules on the rights of the customer to privacy and confidentiality of on-line communications. However, IT-based services have since developed, changing people's habits. Many Europeans use Internet-based services and voice messaging instead of, or in addition to, their mobile phones or fixed connections. The EU has therefore embarked on a modernization of the data protection framework, a process that culminated in agreement on the General Data Protection Regulation (GDPR). The key points34 of the latest consultation launched by the European Commission in order to reform the ePrivacy Directive are listed below:

•   New players: privacy rules will in the future also apply to new players providing electronic communications services such as WhatsApp, Facebook Messenger and Skype. This will ensure that these popular services guarantee the same level of confidentiality of communications as traditional telecoms operators.

•   Stronger rules: all people and businesses in the EU will enjoy the same level of protection of their electronic communications through this directly applicable regulation. Businesses will also benefit from one single set of rules across the EU.

•   Communications content and metadata: privacy is guaranteed for communications content and metadata, e.g. time of a call and location. Metadata have a high privacy component and are to be anonymized or deleted if users did not give their consent, unless the data are needed for billing.

•   New business opportunities: once consent is given for communications data, content and/or metadata to be processed, traditional telecoms operators will have more opportunities to provide additional services and to develop their businesses. For example, they could produce heat maps indicating the presence of individuals; these could help public authorities and transport companies when developing new infrastructure projects.

•   Simpler rules on cookies: the cookie provision, which has resulted in an overload of consent requests for internet users, will be streamlined. The new rule will be more user-friendly as browser settings will provide for an easy way to accept or refuse tracking cookies and other identifiers. The proposal also clarifies that no consent is needed for non-privacy intrusive cookies improving internet experience (e.g. to remember shopping cart history) or cookies used by a website to count the number of visitors.

•   Protection against spam: unsolicited electronic communications by emails, SMS and automated calling machines should be banned. Depending on national law, people will either be protected by default or be able to use a do-not-call list to not receive marketing phone calls. Marketing callers will need to display their phone number or use a special prefix that indicates a marketing call.

•   More effective enforcement: the enforcement of the confidentiality rules in the Regulation will be the responsibility of data protection authorities, already in charge of the rules under the General Data Protection Regulation.

33 Goodbye Cookie Banners? The European Commission Proposes to Simplify the Cookie Law, 2017, http://www.carpedatumlaw.com/2017/01/goodbye-cookie-banners-european-commission-proposes-simplify-cookie-law/

34 Proposal for an ePrivacy Regulation, DG Connect, 2017, https://ec.europa.eu/digital-single-market/en/proposal-eprivacy-regulation


11.  General Data Protection Regulation

The General Data Protection Regulation (GDPR)35, due to come into effect on 25 May 2018, will provide a modernized, accountability-based compliance framework for data protection in Europe. By means of the General Data Protection Regulation, the European Commission intends to strengthen and unify data protection for individuals within the European Union, to give citizens back control of their personal data and to simplify the regulatory environment for international business. The GDPR is an essential step to protect fundamental rights in the digital age and also facilitates business by simplifying rules for companies in the Digital Single Market. A single law will do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around €2.3 billion a year. The regulation was adopted on 27 April 2016. It enters into application on 25 May 2018, after a two-year transition period. When the GDPR takes effect it will replace the data protection directive (officially Directive 95/46/EC) from 1995.

The new General Data Protection Regulation introduces one, single, technologically neutral and future-proof set of rules across the EU. This means that regardless of how technology and the digital environment develop in the future, the personal data of individuals in the EU will be secure, and their fundamental right to data protection respected. The new Regulation will also reinforce the ‘right to be forgotten’, so that if an individual no longer wants their personal data to be processed, and there is no legitimate reason for an organisation to keep it, it must be removed from their system. Citizens will also have a right to data portability, i.e. the right to obtain a copy of their data from one Internet company and to transmit it to another one without hindrance from the first company. These proposals will help build trust in the online environment and create fair competition, which is good for individuals and businesses36.

This trust will enable consumers to engage with innovative technologies and purchase online in full confidence that their personal data will be protected. Increased demand for privacy-friendly products and services will foster new investment and the creation of new jobs and release the single market’s potential to provide a greater choice of goods at lower prices. This increase in economic activity will also help businesses, especially small and medium-sized businesses (SMEs), grow to their full potential within the single market. By having future-proof, technologically neutral regulations, the Commission’s proposals will give long-lasting certainty to data protection issues online.

The data protection reform package builds a single, strong, and comprehensive set of data protection rules for the EU. It will boost innovation in sustainable data services by enhancing legal certainty and strengthening trust in the digital marketplace. This way it fosters a virtuous circle between the protection of a fundamental right, consumer trust and economic growth.

EU data protection rules will apply not only to European companies, but also to foreign companies offering products and services to EU citizens, or monitoring their behavior. In other words, the same rules will apply to all companies operating in the EU regardless of where they come from. This will level the playing field between European and non-European companies. Start-ups from other world regions will have to play by the same rules as start-ups from Europe. This is about fair competition in a globalized world37.

35 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

36 DG Justice, Reform of EU data protection rules, http://ec.europa.eu/justice/data-protection/reform/index_en.htm

37 Handbook on European data protection law, 2014, European Union Agency for Fundamental Rights, http://www.echr.coe.int/Documents/Handbook_data_protection_ENG.pdf

What is the EU Data Protection Reform about?

