Abstract
This work answers the following question, how to gather and act on personal data in smart city projects using boundary objects? Smart city projects require new mapping methods so they can share and discuss work collectively. Working collectively is necessary because smart city projects are difficult to map in one singular view for personal data because different smart city stakeholders have a part of the required information. Summarising data processing operations is most often taken for granted and under-defined in Data Protection Impact Assessment methods.
This paper is a plea for the use of boundary objects for GDPR compliance and research in smart cities. Therefore, this article is a comparison of the original context boundary objects with the context of smart cities to illustrate the need for a similar approach. The main results of this paper point to a new approach to enable collaborative GDPR compliance where specialist knowledge trickles down to developers and other actors not educated to comply with GDPR requirements.
You have full access to this open access chapter, Download chapter PDF
Similar content being viewed by others
Keywords
1 Introduction
This research paper is an answer to a pragmatic question: how to gather and act on personal data in smart city projects using boundary objects? In smart city projects, there is a need to map data processing operations due to risks to privacy and the threat of GDPRFootnote 1 fines. Collecting this information is challenging because people with this task rarely have access to the information or have the expertise to understand all technicalities.
Also, the nature of smart city projects brings its own challenges. Smart city projects comprise new innovations where multiple departments or organizations have to work together on a new technology from concept, prototype to launch. This means that: different smart city stakeholders hold a part of the required information, the project changes over time which results in personal data flows that are vague and under-defined. Because of this complexity, we could say smart city projects exist at the boundaries between different social worldsFootnote 2 where GDPR compliance adds extra complexity beyond the complexity of getting a working proof of concept.
Problem Statement:
How to improve the lack of information about personal data processing in smart city projects through boundary objects? This essay compares boundary objects as an approach that may improve personal data processing documentation required for further steps in GDPR compliance. To answer this question, we look at factors that render this a difficult undertaking and compare these to the data collection challenges that prompted the use of boundary objects as a concept and tool.
Relevance:
From a societal perspective this is important as more and more cities invest in smart city projects, which means they monitor public space more than before. To prevent a trade-off between more smart city benefits versus privacy, a complete mapping of the data collection process may help in creating the circumstances to have smart city benefits and privacy. From a scientific perspective, there is little research on how to collect and distribute information about an innovation in development and discuss it collectively. The literature is clear on the requirements to mitigate privacy challenges during development but very unclear on how to implement these in the development process. Smart cities, as an object of study, are interesting because it is still an underdefined concept that will most likely crystallize soon. It means that many actors have different views on what a smart city should be. This means two things. That boundary objects are very helpful to bridge different viewpoints and that stakeholders can work together via boundary objects to come to an acceptable definition of smart cities for all.
We believe GDPR compliance can only achieve Privacy-by-design if an organization distributes legal requirements on the ground. It will not work if GDPR compliance remains the isolated responsibility of one person. To break GDPR compliance out of its isolation, we need to cross disciplinary boundaries. Last, improving transparency tools like boundary objects for the GDPR may also increase relevance of this regulation as more stakeholders become empowered to take part in smart cities.
Results:
We found that ensuring GDPR compliance in smart city projects is a context with a high degree of interpretive flexibility; things have different meanings to different people. This is challenging because there is a collective goal of delivering a working proof of concept which is GDPR compliant. Just like museums for vertebrate zoologyFootnote 3, there is a need to create a shared language to talk about specific information between different backgrounds and disciplines.
I structure this paper as follows. We first summarize the history of boundary objects, their main components and their theoretical background. We then continue by situating smart cities, smart city projects and the challenges for GDPR compliance. Next, we compare how the problems solved with boundary objects in museums are like those of smart city projects. We then conclude with advantages of using boundary objects in smart city projects.
2 Boundary Objects History and Architecture
For this part we aim to provide the context in which Star and Griesemer developed boundary objects, the perspectives they are part of and the architecture or basic building blocks they comprise. We require this to compare this context to that of smart city projects.
