Data Governance Frameworks for Smart Cities: Key Considerations for Data Management and Use

By: Jennifer Johnson, Anna Hevia, and Rebecca Yergin, with contributions from Shayan Karbassi, Adira Levine, and Jorge Ortiz.

Cite as: Jennifer Johnson et al., Data Governance Frameworks for Smart Cities: Key Considerations for Data Management and Use, 2022 J. L. & Mob. 1.

I.              Introduction

The proliferation of “smart technologies” has created significant opportunities to leverage data to improve everyday life across sectors.  In cities around the world, local governments and private enterprises, often partnering together, have launched projects that integrate smart technologies with Internet of Things (“IoT”) capabilities into public spaces in order to promote efficiency, safety, mobility, and innovation.  At the same time, smart cities must balance the need for robust data in order to achieve these benefits with public concerns regarding privacy and data use.

This paper examines the key attributes of smart cities, the essential role that data plays in fueling smart cities, and the importance of establishing appropriate guidelines to govern the management and use of the massive amounts of data that smart cities generate.  This paper refers to such guidelines as “data governance” frameworks.  Drawing on case studies from cities in both the U.S. and other countries, the paper discusses trends and challenges in data governance that are impacting the success of smart cities projects.  Based on this analysis, the paper outlines key considerations that should be taken into account to develop data governance frameworks that will promote the success of smart cities and the benefits that they bring.

II.            Background

A.            What Is a Smart City?

“Smart cities” may take a variety of forms, but most “smart cities” share certain key attributes and goals.  In the broadest sense, a smart city is generally understood to encompass a system of technological solutions that a local government and/or private enterprise implement at the municipal level to help advance city governance and development aims.[1] Such technological solutions, which include cameras and sensors (i.e., “smart technologies”), are deployed to collect and analyze data for purposes such as reducing traffic congestion, improving vehicle and pedestrian safety, enhancing public security and emergency services, providing accessible transportation services, improving civic planning and design, and facilitating research and development.

The ultimate aims of such data collection and analysis may go beyond the particular purposes immediately described above.  Two conceptions of a smart city help explain the broader goals (which need not be mutually exclusive):

  • Under the first, the goal of a smart city is knowing and controlling the existing municipal environment and reacting to citizen needs. This understanding of a smart city involves an ecosystem in which a local government and/or private enterprise builds smart technologies into the fabric of the city’s urban environment and uses the technologies to help the city monitor, manage, and regulate—often in real time—city flows and processes.  The resulting dynamic dataset is intended to allow the city to either directly, or through a partnership, model and predict urban processes and needs, providing a local government with the ability to better identify and react to the workings and needs of the city and its citizens. [2]
  • A second understanding of a smart city focuses instead on the use of smart technologies and the data such technologies collect to expand and develop the existing municipal environment. Under this concept, what makes a city “smart” is not so much its physical infrastructure or data collection capabilities alone, but rather the extent to which the city can leverage the smart technologies embedded in the infrastructure in conjunction with human and social capital to grow its economy and manage urban development.

Under both conceptions of a smart city, questions emerge over how to best process and manage available data.  As noted above, in a smart city, the physical infrastructure, analytics, and data capture systems may helpfully create an ecosystem that allows the city administrators and their partners to alter the provision of goods, services, and marketing to match the needs of the existing environment and/or emerging needs of citizens.[3]  Within such systems, data, particularly from residents, forms an essential constituent material of the city’s “digital infrastructure” (i.e., the essential facilities and services that contain information technology, such as fiber optic cable, or the more traditional physical infrastructure that embeds digital components such as sensors).  Within this context, data governance emerges as the response.  As discussed further below, data governance provides the rules and parameters that regulate, either through public authorities or via self-policing by private actors, data collection efforts aimed at producing more efficient and dynamic interactions between local governments, their partners, citizens, and the services upon which those citizens rely.

B.            Key Considerations for Data Governance

Data governance frameworks have varied across smart cities, although many share similar features and challenges.  Data governance frameworks often vary depending on the extent to which public authorities or private enterprise are tasked with modernizing the city’s provision of goods and services.  They additionally often reflect a seemingly inherent tension between, on the one hand, regulation optimized to advance innovation and, on the other, regulation intended to protect public interests and individual rights.

The following overarching principles may be relevant to designing a successful data governance framework for smart cities:

  • Balancing government involvement and privatization;
  • Considering law enforcement aims in light of surveillance concerns;
  • Defining the scope and purpose of the data;
  • Interacting with local laws and regulations; and
  • Garnering public trust through transparency and accountability.

This paper describes each of these principles and provides real world examples that illustrate the benefits and challenges of incorporating such principles into a data governance framework.

III.          Smart City Governance Framework Considerations in Practice

A.            Principle 1: Balancing Government Involvement and Privatization

The extent to which traditional city government versus private enterprise should develop and operate a smart city generally represents a threshold consideration for any smart city initiative.  Different approaches exist along a spectrum that on one end prioritizes innovation and economic growth by deferring to the private sector and, on the other end, reserves a greater role for public regulation.  The majority of governance frameworks attempt to strike a balance between these two ends.

Academic literature identifies several potentially overlapping archetypes of public-private relationships along this spectrum.  Below is a list of such archetypes from least private involvement to most.  An architect of a smart city initiative may elect to follow one or more of these archetypes:

  • “Tech Justice,” which emphasizes the need for the local government and the public to use and manage technological infrastructure jointly, with little or no private control, to protect and advance human rights in the city and, in particular, to grant vulnerable minorities and disadvantaged populations access to the benefits derived by technological innovation.[4]
  • “City-Centered, Democratic Approach,” which focuses on the city as the central authority best able to balance technological innovation with the protection of private rights, and which requires the city to build its own internal data science capacity to manage new technologies in order to proactively create applications, build digital infrastructure, and control data flows.[5]
  • “Smart Enough Cities,” which envisions the city harnessing the innovation promised by technology companies and directing it specifically and solely towards addressing community needs and advancing social policy goals.[6]
  • “Public Oversight Over Private Innovations,” which promotes privacy innovation, but also implements systems of public oversight that ensure the city—rather than the private company—is in control of the data governance; the archetype seeks to avoid the backlash resulting from what advocacy groups have considered “excessive deference” to private innovation that they fear may lead to “corporate control” over individual rights.[7]
  • “Smart Regulations,” which rejects regulations that are too rigid or burdensome on private businesses and instead promotes a framework that allows private businesses to deploy new technologies broadly as part of a smart city, limiting public involvement if it would hamper private companies’ delivery of benefits to the community.[8]

Key Example: Toronto

A recent smart city project in Toronto provides an example of a data governance framework that deferred significantly to the private sector, most similar to the “Smart Regulations” archetype discussed above.  The project, however, resulted in public backlash when some residents and privacy advocacy groups perceived the project as moving forward at the expense of public oversight and individual control over rights.  (“Public Oversight Over Private Innovation,” described above, represents a response to this situation.)

