In force since 25 May 2018, the General Data Protection Regulation (GDPR) provides a highly restrictive framework for the use of facial recognition technology in European cities. So restrictive as to hinder the development of smart cities? On the contrary, argues Cécile Maisonneuve, chairwoman of La Fabrique de la Cité think tank: by establishing a forum for debate, Europe is protecting cities from a drift towards curtailed freedoms while at the same time enabling them to take control of the issue.

In what way has the debate on facial recognition technology cast a new light on smart cities?

Cécile Maisonneuve. Let’s say that in light of this debate, smart cities, which until now have been an abstract or fanciful notion for most people, have become more tangible. Why has this issue of facial recognition attracted so much media and political attention? Because it’s primarily associated with security considerations and public freedoms. And this makes it a highly sensitive and real topic for all of us.

Would you say that there are two opposing sides or visions in this debate?

C.M. It does seem as if a fault line has emerged between China and the rest of the world. On one side, you have China and its restrictive practices, which, with its social credit system, has fully incorporated facial recognition into public spaces and social life. And on the other, you have Western cities questioning the ethics of applying artificial intelligence to biometric data.

But not all Western cities are taking the same position…

C.M. Most have adopted a cautious, wait-and-see attitude. In essence, what they’re saying is that they’re not ready to roll out a model that is still tainted by numerous methodological biases, in particular in terms of gender and ethnic origin categories. San Francisco was one of the first major cities to opt for a moratorium on the issue, quickly followed by several other American cities and even federal states. However, cities like Berlin, London, and Nice have chosen to apply facial recognition technology, using the principle of citizens’ prior consent and improved public safety as an argument. Incidentally though, I should mention that as yet no study has supported this supposed causal link between CCTV and an increase in security or decrease in insecurity. And the facts, unfortunately, do not do much more to back it up.

You don’t see there being a divide between China and the Western world?

C.M. To acknowledge this binary divide as truth of fact is to deny the reality of law. It’s like saying that sharing membership of the democratic world means we all share the same legal systems. Europe has a specific tool that the US doesn’t have, one that is designed to strictly protect personal data and privacy: the GDPR, in force since 25 May 2018. The tool reflects the totally different approach taken to personal data on either side of the Atlantic. America has no central data protection authority, the reason being that data is seen chiefly as something with commercial value. That’s not the case in Europe where personal data is governed by a specific law falling under the regime of fundamental freedoms, which has constitutional status.

What does the GDPR say?

C.M. It establishes the principle of prohibiting the collection of biometric data in public spaces. But it does set out exceptions. First, for decision-making at state level, where data processing is necessary for “reasons of substantial public interest”, especially in the light of security-related criteria. Second, where prior consent of the individual has been given, which understandably proves problematic in the public domain. It’s thanks to this second exemption that experiments have been carried out in Nice, for example. In the event of an opt-in scenario, the GDPR requires however that an impact assessment be conducted. Where the assessment indicates a high risk to individuals, the opinion of the regulatory authorities is called for – and indeed the French data protection authority (CNIL) objected to the Nice case. The opinion of the individuals concerned or of their representatives can also be sought.

Doesn’t this restrictive and complex framework reflect the GDPR’s failure to adapt to innovation?

C.M. One of the GDPR’s limits is that it doesn’t explicitly lay down the principle of the right to carry out testing. But in France and elsewhere, the national legislator is fully within its right to authorise cities, on the basis of the GDPR, to test innovations. The GDPR may not be perfect in every way but what it does do well is to set the limits needed to conduct a constructive debate. Its purpose is to protect, not to oppose change.

You mentioned that the principle of individual prior consent proves problematic in the public domain. Google says it’s simply not technically possible.

C.M. Google wants to create a piece of city that is developed right from the design stage with a digital layer. The problem in the world of data is that the major players, in other words tech giants and chief among them Google, want to be theoreticians, producers, and regulators all at the same time. They claim to shape the concepts, and define the rules, and assess their enforcement! We urgently need to break free from this de facto monopoly, to open up debate by fully involving citizens, to question existing assumptions and to think about the status of public spaces. Furthermore, the technical complexity of the topic must not conceal the highly political and democratic nature of it. That’s why it’s important to be firm about the principle of anonymity. Let’s face it, if we call into question the philosophical foundation established by the Enlightenment movement – the right to anonymity – cities will quite simply be unbearable to live in. What makes urban overcrowding bearable is precisely the opportunity for anonymity, since it creates that all-important distance when in close proximity to others.

So, you don’t think that the GDPR will spell the end of smart cities?

C.M. It may well do the exact opposite if we agree to make it the basis for a sensible, responsible, and constructive debate. The GDPR is an opportunity for smart cities. My fundamental view is that smart cities only have a future if they are “sustainable”. And by that I mean socially, politically, and also ecologically sustainable. In all areas, whether finance, energy, production, or consumption, it’s recognised that we now need to do more with less. In all areas except data that is, where the narrative is still based on the so-called Moore’s Law, the principle of exponential growth. Sustainable development, which was built on three historical pillars – environmental, economic, social – must now also be viewed from the perspective of digital metrics.