Boundary objects as a concept resulted from Star and Griesemer’s research into cooperative work in the absence of consensus [1]. This occurs if different social worlds have to arrive at a coherent (research) result. For example, during the developments of Berkeley’s Museum of Vertebrate Zoology, 1907–39 [2]. The cause and context for this research was the authors’ search for situations in need of cooperative work where little to no consensus exists.
Star and Griesemer describe the beginning of the 20th century in West America as a situation where zoologic museums were evolving from amateur collections to academic curated collections. Here, amateur enthusiasts curated museums for fellow enthusiasts. In Stars case, these amateurs were interested in Californian ornithology. What changed, was biological science’s need for large information collections. This meant that amateurs from different hobbies increased their interaction with curators and scientists to create scientific knowledge together.
Grinnel, an ecology biologist and director of Berkeley’s Museum of Vertebrate Zoology is instrumental to facilitate this change from amateur museum to a research center: “Joseph Grinnell was the first director of the Museum of Vertebrate Zoology. He worked on problems of speciation, migration and the role of the environment in Darwinian evolution. Grinnell’s research required the labours of (among others) university administrators, professors, research scientists, curators, amateur collectors, private sponsors and patrons, occasional field hands, government officials and members of scientific clubs” [2].
Grinnell changed the practices of amateur bird collectors and museum curators to fit his needs as a biologist. His aim was to map how environment plays a role in Darwin’s evolution theory to support Darwin’s work with proof. To do so, Grinnell collected bird sightings, bird cadavers and references to where these were found. This collection needed to be so large Grinnell could not do it alone.
The group of amateurs already gathered information and birds to contribute to the museum but in a non-standardised, incoherent way. Thus the practices of this group did not fit the rigorous reporting Grinnell required. To use their information for scientific progress, Grinnel had to overcome two barriers. First, the work Grinnell expected them to do had to fit in their current activities. Second, he had to discipline amateurs to understand what he expected from them without overburdening their free time.
Grinnell taught his different information providers how to do fieldwork with the bare minimum of required biological knowledge and methods to standardise this. Next, he encouraged the use of boundary objects; specifically structured field notes containing information fields of interest to all involved parties but still rigorous enough for scientists to use as input for their research.
For example, when amateur and professional trappers capture animals, they needed to understand what parts of the animal had to remain intact, how to preserve them and last, what information trappers needed to add about the environment they captured it in. Grinnell facilitated the first two through teaching and the latter with field notes.
In Star’s words, the information and the actors that contributed needed discipline. As we will see, this challenge is very similar to our smart city environment where non-experts collect information and where this information needs discipline as well. This brings us to the following section on how to carry this out.
2.1 Boundary Object Architecture
Boundary objects and standardization facilitate information sharing where actors try to perform cooperative work in the absence of consensus. Interpretive flexibility of a subject causes the latter. Different people see different meanings in the same phenomenon. This poses challenges for collective work because the chances to align everyone spontaneously are non-existent. Therefore, mutual understanding increases through standardisation and boundary objects.
Standardization takes place before the use of boundary objects, because it is work that brings different social worlds together: “By emphasizing how, and not what or why, methods standardization both makes information compatible and allows for a longer ‘reach’ across divergent worlds” [2].
A boundary object is a material or organisational structure to allow groups without consensus to work together. In that regard the object functions as an information carrier to facilitate work between groups that wish to cooperate despite their lack of consensus. It comprises two elements: object and boundary [1]. Object refers to something people act toward and with while boundary refers to a line between two worlds or social groups.
The object requires the following [1]:
-
It has to exist between two or more social worlds
-
It is vague for common purposes but particular social groups can specify information further because it remains open enough
-
If no consensus exists, it can be a back and forth object until they reach consensus
For example, index cards to classify collections of bird samples. These exist between the person who brought in the bird cadaver, the curator and the scientist. It satisfies the first condition. It is open because it contains more information fields than any of the involved parties require. Each actor is interested in a subset of these information fields. Last, the history of the museum Star describes is one where Grinnell and others had to work on convincing others and part of that convincing comprised changing reporting methods to better fit in their free time.