In 2017, Sidewalk Labs, a subsidiary of Alphabet Inc., announced a plan to turn a waterfront area in Toronto into a smart city to be known as “Quayside.”  The property was owned by a development corporation called “Waterfront Toronto,” which was established in 2001 by the Government of Canada, the Province of Ontario, and the City of Toronto “to assist in the renewal of Toronto’s waterfront.”[9]  The project area spanned 12-acres, but documents revealed plans to develop a total of 350 acres.[10]  Waterfront Toronto initially released a four-page summary of the agreement, with the full 29-page agreement confidential by contract.[11]  After public pushback about the perceived secrecy of the project,[12] the parties released a Master Innovation and Development Plan (“MIDP”), comprising more than 1,500 pages, which displayed background information, plans for the project, priority outcomes, and partnership details.[13]  The MIDP provided for the creation of an “independent, government-sanctioned steward” of citizen data titled the “Urban Data Trust.”[14]  This trust was intended to be responsible for balancing various considerations, such as personal privacy, public interest, and innovation.  In essence, the data trust was designed to oversee matters of “digital governance” and address issues relating to data use.[15]

The project subsequently published a 482-page “Digital Innovation Appendix” (“DIA”) to address further privacy concerns[16] and elaborate on the data governance approach for Quayside.[17]  The DIA attempted to shift the public’s perception of the balance between private and public involvement, clarifying that Waterfront Toronto through its government stakeholders, and not an independent entity, would take the lead on data governance.  The document also contained guidelines for responsible data use, which would apply to all data activities under the smart city project.  The implementation mechanism for the guidelines was the Responsible Data Use Assessment (“RDUA”), a multi-step, multi-member privacy compliance process, which aimed to ensure the project incorporated privacy and data ethics.

Nevertheless, despite the information the MIDP and DIA provided, public concerns from citizen groups persisted: they continued to argue that the data gathered from this “high-tech neighbourhood” would lead to democratic and surveillance issues.[18]  Ultimately, the project was cancelled, with the project’s leadership citing the “unprecedented economic uncertainty” of the COVID-19 pandemic.[19]

The trajectory of the Toronto project highlights the importance of considering and establishing the appropriate balance between government and private sector involvement, and socializing this balance with the public, especially at the outset of a smart city initiative.[20]  Although the Quayside project published extensive resources describing its plans over time, citizens and advocacy groups continued to raise privacy and transparency concerns with the project.  The example suggests that, in some communities, information disclosures alone may not be sufficient to assuage concerns resulting from perceived restrictions on individual rights.  Residents may seek further opportunities for democratic participation in the development and ongoing management of such a project.

Additional Example: Bristol

A public-centered smart city project in Bristol, England, provides an example that comports more with the “City-Centered, Democratic Approach” archetype described above.  Beginning in 2013, the city of Bristol received funding from the UK Government to conduct smart city research and development.  This funding precipitated the 2014 Bristol is Open (“BiO”) joint venture between the Bristol City Council and the University of Bristol.[21]  BiO has since deployed city-wide infrastructure on which to test and evaluate new digital technology for smart cities.  To date, BiO projects include: (1) evaluating IoT and “big data” applications[22]; (2) rolling out efficiency and mobility solutions in cities[23]; and (3) deploying 5G, closed-circuit television, and IoT sensors to control events.[24]

BiO is now under sole government control, and has moved past research and development to advance “Connecting Bristol.”[25]  Connecting Bristol is Bristol’s official smart city strategy, and a part of the “One City Plan” that aims to make Bristol the UK’s “most digitally connected city.”[26]  Current projects include hosting open data hackathons and expanding the region’s electric vehicle charging network.[27]  The city integrates new projects through its “CityOS” open source operating system.[28]

One of the central principles of Connecting Bristol is public service innovation, which centers on the Bristol City Council’s ability “to deliver frictionless, well-designed, effective services and infrastructure.”[29]  As part of this public service innovation, the Bristol City Council is seeking to develop with its IoT strategy “a citizen-centric approach to data management” with the intention that “people provide their data once to Bristol City Council and it is reused many times as agreed with the owner.”  The council promises to store the data “securely,” share “only with permission,” and share in compliance with privacy law.[30]

This “citizen-centric” approach need not be limited to projects that involve significant government engagement, but Connect Bristol demonstrates how government involvement may facilitate the kind of citizen buy-in that the Toronto project failed to attract. Public-centered smart city initiatives, however, face other challenges.  For instance, general resource constraints that already impede many city governments may further limit the ability of a local government to develop a smart city initiative.  In Bristol, financial difficulties and loss of staff have hindered implementation of the Bristol IoT strategy[31] and, as a result, many developments have thus far been modest.[32]  Private involvement, in contrast, may bring the benefit of additional resources and technological capabilities (even though in recent years COVID-related constraints appear to have impacted both private and public sector initiatives).

B.            Principle 2: Considering Law Enforcement Aims in Light of Surveillance Concerns

Any architect of a smart city should also consider how data is collected and how the data is put to use—including in the law enforcement context.  Smart cities vary in their approaches toward using data for law enforcement purposes.  The public safety benefits of using technological innovation to support law enforcement must often be weighed against general surveillance concerns, as well as fairness and equity concerns.

First, depending on the legal and cultural landscape surrounding a smart city, the amount of data that a smart city collects in order to achieve its goals may appear to be at odds with individual privacy rights.  For example, a smart city initiative may amass significant data about an individual’s actions over time, revealing personal habits or practices in a way that some may believe infringes on individual privacy rights and results in unwarranted surveillance.  The public may more readily trust public authorities whose specific purpose is protecting individual rights such as privacy to ensure that both public and private platforms sufficiently protect these interests.

