Lola Bardají

With each passing day there are more smart buildings. Users put their face or fingerprint in front of a camera to enter their homes, wave their hand to trigger a sensor that turns the lights on, use remote controls to open the blinds, and tell Alexa to turn the television by uttering just one word.

You could not wish for greater convenience. Smart, efficient convenience. All thanks to the evolution of information and communication technologies, the internet of things (IoT) and artificial intelligence (AI).

The home automation or domotics technology that emerged in the 70s was designed to enable the smart control and automation of their home, efficient energy management and, in short, safety and comfort for homes and their users.

Back then, no one could have imagined the future scope of this technology – or its underlying legal issues. Basic domotics have evolved into smart buildings with built-in IT ecosystems so, to a certain extent, there has also been a shift from household security to the risk of invasions of privacy.

Smart buildings cannot exist without data. Indeed, these buildings are able to generate and process vast amounts of data, many of which are personal

When users of homes open doors by simply looking at them or change the temperature of their homes with a mere gesture or turn lights on at the time programmed by a device to heat up their dinner, the smart building software analyses the sensors that gather the building’s operating data. These data are constantly monitored in order to constantly improve the system and ensure greater user convenience, whilst anticipating and avoiding faults.

Smart buildings cannot exist without data. Indeed, these buildings are able – i.e., have the technological capability – to generate and process vast amounts of data, many of which are personal. So, the million-dollar question is: how are the data of smart buildings stored and processed? Are regulators aware of the need for specific legal safeguards in this sphere?

This is a very important issue. So much so that regulators seeking to uphold this protection go to great lengths to provide legal requirements to prevent breaches of privacy. The EU General Data Protection Regulation (GDPR) clearly sets forth specific rules for safeguarding personal data and, to a greater extent, sensitive data such as biometric data (used increasingly to control the access to smart buildings), the processing of which is prohibited except for legal exemptions. Likewise, the EU’s proposed AI regulations stipulate very specific obligations and sanctions for using what is known as a high-risk AI system, and also require providers to be responsible for incorporating AI systems in the EU, regardless of their nationality or country of residence. Once passed, it remains to be seen whether the two regulations overlap or even contain contradictions.

How are the data of smart buildings stored and processed? Are regulators aware of the need for specific legal safeguards in this sphere?

Once again, the EU is promoting serious, comprehensive, and robust legislation on such an important issue that it has connotations of its own for smart cities (public sector) and smart buildings.

It is not surprising, therefore, that the city council of a city like New York - the city par excellence - has passed the Tenant Data Privacy Act (TDPA) signed off by the mayor of this great city last April and which will be fully implemented in 2023.

The TDPA regulates the collection, use, protection and holding of tenant data by the owners of buildings with smart access systems, i.e., any access mechanism to a building with digital technology enabling entry to a class A, multi-family dwelling (all those intended to be permanent housing in various formats), including radio frequency devices, mobile applications, and biometric data.

In a sphere in which vast amounts of data are gathered, there could be a market for selling and trafficking this data in the absence of specific legal constraints

In short, not only will the tenants of a smart building in New York have quick, easy access to their home, but their personal data will be more secure and protected because tenants must consent to their data being stored and processed by the owners of the buildings.

No one can fail to see that in a sphere in which vast amounts of data are gathered, there could be a market for selling and trafficking this data in the absence of specific legal constraints. This is why the TDPA also includes stipulates that the owners must destroy the data gathered by a smart system within 90 days unless such data are held in an anonymous format. This rule will, of course, apply whenever a home is vacated.

data-privacy
Related content: The volume of data you have reflects your value. Is data owned?

With this law, New York joins the ranks of other legislative initiatives for the protection of biometric data, such as those of Illinois, Washington, and Texas, all of which are in line with the standardised data protection provided by the European GDPR.

When Orwell wrote his dystopian novel 1984, he could never have imagined (or perhaps he did) that the undesirable society he described in his book, i.e., a society being watched over by a Big Brother, could happen in the 21st century.

There can be no doubt about the important role of the law - regulators, standards, and legal safeguards - in the creation of smart cities which are sought-after and, accordingly, respectful of the environment and energy, and which safeguard the fundamental rights of their citizens. This role is essential.

All written content is licensed under a Creative Commons Attribution 4.0 International license.