This is where Star and Griesemer divert from Actor-Network theory on which they rely. There is a soft kind of steering that strives for coexistence instead of domination: “Grinnell’s methods emphasis thus translated the concerns of his allies in such a way that their pleasure was not impaired - the basic activities of going on camping trips, adding to personal hobby collections and preserving California remained virtually untouched. With respect to the collectors, Grinnell created a mesh through which their products must pass if they want money or scientific recognition, but not so narrow a mesh that the products of their labour cannot be easily used” [2].
2.2 Origin of the Approach
In this section we situate Star and Griesemer’s work within the respective disciplines they borrow from, symbolic interactionism and ANT. This is done to show the subtle difference between boundary objects and ANT. This difference will be used in the conclusion to refer to two styles of collaboration.
Symbolic interactionism “is part of a tradition of thought which comes from symbolic interactionism which seeks to qualify articulation mechanisms surrounding the perspectives of authors belonging to heterogeneous social worlds” [3]. Symbolic interactionism is “a micro-sociology tradition which rejects both sociological and biological determinism and privileges explanation on the basis of dynamic interactions which are observable between individuals. It underlines the fact that the sense of phenomena results from interpretations made by actors in context. These interpretations are to do with interpretive frameworks which move away from interactions between actors (verbal and non-verbal symbolic interactions)” [3].
Social worlds are defined as “activity groups which have neither clear boundaries nor formal and stable organisations. They develop through the relationship between social interactions which move away from the primary activity and the definition of pattern and reality. The notion derives from the symbolic interactionism tradition” [3].
ANT is adapted to fit with symbolic interactionism and the aim of the authors, to enable consensus between social worlds where there is none. In order to do that they render ANT more ecological. This means that they approach the interessement phase of Callon [4] in a manner where each actor is equally capable of defining translations. In order to understand this we need to define translations, interessement and obligatory passage points.
Translation [5] refers to the situation where one actor A succeeds in convincing another actor B to change their behaviour, usually in favour of the first actor (A). This is most often initiated by creating interessement [4]. This means that actor A needs to redefine his problem in such a way that it also becomes actor B’s problem. In obligatory passage points (OPP) actor A has created a situation where B has to pass through because there is no other way and in so doing they change their behaviour to align with the prescribed behaviour A expects from B.
What the authors criticize ANT for, is that the latter’s analysis aims at mapping obligatory points of passage. According to Star and Griesemer this means that networks are always reduced to the dominance of one actor.
In my opinion, Star and Griesemer reduce ANT to this top down thinking where one actor is dominant, and this makes sense since ANT is full of examples of OPPs that reinforce this observation. Nevertheless, the method ANT prescribes is one where each actor should be described in the same way without any a priori distinction [4, 6]. What is more, this approach leaves room for resistance in the concept of anti-scripts [7] and circumscription [8], two concepts that refer to resistance of actors to proposed translations.
This theoretical discussion set aside, what can be said is that Star and Griesemer are using ANT in a different context. The context is what they refer to as N-translation [2]. All involved actors are suggesting translations for other actors and because this is a context of collaboration, the question changes from domination to cooperation. How is it possible to have many translations while keeping consensus?
This means that the boundary object approach is more concerned about solutions than contestations. ANT is more suited to unearth hidden conflicts and contestations in dominant configuration. This approach focuses on the critical aspects of social constructivism. Boundary objects as an approach, use the fact that social constructivism exists to enable cooperation between actors; different understandings of the same phenomenon exist and that this can be overcome if all actors agree on standard definitions and approaches that can be used by all because they fit in their practices and social worlds.
3 Smart City Definition and Project Context
The aim of this part is to summarize what a smart city might mean and what this means for smart city projects that process personal data. Without reducing smart cities in one definition, we could say that this concept broadly refers to a development where multiple actors decide to work together on a smart city challenge. In terms of cooperation, the ideal refers to working with as much stakeholders as possible: “a smart city should focus on collaborating with diverse stakeholders, using technology as an enabler to achieve better and more efficient services to citizens” [9].
