Smart cities face a rapidly evolving legal landscape

17 Oct 2023

Image: © ZinetroN/

William Fry’s Barry Scannell discusses the various regulation smart city projects need to consider, the steps to take during a data breach and striking a balance between compliance and innovation.

As technology evolves, more countries and municipalities have been making investments in the concept of smart cities in recent years.

For example, a report from Guidehouse Insights earlier this year claimed the global smart city technology market is expected to grow to more than $301bn in value by 2032.

The growth of IoT, AI and edge computing technology is making the concept of a digitally connected city feasible, which could offer various benefits to society and improve existing services for citizens.

But the push into more advanced technology also opens the door to regulatory issues, along with the need to keep data protected from breaches and cyberattacks.

Barry Scannell is a senior solicitor and consultant in William Fry’s technology department, specialising in AI, copyright, IP, technology law and data protection.

Speaking to, he said following regulations is a “crucial” practice for cities implementing smart technologies. He also noted that a proactive stance towards data protection is gaining ground, which he referred to as a “privacy by design and default” principle.

“As urban centres morph into smart cities, the legal frameworks governing them are evolving, ushering in several emerging trends and best practices in smart city governance,” Scannell said. “Additionally, there’s a growing emphasis on crafting ethical frameworks for AI and data usage to ensure transparency, fairness and respect for human dignity.

“Robust data governance frameworks alongside open data policies are being hailed as best practices, fostering innovation and public engagement in smart city visions.”

The key regulation to watch

There are various forms of regulation – new and old – that cities have to take into consideration as they adopt smart technologies. Scannell said GDPR is the “bastion of data protection” in both the EU and other countries. He described this regulation as one that includes accountability, transparency, data minimisation, integrity, confidentiality and purpose limitation.

“The GDPR’s reach extends to IoT devices and AI systems which process the personal data of EU-based residents,” Scannell said. “In essence, GDPR should be integrated into the very DNA of smart city projects.”

Scannell said the EU’s ePrivacy Directive complements GDPR by focusing on the confidentiality of electronic communications, which impacts IoT devices that engage in passive data collection.

“Similarly, the Data Governance Act and Data Act are set to change the landscape of data use and sharing,” Scannell said. “The Data Governance Act is looking to streamline data availability and sharing within the EU particularly amongst public bodies, while the Data Act aims to clarify data usage rights and foster a fair data economy.”

Meanwhile, there is more recent regulation that is set to shake up certain tech sectors, which will become important for smart city projects to consider. The EU’s AI Act aims to rein in ‘high-risk’ AI activities and protect the rights of citizens. The rules will make certain AI technology prohibited and add others to a high-risk list, forcing certain obligations on the tech’s creators.

“The act necessitates smart cities to assess the risk profiles of their AI applications, particularly high-risk ones, to ensure compliance,” Scannell said. “Transparency, accountability and robust data governance are pivotal under the act, urging smart cities to ensure their AI technologies are transparent, explainable and well documented.”

Scannell said the EU’s Cybersecurity Act means cities will have to certify that their smart technologies comply with “robust security standards”.

Continual monitoring for regulatory compliance is essential given the dynamic nature of data protection laws.” Scannell said. “The rapid pace of technological evolution could outpace existing legal frameworks, leading to a regulatory lag and increasing litigation risks.”

Cybersecurity concerns

Cyberattacks remain a constant concern in the digital world, with a wide variety of threats from individual hackers to state-sponsored hacking organisations and commercial spyware vendors.

Scannell warned that data security is “vital” to both protect against cyberattacks and to maintain the trust and privacy of citizens.

If a breach was to occur due to smart city technology, both the city authorities and technology providers would have certain obligations, according to Scannell.

“Depending on the nature of the breach, an immediate obligation could be notifying the relevant data protection authorities as dictated by laws like the GDPR, and if the breach poses a high risk, informing the affected individuals directly,” Scannell said. “Documenting the incident meticulously is also obligatory, encompassing an investigation into the breach’s causes and the extent of data compromised.”

Like any other breach, Scannell said it would be vital for smart cities to resolve the issue and take measures to patch vulnerabilities and enhance existing security measures. He also added that cooperation with law enforcement is “indispensable” if criminal activity is involved in a breach.

“Compliance with consumer protection and cybersecurity laws is vital to avoid further legal repercussions and reassure both the public and regulatory bodies,” Scannell said. “The risk of litigation necessitates proper legal counsel for risk management, and engagement with insurance providers as per cyber liability policies helps manage financial repercussions.”

Balancing innovation with regulation

With new, exciting forms of technology sprouting up at a rapid rate, it can become difficult to strike the right balance between bringing in new tech for its benefits and adhering to regulation standards.

Scannell said one way to strike this “fine balance” is by having “harmonised engagement” between all the relevant stakeholders, such as policymakers, tech companies and citizens. Meanwhile, improvements in education can improve understanding between these groups while open, transparent communication can build trust among citizens.

“Engaging with the community and leveraging international cooperation enable cities to align technology and regulation with citizens’ aspirations and global best practices respectively,” Scannell said.

“Embracing collaborative regulation emerges as a vital strategy, entailing a co-creative process to develop flexible and future-oriented regulatory frameworks. Regulatory sandboxes provide controlled environments for testing new technologies without contravening current laws, aiding in refining these frameworks alongside technological advancements.”

As various smart city projects can involve partnerships with private tech companies, Scannell said “legal safeguards” are vital.

The safeguards in these partnerships can include “comprehensive contracts” that clearly show the terms on data collection, usage and security.

“Establishing a well-structured data governance framework is crucial for managing data throughout its lifecycle, ensuring adherence to policies on data quality, management and privacy.”

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic