Open Smart Cities

Open Smart Cities FAQ


“Smart” city technologies collect, analyse, and use data to improve city life. Data collection can be active or passive, and data analysis can reveal patterns in how people work, live, and travel. Many cities use sensors to passively collect data about how people use bridges and roads, while some cities actively collect data about residents, using cameras to gather traffic data or “smart” meters to show how people use water and electricity.

Smart city initiatives are often public-private partnerships, involving two or more public and private sector organizations working together towards a long-term goal. For example, in 2016, Ottawa and Gatineau partnered with Strava, a fitness tracker company, to gather information about how residents use urban bike infrastructure. The cities intend to use this data to make the nation’s capital region more bike-friendly. Larger scale projects, such as Sidewalk Labs’ proposal for a connected community on Toronto’s Eastern waterfront, engage complex legal issues and involve dozens of public and private stakeholders.

This FAQ discusses smart city technologies and considers how smart cities can be made “open.” It also describes how Canadian laws currently regulate smart city projects and technologies.

  • Where smart city technologies collect personal information, federal and provincial privacy laws will apply.
  • Contract law applies to agreements made between technology vendors and other parties, such as individuals or municipalities. Provincial consumer protection laws may also apply.
  • Intellectual property laws, including copyright, patent, and trademark rules, will restrict how some smart city technologies can be used, and by whom.
  • If smart city technologies harm people or things, tort law will apply.
  • Criminal and national security laws will apply if smart city technologies are hacked or used for malicious purposes.
  • Competition laws will apply if smart city technology vendors use deceptive marketing strategies or behave in anti-competitive ways.
  • Environmental protection rules can help encourage sustainable development in the smart cities context.
  • Municipal laws, such as zoning bylaws, will likely be used to shape and design smart cities.

This FAQ was drafted as part of the Open Smart Cities in Canada project, a research-based project funded by Natural Resources Canada (NRCan) GeoConnections and led by OpenNorth. In collaboration with leading researchers, CIPPIC, and smart city representatives at Canadian cities, as well as provinces with advanced open government programs, this project aims to develop municipal data management policies and guidelines that connect open data and government to smart cities programs, ensuring the two support one another. Please visit the OpenNorth website for more details about the project and its collaborators.





What is a “smart city”?
What are smart city technologies?
What is an “open smart city”?


How does Canadian privacy law apply to open smart cities?
How might Ontario’s privacy laws apply to smart cities technologies?
Who administers privacy laws in Canada?
Can smart city data be shared with advertisers or law enforcement? 
What happens when smart city data is processed and stored outside of Canada?
Who is accountable for personal information collected and used by smart city technologies? 
What happens if a smart cities technology provider suffers a data breach?
How are Canadian privacy laws enforced and what are the penalties for non-compliance?

Contract Law 

How does Canadian contract law apply to smart cities projects?
Do consumer protection laws apply to smart city technologies contracts? 

Intellectual Property Laws 

When is smart city data protected by Canadian copyright law? 
How is copyrighted software different from software offered under an “open source” license? 
How might copyright protection affect citizens in the smart cities context? 
How will patent law impact the development of smart city technologies?
How might trademark law be used to protect branded smart city technologies? 

Liability for Harm to Others 

How can people harmed by smart cities technologies sue?
Can tort claims be brought against the government? 

Criminal and National Security Law 

How do Canadian criminal and national security laws impact smart cities?
How does Canadian criminal law address unauthorized use of smart city data?
How might national security laws apply in the smart cities context?

Competition Law

How might competition laws apply in the smart cities context?

Environmental Law 

What environmental policy concerns are raised by smart city technologies?
How will environmental laws impact smart cities?
How might Canadian environmental law and policy influence smart city development?
How might cities use bylaws and other tools to regulate smart city businesses and technologies?


What is a “smart city”?

Cities have always employed technology in service of the collective goals of their urban communities.  “Smart cities” use modern sensor, network, and “big data” technologies to manage and control urban environments in real-time. Their “smartness” lies in their ability to improve decision-making and increase efficiency. They accomplish this by processing vast quantities of data at high speeds, automating processes, and providing decision-makers with valuable insights. The Smart City movement aims to improve living standards and public safety and promote environmental sustainability.

But the adoption of new technologies always comes with both benefits and drawbacks.  The term “smart city” makes it sound like there are only advantages to deploying these technologies throughout the city.  In fact, smart cities come with significant costs beyond the merely financial.

What are smart city technologies?

Smart City technologies collect data such as traffic and pedestrian flow, vehicle locations, public transit use, energy consumption, greenhouse emissions, and even crime statistics. They collect data through sensors, cameras, energy meters, electronic transactions, and even police reports. The data is then processed to inform decisions and automate processes. Once processed, the data may be used to improve an intersection’s design or automate traffic signals. Smart City technologies may one day tell an autonomous car where it can park. And today, embedded sensor technologies are already telling city engineers when infrastructure is due for repair. The number of ways in which Smart City data may be used is seemingly endless.

Smart city technologies can be broken down into several categories:

  • Transportation: Transportation technologies impact how people and goods get around.
  • Water and Electricity: Utilities technologies streamline how people access water and power.
  • Environmental Monitoring: Environmental monitoring technologies use sensors and other devices to gather data about water, soil, and air quality.
  • Infrastructure and Architecture: Physical structures can generate data using sensors, cameras, and other technologies.
  • Government services: Smart government services aim to improve transparency, accountability, and accessibility.