Second, large data collection platforms may appear to have inadvertent biases and blind spots that either exclude a particular subset of society or over- or under-emphasize the data for the subset in any given data stream.  These distortions may in turn impact public or private allocations of goods and services and shape the governance framework of a city based on incomplete or otherwise skewed baseline data, raising concerns over fairness and inequities.

These surveillance and other equity concerns are especially pronounced in the law enforcement context, which has prompted some smart cities to proactively address the boundaries of their use of IoT capabilities in the public safety space.

Key Example: San Diego

San Diego introduced a “Smart Streetlights” project in 2016 in order to replace high energy use streetlights in favor of streetlights containing light emitting diode (“LED”) lights.[33]  The new streetlights also served as smart city sensor platforms, collecting pictures, sound, and other data.[34]  San Diego’s “Department Instruction” document specified that, while the director of the city’s Sustainability Department would oversee the data and metadata collection, the San Diego Police Department (“SDPD”) would have exclusive access to the camera feeds.[35]  The Department Instruction further detailed that any sensor-collected information made public would be anonymized data devoid of personally identifiable information and biometric information.[36] 

Criticism of the Smart Streetlights project focused on the exclusive ability of the SDPD to access certain data, with some critics describing the project as “officially and exclusively a tool for local police”[37] and the streetlights as “surveillance bulbs.”[38]  Although the SDPD created specific procedures to govern the use of the data collected by the streetlights, advocacy groups argued that the city never engaged the public about using the streetlights for law enforcement purposes and that the Sustainability Department “could not be trusted to self-regulate.”[39]  Public backlash increased with the rise of Black Lives Matter protests and reports of the SDPD using the streetlights to monitor such protests in a way that were perceived to violate norms of fairness and equity.[40]  The San Diego Mayor at that time eventually announced a pause in the project until the adoption of a surveillance ordinance by the San Diego City Council.[41]  The San Diego City Council passed such an ordinance in the fall of 2020, but the current mayor has not yet directed its implementation.[42]

San Diego’s Smart Streetlights initiative illustrates some of the concerns that may arise when a project involves minimal private involvement if the purpose of the project and the use of the data appear to raise surveillance concerns or otherwise infringe on individual rights.  In San Diego, the apparent lack of broader oversight over the SDPD’s exclusive use of the data may have also exacerbated surveillance concerns.

Additional Example: Chicago

In contrast to San Diego’s initiative, Chicago’s Array of Things (“AoT”) project, launched in 2013, explicitly ruled out involvement by the police from the beginning.  The program operators—the University of Chicago and Argonne National Labs, along with the City of Chicago—have explicitly stated that AoT “does not have a law enforcement component; it is designed to collect and publish data about the city’s environment, infrastructure, and overall activity.”[43]  Furthermore, the program operators have stated that, where AoT intersects with public safety, the program makes efforts to improve traffic safety, including by using pedestrian, bicycle, and automobile traffic counts at busy intersections to develop safer streetlight patterns or crosswalks.[44]

To address possible surveillance concerns, engineers for the project spent six months collecting comments from the community and the program operators sought input from privacy policy experts, industry experts, and the American Civil Liberties Union (“ACLU”).[45]  Section III.E below on “Public Trust” further discusses AoT; for this section, AoT’s efforts generally illustrate the proactive steps that program operators took in order to prevent the public from perceiving AoT as a law enforcement surveillance tool.

C.             Principle 3: Defining the Scope and Purpose of the Data

Another key theme arising from smart city initiatives is the importance of defining the scope and purpose of data collected through smart technologies (i.e., what data will be collected and why).  In particular, a plan to define the scope and purpose of data collection should consider timing and specificity. 

First, projects such as Toronto’s Quayside initiative (discussed above) demonstrate the risks that smart cities run if they wait until public groups request additional information before providing details on data collection and use, as well as the risks of deferring to a private partner the task of sharing project information with the public.  In the case of Toronto, neither public authorities nor their private partner appeared to have communicated the scope and purpose of the data collection to the public in a way the public found satisfactory.

Second, and as discussed in this section, smart city governance models defining the scope and purpose of data collected through smart technologies vary in their specificity, with some offering broad principles and others establishing very specific policies and details for implementation.  As with other considerations described in this paper, most definitions of scope and purpose fall within a spectrum of specificity, attempting to balance the flexibility of broad data governance frameworks with the transparency and organizational benefits of specific regulations.

Key Example 1: Columbus

Columbus’ smart city initiative provides an example of specificity in defining the scope and purpose of data collection.  By way of background on the initiative, in 2016, the U.S. Department of Transportation (“USDOT”) selected Columbus as the winner of its “Smart City Challenge” and pledged a $40 million grant to Columbus after the city presented its vision for using technology to enhance transportation and address mobility challenges for all residents.[46]  The city used the funds to support its “Smart Columbus” program and invest in eight projects ranging from development of a connected vehicle environment and smart mobility hubs to operation of self-driving shuttles and prenatal trip assistance.[47]  These initiatives, and relevant projects, depended on the Smart Columbus Operating System (the “Operating System”).[48]  The city developed the Operating System and launched a beta test of the system in 2017 .[49]  The goal of the Operating System was to be a nexus for the data collected by the city, allowing both public sector officials and private sector innovators to use the data.

As of the summer of 2021, when the Smart Columbus program ended, the Operating System had collected and stored more than 3,000 datasets, including traffic characteristics, city infrastructure inventory, crash records, and emergency response times .[50]  The Operating System collected data from multiple inputs, such as public, nonprofit, education-based, and private sector contributors,[51]  and ran on an open source platform to “ensure replicability, sustainability and portability.”[52]  Since data is crucial in developing smart transportation or other smart city projects, the Operating System was the “backbone” for the entire Smart Columbus program.[53]

As part of the Smart Columbus project, Columbus created a comprehensive Project Management Plan (“PMP”) that provided specificity with respect to the scope and purpose of the data collected by the Operating System.[54]  The PMP initially described data governance as “the overall management of the availability, usability, integrity, and security of data used in . . . a large scale program.”[55]  The PMP then explained that the data that the Operating System contained was limited by a Data Management Plan (“DMP”)[56] and a Data Privacy Plan (“DPP”),[57] which together created the data governance components. 