The new General Data Protection Regulation introduces one, single, technologically neutral and future-proof set of rules across the EU. This means that regardless of how technology and the digital environment develop in the future, the personal data of individuals in the EU will be secure, and their fundamental right to data protection respected.

What will be the key changes?

• Guaranteeing easy access to one’s own personal data and the freedom to transfer personal data from one service provider to another.

• Establishing the right to be forgotten to help people better manage data protection risks online. When individuals no longer want their data to be processed and there are no legitimate grounds for retaining it, the data will be deleted.

• Ensuring that whenever the consent of the individual is required for the processing of their personal data, it is always given by means of a clear affirmative action.

• Ensuring a single set of rules applicable across the EU.

• Clear rules on when EU law applies to data controllers outside the EU.

How will this help?

These proposals will help build trust in the online environment, which is good for individuals and businesses. The new rules will create fair competition: all non-EU companies will have to apply the same rules as EU companies when offering goods or services in the EU.

This trust will enable consumers to engage with innovative technologies and purchase online in full confidence that their personal data will be protected. Increased demand for privacy friendly products and services will foster new investment and the creation of new jobs and release the single market’s potential to provide a greater choice of goods at lower prices. This increase in economic activity will also help businesses, especially small and medium-sized businesses (SMEs) grow to their full potential within the single market.

The EU Data Protection Reform will be an enabler for Big Data services in Europe by promoting the adoption of principles such as data protection by default and by design, enhancing transparency and fostering consumers’ trust. It will boost competition through the new right of data portability as well as the creation of a level playing field for all companies active in the single market.


11.1 Data Protection Officers (DPOs)

The GDPR makes it mandatory for certain controllers and processors to designate a Data Protection Officer (DPO). DPOs will be at the heart of this new legal framework for many organisations, facilitating compliance with the provisions of the GDPR. This will be the case for all public authorities and bodies (irrespective of what data they process), and for other organisations that, as a core activity, monitor individuals systematically and on a large scale, or that process special categories of personal data on a large scale. Even when the GDPR does not specifically require the appointment of a DPO, organisations may sometimes find it useful to designate a DPO on a voluntary basis.

The concept of DPO is not new. Although Directive 95/46/EC38 did not require any organisation to appoint a DPO, the practice of appointing a DPO has nevertheless developed in several Member States over the years. In addition to facilitating compliance through the implementation of accountability tools (such as facilitating or carrying out data protection impact assessments and audits), DPOs act as intermediaries between relevant stakeholders (e.g. supervisory authorities, data subjects, and business units within an organisation).

DPOs are not personally responsible in case of non-compliance with the GDPR. The GDPR makes it clear that it is the controller or the processor who is required to ensure and to be able to demonstrate that the processing is performed in accordance with its provisions (Article 24(1)). Data protection compliance is a responsibility of the controller or the processor.

The controller or the processor also has a crucial role in enabling the effective performance of the DPO’s tasks. Appointing a DPO is a first step but DPOs must also be given sufficient autonomy and resources to carry out their tasks effectively. The function of the DPO can also be exercised on the basis of a service contract concluded with an individual or an organisation outside the controller’s/processor’s organization.

Following the guidelines of the Article 29 Working Party (WP29)39, the designation of a DPO is mandatory in three specific cases:

• where the processing is carried out by a public authority or body;

• where the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale;

• where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.

The GDPR leaves some open issues that still need to be defined. For example, the GDPR does not define what constitutes a ‘public authority or body’. The WP29 considers that such a notion is to be determined under national law. Accordingly, public authorities and bodies include national, regional and local authorities, but the concept, under the applicable national laws, typically also includes a range of other bodies governed by public law. In such cases, the designation of a DPO is mandatory. Figure 1 shows a decision tree that clarifies when a company has to appoint a DPO40.

38 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:31995L0046

39 ARTICLE 29 DATA PROTECTION WORKING PARTY, Guidelines on Data Protection Officers (‘DPOs’) (13/12/2016), http://ec.europa.eu/newsroom/document.cfm?doc_id=43823

Figure 1. DPO Decision Tree.

With regard to the ‘core activities’ criterion, the GDPR (Article 37(1)(b) and (c)) specifies that the core activities of a controller relate to ‘primary activities and do not relate to the processing of personal data as ancillary activities’. ‘Core activities’ can be considered as the key operations necessary to achieve the controller’s or processor’s goals. However, ‘core activities’ should not be interpreted as excluding activities where the processing of data forms an inextricable part of the controller’s or processor’s activity. For example, the core activity of a hospital is to provide health care. However, a hospital could not provide healthcare safely and effectively without processing health data, such as patients’ health records.

The main task of the DPO is to monitor compliance with the GDPR, in particular to:

• collect information to identify processing activities;

• analyze and check the compliance of processing activities;

• inform, advise and issue recommendations to the controller or the processor.

Finally, the DPO is not personally responsible where there is an instance of non-compliance. The GDPR makes it clear that it is the controller, not the DPO, who is required to ‘implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation’ (Article 24(1)). Data protection compliance is a corporate responsibility of the data controller, not of the DPO.

40 DPO Network Europe: DPO Decision Tree, https://iapp.org/media/pdf/resource_center/DPO_decisiontree-v2.pdf

11.2 Implementation of GDPR in Europe and beyond

The GDPR is the EU's attempt to reform data protection regulation into an EU-wide framework rather than a set of laws specific to each European country. The current legislation on data protection in the Member States derives from a directive that each country introduced into its national legal order with a certain degree of flexibility, leading to country-to-country differences. The new regulation is expected to be applied homogeneously throughout the EU. Each Member State has to ‘translate’ this regulation into national law by May 2018, the deadline for the implementation of changes. For example, the Netherlands has already made changes to its data protection laws. In Germany, the Federal Government submitted a draft law (BDSG-E) for adapting to the GDPR. The BDSG-E has gone through the examination of the Federal Parliament and a pool of experts on data protection. The German government wants to follow an individual national strategy, trying to use certain opening clauses in the GDPR with the aim of deviating from the original text of the GDPR41.

Although the core data protection rules remain broadly the same, there are important changes with an impact on day-to-day business, of which companies should be aware and for which they should prepare in advance. In Portugal, according to a study promoted by KPMG42, organizations are starting to understand the importance of the new regulation, but the process will not be a short one, especially to become compliant with the GDPR and to converge their personal data protection processes with international best practices. The goal of the study, which involved more than 100 Portuguese organizations, was to assess their level of readiness for coping with the challenges and changes set by the new GDPR. Portuguese law may also contain specific rules regarding the processing of employees' personal data, especially for the purposes of recruitment, performance and termination of the employment contract, which will apply together with the GDPR. Particular attention will be devoted to specific fields related to the processing of sensitive data, such as genetic data, biometric data or data concerning health.

In general terms, the GDPR comes as a comprehensive legislative text that aims at defining a secure and harmonized framework of data protection, but also imposes significant penalties on companies that do not comply with it. While many organizations have already begun this process with a range of compliance efforts, many are still in the assessment phase. According to a survey by NetApp43, European companies are not well informed about the GDPR. The study involved 750 CIOs and IT managers from France, Germany and the UK and highlights the gaps between the sense of urgency regarding how to prepare and what to do in view of the deadline. The most striking figure is that 70 percent of CIOs are worried that their companies may not be able to meet the deadline of May 25, 2018. Furthermore, only 37 percent of the respondents would have invested extra funds to meet the data compliance requirements. In particular, 27% of respondents in Germany have already hired specific personnel with data protection expertise, against 20% in France and only 17% in the UK. Furthermore, it is alarming that 14 percent of respondents still have no preparation in place. The report highlights in fact how responsibility for data compliance is not always clear: there is no complete understanding of procedures, actors and what should be done to comply with the regulation. This results in a very slow process of implementation, at least in the countries surveyed. The situation is no different in Greece, where more than 50% of companies have yet to commence any procedure related to the new GDPR, due also to a lack in the market of basic factors and elements, such as management and organizational infrastructure, that would enable them to comply with at least the minimum requirements of the new legislation44.

41 Fieldfisher publications, 2017, Data Protection: Does the German Implementation Act (BDSG-E) undermine the GDPR? http://privacylawblog.fieldfisher.com/2017/data-protection-does-the-german-implementation-act-bdsg-e-undermine-the-gdpr/

42 M&A Publications, 2017, The European General Data Protection Regulation - Top seven actions companies need to take, http://privacylawblog.fieldfisher.com/2017/data-protection-does-the-german-implementation-act-bdsg-e-undermine-the-gdpr/

43 Business Pulse, 2017, European IT leader survey shows GDPR compliance remains a confusing, slow-moving process, https://home.kpmg.com/pt/en/home/insights/2017/04/impact-of-gdpr.html

In line with the rest of Europe, Italy too shows a lack of attention to the GDPR. According to a study by the Security and Privacy Observatory of Politecnico di Milano45, only 1 company out of 5 knows in detail what the implications of the GDPR are. Very few companies have started a process for complying with it. In conclusion, the GDPR is not an EU issue only. US companies consider compliance with the EU GDPR a priority in 2017. According to a PwC US study46, US companies are willing to spend one million dollars on GDPR action plans. The reason behind this is that the GDPR will also have an impact on US companies delivering services and goods to EU citizens. Non-compliance with the GDPR will mean a potential fine of 4% of global revenues.

44 CEE Legal Matters Magazine, 2017, Three Major Operational Changes of the New GDPR – Are Greek Companies Compliance-Ready Yet? http://www.ceelegalmatters.com/index.php/greece/6287-three-major-operational-changes-of-the-new-gdpr-are-greek-companies-compliance-ready-yet

45 Corr.com, 2017, Allarme privacy, aziende italiane "borderline" sul Gdpr, http://www.corrierecomunicazioni.it/digital/45362_privacy-aziende-italiane-a-rischio-sanzione-ue-solo-1-su-10-e-pronta.htm

46 PwC US Press room, 2017, GDPR Compliance Top Data Protection Priority for 92% of US Organizations in 2017, According to PwC Survey, http://www.pwc.com/us/en/press-releases/2017/pwc-gdpr-compliance-press-release.html


12.  Focus on the Pilot Cities national regulations

As described in D2.3 and D2.6, both pilots address as an overarching use case the development of a 3D city platform, based on the integration of various data regarding urban management (parking availability, energy efficiency of buildings, solar potential, groundwater levels, etc.). There is an obvious focus on the exploitation of public data that are highly interconnected and should be accessible online for e-government purposes. The main issues of the Rotterdam and Tartu use cases relate to data management.

Tartu:

• Use Case 1: Energy - Increasing Energy Efficiency in Buildings

• Use Case 2: CIM: City Information Model – Facilitating Data Interoperability

Rotterdam:

• Use Case 1: Parking space availability

• Use Case 2: Ground water level monitoring

Even though the implementation of the pilots does not foresee the collection of sensitive data, the sections below describe the regulations on data protection for each country.

