Open Smart Cities

Open Smart Cities FAQ



Smart City technologies promise to reshape city life. From improved infrastructure and services, better traffic and pedestrian flow, safer streets and lower emissions, this revolutionary group of technologies has vast potential to make cities more livable and environmentally friendly. But while the advantages of adopting Smart City technologies abound, policy-makers, corporations and citizens must consider their associated challenges.

This FAQ seeks to answer common legal and regulatory questions about Smart City technologies. 

This FAQ was drafted as part of the Open Smart Cities in Canada project, a research-based project funded by Natural Resources Canada (NRCan) GeoConnections and led by OpenNorth. In collaboration with leading researchers, CIPPIC, and smart city representatives at Canadian cities, as well as provinces with advanced open government programs, this project aims to develop municipal data management policies and guidelines that connect open data and government to smart cities programs, ensuring the two support one another. Please visit the OpenNorth website for more details about the project and its collaborators.



  • What is a “Smart City”? 

Privacy & Smart Cities 

  • How is Smart City data collected and by whom? 
  • Who “owns” the data collected by Smart City technologies? 
  • Do Smart City technologies collect personal information? 
  • How do privacy and data protection laws affect Smart City technologies? 
  • How can Smart City technologies obtain meaningful consent to collect, use, and disclose personal information? 
  • Who is accountable for personal information collected and used by Smart City technologies? 

Criminal Law & Data Security 

  • What criminal law issues are raised by Smart Cities? 
  • How does criminal law regulate data breaches and the unauthorized use of Smart City data? 
  • What can be done to protect Smart City data? 

Contract & Licensing 

  • What issues should I be aware of as a licensee of Smart City technologies? 
  • What is an “open source” license? 
  • What should I be aware of in using open source software? 
  • How might contract law limit government transparency? 
  • Do consumer protection laws apply to Smart City technologies contracts? 
  • How are contractual disputes involving Smart City technologies resolved? 

Intellectual Property 

- Copyright - 

  • How does Copyright Law affect Smart City technologies? 
  • How are consumers of Smart City technologies affected by copyright? 

- Patents - 

  • How does Patent Law affect Smart City technologies? 

- Trademarks - 

  • How do trademarks affect Smart City technologies? 

Competition Law 

  • How are Smart City technology providers affected by competition law? 

Safety, Product Liability, Insurance, & Tort 

  • What are the implications of smart and autonomous technologies on personal liability? 


  • How will Smart Cities affect the environment? 
  • What is the role of environmental law concerning Smart Cities and sustainability? 


What is a “Smart City”?

Smart Cities use sensor, network, and “big data” technologies to manage and control urban environments in real-time. Their “smartness” lies in their ability to improve decision-making and increase efficiency. They accomplish this through processing vast quantities of data at high speeds, automating processes, and providing decision-makers with valuable insights. The Smart City movement aims to improve living standards and public safety, and promote environmental sustainability.

Smart City technologies collect data such as traffic and pedestrian flow, vehicle locations, public transit use, energy consumption, greenhouse emissions, and even crime statistics. They collect data through sensors, cameras, energy meters, electronic transactions, and even police reports. The data is then processed to inform decisions and automate processes. Once processed, the data may be used to improve an intersection’s design or automate traffic signals. Smart City technologies may one day tell an autonomous car where it can park. And today, embedded sensor technologies are already telling city engineers when infrastructure is due for repair. The number of ways in which Smart City data may be used are seemingly endless.

Privacy & Smart Cities

How is Smart City data collected and by whom?

Typically, Smart City data is collected in one of three ways:

  1. A government entity, such as a transit authority, contracts with a private company to install sensors in its infrastructure. The sensors collect data which is then processed using the private company’s software––either on the government’s or the company’s computers. For example, some cities have begun to install fiber-optic sensors in bridges and other critical infrastructure. These sensors transmit data about the structure’s condition to city engineers. The data is then used to schedule maintenance and identify structural problems.

  2. The government entity takes data it already collects (think of a police department’s crime incident data) and contracts with a private company for data analysis.

  3. The government entity contracts with a private company to access citizen-generated data on the private company’s platform. In this case, one might imagine a municipality contracting with a ride-hailing mobile app for information on traffic patterns and popular departure or destination locations.  