  • The DMP created a set of guidelines for ensuring the proper management of data from smart projects. In addition to providing the technical information regarding the data format language, storing of metadata, and overall data storage methods, the DMP included policies for sharing, re-use, and archiving of da  For data sharing, public data was available to all users but only authenticated users could access restricted data.  Regarding re-use, since the data was usually collected outside of the Operating System, the members of the Operating System team were limited to administrative roles and were not able to change the meaning of the data.  The archiving strategy relied on using readily available and redundant services for all the data in the Operating System.  Generally, whenever a change or update occurred to the Operating System, a copy of the original data would be saved to an archive.
  • The DPP’s principles aimed to protect the privacy of users and participants, protect the Operating System against breaches, and prevent unauthorized use of personally identifiable information (“PII”) and other data. The DPP imposed ten data stewardship principles that USDOT grant-funded Smart Columbus projects must follow, which principles included, among others, principles guiding consent, minimization, retention, and accessibility features.  The privacy controls adopted by the DPP included: notice and consent, which aimed to provide timely and clear notice to individuals when PII data was involved; data minimization, which advocated for using and collecting only the data required to fulfill objectives; transparency, which involved being open about information collection and use practices; de-identification of data; and data curation.  Specific to data curation, the DPP established a four-step program to ensure the data entering the Operating System was free of PII.  The DPP also attached a Privacy Impact Assessment to the appendix, which helped to identify and mitigate privacy risks associated with each project.[58]

Smart Columbus ended in June 2021 amid criticisms regarding ineffectiveness and bureaucratic friction.[59]  Some projects failed to attract public interest or use, and in one case the autonomous shuttle project was cancelled after a shuttle’s sudden break caused injuries to a rider.[60]  Columbus has indicated that the city will continue a version of the project as a “collaborative innovation lab,” continuing to use some of the new technology the city brought in through the project,[61] and building on five of the eight projects Smart Columbus initiated.[62]  Critics have nevertheless argued that Smart Columbus’ relatively limited impact fell short of its plans to deliver “revolutionary” data integration and autonomous vehicle deployment.[63]  This example shows that specificity in framework and goals can lead to criticism if the project does not achieve these goals.

Key Example 2: Amsterdam

On the other end of the spectrum on specificity, the Amsterdam “Smart City” project provides an example of a governance structure based on broader principles rather than intricate processes.  The Amsterdam Smart City is a major digital city initiative and public-private partnership by the Amsterdam Economic Board.  It is an “open innovation platform”  that aims to foster collaboration between the public sector, private sector, and citizens.[64] On the initiative’s website, social entrepreneurs, founders, and other interested parties post about dozens of pilot projects, which often involve partnerships between startups and the Amsterdam government.[65]

In view of data’s potential to help address problems within cities, Amsterdam developed a manifesto of six principles for digital governance.  The framework arose from an invitation by the Amsterdam Economic Board in 2017 for a group of experts and citizens to examine data governance in digital cities.  The resultant manifesto is entitled “Tada – clear about data,” and its developers intended for Tada’s principles to apply to smart cities around the globe. Governments and organizations in the public and private sector may become signatories to the manifesto.[66]

The six principles of the Tada manifesto are:

  • “Inclusivity,” which the manifesto characterizes as recognizing differences “without losing sight of equality”;
  • “Control,” which communicates the belief that data ought to serve the population and that individuals should maintain control over their own data;
  • “Tailored to the people,” which involves room for change and the right to be forgotten;
  • “Legitimate and monitored,” which the manifesto uses to highlight the importance of civil society’s role in the development of digital cities;
  • “Open and transparent,” which pertains to visibility about the data collected and its uses; and
  • “From everyone — for everyone,” which emphasizes the role of “mutual agreements” to ensure that the use and benefits of data apply to all.[67]

These principles speak to not only the scope of data collected but also to the purpose of collecting the data.  For instance, the “open and transparent” principle urges users of data like companies, governments, and communities to reflect on “[w]hat types of data are collected” (i.e., scope of data) and “[f]or what purpose.”[68]  The “control” principle also speaks to purpose, as it provides that data is meant to “be used as seen fit by people to benefit their lives, to gather information, [and] to develop knowledge.”[69]  Having completed development of the manifesto, Tada’s focus has shifted toward examining how to best implement its principles.[70]

Critics of the Amsterdam Smart City have expressed concerns that the Tada manifesto is “deliberately broad” and “lacks details” about implementation.[71]  While it aims to advance broadly applicable principles, the Tada manifesto’s absence of detail about how to put its ideas into practice may threaten the potential of its approach.

D.            Principle 4: Interacting with Local Laws and Regulations

When developing internal data governance frameworks, architects of smart cities should design such frameworks to comply with applicable federal, state, and local laws.  Regarding the latter, smart cities are in a unique position to build frameworks that productively interact with local law, and in some cases drive modifications to local law that will facilitate and better implement IoT initiatives.  For example, local laws may be amended to establish data privacy and security safeguards, streamline public engagement processes, or enhance collaboration between different local departments.

Key Example: New York City

New York City’s efforts to “build a smart and equitable city”[72] involve interactions with local laws that can be helpful to similarly situated cities.  Currently, New York City appears to have various projects that involve smart technologies, mentioned in different websites and documents.  As part of the Connected Vehicle Project (“CVP”), New York City adopted its Data Management Plan,[73]  which describes the principles and procedures the city will follow relating to data storage, privacy, access, and preservation, and imposes requirements to ensure that data that is accessed or shared is free of PII and complies with the specified procedures.[74]

The Data Management Plan works in conjunction with recently developed local law.  In 2017, New York City implemented Local Laws 245 and 247, which established a Chief Privacy Officer (“CPO”), a citywide privacy protection committee, and a new privacy protection framework.[75]  The CPO has authority to, among other things, promulgate policies for the use of identifying information, review agency reports containing identifying information, and describe when disclosure of identifying information is routine or not routine.  The citywide privacy protection committee is composed of at least 12 members, and the mayor has the option to appoint deputy mayors or commissioners not explicitly listed.  The committee chair is the director of the mayor’s office of operation, unless the mayor declares otherwise.  The committee reviews city agency reports and issues recommendations in collaboration with the CPO.[76]  The privacy protection framework adds new definitions and procedures with the objective of better protecting privacy.  Such procedures include, for instance, actions that privacy officers must take to ensure data is free of identifying information and notification plans in the event of unauthorized disclosure of citizen data.