Examples of these technologies include:

  • Connected cars and buses
  • Self-driving (“autonomous”) cars
  • Car and bike-sharing services
  • Automatic bridge and highway tolling
  • Automated license plate readers
  • “Smart grid” technology that generates data about urban electricity and water use
  • Air quality sensors
  • “Smart” trash cans that notify garbage collectors when full
  • Noise sensors
  • Drone cameras that monitor traffic patterns
  • “Intelligent” street lamps that save energy and can detect gunshots
  • Sensors that notify the city when bridges and roads need repair
  • Location beacons to help people who are visually impaired
  • Free public Wi-Fi
  • Provincial and municipal open data initiatives
  • RFID smart cards that provide universal access to city services
  • Police body cameras

(See also: Future of Privacy Forum, “Shedding Light on Smart City Privacy”)

Some of these technologies are already widely used in Canada. For example:

  • Provinces use automated tolling on bridges and highways to collect road fees.
  • Civic engineers use road sensors to determine where and when infrastructure needs to be replaced or repaired.
  • Many Canadian cities have “smart” water and power infrastructure that allows residents to see when and how they are consuming resources as compared to neighbours.
  • Some provincial and municipal transportation bodies track buses using GPS technology, and allow people to access up-to-date bus and train times from their smartphones.
  • Some police forces use automatic license plate readers to identify stolen cars on the road.

Other smart cities technologies have been proposed but not yet widely implemented in Canada. For example:

  • Some police forces have proposed using drone cameras to improve policing.
  • Some cities plan to install free public Wi-Fi kiosks, in partnership with telecom providers.
  • Vendors sell intelligent street lamps which can be used to save energy and detect gunshots.
  • With advances in autonomous vehicle technology, self-driving cars and buses may be on the horizon.

Smart city projects can benefit residents in many ways. For example, adopting “smart” technologies can reduce costs for services, improve transparency and accountability, and help policy-makers make better decisions. Nonetheless, smart city technologies can also present significant challenges for certain stakeholder groups. For example,

  • Privacy-conscious individuals will likely object to being tracked by traffic cameras and drones.
  • Professional groups that have confidentiality obligations, such as lawyers, may object to having calls and conversations recorded by a self-driving car’s “black box.”
  • Other stakeholders may object to having smart city data sold or leased to third parties to, for example, sell advertisements.

One additional concern is whether or not data generated by smart cities projects will be made available to the public. Regulators will have to address these and other issues through extensive public consultation and research.

What is an “open smart city”?

OpenNorth, a non-profit organization that advocates for open smart city strategies, describes open smart cities as a collaborative effort among all actors in society – governments, civil society groups, the private sector, the media, and academia – to improve and challenge urban living. Ultimately, open smart cities are participatory, collaborative and responsive to citizens’ needs. OpenNorth defines an “open smart city” in the following way:

An Open Smart City includes the following five characteristics:

  1. Governance in an Open Smart City is ethical, accountable, and transparent. These principles apply to the governance of social and technical platforms which includes data, algorithms, skills, infrastructure, and knowledge.

  2. An Open Smart City is participatory, collaborative and responsive. It is a city where government, civil society, private sector, the media, academia and residents meaningfully participate in the governance of the city and have shared rights and responsibilities. This entails a culture of trust and critical thinking and fair, just, inclusive and informed approaches.

  3. An Open Smart City uses data and technologies that are fit for purpose, can be repaired and queried, their source code are open, adhere to open standards, are interoperable, durable, secure, and where possible locally procured and scalable. Data and technology are used and acquired in such a way as to reduce harm and bias, increase sustainability and enhance flexibility. An Open Smart City may defer when warranted to automated decision-making and therefore designs these systems to be legible, responsive, adaptive and accountable.

  4. In an Open Smart City, data management is the norm and custody and control over data generated by smart technologies is held and exercised in the public interest. Data governance includes sovereignty, residency, open by default, security, individual and social privacy, and grants people authority over their personal data.

  5. In an Open Smart City, it is recognized that data and technology are not the solution to many of the systemic issues cities face, nor are there always quick fixes. These problems require innovative, sometimes long term, social, organizational, economic, and political processes and solutions.

Smart cities act in an “open” manner when they make collected city data available to the public. Some Canadian cities — including Toronto, Edmonton, Montreal, and Vancouver — have created open data plans to improve city transparency and accountability. Some of these cities already publish extensive city data in easy-to-use online portals. For example, the City of Edmonton launched an open data platform in January 2010. Using the city’s Citizen Dashboard tool, residents and others can access current and historical data that measures progress on city initiatives (such as filling potholes or making transit services more reliable).


How does Canadian privacy law apply to open smart cities?

Federal and provincial privacy laws will likely apply whenever smart city technologies collect, use, or share “personal information.”

Canada’s private sector privacy law, PIPEDA, defines personal information as any “information about an identifiable individual.” Personal information includes data which, when combined with other data, creates a “serious possibility that an individual could be identified through the use of that information.” Examples of personal information include

  • names and email addresses,
  • biometric data such as fingerprints,
  • credit score information,
  • photographs or videos, and
  • internet protocol (IP) addresses.

Which privacy law applies will depend on who is collecting, sharing, or disclosing personal information. In some circumstances, no privacy laws may apply. For example, privacy laws generally do not apply to political parties or to non-profit organizations that are not engaged in commercial activity. If these organizations violate an individual’s privacy, recourse may be limited to tort claims, discussed below.

Privacy Act

The Privacy Act regulates how federal institutions may collect, use, and disclose personal information. Federal institutions may only collect personal information if it directly relates to a government program or activity (such as transportation). Wherever possible, federal institutions must collect personal information directly from the individual to whom it relates. Individuals must be told why the information is being collected, and must give consent before the information is used for any new purposes. The Act also gives individuals the right to access personal information held by the government and the right to request to correct any errors in respect of that information.

Personal Information Protection and Electronic Documents Act (“PIPEDA”)

PIPEDA applies to private sector organizations that collect, use, and disclose personal information while engaged in commercial activity. A technology vendor that processes personal information while performing a service for the government is likely engaged in a commercial activity and subject to PIPEDA.

