Data protection law beyond identifiability? Atmospheric profiles, nudging and the Stratumseind Living Lab

Abstract

The deployment of pervasive information and communication technologies (ICTs) within smart city initiatives transforms cities into extraordinary apparatuses of data capture. ICTs such as smart cameras, sound sensors and lighting technology are trying to infer and affect persons’ interests, preferences, emotional states, and behaviour. It should be no surprise then that contemporary legal and policy debates on privacy in smart cities are dominated by a debate focused on data and, therefore, on data protection law. In other words, data protection law is the go-to legal framework to regulate data processing activities within smart cities and similar initiatives. While this may seem obvious, a number of important hurdles might prevent data protection law to be (successfully) applied to such initiatives. In this contribution, we examine one such hurdle: whether the data processed in the context of smart cities actually qualifies as personal data, thus falling within the scope of data protection law. This question is explored not only through a theoretical discussion but also by taking an illustrative example of a smart city-type initiative – the Stratumseind 2.0 project and its living lab in the Netherlands (the Stratumseind Living Lab; SLL). Our analysis shows that the requirement of ‘identifiability’ might be difficult to satisfy in the SLL and similar initiatives. This is so for two main reasons. First, a large amount of the data at stake do not qualify as personal data, at least at first blush. Most of it relates to the environment, such as, data about the weather, air quality, sound and crowding levels, rather than to identified or even likely identifiable individuals. This is connected to the second reason, according to which, the aim of many smart city initiatives (including the SLL) is not to identify and target specific individuals but to manage or nudge them as a multiplicity – a combination of the environment, persons and all of their interactions. This is done by trying to affect the ‘atmosphere’ on the street. We thus argue that a novel type of profiling operations is at stake; rather than relying on individual or group profiling, the SLL and similar initiatives rely upon what we have called ‘atmospheric profiling’. We conclude that it remains highly uncertain, whether smart city initiatives like the SLL actually process personal data. Yet, they still pose risks for a wide variety of rights and freedoms, which data protection law is meant to protect, and a need for regulation remains.