New York City has also developed an IoT Strategy[77] and IoT Guidelines,[78] which apply to the CVP and other projects using IoT devices.  The IoT strategy describes the efforts the city has made to increase local governance and coordination.[79]  Such efforts include, in addition to Local Laws 245 and 247, the Open Data Law, the creation of the Mayor’s Office of Data Analytics, and the creation of the Algorithms Management and Policy Officer. These efforts collectively provide a framework to use connected devices in a “coordinated, consistent, and responsible manner,” and are intended to supplement existing laws, rules, and regulations.[80]  There are five guidelines. The first guideline concerns “Privacy + Transparency,” or the “who, what, where, when, why and how” of data collection, processing, and use.[81]  The second guideline covers “Data Management,” which advocates for the collection and storage of data in ways maximizing public benefit.[82]  The third guideline focuses on “Infrastructure” and includes details on how city agencies should ensure that the city and its partners are using connected devices and public assets in an efficient, secure, and responsible manner.[83]  The fourth guideline, “Security,” explains the security measures that city IoT systems must incorporate and the city’s responsibilities related to security monitoring and protection.[84]  The last guideline concerns “Operations + Sustainability” and advocates for equity, risk management, and flexibility.[85]

In January 2022, Mayor Eric Adams signed Executive Order 3 consolidating technology-related agencies, including the Mayor’s Office of Data Analytics, under a new Office of Technology and Innovation.[86]  Adams cited his work as a programmer at the New York City Police Department as inspiring his effort to overhaul the city’s technological resources, bringing it closer to the goal of building a smart and equitable city.  Some stakeholders have described this reorganization as responsive to criticism that, although New York City has ample technology at its disposal, it fails to deploy such technology efficiently and smoothly; for instance, New York City struggled during the imperfect rollout of the COVID-19 vaccine sign-up system in 2021.[87]

Taken together, the Data Management Plan, local laws, and IoT Strategy and Guidelines constitute a detailed framework that helps govern the city’s CVP.  While the Data Management Plan is specific to the CVP, the local laws and IoT Strategy and Guidelines are broadly applicable to other city projects involving smart technology.  New York City has thus been able to implement smart city systems and controls in various types of ways, including local laws and regulations, to support a more cohesive and coordinated implementation of IoT.  The development of coordinated systems, however, has not yet convinced the public of the coordinated deployment of those systems.

E.            Principle 5: Garnering Public Trust Through Transparency and Accountability

Smart cities depend on citizen data to function, which is why scholarly discussions often characterize the public as part of the infrastructure of a smart city.  The public’s role in providing the necessary data to enable smart city development in turn creates the need to ensure broad buy-in for the data collection platforms.[88]  For this reason, both public authorities and private enterprises should consider how to build public trust and engagement to promote the success of the smart technology platforms that they seek to establish.  Public hearings and engagement with local communities to better understand their specific needs can be one way to foster trust.[89]  In addition, ensuring transparency of data collection programs and accountability for any abuses can help mitigate public fears about the potential for infringement of privacy interests.

Key Example: Chicago

In the fall of 2013, Chicago released its “Technology Plan,” outlining 28 initiatives to enable Chicago to “realize its vision of becoming a city where technology fuels opportunity, inclusion, engagement, and innovation.” [90]  The plan outlines two “Foundational Strategies”: building next-generation infrastructure and making every community a smart community.  Three “Growth Strategies” supplement the Foundational Strategies: efficient, effective, and open government; civic innovation; and technology sector growth.  All of these strategies aim to propel Chicago as a “national and global center of technological innovation.”[91]

One key initiative of the innovative infrastructure is the Array of Things or “AoT” project, briefly described in Section III.B above, “Principle 2: Considering Law Enforcement Aims in Light of Surveillance Concerns.”[92]  The AoT project created a network of modular devices (“nodes”) that collect real-time environmental measures for policy, city operation, and research initiatives, such as development and education.  This system has been analogized to a “fitness tracker” for Chicago because the nodes include sensors that can collect livability data, such as climate, air quality, and noise.[93]  The goal of AoT is to help Chicago operate more efficiently and proactively address challenges, such as flooding and traffic safety.

The AoT has dedicated governance and privacy policies that address data use, collection, and access concerns.[94]  The core of these policies is to promote privacy, transparency, accountability, and openness.  The AoT governance policy created four governance bodies, consisting of program operators, who manage the program and leverage strategic partnerships; an executive oversight council, which establishes system operation processes and procedures; a technical security and privacy group, which oversees security and privacy; and a scientific review group, which evaluates proposed changes to hardware and software.  The AoT privacy policy provides that data that does not contain PII will be published online and, further, that any access to PII data is restricted to certain employees or approved partners.[95]  The privacy policy also specifies that individuals with access to PII will be subject to strict confidentiality agreements and can face discipline and even termination for violations.  For images, the nodes conduct the image processing, transferring over raw data and deleting the image files.[96]  In some cases, however, the system randomly saves some images which, similar to information containing PII, the public cannot access.  Any proposed publication involving image processing is subject to approval from the scientific review group.  The governance and privacy policies state that each will be periodically reviewed at minimum annually.

The specificity of the governance and privacy policies reflect the AoT’s emphasis on engagement with experts and citizen groups.  Recognizing that “privacy is by far the biggest challenge with such a pervasive governmental data project,”[97] as well as the emergence of surveillance concerns immediately following the announcement of the project,[98] engineers for the project spent six months collecting comments from the community, most of which focused on privacy and data protection.[99]  To help ease these concerns, the AoT group sought input from privacy policy experts, industry experts, and the ACLU to help with the privacy policy and ethical oversight committee.  The overall goal of the governance and privacy policies is to make residents feel that they are “watching the city” and not that “the city [is] watching [them].”[100]  The AoT project has installed many nodes around Chicago and is working on expanding the project to migrate functions to new devices.[101]