Who “owns” the data collected by Smart City technologies?

“Ownership” of data is a contentious issue. In fact, data may only  be owned at law if there is a property scheme attached to it. For example, Copyright law provides ownership when data is compiled in an original manner. Where there is no property regime in place, however, the question is not about ownership, but about who controls the data.  

Control of Smart City data is determined by the agreements governments enter into with Smart City technology providers. These providers, through contract, may assert control over data and restrict public access to it. This becomes problematic when data is generated or collected using taxpayer dollars.  Some experts argue that when taxpayer dollars are used to generate or collect data, it ought to be a public resource.

Do Smart City technologies collect personal information?

Some Smart City technologies collect personal information.  Others do not.  It depends on the technology in use. Methods for hiding or masking the identity of the person from whom data was generated exist. But even if these methods are used, data may be re-identified and linked to an individual.

How do privacy and data protection laws affect Smart City technologies?

In Canada, Smart City technologies may be subject to both federal and  provincial privacy laws. The two primary federal privacy laws are the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA). The Privacy Act regulates federal government dealings with personal information while PIPEDA regulates private sector dealings. At the provincial level, laws vary widely. All provinces have laws to regulate the handling of personal information by their respective provincial governments, but not all provinces regulate the private sector’s conduct with personal information. When this is the case, the void is filled by PIPEDA––with some exceptions (more details on this matter below). Thus, privacy and data protection laws vary depending on the public or private nature of the entity in question, the entity’s location, and the industry in which the entity operates.

Canadian cities are governed by provincial law. As privacy schemes vary widely among provinces, the following discussion focuses on Ontario’s privacy regime, the Privacy Act, and PIPEDA.

The Ontario Freedom of Information and Protection of Privacy Act (FIPPA) and the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) regulate the handling of personal information by provincial institutions. FIPPA regulates provincial institutions at large while MFIPPA regulates municipal institutions. Both acts are similar in purpose and construction. They protect the individual’s privacy of personal information held by government institutions and create a right for individuals to access information about themselves.

MFIPPA defines the institutions to which it applies broadly. Under the act, municipal institutions include entities such as municipalities, school boards, and transit authorities. Entities whose members or officers are appointed under the authority of a municipal council are part of that municipality under the act. Therefore, many Smart City projects will fall under MFIPPA’s jurisdiction.

Both FIPPA and MFIPPA limit how and by whom personal information is collected. Under MFIPPA, no person may collect personal information for an institution unless the collection is expressly authorized by statute, used for law enforcement or necessary to the proper administration of a lawfully authorized activity. Personal information is to be collected directly from the individual to whom the information relates unless the individual authorizes otherwise (with some exceptions).  Institutions must inform affected individuals of the legal authority for the information collection and its purpose. Furthermore, they must provide contact information for an officer or employee capable of answering the individual’s questions regarding the collection. This notice may be given orally, in person, or in writing, and communicated either directly or through indirect channels such as the news media. Lastly, the notice must reference the specific section(s) of legislation authorizing the collection.

Aside from collection, FIPPA and MFIPPA also constrain the retention, use, and disclosure of personal information. The two acts require institutions to retain personal information long enough to give individuals an opportunity to access it. They also require that institutions take reasonable steps to not use the information unless it is current and accurate and to dispose of records containing personal information once they are no longer needed. Generally, an institution may not use personal information without an individual’s consent. But consent is not required where the information is being used for the purpose for which it was collected or compiled, or if it is being used for another consistent purpose. Lastly, both acts limit the conditions under which an institution may disclose personal information.

FIPPA and MFIPPA also address “Personal Information Banks” –– databases containing personal information.  The head of an institution must make an index of all personal information banks held or controlled by the institution available to the public; keep record of any use of personal information for a purpose other than that specified within the index; and keep record of any non-routine disclosures of personal information. Records about the use and disclosure of personal information become part of that information and are therefore subject to the acts’ protections.

The federal Privacy Act regulates the collection, use, and disclosure of personal information by federal institutions. This section highlights some of the act’s main features. Under the Privacy Act, federal institutions may collect personal information only if it directly relates to a program or government activity. Wherever possible, federal institutions must collect personal information directly from the individual to whom it relates and notify them of the purposes for the collection. Federal entities must obtain an individual’s consent before using personal information for a purpose that was not initially communicated to them. Lastly, the act gives individuals the right to access their personal information held by the government and request the correction of errors in that information.

The Personal Information Protection and Electronic Documents Act (“PIPEDA”) regulates the collection, use, and disclosure of personal information by the private sector. If no substantially similar provincial laws exist, then PIPEDA will govern private interactions with personal information within the province. Generally, if a province has substantially similar laws to PIPEDA, those laws displace PIPEDA within the province. But certain federally regulated industries such as aviation, railways, banks, and telecommunications remain under PIPEDA’s jurisdiction, regardless of whether a province has substantially similar laws. Furthermore, working on behalf of a government institution will not exempt a company from its obligations under PIPEDA. As long as the collection, use, or disclosure of personal information arises from a commercial activity, the act will apply. A business that handles personal information while performing a service for the government is likely engaged in a commercial activity and subject to PIPEDA.

In some instances, PIPEDA applies to municipal institutions. This occurs when the institution engages in “non-core commercial activities” and there are no substantially similar provincial laws in place. “Non-core” commercial activities are those falling outside of the municipal institution’s core purpose. For instance, a municipal transit agency selling or bartering a list of its transit pass purchasers or a municipality operating a parking garage at city hall are likely engaged in non-core commercial activities. But activities such as charging a per-bag garbage collection fee, or charging to use an arena, would likely not fall under PIPEDA as they go to the core of a municipal institution’s purpose.

Lastly, some provinces (Ontario, New Brunswick, Newfoundland and Labrador) have adopted similar legislation to PIPEDA with a focus on protecting personal health information. These laws displace PIPEDA with regards to personal health information within the province.

To find out more about PIPEDA, please visit our Privacy FAQ.  

How can Smart City technologies obtain meaningful consent to collect, use, and disclose personal information?

Smart City technologies, and the broader “Internet of Things,” challenge current models for gaining an individual’s consent to collect, use, and disclose personal information.  These technologies are unlike those of the past. They are seemingly everywhere, collecting information from smartphones, wearable devices, vehicles, sensors, and appliances. And they operate in the background, silently collecting vast amounts of information. As the Office of the Privacy Commissioner of Canada (OPCC) notes, such technologies may “yield a tremendous amount of data that can be combined, analyzed and acted upon, all potentially without adequate accountability, transparency, security or meaningful consent.” Further complicating matters is that consent requirements vary from province to province, statute to statute. The following discussion addresses consent requirements for municipal institutions in Ontario.

As mentioned above, MFIPPA governs the handling of personal information by Ontario municipal institutions. Under MFIPPA, municipal institutions must gain an individual’s consent to use and disclose their personal information. But the law does not require municipal institutions to gain an individual’s consent to simply collect their personal information. Instead, MFIPPA only requires that institutions collect personal information directly from the individual to whom it pertains and give them notice. The notice requirement may be waived by the Minister responsible for administering the act or by regulation.

Recall that where a municipal institution is engaged in “non-core commercial activities,” it is subject to PIPEDA. In these cases, the institution must obtain an individual’s consent to collect, use, and disclose their personal information. It must also inform the individual of the purposes for which their information is collected and the name of a person within the organization capable of answering questions related to the information’s collection. The same applies to businesses that handle personal information on behalf of the institution.

At the moment, consent models for Smart City technologies are still in their infancy. But providers and licensees of Smart City technologies can work to educate and engage communities, inform individuals about the purposes behind the collection and use of their personal information, and offer individuals the choice to participate.  Governments, the private sector, industry organizations, and citizens all have a role to play in this venture.  

Who is accountable for personal information collected and used by Smart City technologies?

Accountability is a key privacy law principle and a tricky subject when it comes to Smart City technologies. According to the OPCC, “To be accountable, an organization needs to be able to demonstrate what it is doing, and what it has done, with personal information and explain why.” However, doing so in the Smart Cities context is often complicated by the number of stakeholders involved. These range from governments who license technology to various hardware and software providers involved at different points in the collection, processing, and reporting of personal information.  By mapping data flows and defining the responsibilities and relationships between each party in the information chain, governments and technology providers can structure systems that maintain privacy and identify who is accountable at each step. Accountability best practices also require governments and private actors to diligently select and supervise technology vendors, regularly monitor and audit vendor security and privacy practices, and implement contractual protections surrounding personal information.

Criminal Law & Data Security

What criminal law issues are raised by Smart Cities?  

As with other networked technologies, Smart City technologies are vulnerable to hacking and manipulation. Malicious hackers may disrupt smart transportation systems, causing personal injuries and property damage. Similarly, bad actors may breach sensitive data and threaten public safety, disrupt financial markets, and expose private information.

How does criminal law regulate data breaches and the unauthorized use of Smart City data?

Criminal law seeks to deter the malicious and unauthorized access, use, and distribution of private information. Sections 342(3) and 342.1 of the Criminal Code prohibit the fraudulent and unauthorized use of computers and credit card data. Sections 402 and 403 criminalize identity theft and identity fraud. Section 184 makes it illegal to wilfully intercept private communications, and section 430(1.1) criminalizes mischievous tampering of computer data.  The Criminal Code defines “mischief” in relation to computer data as destroying or altering computer data; rendering it meaningless, useless or ineffective; obstructing or interfering with the lawful use of computer data; or obstructing, interrupting or interfering with a person in the lawful use of computer data or denying access to computer data to a person entitled to access to it.

Penalties for the above-noted offences range from prison sentences of under six months and/or fines of up to $2,000 for lesser crimes to up to 10 years in prison for more serious, indictable offences.

What can be done to protect Smart City data?

The Future of Privacy Forum suggests several methods for protecting Smart City data and limiting the impact of potential data breaches. These include developing programs for vendor and privacy management, and adopting standard practices for handling and processing information.  Vendor management involves diligently selecting and supervising vendors, monitoring them, and conducting audits of their security and privacy practices. It also includes implementing contractual protections for personal information. Privacy program management involves establishing “institutions,  practices, and procedures to ensure that accountability is maintained and resources [are] provided to oversee, govern and audit organizational use of [an] individual’s data.” Practices for handling and processing personal information aim to limit the data collected to that which is necessary for a given purpose. They also aim to minimize the impact of privacy breaches. The Future of  Privacy Forum identifies three such measures: local storage, data minimization, and de-identification. Local storage involves processing data within devices; instead of transferring raw personal data from the device, only analytics or aggregated data are transferred to the “cloud” or other machines. Data minimization involves only collecting personal information that is “directly relevant and necessary” for any given purpose. Lastly, de-identification renders personal information collected and used by Smart City technologies unidentifiable. While de-identification is certainly a deterrent to malicious actors, recall that there are ways in which even de-identified data can be traced back to an individual.

Contract & Licensing

What issues should I be aware of as a licensee of Smart City technologies?

Licensees must bargain with Smart City technology providers to obtain contractual safeguards and limit their own liability. Safeguards may spell out who is accountable for personal information as it is held in or transferred through part of a system or specify data security standards that must be respected by the technology provider. Care must also be taken to address warranties, indemnities and limits to liability for the damage, loss, or malfunction of smart devices. As noted earlier, mapping out data flows and relationships,  and specifying each actor’s responsibilities in the data chain is essential for determining who is accountable when problems arise.

Licensees should also be mindful of “contracts of adhesion,” better known as “boilerplate” or “standard form” contracts. These are “take-it-or-leave-it” contracts that do not allow terms to be negotiated. When entering into such a contract, licensees should verify whether the terms allow them to comply with their statutory obligations, such as those arising under FIPPA, MFIPPA or PIPEDA.

What is an “open source” license? What should I be aware of in using open source software?

Some Smart City software may employ what is known as an “open source” license. An open source license is one in which the software’s source code is made available to the public, but the use or modification of the code is subject to terms spelled out within the license. Usually, this requires the licensee to make software derived from the source code available to the public. Any derived software may be subject to the same terms as the original license. For more information on open source licenses please visit our dedicated FAQ here.

How might contract law limit government transparency?

The agreements entered into between governments and Smart City technology providers are governed by contract law. Terms in these agreements may prohibit governments from sharing data with the public, limiting government transparency. According to Teresa Scassa, Canada Research Chair in Information Law,  such scenarios raise “the issue of the extent to which ‘data sovereignty’ should be part of any smart cities plan.” Governments who value data transparency should consider the impact of contractual terms restricting their ability to share information with the public and adopt policies that address such issues.  

Do consumer protection laws apply to Smart City technologies contracts?

Provincial consumer protection laws like Ontario’s Consumer Protection Act (CPA) do not apply to contracts entered into between municipalities and Smart City technology providers. The CPA regulates agreements between consumers and suppliers, not business-to-government or business-to-business agreements. The act defines a consumer as “an individual acting for personal, family or household purposes,” and excludes individuals acting for business purposes.

That being said, consumer protection laws will play a role when consumer agreements are formed. Returning to our ride-hailing app example, mobile app businesses form consumer agreements with their app users. The app users are individuals acting for a personal, family, or household purpose and they have entered into an agreement with the ride-hailing app to supply services for payment. Unlike the municipal agreements mentioned above, these agreements will fall under the CPA’s protections. What is less clear, however, is whether the CPA would apply where the individual has entered into a contract with a municipal institution, such as by purchasing a “smart” transit pass from a municipal transit agency.

How are contractual disputes involving Smart City technologies resolved?

When parties cannot resolve a contractual dispute on their own, they may bring the matter to court through litigation. This is often an expensive and drawn-out process. To facilitate resolving disputes out of court, contracting parties may wish to include alternative dispute resolution (ADR) clauses within their contracts. These are contractual agreements used to settle disputes through methods like arbitration and mediation. Part of their appeal is that they help keep disputes from going to costly litigation. ADR agreements are binding on parties and will block them from bringing a matter to court unless they have exhausted the arbitration or mediation process.

While mandatory ADR clauses can facilitate dispute resolution for business-to-business or business-to-government contracts, some provincial laws render them unenforceable in consumer agreements (Alberta, Ontario, Quebec). Furthermore, the Supreme Court of Canada found that BC’s consumer protection laws were not explicit enough to enforce an arbitration clause in a consumer contract.  

Intellectual Property

- Copyright -

How does Copyright Law affect Smart City technologies?

Smart City technologies are powered by software, which is protectable under copyright. Copyright Law in Canada is governed by the Copyright Act, which protects original literary, dramatic, musical and artistic works. Under the Act, computer programs fall under the category of “literary works.” A computer program is defined as “a set of instructions or statements, expressed, fixed, embodied or stored in any manner, that is to be used directly or indirectly in a computer in order to bring about a specific result.” Hence, manufacturers often look to copyright as a means to protect their software.

Copyright protects original expression, not ideas or facts. To meet the necessary threshold for originality, a work must (1) not be copied, (2) have originated from the author, and (3) be a product of an exercise of skill and judgement that is more than trivial (i.e. not a purely mechanical exercise). As such, software that is dictated by the operating system or reflects common programming practices is not considered original expression and does not qualify for copyright protection. Ongoing modifications or fixes made to software over time may not meet the requirements of originality if they are simple mechanical changes that allow the software to function in the original manner intended. Furthermore, if a user of the software imports data into the program, the author of the software will not own copyright to that data.

Smart City technologies also collect and analyze large volumes of data. Where compiled in an original manner, this data may be protectable under copyright. The definition of a “compilation” under the Copyright Act includes works “resulting from the selection or arrangement of data.” So while many Smart City technologies will meet this definition, assessing the originality of their compilation of data is key to determining if copyright protection exists. Facts are not protected by copyright, but the data collected about facts - the skills involved, parameters used, and choices made to collect and analyze the data - is originally authored and protectable under copyright.

As Smart City technologies become more complex and interconnected, they may produce their own works protectable under copyright. For instance, they may one day operate as more than just devices and sensors collecting data, acting as producers of works that may qualify for copyright protection, all with little or no human intervention. The question often arises of who will own these computer/machine-generated works. The law in this area is evolving differently across the world. Canada and the U.S. do not protect works created by non-humans. Some countries, however, such as the UK and New Zealand, have allowed for protection of computer-generated works.

How are consumers of Smart City technologies affected by copyright?

When you buy a refrigerator, you own the physical refrigerator. When you buy a Smart refrigerator, you own the physical refrigerator, but do you own the software enabling the refrigerator? The answer is most likely not - you license the software. The same is true of many Smart City technologies. Usually the sale of the physical product includes a license for the software. These licenses often feel very one-sided as the consumer must agree to the terms of the license in order to use the product. For example, the scope of the license may govern whether consumers or third parties can access the software for maintenance and repair. User rights in the license may also outline whether consumers can reproduce, modify or distribute the software.

The freedom to modify or repair goods is further limited by technological protection measures (TPMs). A TPM, also known as a digital lock or digital-rights management, is defined as “any effective technology, device or component” that ordinarily prevents access to a copyright-protected work. Under the Copyright Act, it is unlawful to circumvent TPMs to access a protected work, even if that access is otherwise lawful. Your Smart fridge might be equipped with TPM-protected software. If any problems were to arise in the software, you would have to hire someone authorized by the copyright owner to do the repairs. Whenever the software needs to be accessed, you are tied to the copyright owner and prevented from making any modifications or additions to the software yourself.

TPM-embedded software can also be used to tie consumer products to other products made by the same company. The Copyright Act allows circumvention of TPMs to make computer programs interoperable, but it does not include making physical things interoperable. For example, the software in your Smart fridge might reject lightbulbs that are not made by the software provider’s partners. If the software is protected by a TPM, modification to the software to allow the use of third-party lightbulbs might be unlawful.

As cities spend more and more of their budgets on Smart City technologies, one can see where problems relating to TPMs may arise. Cities may be “held hostage” by technology providers who restrict the city’s ability to choose who may conduct maintenance on the technologies it uses. These providers may be in the position to raise prices, which in turn could impact consumers in the form of higher taxes or cuts to essential services.

- Patents -

How does Patent Law affect Smart City technologies?

Patents protect any new and useful art, process, machine, manufacture or composition of matter, or any new and useful improvement thereof. In the case of Smart City technologies, software is generally not patentable, but software may describe a patentable invention. As computer-implemented inventions, patents for Smart City technologies would typically fall under the category of “art” and be claimed as methods. Many parts of Smart City technologies have patentable aspects including the devices and parts of the devices themselves, the application of the devices, the processing and means of connectivity between devices, as well as the processing of data collected from the devices.

Patents may act as a barrier to the interoperability required by Smart City technologies. The success of these technologies largely rests on their ability to communicate and function with each other. For Smart City technologies to interact, communicate, and exchange large volumes of information from different sources, devices must be interoperable and use standardized technology. If standardized elements of technology become patented, however, problems may arise. Unless third-party users obtain a license from the patent owner, they may be forced to infringe upon those patents. Licenses may place further restrictions on servicing and increase the cost of Smart City technologies. One solution may lie in an approach pioneered by the smartphone industry. In that industry, the various bodies responsible for setting standards have imposed a condition that licenses for “standard essential patents” (SEPs) should be available to third parties on fair, reasonable and non-discriminatory terms.

- Trademarks -

How do trademarks affect Smart City technologies?

As Smart City technologies become increasingly connected, trademark issues will likely arise in the context of licensing connected objects. In Canada, a valid trademark must be distinctive of its owner - the mark must point to a single source. It is common for businesses to capitalize on the goodwill in their marks by licensing their trademarks to third parties. But granting licenses to third parties increases the risk of the mark losing its distinctiveness.

Section 50 of the Trademarks Act helps preserve the distinctiveness of the licensed mark. It provides that the use of the mark by a licensee is deemed to have the same effect as use of the mark by the owner, as long as the owner maintains and exercises direct or indirect control over the character or quality of the wares or services. Practices for safely licensing your mark include giving public notice, having a written agreement, specifying standards, setting out inspection rights, and exercising caution in allowing sub-licensing.

Trademark protection could restrain trade in Smart City technologies by permitting the use of authorized and branded options only. Since trademarks can theoretically last forever, as long as there is continued use of the mark and the registration is renewed every fifteen years, this could have a significant impact on the cost of Smart City technologies.

Competition Law

How are Smart City technology providers affected by competition law?

Competition Law in Canada is regulated under the Competition Act. Under the act, those who engage in anti-competitive practices may be subject to financial or even penal sanctions. In the Smart Cities context, anti-competitive behaviour could take on several forms. If a merger between dominant companies within the Smart Cities sector had the effect of restricting competition, it would likely be anti-competitive. Other examples include leveraging data in ways that prevent competition, and tied-selling.

Mergers between Smart City technology companies can be problematic because these companies may hold extremely large and valuable datasets or control the flow of large amounts of information. This may allow merging companies who hold large amounts of information or control data flows to restrict competition. Specifically, this would occur where the newly-merged company was in a position to raise prices above the competitive level for a significant period of time.

Tied-selling occurs when a supplier, selling one product, requires or induces a purchaser to buy an additional product. It can also occur when the supplier prevents the purchaser from using a different product along with the purchased product.     the placement of digital locks in smart devices and restricting how purchasers or licensees may use technologies.  


Safety, Product Liability, Insurance, & Tort

What are the implications of smart and autonomous technologies on personal liability?

Smart Cities will transform how people and goods get around. Autonomous vehicles, computerized traffic systems, and smart intersections are all anticipated components of the future transit ecosystem.  But shifting decision-making from human drivers to computers raises questions about who should be liable when accidents happen. Will it be autonomous car owners or will car manufacturers be liable through product liability? In the common law provinces, such legal disputes are settled through tort law. Provincial Sale of Goods Acts and Consumer Protection Acts may also apply where sellers have sold unfit autonomous vehicles or other connected devices.

Autonomous vehicles will also impact the insurance industry. Through sensors and connected technologies, insurance providers will have an increasing number of ways to assess risk. At least one leading Canadian law firm predicts that the automation of vehicles on our roads will lead to a drastic shift from driver-based to product-based liability.  


How will Smart Cities affect the environment?

Many Smart City technologies aim to promote environmental sustainability. Smart City data may be used to reduce or restrict the number of vehicles on the roads, minimizing  emissions. Sensors measuring air quality can provide policymakers with actionable data. And smart energy grids will deliver and store electricity with increased efficiency. In short, there are many ways in which Smart City technologies can help society become more environmentally friendly.

What is the role of environmental law concerning Smart Cities and sustainability?

Environmental law has the potential to drive the adoption of Smart City technologies. Environmental law translates government policy into laws that encourage and incentivize desirable environmental behaviour and discourage and penalize the undesirable. In the energy sector, it provides governments with various tools to curb energy use and waste. Incentives may include research grants or tax credits for businesses and individuals who install smart, energy-efficient technologies. They may also include direct investment from federal and provincial governments to install smart infrastructure.

Hoehner Research and Consulting Group identifies three independent building blocks for smart energy solutions: low carbon generation, efficient distribution, and optimized consumption. The law has a role to play in each of these three areas. For example, governments may encourage low carbon generation by incentivizing renewable energy production through wind, solar, and geothermal energy. In the area of efficient distribution, governments may legislate the adoption of smart energy grids that use computer systems to improve electricity storage and distribution. Lastly, to optimize consumption, governments may require that traditionally inefficient appliances such as air-conditioning, heating, and water-heating systems comply with certain energy consumption standards and communicate their consumption to a smart electricity grid. This would allow the grid to identify patterns and adjust energy delivery accordingly.

In Canada, governments at the federal, provincial, and municipal levels all have laws to protect the environment, regulate industry, and promote sustainability. Those operating within the Smart City space are wise to familiarize themselves with the environmental laws of their jurisdiction.

Laws at the federal level include the Canadian Environmental Protection Act (CEPA), the Environmental Enforcement Act (EEA), the Federal Sustainable Development Act (FSDA) and the Canada Foundation for Sustainable Development Technology Act (CFSDTA). CEPA is the federal government’s main tool for protecting the environment and human health. The EEA aims to harmonize environmental enforcement regimes among nine acts of parliament and provides new administrative monetary penalties to enforce compliance. The FSDA establishes the Sustainable Development Office to develop and maintain systems monitoring the progress of the federal government’s sustainable development strategy. The CFSDTA establishes a foundation to fund sustainable development technologies.

