It is pouring rain. An 18-wheeler misses a turn and collides with a bus, injuring 50 passengers who now need urgent care. How to locate quickly emergency facilities that can dispense specialized care to such a large group? Where to find the ambulances or helicopters to transport them? What is the shortest route? How can ambulances avoid flooded areas or traffic jams?

Imagine a bustling city that keeps current information about such things. A city where the police can use intelligent systems to manage traffic lights and road signs. Where sensors are installed to identify flooded zones. And where all this crucial information is accessible from a single command center.

You’ve arrived in Smart City.

A smart city is one that relies on telecommunications, networks, connected devices, data analytics, artificial intelligence, and other technologies to process large amounts of data for the benefits of its residents. How does it do this?

Elements of a smart city


In the example above, rescue of injured passengers entails the combined knowledge and information management of specialized physicians, hospital beds, emergency transportation, traffic signals, rush-hour traffic patterns, even sanitation. This data is gathered by networked devices—cameras, drones, sensors—and then transmitted via telecom, broadband, and Wi-Fi to be processed in the cloud. A multitude of intelligent systems then distributes needed information to all necessary parties.

Major cities around the globe are already using many of these technologies: smart water meters, intelligent streetlights, networked road signs. Gunshot detectors, linked surveillance cameras, and license-plate readers are already available to law enforcement. In Barcelona, for example, smart garbage bins send a signal to the city’s department of sanitation when they are full. In London, to address traffic congestion, smart technology prompts traffic lights to respond in favor of buses. Systems like this can be managed separately, or integrated so they can be used in concert when coordinated efforts—such as our hypothetical bus accident—are imperative.

The participants

Specialized hardware, software, and telecom capabilities are necessary to collect and process data to ensure key players can make informed decisions. City agencies might subcontract specialized services to third parties via a services agreement or public-private partnership. Financing could come from traditional government appropriations or through private entities that invest in infrastructure and which might be compensated over time—by receiving a percentage of any revenue the project ultimately generates, for example.  For example, a city may partner with a financier and a street furniture manufacturer to provide and maintain bus shelters and park benches for the benefit of the city’s residents in exchange for a share of the revenue generated from advertising showcased on the street furniture.

Big data needs strong protection

Security, confidentiality, integrity

All this modern magic requires access to significant amounts of data, —data that must be protected at all times, whether in use, in storage or in transit. Technical challenges abound any time a large system is connected to subsystems operated by third parties. In March 2018, Atlanta was the victim of a ransomware attack that spread through the city’s network, shutting down, for several days, crucial departments such as Revenue (payment of water bills and parking tickets), the Police, and the Court system. 

This incident made manifest the significant cybersecurity risks a smart city takes on, underscoring the importance of proper security controls, backup strategies, and up-to-date protections.


Ubiquitous license-plate readers, facial-recognition software, mobile devices, and a host of other technologies enable the collection of data and identifiers that can link accumulated data to individuals—personal information, in other words. A number of state and federal laws govern the use of such personal information, and people expect to be informed when their personal information is collected. What is the best way to do this, though, when so much data is gathered from so many sources so quickly? Who has the right to access it, and what about its potential secondary uses? Could license-plate data initially compiled to count traffic, say, be repurposed to profile specific individuals? When should the information be anonymized or deleted?

Legal issues, legal strategies, legal solutions

With so many participants and tools being put to such a wide range of purposes, legal issues proliferate, beyond even the fact that a town or city administration is a primary party to these contracts. Given the stakes, due diligence is imperative to investigate the financial strength of the participants, the technical performance and connectivity of their systems, and their ability to ensure adequate security and withstand criminal attacks. Contract terms should address security, incident-response planning, data disposal, and insurance and delineate key operational factors such as technology licenses, escrow, maintenance, and upgrades.

In addition, because data (both personal and non-) is essential to the operations of smart-city services, contracts must address the parameters of their collection and use. Who owns the gathered information? Who owns the results once the data is processed? Who has responsibility for all this, and who is liable in the event of a ransomware attack? For that matter, who is responsible if an intelligent system itself makes a wrong decision?

Allocation of liability and insurance coverage among the primary players is especially complex given the variegated nature of the participants and the potential for unintended consequences. There are ethical considerations, too, concerning secondary use of data for surveillance or prejudicial decision making.

Smart cities need smart procedures

Cities are becoming smarter, and the acquisition and operation of systems like those described above raise numerous legal, ethical, and financial issues. Who owns, controls, and is responsible for the collection, processing, use, dissemination, and disposal of this data is the all-consuming question that must be dealt with in every plan, every contract, every interaction with the public. Only then can the benefits from large-scale use of personal and non-personal information outweigh the very real risks involved in its collection.


A partner at Greenberg Traurig, Francoise Gilbert focuses her practice and research on U.S. and global data privacy and cybersecurity in a wide variety of markets, including, GDPR compliance, Internet of Things, data analytics, artificial intelligence, robotics, and other emerging technologies. She is the author of the two-volume treatise “Global Privacy and Security Law,” published by Wolters Kluwer. Ms. Gilbert holds CIPP/US, CIPP/EU, and CIPM certifications, and has received law degrees and obtained bar admissions both in the United States and in France.