12.1 Rotterdam and the Netherlands

Rotterdam’s use case is part of the project Digital Rotterdam. In this project, the aim of the city of Rotterdam is to create a digital copy of the city. This model should be as close to reality as possible and up to date in real time. The data can be visualized in a 3D city model. The data are collected in a datahub, which also includes other data that has been collected by the municipality. Rotterdam is in the process of setting up a Data Marketplace open to public and private sources. The (end) goal is to organize an independent open data exchange platform where all kinds of data can be exchanged under negotiated conditions. It concerns big, open, linked and other kinds of data. At this moment people within the organization are working on an open data platform for the Municipality's own data. The objective is to make all kinds of information available for the city in an easy, open and transparent way, for both the internal municipal organization and external stakeholders. By setting up an open infrastructure to make available all kinds of smart information, such as sensor data, 3D models and geospatial data, in a standardized way, the data can be used for multiple purposes and applications. The Netherlands implemented the EU Data Protection Directive 95/46/EC on 1 September 2001 with the Dutch Personal Data Protection Act (Wbp). Enforcement is through the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). The box below outlines the data protection law in the Netherlands47.

Data Protection Law in the Netherlands

• REGISTRATION: Unless an exemption applies, data controllers who process personal data by automatic means must notify the Autoriteit Persoonsgegevens so that their processing of personal data may be registered and made public. Changes to the processing of personal data will require the notification to be amended.

• DATA PROTECTION OFFICERS: Companies, industry associations, governments and institutions can appoint a data protection officer. There is no legal requirement in the Netherlands to do so. The data protection officer ensures that processing of personal data will take place in accordance with the Wbp. The statutory duties and powers of the data protection officer give this officer an independent position within the organisation.

• TRANSFER: Transfer of a data subject’s personal data to non EU/European Economic Area (EEA) countries is allowed if the countries provide ‘adequate protection’.

• SECURITY: Data controllers and processors must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access.

• BREACH NOTIFICATION: Since 1 January 2016, a data breach, i.e. any security incident that leads or may lead to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed, must be reported to the Autoriteit Persoonsgegevens, if such data breach has or may have serious disadvantageous consequences for the protection of personal data.

• ELECTRONIC MARKETING: Electronic marketing is partially regulated in Article 11.7 of the Dutch Telecommunications Act (Tw). In the context of this Article electronic marketing could be defined as SMS, e-mail, fax and similar media for the purposes of unsolicited communication related to commercial, charitable or ideal purposes without the individuals’ prior express consent.

• TRAFFIC DATA: Traffic Data is regulated in Article 11.5 of the Tw. Traffic Data held by a public electronic communications services provider (CSP) must be erased or anonymised when it is no longer necessary for the purpose of the transmission of a communication.

• COOKIE COMPLIANCE: The Netherlands implemented the E-Privacy Directive through the Dutch Telecommunications Act in Article 11.7a (hereinafter: Article 11.7a). The Authority for Consumers and Markets ("ACM") is entrusted with the enforcement of Article 11.7a. The main rule is that the website operator needs to obtain prior consent from a user before using cookies (opt in) and needs to clearly and unambiguously inform the user about these cookies (purpose, type of cookie, etc). Implicit consent is accepted under Dutch law.

47 Data Protection Laws of the World: the Netherlands, 2017 - http://www.dlapiperdataprotection.com

12.1.1 Focus on Rotterdam

In the Netherlands, government data may already be public under a law that obligates polities to disseminate data to an individual should they request access to certain datasets (Wet Openbaarheid van Bestuur). Although this data might be public, it is not open in the sense that the information is difficult to access and may have restrictions on reuse and redistribution48.

The Municipality of Rotterdam (hereafter referred to as the Municipality), particularly the Department of Urban Management (Stadsbeheer), has made a commitment to pursue a more active open data policy. Indeed, Stadsbeheer, like most if not all other polities, already collects a wide range of data to carry out its duties49. However, preliminary research must be done on how an open data policy can effectively (and legitimately) be materialized. Datasets might be subject to privacy and intellectual property rights. Additionally, they might be subject to national security concerns as well. Moreover, an effective data policy also implies appropriate institutional and technical frameworks.

The two main laws relevant to public data are described below.

12.1.2   Law of public access (Wob)

Under the law of public access (Wet van openbaarheid bestuur, Wob), government data is already public on a de facto basis. As such, the Wob decides whether datasets can be publicized in the first place. In short, primary indicators of public datasets are that the information describes a polity, including its duties and the processes performed to carry its duties out; and that they can be accessed by the polity in question under the condition that they hold the rights to access it. However, some datasets are exempt from the Wob. There are two types of exemptions, namely an absolute exemption and a discretionary exemption. The former refers to datasets that are subject to:

• Threats to the unity of the Crown. That is, information about disagreements between the monarch and their cabinet.

• Threats to national security.

• Non-disclosure agreements between government and businesses regarding information about a firm.

• The Law for the protection of personal information.

The discretionary exemption obligates the polity in question to weigh the benefits of data dissemination against concerns regarding:

• International relations.

• The financial or economic interests of polities.

• The degree to which its publication would hinder the investigation and prosecution of illegal offenses.

• The degree to which its publication would hinder inspection and oversight activities of certain polities, for example information that describes the methodology in which the inspectorate SZW performs its inspections on labor conditions.

• Concerns regarding privacy and personal affairs.