Additional Example: Barcelona

The development of Barcelona’s “Ethical Digital Standards” and “Open Digitisation Plan” in 2017 is an additional example of a project that aimed to build trust through community involvement and transparency.  As part of Barcelona’s Open Digitisation Plan, the city developed an open source Ethical Digital Standards toolkit. The standards aim to make government more transparent and center citizens in the development of digital policies.[102]  The city released a “Manifesto in favour of technological sovereignty and digital rights for cities,” which establishes core values of digital governance, including: technological and data sovereignty, citizen digital rights, interoperability and accessibility, collaborative development, stakeholder participation in technological development and governance, and transparency and privacy.[103]  The manifesto lays out steps for cities to pursue to achieve the goals it establishes. The Ethical Digital Standards elaborate on values in a separate document entitled “Essential values of the programme,” which directs projects that utilize city data to follow specific principles to guide the ethical use of data, including transparency, tracing, diligence, privacy, trust, responsibility, and benefit.[104]

While Barcelona’s smart city initiatives have been heralded as pioneering citizen-centered IoT innovation, the city’s projects have also attracted criticism for not always working as intended.  For instance, electromagnetic sensors to alert drivers to available parking spaces have not served their desired function.  Most spots fill in under a minute, obviating the value of the sensors.  The metal sensors are also inadvertently triggered to show spots as full due to the passage of trains beneath the spots.[105]  Additionally, the city has gaps in its ability to optimize the value of the troves of data it receives.[106]  These criticisms suggest that a smart city project premised on public engagement during the development phase will be subject to—and may benefit from—continued public engagement during the implementation phase, as stakeholders evaluate whether the stated goals have been met.  Lessons will be learned through implementation, and once the public feels that it has a direct stake in the project, it is likely to expect that its concerns will continue to be considered once the project has launched.  In other words, public involvement at the outset will not shield a smart city from public feedback or criticism as the project is implemented.  Barcelona has encouraged such feedback—it has leveraged the innovative citizen participation data platform “Decidim” to promote citizen input across a wide range of issues, suggesting that public participation structures can be integrated into the city’s management framework.[107]

Conclusion – Building Blocks for a Successful Smarty City Data Governance Framework

This paper explores attributes and data governance frameworks that facilitate the deployment of smart technologies and creation of smart cities.  In particular, the foregoing sections discuss and provide examples of the following considerations for any smart city project:

  • Balancing the innovation and resources of private investment with public oversight and control;
  • Considering surveillance and equity concerns from citizen groups for projects that involve law enforcement;
  • Communicating with partners and other stakeholders about the scope and purpose of data use and collection;
  • Assessing how local laws and regulations could impact or support the project; and
  • Establishing a strategy for transparency and accountability to build public trust.

These considerations are intended to highlight the components of a “successful” smart city initiative.

“Success,” however, is not easy to define within the context of smart cities.  As no single definition or conception of a smart city exists, no one measure of “success” dictates the way that particular considerations should weigh on the planning of a smart city initiative.  For instance, one could measure the “success” of a smart city initiative based on its continued duration—but with a host of factors affecting the continuation of any project (e.g., resources, the pandemic, etc.), the continued existence is neither sufficient, nor indicative of the overall health of the project.  A few key ideas emerge on how to define success and the role of a data governance framework in achieving such success.

  • Defining the goal of a smart city from the outset provides critical guidance. To the extent that a smart city initiative has a clearly defined goal (e.g., providing certain benefits through control of the landscape, or further developing aspects of the landscape), “success” can—and should—be measured against that goal.  A data governance framework can provide the medium for articulating that goal and the structures that need to be in place to meet that goal—and provide the project with a blueprint for evolving in service of such broader aims.
  • While no one principle from the paper emerges as the most important for an architect of a governance framework to consider, a salient trend emerges from each of the case studies above: the importance of stakeholder buy-in. The ability for the public to meaningfully engage with the project is an undercurrent of the principles discussed in this paper—whether the project is under public control, run by the private sector, or operated in a hybrid mode.  Given that smart city projects are broadly aimed at bringing benefits to an urban landscape, the individuals who live and engage with the relevant urban environment are key stakeholders in any form of “success.”  Where projects have faced the greatest criticism, the public has often expressed concerns over transparency and an opportunity to provide meaningful feedback.
  • To the extent that public input is a component of a smart city’s data governance framework, the framework should envision that input being available at multiple stages of the smart city initiative. Initiatives that are constantly seeking to balance innovation with protecting public confidence must contemplate flexible and iterative ways to gather stakeholder input and incorporate it into the fabric of the relevant environment.  Smart city projects should be concrete enough to facilitate a goal and anticipate some challenges, but nimble enough to address emerging and unanticipated developments—whatever technology is used.

The principles and case studies in this paper suggest that, in designing a governance framework for data in a smart city, architects of the framework should ask themselves a series of questions at the outset:

  • What are the long-term and interim goals of the smart city?
  • Who are the stakeholders of the smart city, and what are their concerns and interests?
  • How can a data governance framework be a map to ensure the city can meet its goals while responding to the stakeholders’ concerns and interests?
  • How can that map be flexible enough to seek, evaluate, and incorporate stakeholder input?

Pursuing the smart city’s goals without considering stakeholders may lead to fatal criticism for lack of transparency or public engagement, and failing to address the specific goals of the city may result in an ineffective and vague project that brings minimal, or no, benefits to an urban environment.  Architects of data governance frameworks, therefore, may find the considerations outlined above helpful in addressing these questions and designing a plan that works for their particular city’s objectives and constituencies.

[1] See, e.g., Rob Kitchin, The real-time City? Big Data and smart urbanism, 79 GeoJournal 1 (2014).  See also, Manick Wadhwa, Understanding the Impact of Smart Cities and the Need for Smart Regulations,, (noting that the Smart Cities Council has defined a smart city as one that has digital technology embedded across all city functions, which are designed to address issues of data management, intellectual property rights, proper data handling and physical storage and distribution requirements.); Jathan Sadowski & Frank Pasquale, The Spectrum of Control: A Social Theory of the Smart City, First Monday, July 2015, (“[T]he label ‘smart city’ is nebulous. There’s not a single definition that can be called up and applied anytime the label is invoked. . . . One important and constant characteristic of these different visions, however, is that they aim to evoke positive change and innovation — at least as the proponents see it — via digital [information communication technology]; essentially, building an IoT at the city-scale by installing networked objects throughout the urban environment (and even the human body) for a wide range of different purposes.”);  Mario Weber & Ivana Podnar Zarko, A Regulatory View on Smart City Services, 19 Sensors 415 (2019) (noting that an International Telecommunications Union focus group on smart sustainable cities analyzed dozens of definitions and concluded that “[a] smart sustainable city is an innovative city that uses information and communication technologies (ICTs) and other means to improve quality of life, efficiency of urban operation and services, and competitiveness, while ensuring that it meets the needs of present and future generations with respect to economic, social and environmental aspects.”).

