What makes a “smart city” smart? Increasingly, the answer lies in the deployment of connected devices and the “internet of things” (IoT). From traffic and transport to energy management systems, key functions are being equipped to provide real-time and actionable data to inform the operation of city-wide systems and services. Machine to machine (M2M) communication drawing data from sensors embedded into objects, vehicles, street furniture and infrastructure vastly increases the potential for gathering and using data about everything from traffic jams to pedestrian flows, energy demand and supply, outages and maintenance needs in utility services. These developments reflect similar trends in extractive industries, manufacturing and logistics which are rapidly adding up to the “fourth industrial revolution”.

Smart city and “industrial internet” developments jostle with domestic and consumer-facing innovations to create an increasingly complex and interdependent web of connections. All, of course, depend on the capacity and resilience of electronic communications networks, and all either create or intensify the challenges facing regulators responsible for ensuring competitive access to efficiently managed networks. They also generate huge and expanding quantities of data at every scale, from individual to complex organisation, and with that data come new and enhanced vulnerabilities.

Law and regulation, typically, lag some decades behind technological development. The result is that courts and regulators in any jurisdiction, whether common law or code-based, generally have to reach for the legal tools that provide the closest analogies from earlier stages of development to deal with new challenges. While that remains true of legal and regulatory responses to IoT and smart city developments, it is possible to identify areas in which legal issues are likely to arise.

Electronic communications networks

A key challenge for regulators is how best to accommodate M2M and IoT within regimes that have tended to assume close control over spectrum, often (as in Poland and India during 2015) involving auctions under which operators pay extremely large sums for licensed frequencies. With M2M and IoT increasingly being directed to unlicensed or “white space” spectrum, such as that vacated by analogue TV services, tensions are becoming apparent between licensed operators and the developers of IoT devices. A key battleground is the treatment of interference. Many IoT devices are designed to operate across a range of frequencies, scanning for currently unused bands. Where IoT devices use frequencies that are close to licensed parts of the spectrum, the holders of expensive licences understandably demand protection.

One key mechanism is the “kill switch”, a database-driven mechanism that allows regulators to force the disconnection of offending IoT devices. For IoT developers and investors, viability can depend on the approach taken by regulators in each jurisdiction to this key question: when and how should a “kill switch” be used? How far can IoT developers warrant the reliability of their services when faced with anything more than a momentary switch-off? For others, the stakes might be even higher as IoT devices play an ever-more significant role in critical systems ranging from traffic safety to healthcare. Arguably, established electronic communications operators who have become used to being the “disruptors” now themselves face disruption as governments and regulators enter into close and mission-critical relationships with IoT device providers.

In the UK, the sector regulator Ofcom has elected to avoid the issue, instead opting for a “guard band” approach, under which channels considered most likely to risk interference may not be used. While that approach marks a clear attempt to balance interests, it does rule out the use of potentially key parts of the available spectrum.

Product liability

Who would be responsible if a self-driving car crashed and caused death or personal injury? Recent incidents involving Tesla's "Autopilot", together with the UK government's current consultation on measures to facilitate the development of insurance products for self-driving cars, make this a particularly topical issue.

Equally, who would be responsible if a wearable device designed to administer medication failed due to a regulatory intervention or a data breach? Such questions would not be resolved by reference to a wholly new body of specially-created law. Rather, they would have to be dealt with by applying existing principles and causes of action.

Data and privacy

Perhaps the most significant areas of concern relate to the ownership, processing, use and security of data generated by IoT devices and smart city infrastructure. Data concerning individual location, activities and even intimate personal information will be gathered and stored. Who is responsible? In Europe, much attention is currently focused on implementation of new data laws through the General Data Protection Regulations (GDPR), due to come into force on 25 May 2018. For the UK, a key question is whether Brexit will result in a radically different regime for data law. There is an early and strong consensus among data law experts that such divergence is unlikely. Given the likely timescale for implementation of Article 50 (the formal trigger for Brexit), there is a strong likelihood that the UK will still be an EU member state when the GDPR comes into force. In any event, the need to trade with and to transfer data to continuing EU member states means that any UK law will have to meet "adequacy" requirements. That strongly militates against any decision to retain the existing provisions in the Data Protection Act 1998, as that regime implemented and reflects the 1995 Directive which the GDPR has been designed to replace.