• Individuals or organizations for which the information was originally intended, i.e. if a dataset was created to address a specific organization, that organization should have exclusive access to the information before others.

• The disproportionate disadvantaging of others upon the publication of the dataset.

48 Loenen, B. van, J. de Jong, J.A. Zevenbergen, 2008, Locating mobile devices; balancing privacy and national security, NWO Research report.

49 Loenen, B. van, J. de Jong, J.A. Zevenbergen, 2008, Locating mobile devices; balancing privacy and national security, NWO Research report.

12.1.3   Law for the protection of personal information (Wbp)

The Law for the protection of personal information (Wet bescherming persoonsgegevens, Wbp) is usually the most conclusive (and contested) in terms of deciding whether or not a dataset is public. In Dutch law, personal information is referred to as "every piece of information concerning an identified or identifiable natural person". As such, it is easy to imagine how geographic data can be considered personal information, since they can tell us something about a person: for instance, a feature class "houses" with attribute data which describes the owner of the house. Additionally, it is alarming how much of a person’s unique characteristics can be revealed with disproportionate effort by combining data as "simple" and accessible as census data. Note that a dataset does not necessarily need to describe a person for it to be considered privacy-sensitive data. Another "houses" feature class with attributes that describe the material a house feature is made of can be used to estimate the value of a single house. This is personal information, since that house is most likely owned by a natural person, and this information could affect the way in which that owner is judged and treated in society. Finally, new technological modes of geodata acquisition and representation such as satellite imagery and panorama photos are also subject to privacy [38], since identifiable characteristics such as individual faces and license plate numbers can be visible.

12.1.4   Open Data

The above-mentioned laws describe the characteristics of a public dataset. In order to make those data open to the public, the first step is to determine that doing so does not infringe any Intellectual Property rights. The collection and management of data can cost large sums of money50, and (parts of) the data may not be owned by the polity in question. In any case, entities may own intellectual property rights over a dataset, and as such reserve the right to decide whether the dataset may be disseminated under a license. If the copyright is held by a polity, the law for the reuse of public data (Wet hergebruik overheidsgegevens, Who) obligates the polity to allow for the redistribution of its data. If not, explicit permission is needed from the copyright holder to disseminate the dataset, and agreements must be made with respect to licensing.

Copyrights are established if two conditions are satisfied. Firstly, the dataset must be perceptible (that is, it can be viewed, heard, smelled, tasted or touched). Secondly, the dataset must have its "own character" in the sense that it reflects the creativity of the creator51. In geodata, for example, creativity might be materialized by the use of certain visualization methods (i.e. symbols, colours and stylistic features). However, creativity does not apply in many large scale maps which compile data conforming to supralocal standards, since they become subject to an absence of "uniqueness"52. The database right was set up to attach intellectual property rights to datasets in which entities have invested labour and money for collection and management. According to the Who, polities are permitted to demand dissemination costs if not doing so would inhibit the financial well-being of the polity. However, these costs must not exceed the cost of the dissemination process itself, and must not include the costs of other processes such as data collection and management. Polities exempt from this rule are the Cadastre, the Road Authority and the Chamber of Commerce.

50 Loenen, B. van, Welle Donker, F., Kulk, S., Groetelaers, D., De Jong, J., & Ploeger, H. (2011). Databeleid rijkswaterstaat: Deel: Hoofdwatersysteem; een overzicht van de juridische kaders omtrent het omgaan met data (Tech. Rep.). OTB Research for the Built Environment.

51 Loenen, B. van, Welle Donker, F., Kulk, S., Groetelaers, D., De Jong, J., & Ploeger, H. (2011). Databeleid rijkswaterstaat: Deel: Hoofdwatersysteem; een overzicht van de juridische kaders omtrent het omgaan met data (Tech. Rep.). OTB Research for the Built Environment.

The public sector has certain "codes of conduct" when it comes to offering goods and services. If the public sector engaged in commercial activities that private parties could perform, it would lead to market distortion. For the dissemination of geodata, this means that data must be presented and shared in the same form in which it is used to carry out the public-sector duty; that is, data must not be processed for the sole purpose of dissemination. Publication of processed data is reserved for data that has to be processed to carry out the public-sector duty it was collected for, or to prevent infringements of intellectual property or privacy rights. This is because private parties might have business models that involve selling data they process themselves. Nevertheless, it is important to note that, because of the Wob, polities are obliged to make data public (for viewing only) even where it resembles other products on the market.

12.2  Tartu and Estonia

Since 2009, the University of Tartu Library (UTL) has been developing open access (OA) initiatives in Estonia. The "Open access and Open Data in Estonia" project aimed to formulate national OA policies and broaden OA discussions to include opening access to research data. The project also focused on educating researchers about the benefits of publishing in open access and on making more research output available in the UTL repository. As a result, OA principles have been added as an underlying basis of the national Research, Development and Innovation (RD&I) strategy "Knowledge Based Estonia 2014-2020". Furthermore, an infrastructure for researchers to share open research data has been set up, with UTL joining DataCite and receiving funding from the Estonian government to improve the quality of research data. The city council is currently changing platforms and migrating data, and is also creating data bundles; Tartu Open Data is expected to be accessible from 2018.