In some instances, PIPEDA can apply to municipal institutions. PIPEDA will apply to municipalities engaging in “non-core commercial activities” where there are no substantially similar provincial laws in place. “Non-core commercial activities” are those falling outside of the municipal institution’s core purpose. For example, a municipal transit agency selling or bartering a list of its transit pass purchasers would likely be engaged in non-core commercial activities. By contrast, activities such as charging a per-bag garbage collection fee, or charging to use an arena, would likely not engage PIPEDA as they go to the core of a municipal institution’s purpose.

To find out more about PIPEDA, please visit our Privacy FAQ.  

Provincial privacy laws

Every Canadian province and territory has a public sector privacy law that applies to provincial institutions and municipalities. Alberta, Quebec, and British Columbia have privacy laws that apply in the private sector, and other provinces have laws that apply in the medical or employment context.

For an overview of privacy regulation at the provincial level, see Office of the Privacy Commissioner of Canada, “Provincial and territorial privacy laws and oversight.”

How might Ontario’s privacy laws apply to smart cities technologies?

In Ontario, the Freedom of Information and Protection of Privacy Act (FIPPA) and the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) regulate how Ontario government institutions handle personal information. FIPPA regulates provincial institutions at large, while MFIPPA regulates municipal institutions. Both acts protect personal information held by government institutions and grant individuals the right to access information concerning them.

Many smart city projects in Ontario will be subject to MFIPPA, which applies to a broad range of institutions including municipalities, school boards, and transit authorities. Entities whose members or officers are appointed under the authority of a municipal council are also subject to MFIPPA.

  1. Data Collection

Both FIPPA and MFIPPA limit how personal information may be collected, and by whom. Under MFIPPA, no person may collect personal information for an institution unless the collection is expressly authorized by statute, used for law enforcement, or necessary to the proper administration of a lawfully authorized activity. Personal information must be collected directly from the individual about whom the information relates, unless the individual authorizes otherwise (with some exceptions). Institutions must inform affected individuals of the legal authority for the information collection and its purpose. Furthermore, they must provide contact information for an officer or employee who can answer questions individuals may have about the collection. Notice may be given orally, in person, or in writing, and communicated either directly or through indirect channels such as the news media. Lastly, the notice must reference the specific section(s) of legislation authorizing the collection.

  2. Data Retention, Use, and Disclosure

Aside from collection, FIPPA and MFIPPA also constrain the retention, use, and disclosure of personal information. The two acts require institutions to retain personal information long enough to give individuals an opportunity to access it. They also require that institutions take reasonable steps to not use personal information unless it is current and accurate, and to dispose of records containing personal information once they are no longer needed. Generally, an institution may not use personal information without an individual’s consent. Consent is not required, however, where the information is being used for the purpose for which it was collected or compiled, or if it is being used for another consistent purpose.

MFIPPA governs the handling of personal information by Ontario municipal institutions. Under MFIPPA, municipal institutions must gain an individual’s consent to use and disclose their personal information. The law does not require municipal institutions to gain an individual’s consent to simply collect their personal information. Instead, MFIPPA only requires that institutions collect personal information directly from the individual to whom it pertains and provide notice. The notice requirement may be waived by the Minister responsible for administering the act, or by regulation, which may raise significant accountability issues.

  3. “Personal Information Banks”

FIPPA and MFIPPA also establish rules relating to “Personal Information Banks,” which are government databases containing personal information. The head of an institution must make a public index of all personal information banks held or controlled by the institution; keep record of any personal information used for a purpose other than that specified within the index; and keep record of any non-routine disclosures of personal information. Records about the use and disclosure of personal information become part of that information and are therefore also protected by privacy laws.

Who administers privacy laws in Canada?

Canada has several regulatory bodies that handle privacy issues, including the federal Office of the Privacy Commissioner (“OPC”) and provincial privacy and access to information commissioners. The OPC investigates complaints made under PIPEDA and the Privacy Act, and issues guidance on how to comply with federal privacy laws. Provincial commissioners administer and investigate provincial privacy matters, and similarly offer guidance to provincial institutions and the public.

In 2017, the OPC issued draft guidance on inappropriate data collection practices, setting out several “no-go zones” where private sector data collection would not be reasonable under PIPEDA. These “no-go zones” included tracking through discriminatory practices, tracking children, requesting genetic data, and spying on individuals through their smartphone cameras or microphones. The OPC has also issued guidelines that relate to, for example, obtaining meaningful consent online.

Can smart city data be shared with advertisers or law enforcement? 

Canada’s federal and provincial privacy laws contain rules about how personal information can be disclosed to law enforcement.

  • Under section 7 of PIPEDA, private sector organizations can legally share personal information with law enforcement, without the affected individual’s consent, for the purpose of investigating or enforcing any Canadian or foreign law. Organizations can also share personal information without consent in emergency situations.
  • Under section 8(m) of the Privacy Act, which applies in the federal public sector, personal information may be disclosed “for any purpose where, in the opinion of the head of the institution, the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure.”

Where information is not “personal” — because, for example, companies are stripping personal identifiers or otherwise de-identifying data sets — it can be freely shared with third parties unless otherwise protected through confidentiality terms in a contract. This sort of non-personal aggregate data is often sold to advertisers or data brokers.

What happens when smart city data is processed and stored outside of Canada?

Smart cities technologies will often use cloud computing, which may involve sending data to computer servers in other jurisdictions. While cloud computing offers benefits such as decreased costs, increased efficiency, and improved user experience, it may also raise privacy and security concerns in the smart cities context. Many contracts with cloud service providers state that data may be stored on servers in other countries, such as the United States or any other country where the provider has subsidiaries. This data may or may not be encrypted in transit on its way to the foreign server.

