Data Protection Day is the perfect excuse to take stock of the situation and see what challenges and successes cities have in walking the thin line between guaranteeing data protection and promoting a culture of data sharing to improve their digital services. To do so, we enlisted the help of Bart Rosseau, Chief Data Officer at the City of Ghent.
Data Protection Day celebrates the signing of the Convention for the Protection of Individuals concerning Automatic Processing of Personal Data. Can we say that people’s data is protected? Why?
No. I think that we achieved an agreement on what personal data is and that it needs to be protected. We have established that we need to think about it.
That’s a success, but I wouldn’t go as far as to say that personal data is protected. There’s still a big difference between your legal rights and what’s being applied — for example, not everyone who could take their case to the European courts does.
We are making progress. Companies and governments alike are realising that this is an essential issue and that they need to consider it and how to treat it.
Interestingly, you mentioned companies and governments together. So, is it not governments vs businesses for data protection?
It’s more about the scale than it is about private companies versus governments.
In general terms, people may think of national governments as on the same level as Google in terms of potential data abuse. But they tend to have more trust for a local start-up or the local government.
So, I think it has to do with size and distance. The local dimension is closer to people, and it might feel easier to monitor and trust.
When talking about privacy, people realise that the risks lie with organisations with the breadth of control to combine data and process it. But I believe that governments and companies need to work together to make progress.
You mentioned that users have certain rights, but that they might not always exercise them or know how to do so. This is linked to the fact that users often feel powerless in front of organisations. Is this a collective case of digital resignation? Are we giving up on exercising our digital rights?
There are some technical solutions on the way to face digital resignation — for example, the personal data vaults. But I think most people don’t care until it’s too late. We haven’t hit the critical mass yet where enough people have experienced the risks to care.
Convenience trumps everything. If it’s easy to buy or makes access to a service easier, people won’t think of the risks of consenting to give away their data in exchange. This is an issue to tackle, and there will be solutions.
On the other hand, people expect digital services to be accessible, but for that to be the case, the service provider needs your data and that of many other users. People tend to be more lenient towards private companies than the government, although the government also offers better and more accessible services when using data proactively.
There’s a tension between being very cautious and protective of our data versus wanting a smooth delivery of digital services.
You mentioned that solutions are being tested to make data protection more accessible to users. I can think of the MyData project example. What is Ghent doing regarding this issue specifically?
We have this living lab to measure and monitor how crowded certain streets are. This is an innovative project where we test different types of technology, and we scrutinise what data is collected and how it is processed and used.
For example, can we avoid using cameras? Can we use them ethically? One of the project’s technologies is cameras, but they delete the images as soon as the counting has been done. Other devices we are testing are not recording.
The project follows the principle of transparency. For this, we put QR codes on each device that measures and monitors crowd density. People can scan it, and they will get all the information about the device: what type of device it is, what it’s recording, what it’s measuring, what’s the reason for the measurement and the purpose of the data collected, etc.
Being transparent and proactive in your communication can help establish a dialogue with the people.
We are also working on the data processing registry to allow people to see what data they give to the city and its use.
Can you give an example of how businesses and governments can work together to build more trust?
When you need to share data and you are in the contract drafting phase, there’s often a dialogue between Data Protection Officers (DPOs) of both parties. We build a common understanding of each other’s challenges during this dialogue. There’s a lot to be learned there.
We see exciting developments in the way companies are developing their products, be it sensors or how they deal with data. More and more, we see that companies realise that developing products with privacy by design will boost their market share.
As a local government, you can offer to test innovations and get people’s feedback on a large scale. You can offer the knowledge learned through use cases that have already introduced a solution developed by a private company in the existing landscape.
It’s important to keep sharing our experiences, not just between local governments but also with the regional and the national level, because they are the watchdogs when it comes to privacy.
There has been a difference in European legislation regarding how data sharing was regulated for governments and businesses. The upcoming Data Act will change this; what are your expectations for the Data Act?
It’s a big step in creating a joint base for dialogue between governments and businesses. It will give some guidelines on creating a dialogue and what we can expect and ask from private companies.
We expect that it will help create a standardised way to exchange with businesses, so we don’t have to renegotiate every single time.
We don’t know yet what kind of data will be helpful to get. We will need to test what is working and feasible and collect use cases to share.
Cities often feel like they aren’t involved enough in the EU legislative process. Is there anything we can take as learning points from the Data Act?
I think Eurocities did everything they could to get cities around the table.
One of the lessons would be to be more prospective. We shouldn’t start from the draft of the legislation but rather from where the issues and the tensions are.
The second lesson is that cities can be at very different stages of maturity regarding a specific issue. For instance, there’s a big difference between cities that feel the negative effects of not having data on temporary rentals of rooms. We need to build a shared understanding of the issues and what they mean for different cities.
Is there anything I haven’t asked but that you want to highlight?
Yeah, we are struggling with finding skilled and experienced people when competing with the private market. We have a DPO who follows data protection issues, but it’s a lot of work. Luckily, some people chose to contribute to the public good and are joining us.
We also need to think about the cost of this effort. At the moment, it is extra work that we have to do without an extra budget, and that’s a challenge. So the more benefits we can highlight, the easier it becomes to justify the efforts.