Tartu has shown a strong focus on the key sectoral systems of IoT, e-government and e-participation, sustainable mobility and energy transition. Tartu currently implements the lighthouse project SmartEnCity, which will be the focus of the piloting in ESPRESSO and will yield the requirements for smart city standardisation. The main objective is to contribute to increasing energy efficiency in the new smart district developed in Tartu city centre, where a number of old Soviet-era residential buildings will be renovated to meet contemporary smart city standards in various fields, but primarily in terms of energy. The goal is to reach an energy consumption level of 90 kWh/m²/year, decreasing the energy consumption level threefold from the current 270 kWh/m²/year.

52 Loenen, B. van, Welle Donker, F., Kulk, S., Groetelaers, D., De Jong, J., & Ploeger, H. (2011). Databeleid rijkswaterstaat: Deel: Hoofdwatersysteem; een overzicht van de juridische kaders omtrent het omgaan met data (Tech. Rep.). OTB Research for the Built Environment.

The foci for future piloting were identified in March 2017, based on the lighthouse project SmartEnCity:

1) Increasing energy efficiency in buildings via better visualisation, specifically concerning the new smart city district in Tartu city centre which will be redeveloped through SmartEnCity;

2) Tartu City Information Modelling (CIM), a data integration pilot targeting data that currently exist separately in different databases and formats, to be integrated into a state-of-the-art 3D city information model based on open standards, facilitating interoperability and data exchange among different platforms.

Interesting findings on the local situation concern the open e-platforms used by the Estonian national and local governments for a range of services such as paperless government, e-voting and e-prescriptions.

12.2.1   Data Protection Law in Estonia

As a member of the European Union, Estonia has implemented the EU Data Protection Directive 95/46/EC through the Personal Data Protection Act, in force since 1 January 2008 ('Act'). Certain topics relating to the protection of personal data and privacy are regulated under the Electronic Communications Act and the Information Society Services Act, which implement Directive 2002/58 on Privacy and Electronic Communications (as amended by Directive 2009/136/EC). Data retention requirements are established under the Electronic Communications Act, based on Directive 2006/24/EC. Even though this Directive has been declared invalid by the CJEU, no relevant changes have been made to the Electronic Communications Act as a result. The box below gives a more detailed overview of data protection regulation in Estonia⁵³.

53 Data Protection Laws of the World: Estonia, 2017 - http://www.dlapiperdataprotection.com


Data Protection Law in Estonia

REGISTRATION: There is no general requirement to register data processing activities in Estonia. Registration is required only if the data processor processes sensitive personal data. As an alternative to the registration obligation, the data processor may appoint a Data Protection Officer (DPO).

DATA PROTECTION OFFICERS: The Act does not require the appointment of a data protection officer. A Data Protection Officer may be appointed as an alternative to the registration of sensitive data processing (see previous section). The Data Protection Inspectorate must be informed immediately of the appointment of such a person and of the termination of that person's authority. Upon appointment of a person responsible for the protection of personal data, the Data Protection Inspectorate must be informed of the person's name and contact details.

TRANSFER: Cross-border transfers of personal data from Estonia are allowed only to countries with an adequate level of data protection (i.e. EU/EEA member states and countries whose level of personal data protection has been evaluated as adequate by the European Commission). If personal data is transferred to a country whose level of personal data protection has not been evaluated as adequate by the European Commission, prior authorisation for the transfer has to be obtained from the EDPI.

SECURITY: Pursuant to the Act, the processor of personal data must implement appropriate organisational, physical and information technology security measures to protect personal data: against accidental or intentional unauthorised alteration of the data (integrity); against accidental or intentional destruction of the data and against prevention of access to the data by entitled persons (availability); and against unauthorised processing (confidentiality).

BREACH NOTIFICATION: There is no general obligation to notify data breaches. Where the data processor processes sensitive personal data and has appointed a person responsible for the protection of personal data (Data Protection Officer), this person has to inform the processor of personal data of any violation or breach discovered.

ELECTRONIC MARKETING: Electronic marketing is regulated by the Electronic Communications Act. As a general rule, the data subject must be able to consent to electronic marketing. The requirements for this consent depend on whether the addressee is a natural or a legal person, and on whether there is an existing client relationship between the parties. Real-time, non-automated phone calls and regular mail are not considered electronic marketing under Estonian law.

TRAFFIC DATA: Traffic data retention requirements apply only to communications undertakings. Providers of telephone or mobile telephone services and telephone network and mobile telephone network services, as well as providers of Internet access, electronic mail and Internet telephony services, are required to preserve for a period of one year the network traffic data, location data and associated data necessary to identify the subscriber or user in relation to the communications services provided.

COOKIE COMPLIANCE: Because an opt-out system applies, consent to cookies is not needed. The law does not refer specifically to browser settings or other applications to be adopted in order to exercise the right to refuse.


12.3  Discussion of the results from the survey

A short survey was administered to both Rotterdam and Tartu to explore their awareness of the regulatory context in which they will implement their respective use cases, and their level of readiness and awareness concerning the GDPR. A copy of the survey is attached in the Annex.

12.3.1   First section: EU regulations context

The goal of the first section of the survey was to analyse the regulatory context that may affect the implementation of the use cases. It comprised a list of questions aimed at eliciting regulatory aspects of the use cases in relation to European and national laws. The questions were:

•   What are – in the context of your ESPRESSO use case – the main fields/topics that will be explored? For each field/topic, could you point out any issue that may need particular attention with regard to regulations (e.g. usage of open data)?

•   What are the main European regulations that you have to consider for the implementation of your use case?

•   What are the main national and local regulations that you have to consider for the implementation of your use case?

Results from the first section show a very advanced framework for Smart City topics, based on the collection, management and exploitation of data and on the interoperability of sensors pertaining, for example, to water management, energy transition, mobility, healthy environment, housing and business innovation.