While PIPEDA applies to cloud service providers that have a real and substantial connection to Canada, other international laws, such as the national security laws of the state where data is stored, may also apply to data stored internationally. Contractual provisions between smart city technology vendors and purchasers cannot override these international laws, potentially exposing data to other privacy and security risks.

For further discussion of transborder data flows and privacy, see Heidi Bohaker, Lisa Austin, Andrew Clement & Stephanie Perrin, “Seeing Through the Cloud: National Jurisdiction and Location of Data, Servers, and Networks Still Matter in a Digitally Interconnected World.”

Who is accountable for personal information collected and used by smart city technologies? 

Accountability is a key part of Canadian privacy law. This can be complicated in the smart cities context because of the sheer number of stakeholders involved. Smart city stakeholders range from governments who license technology to various hardware and software providers involved at different points in the collection, processing, and reporting of personal information.  

Accountability best practices require governments and private actors to diligently select and supervise technology vendors, regularly monitor and audit vendor security and privacy practices, and implement contractual protections that safeguard collected information. By mapping data flows and defining the responsibilities and relationships between each party in the information chain, governments and technology providers can structure systems that maintain privacy and identify who is accountable at each step.

What happens if a smart cities technology provider suffers a data breach?

If a data breach occurs and PIPEDA applies, affected individuals may choose to file a complaint with the OPC. In assessing the complaint, the OPC will investigate whether the company “implemented safeguards appropriate to the sensitivity of the information it held.” If the complaint is well-founded (for example, because the company did not have adequate security safeguards in place), the OPC may make recommendations to the company for further action. If the company does not follow those recommendations, the Commissioner may take the company to court.

In 2015, Parliament passed new mandatory data breach notification rules which have not yet come into force. Once the new breach notification rules take effect, organizations will have to file a mandatory report with the OPC following a data breach. Companies will also have to notify all parties affected and keep data breach records.

How are Canadian privacy laws enforced and what are the penalties for non-compliance?

The Privacy Commissioner of Canada handles complaints that arise when private sector organizations violate PIPEDA. The Commissioner can investigate complaints made by individuals or launch complaints on his or her own. Following an investigation, the Commissioner may make non-binding recommendations to promote compliance with the law. If the organization does not follow the Commissioner’s recommendations, the Commissioner may bring the matter to federal court.

The Commissioner also investigates alleged violations of the Privacy Act, though federal court oversight is limited to matters involving access to information requests. The Commissioner “does not have order-making powers under the Privacy Act,” and cannot force federal government institutions to take any specific actions. The Commissioner may, however, work with a federal institution to improve its information-handling practices.

For more information about how federal privacy laws are enforced, see Office of the Privacy Commissioner, “Enforcement of PIPEDA” and “Privacy Act compliance help.”

In Ontario, it is an offence to willfully disclose personal information in violation of FIPPA or MFIPPA, or to fail to comply with orders made by the provincial Information and Privacy Commissioner. Persons who violate either act may be liable for fines of up to $5000.

Contract Law

How does Canadian contract law apply to smart cities projects?

Agreements between governments and smart city technology providers are governed by contract law. Many technology contracts are standard form contracts offered on a “take-it-or-leave-it” basis. The classic example of a standard form contract is an End User License Agreement, which is generally not negotiated between parties. Terms in these agreements may, for example, prevent governments from making smart city data available to the public.

Before entering into a contract with a technology provider, smart city project leaders should verify whether agreement terms allow them to comply with statutory obligations, such as those under FIPPA, MFIPPA or PIPEDA. Some useful contractual safeguards in the smart cities context are terms which specify

  • Who is accountable for personal information as it is held in or transferred through part of a system;
  • What data security standards must be respected by technology providers;
  • Whether and how confidentiality obligations will apply to third party service providers, such as data processors;
  • Whether there are any warranties, indemnities, or liability caps which will apply if smart devices malfunction, or if they are damaged or destroyed; and
  • That data processors must also abide by all specified restrictions and obligations.

Some experts argue that when taxpayer dollars are used to generate or collect data, that data ought to be a public resource. Teresa Scassa, Canada Research Chair in Information Law, notes that such scenarios raise “the issue of the extent to which ‘data sovereignty’ should be part of any smart cities plan.”

Do consumer protection laws apply to smart city technologies contracts? 

Provincial consumer protection laws, such as Ontario’s Consumer Protection Act (CPA), will not apply to contracts between municipalities and smart city technology providers. Consumer protection laws regulate agreements between consumers and suppliers, not business-to-government or business-to-business agreements. The Act defines a consumer as “an individual acting for personal, family or household purposes,” and excludes individuals acting for business purposes.

Consumer protection laws apply to consumer agreements, such as those between a ride-sharing business and its passengers. Where a ride-sharing platform’s users are individuals acting for a personal, family, or household purpose, and where users have entered into an agreement with the ride-hailing app to supply services for payment, the CPA will likely apply. What is less clear, however, is whether consumer protection laws would apply where the individual has entered into a contract with a municipal institution, such as by purchasing a “smart” transit pass from a municipal transit agency.

Intellectual Property Laws 

Canada’s intellectual property (IP) regime is set out in three pieces of federal legislation: the Copyright Act, Patent Act, and Trade-marks Act. This section discusses IP issues which may uniquely arise in the smart cities context.

When is smart city data protected by Canadian copyright law? 

The Canadian Copyright Act protects original literary, dramatic, musical, and artistic works. Computer programs — such as the software used to run smart city platforms — are generally considered “literary works” and can be protected under the Act.

Copyright law may also be used to protect the data that smart city technologies collect and analyze. While facts are not protected by copyright, data can be copyrighted if it forms an “original compilation.” The definition of a “compilation” under the Copyright Act includes works “resulting from the selection or arrangement of data.” If a compilation is originally authored — an assessment which will likely involve looking at the skills involved, parameters used, and choices made to collect and order the data — it may qualify for copyright protection. Obvious and “merely mechanical” selections and arrangements do not enjoy copyright protection.