[2] Kitchin, supra note 1.

[3] Igor Calzada, Data Spaces and Democracy, 2019 RSA Journal at 40.

[4] Christian Iaione, Elena De Nictolis & Anna Berti Suman, The Internet of Humans (IoH): Human Rights and Co-Governance to Achieve Tech Justice in the City, 13 L. & Ethics of Hum. Rts. 263 (2019); Sadowski, supra note 1.

[5] Linnet Taylor, Christine Richter, Shazade Jameson & Carmen Perez del Pulgar, Customers, Users or Citizens? Inclusion, Spatial Data and Governance in the Smart City (Maps4Society, University of Amsterdam, 2016)

[6] Ben Green, The Smart Enough City: Lessons from the Past and a Framework for the Future 143-63 (Strong Ideas, MIT Press, 2019).

[7] Ellen P. Goodman & Julia Powles, Urbanism Under Google: Lessons from Sidewalk Toronto, 88 Fordham L. Rev. 457 (2019).

[8] Wadhwa, supra note 1.

[9] Goodman, supra note 7, at 458.

[10] Laura Bliss, Critics Vow to Block Sidewalk Labs’ Controversial Smart City in Toronto, Bloomberg CityLab (Feb. 25, 2019),

[11] Goodman, supra note 7, at 464.

[12] See, e.g., #BlockSidewalk, (last updated Oct. 19, 2020); Bianca Wylie, In Toronto, Google’s Attempt to Privatize Government Fails—For Now, Bos. Rev.  (May 12, 2020),; Erin McDermott, Smart Cities: Innovative or Orwellian?, The Kenan Inst. for Ethics at Duke Univ. (Mar. 27, 2019),; Matthew Phelan, Google Reveals More Images of its Futuristic Toronto District, Inverse (Aug. 17, 2018),

[13] Sidewalk Toronto, Sidewalk Labs, (last visited Feb. 2, 2022).

[14] Master Innovation and Development Plan, Sidewalk Labs 191 (2019),

[15] Master Innovation and Development Plan, Sidewalk Labs 420

[16] Jacqueline Lu & Jesse Shapins, Project update: Submitting the Digital Innovation Appendix, Sidewalk Toronto, Medium (Nov. 15, 2019),

[17] Sidewalk Labs, Master Innovation & Development Plan: Digital Innovation Appendix, Quayside Toronto (2019),

[18] Adam Carter & John Rieti, Sidewalk Labs cancels plan to build high-tech neighbourhood in Toronto amid COVID-19, CBC News(May 7, 2020),

[19] Moira Warburton, Alphabet’s Sidewalk Labs Cancels Toronto ‘Smart City’ Project, Reuters (May 7, 2020),

[20] See Ellen P. Goodman, Sidewalk Toronto Goes Sideways: Five Lessons for Digital Governance, Medium (June 23, 2020),

[21] Bristol is Open,, (last visited Feb. 2, 2022).

[22] See, e.g., BigClouT, (last visited Feb. 2, 2022) (discussing BigClouT, an initiative that seeks to increase efficient use of infrastructure and economic and natural resources).

[23] See, e.g., About, Replicate Project, (discussing the Replicate project, which seeks to support energy efficiency, sustainable mobility, and digital infrastructure).

[24] See, e.g., 5G Smart Tourism, West of England Combined Authority, (last visited Feb. 2, 2022) (discussing the 5G Smart Tourism project, which is deploying augmented and virtual reality for visitors to tourist attractions and seeking to enhance public safety behind the scenes at such attractions).

[25] Bristol is Open, supra note 21.

[26] One City Plan, Bristol One City (2019),

[27] Connecting Bristol, Bristol Connected City (Aug. 2019),

[28] Data Deluge, Economist (Mar. 19, 2016),

[29] Connecting Bristol, supra note 27.

[30] Id.

[31] Alessandro Sancino & Lorraine Hudson, Leadership In, Of, and For Smart Cities—Case Studies from Europe, America, and Australia, 22 Pub. Mgmt. Rev. 701 (2020), available at

[32] Data Deluge, supra note 28.

[33] Smart Streetlights Program, City of San Diego, (last visited Feb. 22, 2022).

[34] Tekla S. Perry, San Diego’s Smart Streetlights Yield a Firehose of Data, IEEE Spectrum (Jan. 16, 2019),

[35] Department Instruction – Intelligent Streetlight Data Policy, City of San Diego (revised Feb. 6, 2019),

[36] Id. at 3.    

[37] Jesse Marx, Smart Streetlights Are Now Exclusively a Tool for Police, Voice of San Diego (July 20, 2020),

[38] Sarah Holder, In San Diego, ‘Smart’ Streetlights Spark Surveillance Reform, Bloomberg (Aug. 6, 2020     ),

[39] Andrew Bowen, Under Pressure From Privacy Advocates, San Diego Mayor Shuts Down Streetlight Cameras, KPBS (Sept. 10, 2020),

[40] Ellen P. Goodman, San Diego Smart Streetlights and the Surveillance Dance, (Dec. 8, 2020),

[41] Mimi Elkalla, Cameras in San Diego’s controversial Smart Streetlights turned off — for now, ABC 10News San Diego (Sept. 11, 2020),

[42] Omari Fleming, SDPD Chief of Police Renews Call for Use of Streetlight Cameras to Fight Crime, NBC 7 San Diego (Jan. 6, 2022),

[43] Policy Responses, Array of Things, (last visited Feb. 22, 2022).

[44] Id.

[45] Brian Nordli, How the Array of Things Project Is Making Chicago a Smart City, Built In (Mar. 26, 2020),

[46] The Winner: Columbus, Ohio, U.S. Dep’t of Transp. (Sept. 28, 2016),  The Smart City Challenge was a 2015 initiative by USDOT asking mid-size cities to “develop ideas for an integrated, first-of-its-kind smart transportation system that would use data, applications, and technology to help people and goods move more quickly, cheaply, and efficiently.”  USDOT selected 7 finalists out of 78 applicants, and compiled lessons learned in a report entitled Smart City Challenge: Lessons for Building Cities of the Future, U.S. Dep’t of Transp. (June 29, 2017),

[47] U.S. Department of Transportation Grant, Smart Columbus,

[48] Smart Columbus Operating System, Smart Columbus,

[49] Final Report for the Smart Columbus Demonstration Program at 6-1, Smart Columbus (Jun. 15, 2021),; see also Ben Blanquera, Smart Columbus – Thank you to the Technical Work Group members, LinkedIn (Sept. 10, 2019),

[50] Final Report for the Smart Columbus Demonstration Program at E-7, Smart Columbus (Jun. 15, 2021),; see also A sustainable future for urban mobility, Accenture (Apr. 29, 2021),

[51] Essentials of the Smart Columbus Operating System, Smart Columbus (Feb. 28, 2022),

[52] Id.