At the provincial level, environmental laws vary widely, but generally they regulate, among other things, specific types of pollution such as air, water, and soil contamination; different types of hazardous goods; waste management; and certain resource-intensive industries such as the oil and gas sector, mining, and shipping. Ontario’s Environmental Protection Act also includes specific provisions regulating motor vehicles and renewable energy.

In conclusion, environmental law may offer both government and private actors incentives for adopting Smart City technologies that promote environmental sustainability.




Access to Information Act - The Access to Information Act provides Canadians with a right of access to information held in federal government records.

Privacy Act - This act sets rules for how the federal government handles personal information. It also gives Canadian citizens and permanent residents the right to access their personal information held by government agencies and have errors in that information corrected.  

Freedom of Information and Protection of Privacy Act (Ontario) - This act performs similar functions to the aforementioned federal Access to Information Act and Privacy Act with regard to Ontario provincial institutions.

Municipal Freedom of Information and Protection of Privacy Act (Ontario) - This act performs similar functions to the aforementioned federal Access to Information Act and Privacy Act with regard to Ontario municipal institutions.

Personal Information Protection and Electronic Documents Act (PIPEDA) - PIPEDA regulates the collection, use, and disclosure of personal information by the private sector. It applies in all Canadian provinces except those that have adopted substantially similar legislation. It also applies to certain federally regulated industries regardless of the existence of similar provincial legislation.  

Criminal Code - The Criminal Code regulates criminal law in Canada and includes provisions criminalizing the unauthorized interception of communications and the fraudulent and unauthorized use of computers.  Smart City technologies depend on communications and computer technologies to transfer and process information.

Copyright Act - The Copyright Act regulates copyright in Canada. It defines rights, copyright infringement, exceptions to infringement, and remedies for those whose rights have been breached. Software falls under copyright law, and so providers and users of Smart City software should be familiar with their rights and obligations with regard to copyright.

Patent Act - The Patent Act regulates the granting of patents for inventions within Canada.

Trade-marks Act - The Trade-marks Act regulates both registered and unregistered trademarks. It regulates the adoption, use, transfer, and enforcement of rights in respect of all trademarks.

Competition Act - The Competition Act promotes competition in Canadian markets and regulates anti-competitive behaviour.

Sale of Goods Act (Ontario) - The Sale of Goods Act governs contracts for the sale of goods in Ontario. Other common law provinces have similar legislation.

Federal Sustainable Development Act & Canada Foundation for Sustainable Development Technology Act form the foundation of the federal government’s sustainable development regime.


Further Reading

Office of the Privacy Commissioner of Canada, Overview of Privacy Legislation in Canada - This page is a good starting point for those who wish to gain a basic understanding of Canadian privacy law.

Office of the Privacy Commissioner of Canada, The Internet of Things: An introduction to privacy issues with a focus on the retail and home environments - This paper provides an overview of privacy issues arising from the “Internet of Things,” of which Smart City technologies are a subset.

UN University Operating Unit on Policy-Driven Electronic Governance - Smart Sustainable Cities: Reconnaissance Study - This study produces several insights into both the potential and challenges posed by smart cities with regard to sustainability.

Articles & Resources

Future of Privacy Forum, Shedding Light on Smart City Privacy - Future of Privacy Forum has put together this insightful, interactive page highlighting Smart City technologies and the privacy issues arising from them.

Teresa Scassa, uOttawa Centre for Law, Technology and Society, Emerging Legal Issues in the Smart Cities Context - One of Canada’s leading tech law authorities reflects on legal issues stemming from Smart Cities. Topics covered include privacy, liability, and data ownership.

Lilian Edwards, Privacy, Security, and Data Protection in Smart Cities: A Critical EU Law Perspective - Professor Edwards of the University of Strathclyde discusses privacy, security, and data protection as they relate to Smart Cities in the European context.

David Murakami Wood, Queen’s University, Smart City, Surveillance City - Professor Murakami Wood explores the vast surveillance capacity of Smart Cities.