Rotterdam and Tartu are aware of the importance of managing data correctly and have dealt with it by paying closer attention to specific constraints. No sensitive personal data is involved in conducting the pilot activities (all data will be used in a generalised way, with no tracking back to the individual level), and any permissions that are needed will be obtained. Both cities have listed the national and European regulations that will have to be complied with, specifically:

•   The EU General Data Protection Regulation

•   Public Information Act

•   Personal Data Protection Act

•   Electronic Communications Act

To avoid privacy issues, Rotterdam will use specific sensors (e.g. underground parking sensors) that do not transmit personal data but only a neutral occupied/free signal. Whether combining the sensor data with other datasets could raise privacy issues has not yet been researched. In the Tartu pilot, on the other hand, key regulatory and administrative issues have been carefully considered in the context of the SmartEnCity lighthouse project. The participating building associations have agreed to certain terms and conditions in the context of this large-scale retrofitting and urban development project, and are aware that they have to provide some data about their buildings to enable progress review and impact assessment after the project is completed.

Particularly with regard to data management, no conflict with local and national regulations has been identified. The Institute of Baltic Studies is aware of the GDPR and will ensure that its activities comply with the regulation once a need to comply is identified. Tartu is in touch with the Estonian Data Protection Inspectorate, which has outlined that domestic implementing legislation for the GDPR is currently being developed by the Ministry of Justice. Once this becomes available, they will analyse the need for changes to internal processes and procedures.

12.3.2   Second section: GDPR

The second section of the survey addressed Rotterdam's and Tartu's awareness of the GDPR and their readiness for its implementation. Results from this section show that, with regard to the GDPR, both Rotterdam and Tartu take a more optimistic view than the European-level situation described in section 10.2. The pilot cities are fully aware that the GDPR applies to them and are designing concrete actions for its implementation. The main problem is that old procedures have to be redesigned and aligned with the new regulation's constraints. With regard to the use cases, neither Tartu nor Rotterdam will manage personal or sensitive data, but if needed, they have the proper competences and have identified measures to respond to specific privacy issues.

Table 2. Questionnaire GDPR focus.

Question: The GDPR is the new General Data Protection Regulation (GDPR, 2016/679) that will enter into force in May 2018. How much do you know about it?
Rotterdam: Full and comprehensive information. We are very aware of data protection and privacy. We have procedures for data classification, privacy information assessment and data leakage on all levels in the organization.
Tartu: Enough information.

Question: Based on your knowledge about GDPR, do you think your organization will have to comply with it?
Rotterdam: YES. The city of Rotterdam by law owns datasets containing personal data (among other datasets) which are a potential hazard when used in the wrong way. But also a combination of two datasets that individually are free of personal data might form a hazard. Therefore we are already aware that we have to comply with GDPR.
Tartu: DON'T KNOW. IBS does not process large amounts of personal data, but if there will be e.g. a future research project in the context of which this would be necessary, we will naturally have to comply with GDPR.

Question: Does your organization conduct systematic monitoring (including employee data) or process large amounts of personal data?
Rotterdam: YES. The city of Rotterdam owns many datasets and some of them contain personal data. There is a procedure for the registration of datasets containing personal data, so these datasets are known.
Tartu: NO.

Question: Has your organisation already identified / is planning to identify a Data Protection Officer or a similar figure?
Rotterdam: YES. There is a CISO (concern information security officer), and there are different information security officers, each connected to one of the departments. Every department in the municipality of Rotterdam has advisors for data protection. In addition, there are different information lawyers.
Tartu: NO. We have not yet identified a specific Data Protection Officer, but if need be, we will contact the Estonian Data Protection Inspectorate for guidelines.

Question: In the case of a data breach, the organization has to notify a data protection supervisory authority within 72 hours. Do you think your organization has in place all the needed procedures to detect and report a data breach?
Rotterdam: YES. The procedure to report a data breach is already in use, and there are also procedures for data classification and privacy information assessments.
Tartu: YES.

Question: Is your organization designing data protection and privacy requirements into the development of their processes and systems?
Rotterdam: YES. There are procedures (in concept) ready that have to prevent a data breach, like the agreements on data delivery, agreements on data management and the privacy protocol.
Tartu: YES. In case there are sensitive issues regarding privacy, we plan adequate data protection measures into the processes and systems.

Note: Respondents to this survey are not legal experts. They belong to the organisations in charge of implementing the use cases in each city. For this reason, the results are not intended to be representative of the data-management policy adopted by each municipality, and should be interpreted with reference to the use cases only.


13.  Conclusions

In recent decades, European public administrations have invested in ICT to modernise their internal operations, reduce costs and improve the services they offer to citizens and businesses. Despite the significant progress made and the benefits already obtained, administrations still face considerable barriers to exchanging information and collaborating electronically. These include legislative barriers, incompatible business processes and information models, and the diversity of technologies used. Moreover, technological developments such as the IoT, open data and social platforms pose further crucial challenges to public administrations that have to deal with the management and reuse of data. Specifically, open data and the IoT bring substantial challenges for personal data protection. Technology architectures with security built in from the beginning, and which adopt measures for privacy protection, are increasingly necessary. Those architectures should also be accompanied by precise legal policies that identify and regulate any barrier to digital data exchange and assess any consequence technology tools may have on citizens. In this regard, security and privacy are primary concerns in the provision of public services. When public administrations and other entities exchange official information, the information should be transferred in accordance with its security requirements and following these principles:

•   privacy-by-design and security-by-design approach to secure their complete infrastructure;

•   services resistant (not-vulnerable) to attacks which might interrupt their operation and cause data theft or data damage;

•   compliance with the legal requirements and obligations regarding data protection and privacy acknowledging the risks to privacy from advanced data processing and analytics

Those principles are also emphasised by the General Data Protection Regulation (GDPR), which promotes transparency, security and accountability by data controllers, while at the same time standardising and strengthening the right of European citizens to data privacy. Since data from different member states may be subject to different data protection implementation approaches, common requirements for data protection should be agreed. Each public administration contributing to the provision of a European public service works within its own national legal framework. This requires that legislation does not block the establishment of European public services within and between member states, and that there are clear agreements about how to deal with differences in legislation across borders, including the option of putting new legislation in place. Under the GDPR there will be one single pan-European set of rules in place of the 28 national laws of today. The GDPR will ensure that one data protection authority (DPA) is responsible for supervising the cross-border data processing operations carried out by an organisation or company in the EU, and consistency of interpretation of the new rules will be guaranteed. In particular, in cross-border cases where several national DPAs are involved, a single decision will be adopted to ensure that common problems receive common solutions. This will facilitate interoperability between public services and increase the potential for reusing data across borders, while maintaining the legal value of any information exchanged between member states and respecting data protection legislation in both the originating and the receiving country.


In addition, the GDPR creates a level playing field between EU and foreign companies, since companies based outside the EU will have to apply the same rules as European companies if they offer goods and services to, or monitor the behaviour of, individuals in the EU. The obligations put in place by the GDPR may be seen by many as a source of constraints on business. Nevertheless, many of the principles in the GDPR are already present in the current data protection law that all EU member states have adopted. This means that there may not be many changes for businesses that already comply with the current law. However, the GDPR introduces new elements and significant enhancements, which will require detailed consideration by all organisations involved in processing personal data.

In this regard, it is important to mention that since July 2016 all member states have also adopted the Regulation on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market (eIDAS - electronic IDentification and Authentication Services). The aim of eIDAS⁵⁴ is to ensure the ability to safely conduct electronic transactions online when dealing with businesses or public services, guaranteeing both parties a higher level of convenience and security. In this way, in all EU countries where these systems have been updated, it becomes easier and more secure for citizens to carry out online activities such as submitting tax declarations, enrolling in a foreign university, remotely opening a bank account, setting up a business in another Member State and authenticating for internet payments, to name a few. With eIDAS the European Union has created a standardised European internal market for so-called electronic transaction systems such as electronic signatures, electronic seals, time stamps, electronic delivery services and website authentication, and ensures that citizens and companies can use their national electronic identification schemes to access public services in other EU countries.

54 eIDAS: Regulation (EU) N°910/2014 - Regulation on Electronic Identification and Trust Services for Electronic Transactions, http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2014.257.01.0073.01.ENG


14.  Annex

Survey

Pre-normative analysis and assessment of legal impacts.

1.  What are – in the context of your ESPRESSO use case – the main fields/topics that will be explored?

2.  For each field/topic, could you point out any issue that may need particular attention with regard to regulations (e.g. usage of open data)?

3.  What are the main European regulations that you have to consider for the implementation of your use case?

4.  What are the main national and local regulations that you have to consider for the implementation of your use case?


The GDPR

The EU General Data Protection Regulation (entering into force in 2018) is one of the main regulatory conditions that will affect the provision and activities of future Smart City services. All organisations dealing with personal data will have to comply with it. By answering the following questions, you will help us build an EU-wide picture of the extent to which cities and organisations are aware of, and ready to adopt, the GDPR.

Question: The GDPR is the new General Data Protection Regulation (GDPR, 2016/679) that will enter into force in May 2018. How much do you know about it?
Your answer: 1 = nothing, 2 = few, incomplete information, 3 = basic information, 4 = enough information, 5 = full and comprehensive information

Question: Based on your knowledge about GDPR, do you think your organization will have to comply with it?
Your answer: YES / NO / DON'T KNOW

Question: Does your organization conduct systematic monitoring (including employee data) or process large amounts of personal data?
The GDPR defines personal data as "any information relating to an identified or identifiable natural person, that is everyone who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity".
Your answer: YES / NO / DON'T KNOW

Question: Has your organisation already identified / is planning to identify a Data Protection Officer or a similar figure?
The GDPR defines a Data Protection Officer as the person responsible for facilitating compliance with the GDPR through the implementation of accountability tools (such as facilitating or carrying out data protection impact assessments and audits), and who acts as intermediary between relevant stakeholders (e.g. supervisory authorities, data subjects, and business units within an organisation).
Your answer: YES / NO / DON'T KNOW

Question: In the case of a data breach, the organization has to notify a data protection supervisory authority within 72 hours. Do you think your organization has in place all the needed procedures to detect and report a data breach?
The GDPR defines a data protection supervisory authority as an independent authority, appointed by each member state, in charge of monitoring data protection, advising the government and, in case of data violations, starting legal procedures. The GDPR defines a "personal data breach" as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed".
Your answer: YES / NO / DON'T KNOW

Question: An underlying concept of the GDPR is Privacy by Design, which requires that data processing products and services are designed and built with legal requirements in mind from the beginning. Is your organization designing data protection and privacy requirements into the development of their processes and systems?
Your answer: YES / NO / DON'T KNOW