Walravens et al. pursued a more empirical definition in close collaboration with large Flemish cities: “A Smart City is a city in which all relevant city actors from the quadruple helix work together on more efficient and effective solutions, with the goal of tackling urban challenges. This collaboration is characterized by enabling innovative solutions that respect the local context and individuality of a city. Collecting, processing, sharing and opening data with relevant stakeholders contributes to concrete policy making and solutions. The local government can take up different roles, depending on the projects and which stakeholders or technological solutions are involved: local government can initiate, facilitate, direct, stimulate, regulate, experiment, test, validate, implement… The local government performs this function to serve and protect the public interest” [10].
In these definitions stakeholders are defined as members of the quadruple helix which “includes four types of actors (1) policy, (2) citizens, (3) research and (4) private partners” [10]. We can safely assume and testify in what follows that the quadruple helix consists of actors coming from different social worlds. But also that they wish to cooperate but lack consensus.
3.1 Smart City Project Context
It is impossible to talk about THE smart city, so instead we focus on concrete projects. That is the reason why we refer to the smart city project context. We define this context as an interdisciplinary and inter-organisational context which focuses on results first and GDPR compliance a bit later. Since we focus on GDPR compliance, we will follow with a section on privacy in smart city contexts after the more general description which follows now.
Smart city projects tackle urban challenges first and address GDPR challenges created later. Due to the newness and vagueness of smart cities as a concept, many projects are proofs of concept to illustrate possibilities. As a result, projects are evaluated on their performance first and secondly on their privacy protection. On a more practical level it means that practical solutions to implement a project are added first and that these are then evaluated with regard to the GDPR. This is pragmatic as the GDPR alone cannot steer innovation.
As previously mentioned authors point out the need to include the quadruple helix in smart city projects. These cooperations are believed to foster the exchange of ideas and technology [11]. This requirement to involve many different stakeholders results in a bigger variety of disciplinary backgrounds or social worlds. We define three challenges that render consensus difficult, a vertical challenge of working on different levels or social worlds. A horizontal challenge of working with different organisations. And lastly, the GDPR compliance challenge itself.
Project Vertical (Interdisciplinary Challenges)
With vertical I refer to the different layers in a single organization and the challenge of reaching consensus in one organization. In each project, different roles have to contribute to the successful implementation of a project: project management, development, legal, user testing, communication are roles that are often taken up by different people inside an organisation. The first challenge consists of aligning these different layers of an organisation. This is difficult because these layers are tied to different social worlds. For example, project managers may not have the same technical background their development team has.
Project Horizontal (Inter-organisational Challenges)
The quadruple helix includes different organisations and stakeholders’ involvement in smart city projects. This adds an additional layer of factors that slow down the collection of relevant information and decision making based on this information. We can discern three factors: More time and effort is required to reach the right people that have information, the GDPR itself becomes an item of interpretation between different organisations and all of the vertical challenges apply to each organisation. For example, a city may propose a joint controllership but their partner may not believe that this is really necessary. The newness and vagueness of the text create discussions on what it really means for smart city projects.
Particular Compliance Context
In this article we limit ourselves to accountability: “as a principle which requires that organisations put in place appropriate technical and organisational measures and be able to demonstrate what they did and its effectiveness when requested” [12]. Here the EDPS refers to the following measures: “adequate documentation on what personal data are processed, how, to what purpose, how long; documented processes and procedures aiming at tackling data protection issues at an early state when building information systems or responding to a data breach; the presence of a Data Protection Officer that be integrated in the organisation planning and operations etc.” [12]. In this paper we focus on adequate documentation to ensure the ensuing steps of accountability.
This means that the GDPR poses a requirement from the legal layer to the other layers in one organization and between multiple organizations: be able to account for all the data processing on personal information. The challenge is very similar to that of the vertebrate zoology museum. Information has to be gathered in a disciplined manner and information itself has to be standardised to become useful. In practice this means that a person charged with documenting how data are processed has to do two things:
-
Ask other parties to collect information about data processing operations
-
Facilitate decision making about data processing operations
In sum, it could be said that knowledge is gathered without really knowing what needs to be collected. Decisions have to be made without really understanding what is at stake. This is a very similar situation to the vertebrate zoology museum. In what follows we explain why and how the Berkeley’s Museum of Vertebrate Zoology is the same situation as our smart city projects.