The law surrounding who owns machine-generated works is evolving differently across the world. As smart city technologies become more complex and interconnected, digital devices and platforms may begin to produce their own, copyrightable works. Canada and the United States do not currently protect works created by non-humans, while the UK and New Zealand do afford protection to computer-generated works.

How is copyrighted software different from software offered under an “open source” license? 

Some smart city technologies may use what is known as an “open source” license. An open source licence is one where the source software code, and sometimes hardware plans, are made available to the public. Using or modifying the code is usually subject to rules, such as an obligation to make software derived from the source code available to the public.

For more information on open source licenses please visit CIPPIC’s Open Source Software FAQ.

How might copyright protection affect citizens in the smart cities context? 

When a city buys a connected street lamp, it may own the physical lamp but will likely only license the software used to make the lamp “smart.” Cities may have an opportunity to negotiate these licenses, or they may be offered on a take-it-or-leave-it basis. Technology licenses may govern whether consumers or third parties can access smart city technologies for maintenance and repair, and may also outline whether consumers can reproduce, modify, or distribute smart city software.

Smart city technologies may also come loaded with technological protection measures (TPMs), such as digital locks. For example, the software in a city’s intelligent street lamps might reject lightbulbs that are not made by the software provider’s partners. If the software is protected by a TPM, modifying the software to permit using third-party lightbulbs might be unlawful. Under the Copyright Act, it is unlawful to circumvent TPMs to access a copyright-protected work, even if that access is otherwise lawful. While the Copyright Act allows individuals to circumvent TPMs to make computer programs interoperable, that exception does not apply to making physical things interoperable.

It is possible that smart cities could be “held hostage” by technology providers that restrict who may repair smart city devices. If any problems arise in the software, the city may have to hire someone authorized by the copyright owner to do any maintenance. These authorized providers may be in the position to raise prices, which in turn could impact consumers in the form of higher taxes or service fees.

How will patent law impact the development of smart city technologies?

Patents offer inventors a time-limited monopoly on the right to make and sell their inventions. While software is generally not patentable (and protected instead under copyright law), a novel invention that operates with the aid of software may still be patentable. Smart city technologies may also have patentable aspects, such as novel sensor hardware, inventive connectivity mechanisms, and new information processing methods.

For smart city technologies to interact, communicate, and exchange information from different sources, devices must be interoperable and use standardised technology. Patents may act as a barrier to interoperability and standardization, which could potentially stifle innovation. For example, without open standards, third-party users may have to obtain a license before using or potentially repairing patented technology. Such licenses could be refused, or in some cases lost.

Smart city technology stakeholders can look to the smartphone industry to address some of the issues related to patents and licensing. For example, various bodies responsible for setting standards have imposed a condition that licenses for “standard essential patents” (SEPs) should be available to third parties on fair, reasonable and non-discriminatory terms. For a broad overview of how standard essential patents work, see Charles Arthur, “The Smartphone Patent Wars Explained”.

How might trademark law be used to protect branded smart city technologies? 

In the smart cities context, trademark issues will likely arise through licensing. Specifically, trademark protection could affect smart city projects by making branded innovations more expensive to operate and use. Licensing issues may also prevent smart city technology vendors from marketing their products as compatible or interoperable with other trademarked products or devices.

In Canada, a valid trademark must be distinctive of its owner, which means the mark must point to a single source. It is common for businesses to capitalize on the goodwill in their marks by licensing their trademarks to third parties. Granting licenses to third parties increases the risk of the mark losing its distinctiveness.

Section 50 of the Trade-marks Act helps preserve the distinctiveness of licensed marks. It provides that the use of the mark by a licensee has the same effect as use of the mark by the owner, so long as the owner maintains and exercises direct or indirect control over the character or quality of wares or services using the licensed mark. To safely license a mark, trademark owners often specify strict standards relating to trademark use, set out inspection rights, and restrict sub-licensing. While these practices allow companies to maintain the reputation and goodwill associated with a brand, they are also expensive, and these costs may be passed along to consumers.

Liability for Harm to Others 

How can people harmed by smart cities technologies sue?

Smart cities will transform how people and goods get around. Autonomous vehicles, computerized traffic systems, and smart intersections may all become part of future transit ecosystems. Shifting decision-making from human drivers to computers raises questions about who should be liable when accidents happen. Will autonomous car owners be liable for accidents, or will car manufacturers be liable through product liability? At least one leading Canadian law firm predicts that self-driving cars may prompt a shift from driver-based to product-based liability in motor vehicle accidents.

In the common law provinces (that is, all provinces but Québec), these sorts of legal disputes are settled through “tort law”, which is the type of law that deals with liability for harm done to others. While tort cases can be expensive, the end result of a successful lawsuit is usually a damage award and payment for legal costs.

Four types of tort claims are relevant in the smart cities context:

  • Negligence claims
  • Nuisance claims
  • Common law torts
  • Statutory torts

When might a claim arise?

Negligence claims: If a person has been harmed by the careless or reckless actions of another, he or she may be able to sue for negligence.

Nuisance claims: If a person has been harmed by substantial interference with his or her land, he or she may be able to sue for nuisance.

Common law torts: If a person has been harmed by behaviour that courts recognize as tortious, he or she may be able to sue the person who did the harm.

Statutory torts: If a person has been harmed by actions specified as tortious in a statute, he or she may be able to sue the person who did the harm.

What does the plaintiff have to prove?

Negligence claims: To succeed in a negligence case, the plaintiff will have to show that he or she was owed a duty of care by the defendant. The harm must have been reasonably foreseeable, and there must have been sufficient proximity between the parties to justify potential liability. If the defendant failed to meet the appropriate standard of care and does not raise any defenses, he or she will likely have to pay damages.

Nuisance claims: To succeed in a nuisance case, a plaintiff must show that he or she was substantially and unreasonably harmed by damage to or interference with his or her property. The person who did the harm can raise defenses, such as that the nuisance-causing conduct was authorized by a statute.

Common law torts: Common law torts recognize liability for a wide range of harms. Some examples include:

  • trespassing on another person’s property;
  • intentionally inflicting mental suffering on another person; and
  • invading another person’s privacy to cause distress, humiliation or anguish.

The test for establishing liability will depend on the tort in question.

Statutory torts: Some federal and provincial laws allow citizens to sue in tort when certain circumstances are met. For example, in British Columbia, Manitoba, Saskatchewan, and Newfoundland individuals can sue civilly in respect of privacy violations. The British Columbia Privacy Act provides, “It is a tort, actionable without proof of damage, for a person, wilfully and without a claim of right, to violate the privacy of another.”

How might it apply in the smart cities context?

Negligence claims: Smart car manufacturers could be held liable for negligent vehicle design if, for example, cars marketed and sold in Canada malfunctioned in snowy conditions.

Nuisance claims: If a city’s smart sewage system became blocked and released waste into a person’s backyard, the city could potentially be held liable in nuisance. Whether the claim would succeed depends on whether the harm could have been prevented (by, for example, building backflow valves), or whether it was an inevitable consequence of operating the system. (Note, however, that in Ontario, nuisance claims relating to municipal water or sewage leaks are explicitly precluded by statute.)

Common law torts: If an employee of a smart city technology vendor accessed sensitive information about an individual and sold that information to the individual’s former spouse, the employee could be liable under a common law privacy tort.

Statutory torts: Under the British Columbia Privacy Act, a person would likely be civilly liable for damages if he or she compromised a city surveillance camera and used it to spy on someone else.

Can tort claims be brought against the government? 

Whether a citizen can sue his or her city in relation to a malfunctioning smart city technology will likely depend on (i) rules on municipal liability provided in provincial laws, and (ii) whether the harm resulted from a policy decision that was within the government’s discretion to make.

Provincial laws often place limits on when municipalities can be held liable for harms suffered by citizens. For example, in Ontario, lawsuits generally cannot be brought against city officials who cause harm while performing their civic duties in good faith. Some statutes do, however, establish ways for citizens to recover damages from municipal governments in certain circumstances (such as, for example, when citizens are harmed while using roads that are improperly maintained). Where government actions constitute policy decisions (a broad term which includes actions taken according to by-laws, administrative decisions, and other valid exercises of government discretion), decision-makers will generally not be liable for harm caused by those decisions.

Criminal and National Security Law 

How do Canadian criminal and national security laws impact smart cities?

Some smart city technologies may be vulnerable to hacking. Engineers and academics have identified malicious hacking as a key concern in the development of self-driving cars. A hacker who, for example, locked someone out of a car, forced a car to accelerate into an intersection, or took control of a steering wheel to cause a collision would likely face sanctions under Canadian criminal law.

How does Canadian criminal law address unauthorized use of smart city data? 

Our Criminal Code deters “malicious and unauthorized access, use, and distribution of private information” through:

  • Prohibiting fraudulent and unauthorized uses of computers and credit card data (ss 342(1) and 342(3)),
  • Criminalizing identity theft and identity fraud (ss 402 and 403),
  • Disallowing someone from wilfully intercepting private communications (s 184), and
  • Condemning mischievous tampering of computer data (s 430(1)(1)).

“Mischief” in data contexts includes:

  • destroying or altering data to render it meaningless and useless,
  • interfering with the lawful use of computer data, and
  • denying access to computer data to a person entitled to its access.

Penalties for these offences range from prison sentences of under six months and/or fines of up to $2,000 for lesser crimes to up to 10 years in prison for more serious offences.

How might national security laws apply in the smart cities context?

Canada’s national security laws may apply if cyberterrorists target critical infrastructure, such as smart electricity grids or telecommunications services. For example, the Security of Canada Information Sharing Act allows government agencies to share information when responding to activities that undermine the security of Canada (a term defined to expressly include interference with critical infrastructure). This means that if a hacker tried to take down a smart grid, law enforcement could collaborate with Canada’s national security agencies — CSE and CSIS — to respond swiftly.

In 2016, Public Safety Canada issued useful guidance relating to cybersecurity and critical infrastructure. The report stresses the importance of planning for cyber attacks, and highlights the need to appropriately assess risks associated with bringing critical infrastructure online.

Competition Law

How might competition laws apply in the smart cities context?

The federal Competition Act regulates a wide range of anti-competitive behaviours and practices. In the smart cities context, anti-competitive behaviour could take several forms:

Deceptive marketing practices are regulated under Part VII.1 of the Competition Act. If the Competition Bureau finds that a company’s marketing has materially misled consumers, that company could face criminal penalties or significant fines. A false or misleading statement will be considered material when, based on “the general impression it conveys,” it could influence consumers to buy a product, or use a service, as advertised.

  • If a smart cities technology vendor materially misleads consumers about how it collects, uses, shares, or erases data (in, for example, marketing materials or an inaccurate privacy policy), it may be violating the Competition Act. If the vendor’s misstatements were made intentionally or recklessly, the vendor could face criminal penalties including jail time. Vendors that unintentionally mislead the public with material misstatements can also face multi-million dollar fines.

Mergers between competitors, suppliers, or other companies may also be regulated under section 92 of the Competition Act. To assess whether a proposed or completed merger between companies is anti-competitive, the Competition Bureau will define the relevant market (for example, the market for street lamps in the City of Toronto) and then assess whether the merger would lead to a substantial lessening or prevention of competition in that market (for example, allowing the new company to significantly raise prices for street lamps).

  • Merger regulation in the technology context may be complicated by the fact that technology companies with low market share may nonetheless hold very large and valuable datasets. Defining relevant markets can also be complicated in the context of platforms which collect data on free platforms and sell that data as an input for other services, such as advertising (Competition Bureau, “Big data and Innovation: Implication for competition policy in Canada”). Switching costs for consumers (that is, the difficulty of moving data from one platform to another), and network effects (which arise when a platform becomes more valuable as more users use it) may also complicate enforcing competition rules in the smart cities context.

Tied-selling occurs when a supplier, selling one product, requires or induces a purchaser to buy an additional product. It can also occur when the supplier prevents the purchaser from using a different product along with the purchased product.

  • In the smart cities context, tied-selling could occur where a vendor sells one product with another, forcing municipalities to purchase both.

Abuses of dominance occur when a dominant company engages in a practice of anti-competitive acts, such as withholding resources from a market or selling products at a loss to keep potential competitors out of the market.

  • A dominant smart cities technology vendor may commit an abuse of dominance if it, for example, sells sensors at unsustainably low prices in order to prevent competition from other sensor manufacturers.

Bid-rigging investigations can sometimes come up in the public procurement process (that is, the process where a public body, like a municipality, allows companies to bid on providing a requested product or service). Bid-rigging happens when two or more individuals or companies work together to make the bidding process unfair and anti-competitive.

  • In the smart cities context, if two or more vendors agreed to submit bids, withdraw bids, or set prices or terms together before submitting bids to municipalities, those vendors could be charged with bid-rigging.

Environmental Law

What environmental policy concerns are raised by smart city technologies?

While many smart city projects have eco-friendly objectives, adopting smart city technologies can involve significant environmental trade-offs:

Environmentally-friendly effects

  • Smart city data may be used to reduce or restrict the number of vehicles on roads, minimizing emissions.
  • Sensors measuring air quality can provide policy-makers with actionable data.
  • Smart energy grids can deliver and store electricity with increased efficiency.

Environmentally harmful effects

  • Smart city devices may need to be replaced often, generating e-waste which may not be recyclable.
  • The batteries used to power electronic devices may be toxic to the environment.
  • The semi-precious minerals used to make sensors and chips are often mined in countries with lax environmental and human rights laws.

In Canada, federal and provincial environmental laws address some, but not all, of the above benefits and concerns.

How will environmental laws impact smart cities?

In Canada, governments at the federal, provincial, and municipal levels all have laws to protect the environment, regulate industry, and promote sustainability. At the federal level, the Canadian Environmental Protection Act, 1999 (CEPA), the Environmental Enforcement Act (EEA), the Federal Sustainable Development Act (FSDA) and the Canada Foundation for Sustainable Development Technology Act (CFSDTA) may all apply to smart cities initiatives.

Environmental laws also exist, and vary widely, at the provincial level. Generally, provincial environmental laws regulate specific types of pollution such as air, water, and soil contamination; different types of hazardous goods; waste management; and certain resource-intensive industries such as the oil and gas sector, mining, and shipping. Ontario’s Environmental Protection Act also includes, for example, specific provisions regulating motor vehicles and renewable energy.

Finally, local governments such as municipalities can regulate some environmental matters by, for example:

  • Exercising statutory powers related to public health, water, and waste management;
  • Enacting bylaws to prevent cars from idling, to limit water consumption, or to control noise levels;
  • Using planning and zoning laws to promote walkable cities and encourage efficient land use; and
  • Using business licensing and regulation powers to promote sustainability.

How might Canadian environmental law and policy influence smart city development?

Hoehner Research and Consulting Group identifies three independent building blocks for smart energy solutions:

  • low carbon generation
  • efficient distribution, and
  • optimized consumption.

The law has a role to play in each of these three areas:

  • Governments may encourage low carbon generation by incentivizing renewable energy projects that use wind, solar, and geothermal energy.
  • In the area of efficient distribution, governments may encourage cities to adopt energy grids that use computer systems to improve electricity storage and distribution.  
  • To optimize energy consumption, governments may require that traditionally inefficient appliances such as air-conditioning, heating, and water-heating systems comply with certain energy consumption standards and communicate their consumption to a smart electricity grid. This would allow the grid to identify patterns and adjust energy delivery accordingly.

Ultimately, Canadian environmental law may be a powerful tool in the smart cities context, offering incentives to encourage eco-friendly behaviours and creating penalties for environmentally-harmful practices. For example, existing rules in the energy sector provide governments with various tools to curb energy use and prevent waste. Incentives may include research grants or tax credits for businesses and individuals who install smart, energy-efficient technologies. They may also include direct investment from federal and provincial governments to install smart infrastructure.

How might cities use bylaws and other tools to regulate smart city businesses and technologies?

Many smart city projects promote increased urban density and encourage walkable cities. These goals can often be achieved through zoning bylaws and urban development guidelines.

Bylaws are municipal rules which are binding in the city. For example, the City of Toronto Act, 2006, empowers city officials to make bylaws in respect of public health and safety; business licensing; protection of persons and property; and the economic, social and environmental well-being of the city. Many Canadian cities already use bylaws to regulate ride-sharing applications such as Uber and short-term lodging platforms such as AirBnB.

Land-use and zoning rules will likely be used to shape open smart cities. For example, urban planning guidelines, such as the City of Toronto’s Green Standards, can set sustainability requirements and targets for new city development projects. These sorts of rules could be updated to promote smart city objectives by, for example, mandating charging stations for electric cars or encouraging innovative waste removal strategies.

Zoning bylaws state what sorts of buildings can be built where, and designate how buildings may be used. Changing zoning bylaws can dramatically impact how people live, work, and get around cities.

At least one major smart city project group proposes using smart city technology to support dramatic changes to zoning bylaws. Sidewalk Labs, a sister company to Google which plans to build a connected community on the Toronto Waterfront, advocates for flexible zoning rules and “outcomes-based” building codes. This involves zoning buildings as “use-neutral” and using sensors to monitor compliance with dynamic air quality, sustainability, comfort, and infrastructure capacity performance targets (rather than using static zoning rules to restrict how buildings may be used).

