Ontario's information and privacy commissioner is calling on the provincial government to review and modernize its privacy laws to prepare for the "risks inherent" with smart cities.
In his recent annual report, Brian Beamish said smart city projects have many potential benefits, but they must not come at the expense of privacy. The technology involved is able to collect and use massive amounts of data, including personal information – and measures to ensure people's privacy and security must be at the forefront of these public-private partnerships, he wrote.
"While (the law) provides a foundation for privacy protections, it is outdated in the face of current digital technologies and practices such as sensors, big data analytics, and artificial intelligence," Beamish wrote.
"Therefore, I recommend that the Ontario government lead a comprehensive review of our privacy laws and modernize them to address the risks inherent in smart city technologies."
The relevant laws came into effect in the 1980s and '90s, at a time when smart city projects were not on the horizon, Beamish said. The principles are solid, but there has never been a complete overhaul to make them more relevant to the digital age, he said. Needed updates include stronger oversight and enforcement mechanisms, Beamish said.
"I think it would be very difficult for my office to provide proper oversight of the smart city projects without having a significant upgrade in our powers," he said in an interview.
A spokesman for the Ministry of Government and Consumer Services said it will review the privacy commissioner's recommendations as part of its ongoing data strategy. The government recently released framework principles for smart cities, which include guaranteeing the protection and privacy of personal data.
Beamish's report comes shortly after Sidewalk Labs, a subsidiary of Google's parent-company, released its ambitious vision for a smart city project on Toronto's eastern waterfront. It would incorporate numerous types of sensors, cameras, and other monitoring systems to make the area run more efficiently.
Beamish said strong safeguards are needed so the technology isn't used to track people, and so it doesn't get released in a cyberattack.
Sidewalk Labs has proposed that data collected in public spaces be overseen by an independent data trust. It has proposed stripping personal information before the data is used.
Ontario's former information and privacy commissioner, Ann Cavoukian, resigned from her consulting role with Sidewalk Labs last year after she said it told her it could not force other companies to de-identify data the moment it's collected.
"Our freedom from surveillance is really at risk here," she said in an interview. "Personal information is a treasure trove. Everybody wants to collect data in personally identifiable form."
She is now working with Waterfront Toronto – a partnership involving the City of Toronto, Ontario and the federal government to oversee waterfront development that will vote on the Sidewalk plan in December or January – who she said agrees with her.
"It's all about the technology and the sensors, which are going to be on 24/7. They're not being turned off so there's no opportunity for people to consent or revoke consent to the collection of their personally identifiable data," Cavoukian said.
The laws do need to be updated, she said, but the strictest privacy protections should be "baked in" to these projects so citizens don't have to rely on laws, which often lag behind technology and take years to revamp, for their privacy.
Sidewalk Labs said it hopes the independent data trust will address the "unique issues presented by our digital world."
"This project has generated an active and healthy public discussion about data privacy, stewardship, and governance in cities," Alyssa Harvey Dawson, the company's general counsel and head of legal, privacy and data governance said in a statement.
"We hope that our project will set a new standard for responsible data use in cities by pushing for strong data use guidelines and assessments that add to requirements under existing privacy laws."
Sidewalk Labs' proposal says data must be used for a beneficial purpose, that organizations should tell people how and why data will be collected, and that data should be de-identified by default.