[53] Project Management Plan for the Smart Columbus Demonstration Program, Smart Columbus, 8 (2021), Management Plan-Update-V3.pdf.

[54] Id.

[55] Id. at 71.

[56] Data Management Plan for the Smart Columbus Demonstration Program, Smart Columbus (2019),

[57] Data Privacy Plan, Smart Columbus (2019), Columbus Operating System Data Privacy Plan_0.pdf.

[58] Id. app. B at 49-51 (containing an example of a Privacy Impact Assessment).

[59] See, e.g., Aarian Marshall, America’s ‘Smart City’ Didn’t Get Much Smarter, Wired (June 28, 2021, 7:00 AM),

[60] Id.

[61] Rebecca Bellan, All the Tech that Went into Turning Columbus, Ohio, into a “Smart City,” TechCrunch (Jun. 28, 2021, 9:14 AM),

[62] Smart Columbus Program Summary, Smart Columbus, 3 (June 2021),

[63] See, e.g., Bellan, supra note 61; The City of Columbus, Beyond Traffic: The Smart City Challenge, U.S. Dep’t of Transp. (2016),

[64] About Us, Amsterdam Smart City, (last visited Feb. 23, 2022).

[65] Id.

[66] Tada is een beweging voor een verantwoorde digitale stad – van èn voor iedereen [Tada is a Movement for a Responsible Digital City – from and for Everyone] (English translation), tada, (last visited Feb. 23, 2022) [hereinafter Tada is a movement].

[67] tada, (last visited Feb. 23, 2022).

[68] Id.

[69] Id.

[70] Tada is a movement, supra note 66.

[71] Theo Bass et al., Reclaiming the Smart City: Personal Data, Trust and the New Commons, Decode (July 3, 2018),

[72] Building a Smart + Equitable City, N.Y.C. Mayor’s Office of Tech & Innovation (2015),

[73] Drew Van Duren et al., Connected Vehicle Pilot Deployment Program Phase 2, N.Y.C. Dep’t of Transp. (2017),

[74] Id.

[75] Local Laws and Executive Order (Local Law 245, Local Law 247, and Executive Order 34), N.Y.C. Mayor’s Off. of Info, Priv.,,the%20Mayor%27s%20Office%20of%20Operations (last visited Feb. 23, 2022); Local Laws of the City of New York For the Year 2017 No. 245, N.Y.C. Mayor’s Off. of Info. Priv (2017),; Local Laws of the City of New York For the Year 2017 No. 247, N.Y.C. Mayor’s Off. of Info. Priv (2017),

[76] See N.Y.C. Admin. Code § 23-1203.

[77] IoT Strategy: The New York City Internet of Things Strategy N.Y.C. Mayor’s Off. of the Chief Tech. Officer (2021),

[78] About the IoT Guidelines, N.Y.C. Guidelines for the Internet of Things, (last visited Feb. 23, 2022).

[79] IoT Strategy, supra note 77.

[80] About the IoT Guidelines, supra note 78.

[81] Privacy + Transparency, N.Y.C. Guidelines for the Internet of Things, (last visited Feb. 23, 2022).

[82] Data Management, N.Y.C. Guidelines for the Internet of Things, (last visited Feb. 23, 2022).

[83] Infrastructure, N.Y.C. Guidelines for the Internet of Things, (last visited Feb. 23, 2022).

[84] Security, N.Y.C. Guidelines for the Internet of Things, (last visited Feb. 23, 2022).

[85] Operations + Sustainability, N.Y.C. Guidelines for the Internet of Things, (last visited Feb. 23, 2022).

[86] Annie McDonough, Adams orders consolidation of city tech agencies under one authority, City & State New York (Jan. 19, 2022),

[87] Id.

[88] Jared Mondschein, Aaron Clark-Ginsberg, & Andreas Kuehn, Smart Cities as Large Technological Systems: Collective Action Problems as Organizational Barriers to Urban Digital Transformation (TPRC48: The 48th Research Conference on Communication, Information and Internet Policy, Dec. 14, 2020),

[89] See Green, supra note 6.

[90] The City of Chicago Technology Plan, City of Chicago (2013),

[91] Chicago Tech Plan — 18 Month Update, City of Chicago (2015),

[92] Array of Things, (last visited Feb. 23, 2022).

[93] Id.

[94] Array of Things Operating Policies, Array of Things (Aug. 15, 2016),

[95] Chicago Data Portal, City of Chicago, (last visited Feb. 23, 2022).

[96] Policy responses, supra note 43.

[97] Yezi Peng, The City of Chicago and its Array of Things Project, Harvard Bus. Sch. Digit. Initiative (Apr. 4, 2017),

[98] Whet Moser, What Chicago’s “Array of Things” Will Actually Do, Chicago Mag. (June 27, 2014),

[99] Nordli, supra note 45.

[100] Id.

[101] Array of Things, supra note 91.

[102] Barcelona Ethical Digital Standards – a Policy Toolkit, Cities Coal. for Digit. Rts., (last visited Feb. 23, 2022).

[103] Francesca Bria & Malcolm Bain, Manifesto in favour of technological sovereignty and digital rights for cities, Ethical Digit. Standards, (last visited Feb. 23, 2022).

[104] Essential values of the programme, Ethical Digital Standards, (last visited Feb. 23, 2022).

[105] Ross Tieman, Barcelona: smart city revolution in progress, Fin. Times (Oct. 26, 2017),

[106] Id.

[107] See Philip Preville, How Barcelona is leading a new era of digital democracy, Sidewalk Labs (Nov. 13, 2019),; See also Thomas Graham, Barcelona is leading the fightback against smart city surveillance, Wired (May 18, 2018),