Precisely how municipal law will impact smart city development will vary by province and by city. Open smart cities can promote transparency and accountability by ensuring the public is adequately consulted before city bylaws and urban planning guidelines are changed.



Access to Information Act: The Access to Information Act provides Canadians with a right to access information held in federal government records.

Privacy Act: This act regulates how the federal government handles personal information. It also gives Canadian citizens and permanent residents the right to access personal information held by government agencies, and to have errors in that information corrected.  

Freedom of Information and Protection of Privacy Act (Ontario): FIPPA is similar to the federal Access to Information Act and Privacy Act, but applies to Ontario provincial institutions.

Municipal Freedom of Information and Protection of Privacy Act (Ontario): MFIPPA is similar to the federal Access to Information Act and Privacy Act, but applies to Ontario municipal institutions.

Personal Information Protection and Electronic Documents Act (PIPEDA): PIPEDA regulates the collection, use, and disclosure of personal information by the private sector. It applies in all Canadian provinces except those that have adopted substantially similar legislation. It also applies to certain federally regulated industries regardless of the existence of similar provincial legislation.  

Criminal Code: The Criminal Code regulates criminal law in Canada and includes provisions criminalizing the unauthorized interception of communications and the fraudulent and unauthorized use of computers.

Copyright Act: The Copyright Act regulates copyright in Canada. It defines rights, copyright infringement, exceptions to infringement, and remedies for those whose rights have been breached. Software is generally protected under copyright law.

Patent Act: The Patent Act regulates granting patents for inventions within Canada.

Trade-marks Act: The Trade-marks Act regulates both registered and unregistered trademarks. It also regulates the adoption, use, transfer, and enforcement of rights in respect to all trademarks.

Competition Act: The Competition Act promotes competition in Canadian markets and regulates anti-competitive behaviour.

Sale of Goods Act (Ontario): The Sale of Goods Act governs contracts for the sale of goods in Ontario. Other common law provinces have similar legislation.

Federal Sustainable Development Act & Canada Foundation for Sustainable Development Technology Act: These laws form the foundation of the federal government’s sustainable development regime.

Further Reading

Office of the Privacy Commissioner of Canada, Overview of Privacy Legislation in Canada: This page is a good starting point for those who want to gain a basic understanding of Canadian privacy law.

Office of the Privacy Commissioner of Canada, The Internet of Things: An introduction to privacy issues with a focus on the retail and home environments: This paper provides an overview of privacy issues arising from “Internet of Things” technologies, of which smart city technologies are often a subset.

UN University Operating Unit on Policy-Driven Electronic Governance, Smart Sustainable Cities: Reconnaissance Study: This study discusses the potential and challenges posed by smart cities with regards to sustainability.

Articles & Resources

Future of Privacy Forum, Shedding Light on Smart City Privacy: The Future of Privacy Forum has put together this insightful, interactive page highlighting smart city technologies and some privacy issues arising from them.

Teresa Scassa, uOttawa Centre for Law, Technology and Society, Emerging Legal Issues in the Smart Cities Context: One of Canada’s leading tech law authorities reflects on legal issues stemming from smart cities. Topics covered include privacy, liability, and data ownership.

Lilian Edwards, Privacy, Security, and Data Protection in Smart Cities: A Critical EU Law Perspective: Professor Edwards of the University of Strathclyde discusses privacy, security, and data protection as they relate to Smart Cities in the European context.

David Murakami Wood, Queen’s University, Smart City, Surveillance City: Professor Murakami Wood explores the vast surveillance capacity of Smart Cities.

Cathy O’Neil, Weapons of Math Destruction: How Big Data Increases Inequality and Threatens Democracy: O’Neil, a quantum engineer, warns that algorithms can adversely impact day-to-day life in surprising and unsettling ways.

Latanya Sweeney, Technology Science: This journal offers an “open access forum for any original material dealing primarily with a social, political, personal, or organizational benefit or adverse consequence of technology.”

Latanya Sweeney, “theDataMap”: This interactive tool allows users to see where their personal data flows when using certain websites and applications.

Smart City Toolkits and Resources for Cities

Chourabi et al., “Understanding Smart Cities: An Integrative Framework”: The authors discuss how to define a smart city, and consider organizational and technological challenges associated with smart cities.

Making Sense, “The Making Sense Toolkit”: This European “toolkit for participatory sensing” provides a framework for environmental monitoring projects and discusses several case studies.

New York City, “Digital Playbook: Principles and Strategies”: This report discusses six principles and 12 strategies that underpin New York City’s digital policy.

Public Safety Canada, “Fundamentals of Cybersecurity for Canada’s Critical Infrastructure Community”: This 2016 report discusses Canadian cybersecurity best practices, safeguards, and resources for the critical infrastructure community.

Anastasia Stratigea, Chrysaida-Aliki Papadopoulou & Maria Panagiotopoulou, “Tools and Technologies for Planning the Development of Smart Cities”: This academic report proposes and discusses a participatory planning framework for developing smart cities.

STEP UP, “Developing enhanced Sustainable Energy Action Plans”: This useful guidebook discusses smart city projects in Riga, Glasgow, Ghent and Gothenburg. It also provides a framework for cities to develop sustainable energy action plans.

Smart Cities Council, “Smart Cities Financing Guide”: This guide, developed by the Center for Urban Innovation at Arizona State University, discusses various strategies for funding smart city projects.

Smart Cities For All, “Smart Cities For All Toolkit”: This toolkit discusses how information and communications technology can be used to promote accessibility and digital inclusion.


This page was last updated November 2017.
David Fewer, Director, CIPPIC