4 Comparison of Situations
In this section we compare the context of the museum with that of smart city projects. What they have in common, is the need to include other parties to gather information, that all involved actors care for a common goal and that there is a need for standardization and boundary objects.
In both cases, the people who have access to the required information for good biological research or data protection, are not the people responsible for this goal. The people who have access to this information have access for different reasons. It means that they are from a different social world than biologists or GDPR managers. In the case of the smart city, these people are in the business of making sure their part of the smart city project works.
All involved stakeholders hold privacy dearly as it is important for the realization of their own goals. Trappers, amateurs, etc. capture and observe birds and care about understanding the environment of these birds. In both cases, there is an overlap but each actor may differ in terms of engagement or degree of importance. An engineer will not add the same priority to GDPR compliance as a compliance manager.
Those who care most about gathered information are the compliance manager and biologist but these have to rely on other actors to gather the necessary information to reach their common goal. Mapping bird ecologies or compliance with the GDPR. Because of this, those that gather information other than the specialists need to use standardized methods and boundary objects to attain this goal.
In conclusion we can say that both situations are highly similar. It could be argued that documenting data processing operations is easier compared to the museum context because the smart city context works with paid professionals rather than hobbyistsFootnote 4. GDPR compliance as a goal may also be more contested than the preservation and collection of wild life. GDPR can be motivated positively, for example, because we value privacy, or negatively, because we try not to get fined or receive negative attention.
4.1 Incoherent GDPR Compliance
This section adds examples of lack of consensus that can either be solved through standardization or boundary objects to further prove the point that this approach would add value to smart city projects. The lack of consensus may lead to a mismatch between legal concepts and other disciplinary concepts, the lacking existing boundary objects to gather information and the need for data visualizations that are understandable for all.
In many cases, the biggest challenge consists of reducing the mismatch between key legal concepts and the definition stemming from other social worlds. For example, knowing what personal data is, is the most important definition because it allows anyone involved in a smart city project to understand that a data collection or processing operation should be documented. A very common mistake consists of interpreting personal data as data the person who sees the data can use to identify an individual. This also means that data that do not allow someone to identify an individual is non-personal. As a result, IP-addresses but also infrared images are too quickly categorised as non-personal or anonymous data.
Another challenge is perhaps the need to fill in a data register. This is a repository to store all GDPR required information in an excel or database format. These registers use GDPR jargon making them difficult to use for non-GDPR users. What is more, a data register is a really difficult format to see the risks posed by the data because it is too abstract to identify possible risks.
Lastly, a lot of time is lost in discussions where legal concepts have to be applied in agreements that follow reality. Here agreements are drawn without a clear idea of what will happen in the project. A mismatch between the reality that is assumed by the legal department and that of the actual personal data flows may follow as a result.
5 Conclusion
In the theoretical discussion about Star and Griesemer’s divergence from ANT, the big difference was a difference of approach to problems. In ANT a problem was solved through careful manipulation of different actors until they acted in one way as planned by the most dominant actor. In this case, all other actors have to pass through an obligatory passage point. In boundary objects, a more ecological approach is put forward. Collaboration can only exist if knowledge is shared through the largest common denominator and when new actions are aligned with existing practices. For GDPR compliance, we face the same choice. Compliance can be achieved through domination or collaboration.
In the case of domination, this means that a compliance manager needs to take care that GDPR requirements become an obligatory passage point. Regardless of what other actors think or feel, there is no alternative than to comply with the behavior prescribed by the compliance manager. On a more pragmatic level this sort of GDPR compliance will look imposed and top down. A compliance manager will have to impose her or himself in project processes and demand to be reckoned with.
If collaborative GDPR compliance is the goal. This is not achieved by forcing other actors through an obligatory passage point, compliance from the boundary object point of view is achieved by fitting compliance efforts in the actions that already occur in smart city projects. This means that boundary objects and thus compliance documents and methods need to make sense and be useful for other tasks than mere compliance.
The Latter Approach has Advantages for Overall Privacy in Smart Cities
-
If the aim is to increase privacy-by-design, then GDPR concepts should be present in the minds of developers and project owners.
