“For example, collecting data on the mobility of people helps us to better plan public transport. We can also increase people’s sense of security at bus stops or other similar locations by installing smart systems which sound an alarm if someone is assaulted. Development has many positive aspects, but the question is how we can put it all into practice while also safeguarding privacy,” says Päivi Korpisaari, professor of communication law.
The research group led by Korpisaari deals with just such challenges in the Neutral Host Pilot project, a multidisciplinary research and development project focused on developing a new digital smart city based on 5G technology. The goal of the research group is to determine the legal constraints for the project from the perspective of, for example, telecommunications regulation, privacy, personal data protection and competition law.
New technology calls for new interpretations
LuxTurrim5G is a comprehensive, joint ecosystem project that has developed solutions such as smart poles for the 5G network, which have been piloted in Kera, in Espoo. The poles form the backbone for data-based services, which are being developed in the Neutral Host Pilot project. The initiative involves various companies and research institutions, as well as the authorities.
By collecting data about people moving in the area, smart poles enable better and more individual services. However, data collection means that the legal requirements regarding various aspects such as personal data use and processing must be considered very carefully.
One of the key questions is how the information provision requirement in the EU General Data Protection Regulation can be satisfied in a public urban environment.
“It is possible in our present restricted test environment, but we will be dealing with very different data protection questions when processing the information of an entire city’s residents or when processing data in connection with various commercially available solutions, since we cannot ask for the consent of all residents nor can service providers conclude individual agreements with everyone. These are challenging questions and something we will have to address in the project,” says Oona Ojajärvi, who has worked as a research assistant in the research group.
A simple notification of data collection displayed on, for example, information boards along the city streets is not enough. From a legal perspective, it is also not possible to require people spending time in public urban spaces to consent to their information being collected. The challenge resides in how data can be legally collected, stored and utilised without resorting to excessively detailed and complex contract structures.
The technical solutions and the related legal challenges are so new that scholars have had trouble identifying prior legal practice or research results. According to Ojajärvi, very little information has been publicly available on similar projects in other European countries or on the measures related to data protection that have been adopted in these projects.
Irrespective of the nature of the technical or legal solutions adopted, transparency and trust are crucial to the successful implementation of new services.
“Koronavilkku, the Finnish application for coronavirus contact tracing, is a good example of how sensitive health information can be transferred via Bluetooth, without revealing the identity of users. Trust was key in this. People trusted the service developer, which is why so many quickly began to use the application,” says Korpisaari.
Legislation must not become a hindrance
According to Korpisaari, many companies do not fully grasp the scope of personal data nor how widely personal data legislation is applied. The research group’s expertise can help take legal requirements into account already at the planning stage, as it may prove difficult to make the solutions legally compliant later on. This is an unfortunately common problem regarding new technology: products or applications are developed before considering whether their use complies with legal requirements.
“In my opinion, data protection should be a natural part of all processes in which new data-based products or services are developed. It is a lot more difficult to solve problems later on when the development of a product or business idea has come far along and you suddenly notice that data use actually carries legal problems,” says Korpisaari.
The lack of expertise may also result in excessive caution. Companies may perceive legal requirements as nothing but threats and risks, and in the worst case, may fail to take advantage of new business opportunities. According to Korpisaari, companies sometimes have to take calculated risks, especially when dealing with novel ideas that have not yet been handled at the highest court level.
However, we can also find examples of companies that have pushed through their ideas without giving much thought to legal requirements.
“Europe has very tight data protection legislation, and many countries outside the EU have also enhanced their legislation following the adoption of the EU General Data Protection Regulation. This is a positive development. However, there is a risk of the EU falling behind its competitor countries where data is used far more freely for various purposes.”
“For example, Facebook, Google and Amazon could hardly have implemented their business ideas in the legislative framework presently in force in Europe. These are companies that have just forged ahead, and the markets have adapted to them. Their services have gradually become so important that it is now impossible to do without them,” says Korpisaari.
A platform for fair competition
Data collection and use are also regulated by competition law. As the name of the Neutral Host Pilot project suggests, the aim is to create an impartial and open marketplace platform that does not exclude anyone from the market. Among other things, this means ensuring that competing companies have equal access to data.
“You could compare the platform to phone app stores since the questions related to both are very similar. How can you offer your own data on the platform? How do you obtain data from there? How do you provide your own services in the marketplace?” notes Juha Vesala, university researcher, about the questions arising under competition law.
If the data collected by the system are openly available, this also provides opportunities to smaller companies with inadequate resources for collecting the volume of data required for business operations. In this way, the system also supports the emergence of new ideas and services.
“When developing platforms and infrastructure of this type, it is important to ensure that competition remains unrestricted and that different types of companies can operate under the same conditions. A situation in which only a few companies have the resources to operate in the market is not what we want.”
Car manufacturers, for example, have expressed concerns about self-driving cars shifting future commercial potential exclusively to technology giants. Worries have also been raised in the restaurant sector, with many entrepreneurs fearing that future profit will flow to web-based order and delivery services.
The neutral host operating model developed in the project is however only one possible option. There are also other alternative solutions and visions for collecting and utilising data on people’s behaviour in an urban environment. It goes without saying that technology giants are working on similar plans.
“Does Europe want a smart city infrastructure that is like a Facebook world, where all the user’s data are collected and only a few select operators have access to the data, or do we want a more open model that is also better controlled in terms of data protection?” Vesala asks.