Other concerns focus on the question of how resource-starved municipal authorities might seek to fund smart city projects. If, and to the extent that, the solution lies in commercial partnerships or public-private joint ventures, then a key question must be how far private sector involvement is driven by the potential value of data. For civil society, the balance between security and facility is a live and pressing question. The challenges are immense. For example, it is extremely difficult to see how key GDPR concepts such as "privacy by design" and "privacy by default" can be accommodated in the context of a smart city drawing on immense volumes of surveillance and behavioural data gathered from myriad IoT sensors, stored in the cloud and subjected to sophisticated analytics. Mapping data flows across smart cities would be an essential element of any privacy impact assessment, and would represent a substantial challenge – not least because of the potential for cloud infrastructure to be located anywhere in the world.

Smart cities also give rise to significant issues relating to consent to the capture and processing of data, prompting some commentators[1] to argue either for some form of generalised "pre-consent" or even for a radical move away from consent as a basis for data collection and processing. Arguably, the more reliant governments and municipal authorities become on private sector funding for innovation, the greater the likelihood of accepting reduced protection for data subjects.

Looking beyond data protection, the role of law and regulation in protecting privacy may also require a fundamental rethink. Privacy law is a relatively slender aspect of human rights law, resting on cases such as Von Hannover[2] which pointed towards minimum reasonable expectations of privacy in public. That said, in finding that Article 8 of the ECHR provided some protection for a tennis-playing Princess, the court seems to have found significant the combination of photographs taken and published without the subject's knowledge or consent and the "harassment" practised by paparazzi in search of such photos. It must be open to question how far that reasoning would apply to pervasive image and data-gathering in a smart city context, while Brexit could conceivably involve the UK withdrawing from or otherwise altering its relationship with the ECHR.

Contract structures

The coming together of public and private entities and the meshing of young technology with old infrastructure in commercial partnerships and public-private joint ventures can create a challenging array of relationships. Multiple service and system suppliers may be involved in the development, testing and implementation of some solutions whilst interfacing with existing infrastructure can create the risk of potential gaps in legal responsibilities. There is also (Brexit aside) ample scope for exploring newly-available structures for procurement such as "innovation partnerships" which seek to connect academia, knowledge-transfer and commercial spin-offs, private investment and public funding to create a scalable market for innovative technologies not currently available in the market.

As is often the case, lessons can be drawn from analogous situations. In particular, consortium and multi-sourcing models have been developed from an interest in “best of breed” contracting or “select sourcing”. This is a strategy of allocating different components of a project to separate best of breed suppliers. Structures vary. The suppliers may be grouped in a consortium, or the procuring entity may contract with each separately, whilst placing supplier management and integration responsibilities onto a lead supplier. This results in an interesting matrix of relationships, up and down between the procuring entity and suppliers, and from side to side with operating level and integration agreements between the suppliers. However, the upside of this complexity is that the approach can lessen the performance and credit risk for the procuring entity. The cutting-edge technology may reside within a start-up venture, whilst the project financing and organisational demands require the involvement of an established “name” to add muscle.

Alternatively, large and established players may well opt for acquisition. Recent examples include the 2014 acquisition by Huawei of “internet of things” pioneers Neul (the name being the Gaelic word for “cloud”).

There is also the possibility that developer-driven business structures might require an even more fundamental rethink of recognised legal forms. Joint stock and limited liability companies, partnerships, limited partnerships and (more recently) limited liability partnerships are creatures of legislation, reflecting positive and negative experiences from previous industrial revolutions. The emergence of "decentralised" or "distributed autonomous organisations" as a structure adapted to IoT, blockchain and related strands of development has already prompted considerable debate among lawyers on their appropriate classification – often resolving to the key questions: who would we be contracting with? Who could we sue? Although firmly located within its own jurisdiction, each smart city will inevitably form part of a global, and globalised, network that brings novel challenges and opportunities. Law and regulation inevitably form part of the context within which smart cities develop, but it is far from clear that smart cities will bend to the law, rather than law having to bend to smart cities.


[1] For example, Ewa Luger and Tom Rodden, "An informed view on consent for Ubicomp", Proceedings of the 2013 ACM international joint conference on Pervasive and Ubiquitous Computing, pp 529-538, ACM, New York

[2] ECtHR, Application no 59320/00, 24 June 2004