Foreign “smart cities” could face GDPR fines for misusing EU citizens' data, a government smart city tsar has warned. Dr. Jacqui Taylor, strategic advisor to the UK government on smart cities, said that public bodies and companies based outside the EU could face fines worth millions of pounds if they fail to follow strict rules which protect EU residents from data misuse.

Smart cities across the globe are beginning to collect data from residents and visitors to monitor purchasing, public transport and services use, but there has been controversy about how the data is managed and whether there is enough transparency about what it is used for.

GDPR, which came into force in May 2018, requires that companies and public bodies who manage data must be transparent about what they are collecting and what they are using it for, and allows a “data subject” to revoke their consent for their data to be processed. An example could be where a visitor from an EU country downloads a smart city’s app ahead of visiting in order to access perks such as parking, free WiFi and information about local events. 

If they are still in an EU country, they are covered by the law. They may also be covered if their data is collected during a visit and retained after they leave, although lawyers said the rules on this were less clear.

Rafi Azim-Khan, Pillsbury partner at Pillsbury and leader of the firm’s Data Privacy & Cybersecurity practice in Europe, said regulators could consider the residence status of an individual to determine whether they were protected by the law, as well as factors such as where they pay taxes and where their children were in school. 

“If you go right back to the basics, there is a decent argument to say that the lawmakers intended that genuine EU citizens who might be travelling in other parts of the world, if their data is being captured and processed, you do run that risk if you don’t look after that data in the way that is mandated under the new rules,” he said.