By Diane Mullenex, Pinsent Masons
Using Dubai as a prime example, Diane Mullenexexplores the important role of regulation in the development of “smart cities” across the world, particularly in relation to cybercrime and data privacy issues.
Although the concept of what a “smart city” is varies across countries and regions, traditionally it is construed as a place where the population gains from infrastructure and services increasing in efficiency, particularly through the use of telecommunication and technology. Recent investments in smart cities in the Middle East demonstrate how ubiquitous the issue of connectivity (and backbone networks) is, but also provide an interesting example of a regulatory attempt at addressing societal changes.
Among the myriad of smart city projects across the globe, the Dubai initiative, simply labelled “Smart Dubai” constitutes a unique example of how the reflection about dedicated regulation of smart services may set a benchmark for future similar projects across the globe.
Whereas many projects around the globe (Peterborough, Amsterdam, etc) have been focused on certain aspects of what a smart city can be (and mostly on smart grid and energy efficiency), the Dubai smart city project is particularly interesting in the way that it took a very global approach to the objectives to be met and the type of services which may form part of the new city.
For us telecom lawyers, the most striking feature of this project is the important role left to regulation, which has been considered a core issue of the project and which resulted in specific regulation being adopted to cover the future use of services within the smart city, as well as anticipating the benefits of rolling out such a big project.
The Dubai Data Law (Dubai Law No. 26/2015) was published last December in an attempt to steer the Emirate further towards its goal of being the smartest city – a motive made fundamentally clear in the objectives of the law, the first of which is to “enable the Emirate to achieve its vision in transforming Dubai into a Smart City” (article 4(1)).
This law anticipates that a smart city cannot just be a juxtaposition of “hermetic” smart services but ought to be a forum for all smart services to communicate with one another so that the greater output and benefits can be extracted from the infrastructure and smart services. Dubai has therefore created the legal framework promoting data sharing at city level, anticipating the need for open collaboration between authorities and private stakeholders.
In more detail, the law provides that Dubai data shall be classified into open and shared data, and open data is defined as “Dubai-related data which may be published without restrictions or with the minimum restrictions specified by the competent authority in this regard”. The law is still very much in its early stages and we are unaware of the full extent of its application; however, the Dubai-specific law is a clear indication of Dubai’s recognition of the need for legislation to continuously evolve and mirror the progress of a smart city.
The law guarantees the right to privacy of individuals (article 13). What can therefore be anticipated is that data to be shared shall be anonymised. However, aggregated anonymised data collected by shareholders shall be shared and made available publicly or amongst stakeholders.
This can be anticipated to be an issue for public authorities, which will have to be cautious about the type of data they thus send in the cloud. This will require on their side a thorough classification exercise of their data to ensure that the most secure information is not to be shared and potentially accessible by any third party.
A practical and technical framework for data sharing should be progressively built, as the Dubai Data Establishment (which is under the supervision of the Dubai Smart City Office) will progressively take its responsibilities.
Ultimately, although this framework fosters increased efficiency around all smart cities, it also increases the risks of network security and cybercrime issues, given the number of information sharing points. Those will need to be further addressed in the local regulations.
The exponential exchange of data on individuals and businesses is likely to attract cyber-criminals. This is likely to further foster discussions on communications regulations and the extent to which data can be accessed and/or monitored by law enforcement authorities for the prevention of crimes. Will it have an impact on the definition of lawful intercepts? Will it result in ongoing monitoring or filtering of information? If the question to the above is uncertain at the moment, the development of smart cities has nonetheless already triggered a review of cybersecurity regulations in the region.
Although the latest developments on open data are fairly recent, many smart services have been available for a few years (mostly since 2013). The current trajectory shows that a number of services have improved as a result of the implementation of smart systems: connectivity is the neural network of any smart city and the UAE has one of the most advanced fibre optic networks; building information modelling is streamlining projects and preventing disputes in the booming construction sector and Dubai’s commitment to smart initiatives is facilitated by the Dubai Smart City Office, an entity specifically established to aid the advancement of ICT infrastructure.
Cybercrimes have long been a security threat to the Middle East and the rise of a smart city can be a hotbed for crime as cybercriminals find it easier to attack internet infrastructure. The UAE is increasingly facing these attacks and has responded to the threat through Federal Law No. 5/2012 (the Cybercrime Law). This bolsters the older Information Technology Crime Law (Federal Law No. 2/2006) (the old Law) by imposing higher penalties, ranging from fines to imprisonment, on wrongdoers. Under the old Law, a “wilful act” was required create an offence for illegally accessing an electronic site. The Cybercrime Law removes the intent element and lowers the standard of wrongdoing to anyone who “gains access to a website, an electronic information system, computer network or information technology means without authorisation or in excess of authorisation or unlawfully to evidence wrongdoing” (article 2). Misuses of social media as well as gambling activities and materials that “prejudice public morals” have been incorporated into the purview of the law.
Creating additional categories of cybercrimes and further defining the classifications for violating the privacy of others is a nod to cybercriminals that the authorities remain vigilant against cyberattacks. However, as with much recent UAE legislation, we are yet to see the full extent and application of the law in the context of high-level cybercrime. Instead we have seen the law applied in relation to day-to-day activities, where individuals have been charged for offences ranging from possessing a photo taken without the subject’s consent and posting insulting remarks on social media to any form of electronic abuse through personal forums such as WhatsApp.
With the backdrop of the World Expo 2020 and Vision 2021 in mind, a number of projects are in the pipeline to enhance the development of the UAE’s smart city initiatives. While a more defined and thorough regulatory framework could provide greater transparency and help build a culture of awareness, in light of the vast amounts of data currently held on data collection platforms, the UAE’s progress on the whole is remarkable for a country that is only 44 years old.
The Middle Eastern example – where smart city projects and regulations evolve in parallel – may still further illustrate a more global need for dedicated regulations ahead of the project. Regulatory constraints shall be anticipated and evaluated from the onset of the project, as part of the master planning, so that authorities are in position to enact appropriate legislation to regulate on the usage of the networks and services to be rolled out.