-
Boundary objects create a back and forth dynamic and the documentation of such a process may be interesting to understand the development and the meaning of a particular smart city. Moreover, such documents would increase accountability as all decisions are documented.
-
Boundary objects allow laymen to aid in the easiest tasks of GDPR compliance. By enabling partners to map their own data processing operations, money and effort is saved that would otherwise go to an internal or external specialist. This would not only be costly but also a lost learning opportunity.
Notes
- 1.
The General Data Protection Regulation replaced the Data Protection Directive in May 2018. An important change in this reform is the principle of accountability. It requires data controllers to be able to demonstrate compliance with GDPR principles. For this requirement smart cities require full awareness about their data processing activities and this is perceived as new by many data controllers.
- 2.
Cfr. infra.
- 3.
The case Star and Griesemer used to develop the concept of boundary objects.
- 4.
At least this was the case for the projects this author was involved in. Citizen science and participatory action research are becoming common place in smart city projects which means that hobbyists will become part of the solution. www.curieuzeneuzen.be is an example of an approach including hobbyists.
References
Star, S.L.: This is not a boundary object: reflections on the origin of a concept. Sci. Technol. Hum. Values 35, 601–617 (2010)
Star, S.L., Griesemer, J.R.: Institutional ecology, ‘translations’ and boundary objects: amateurs and professionals in Berkeley’s Museum of Vertebrate Zoology, 1907-39. Soc. Stud. Sci. 19, 387–420 (1989)
Trompette, P., Vinck, D.: Revisiting the notion of boundary object. Rev. Anthropol. Connaiss. 3(1), 3 (2009)
Callon, M.: Some elements of a sociology of translation: domestication of the scallops and the fishermen of St Brieuc Bay. In: Power, Action and Belief: A New Sociology of Knowledge? pp. 196–223. Routledge, London (1986)
Callon, M.: Techno-economic networks and irreversibility. In: Law, J. (ed.) A Sociology of Monsters: Essays on Power, Technology, and Domination, pp. 132–161. Routledge, London; New York (1991)
Law, J.: After ANT: complexity, naming and topology. Sociol. Rev. 47, 1–14 (1999)
Latour, B.: Where are the missing masses? The sociology of a few mundane artifacts. In: Bijker, W.E., Law, J. (eds.) Shaping Technology/Building Society: Studies in Sociotechnical Change, pp. 225–258. MIT Press, Cambridge (1992)
Akrich, M.: The de-scription of technical objects. In: Shaping Technology/Building Society: Studies in Sociotechnical Change, pp. 205–224. MIT Press, Cambridge (1992)
Mechant, P., Walravens, N.: E-government and smart cities: theoretical reflections and case studies. Media Commun. 6, 119 (2018)
Walravens, N., Waeben, J., Van Compernolle, M., Colpaert, P.: Co-creating a practical vision on the smart city. In: Proceedings of the 15th Architectural Humanities Research Association International Conference, Eindhoven (2018)
Baccarne, B., Mechant, P., Schuurman, D.: Empowered cities? An analysis of the structure and generated value of the smart city ghent. In: Dameri, R.P., Rosenthal-Sabroux, C. (eds.) Smart City. PI, pp. 157–182. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-06160-3_8
Accountability. https://edps.europa.eu/data-protection/our-work/subjects/accountability_en
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 IFIP International Federation for Information Processing
About this chapter
Cite this chapter
Heyman, R. (2019). Sharing Is Caring, a Boundary Object Approach to Mapping and Discussing Personal Data Processing. In: Kosta, E., Pierson, J., Slamanig, D., Fischer-Hübner, S., Krenn, S. (eds) Privacy and Identity Management. Fairness, Accountability, and Transparency in the Age of Big Data. Privacy and Identity 2018. IFIP Advances in Information and Communication Technology(), vol 547. Springer, Cham. https://doi.org/10.1007/978-3-030-16744-8_2
Download citation
DOI: https://doi.org/10.1007/978-3-030-16744-8_2
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-16743-1
Online ISBN: 978-3-030-16744-8
eBook Packages: Computer ScienceComputer Science (R0)
