Principle 3. Provide Accessible Means for Dispute Resolution, Use Graduated Sanctions Against Rule Breakers, and Make Enforcement Measures Clear.

Ostrom’s original principles: Provide accessible, low-cost means for dispute resolution; Use graduated sanctions for rule violators.

1. Provide accessible means for dispute resolution

Dispute resolution and rule enforcement are necessary complements to transparency and reporting requirements. There is no point in publishing an operating or privacy policy if there are no consequences for violating those policies. Written statements are worthless without ways to hold actors accountable.Without ways to hold actors to account, those written statements are worthless.

Create a place, process, and figure responsible for conflict resolution in a manner that stakeholders perceive as fair. Provide mechanisms for rule enforcement and for dealing with bad actors appropriately.

Grievances over smart city projects may come to light after technologies are implemented, or following the release of new information due to monitoring activities. Disputes may arise over data breaches or policy violations (e.g., individuals may complain that their data is used in an unanticipated or impermissible way), or over the location and presence of different technologies (e.g., the existence of an integrated data center, or sensors installed uncomfortably close to a school).

Courts provide one means of dispute resolution. Yet most existing data-protection laws are very limited in scope and accessibility, and therefore are not conducive to court adjudication. For example, many comprehensive data-privacy laws (such as GDPR or CCPA) are directed only at private companies and not government, exempting public bodies from compliance. Other legislation enabling data privacy suits (such as the Federal Trade Commission Act Section 5) does not allow for a private right of action, so individuals are unable to bring claims on their own behalf. Instead, a case would have to be filed by a body like an attorney general or the FTC.

An obvious solution is to amend existing legislation or introduce new legislation that address these challenges. City ordinances have been shown to be effective tools to enforce norms around surveillance technology.¹ Under Seattle's surveillance ordinance, for example, the city’s Chief Technology Officer can order a stop to the acquisition or use of surveillance technology or its data if any practices violate the ordinances. Under Oakland's surveillance ordinance, any individual “subjected to a surveillance technology in violation of this Ordinance” can bring a lawsuit in California courts against the city, and be entitled to recover actual damages.

But not all situations will or should result in litigation, as a matter of practicality and accessibility. Lawsuits take a considerable amount of time and resources which many people cannot afford. If a resident is unhappy about a sensor located right next to their house, for example, this issue may be better resolved through mediation between that individual and those responsible for sensor placement. An impartial third party, mutually agreed upon, can act as judge—perhaps a city-level government official. In a smart city data dispute, the arbitrator may want to take a more hands-on role, such as conducting an impact assessment of the sensor.

The New York Attorney General’s Bureau of Internet and Technology (BIT) accepts tips and complaints directly from the public, and mediates disputes between consumers and online sellers, service providers, and Internet companies. Could we take inspiration from these procedures, expanding the scope to include government agencies, as well as complaints beyond fraud, deception, or unfair business practices?

2. Use graduated sanctions against rule breakers

Ostrom emphasised the need for proportionate sanctions, or different enforcement actions based on the seriousness and context of an offense.

Sanctions related to smart city data should deter potential wrongdoers and also provide retributive relief to victims. Large fines are effective as a deterrent. On the other hand, ordering a specific action, such as an injunction on the technology, or an order to move its location or alter its data practices, may be more effective at correcting the wrong and providing relief to the victim.

Sanctions should be based on the actual and potential harm suffered, any history of abuse or misuse, whether the violating party was already aware of the problem, and its response, if any.

Finally, transparency and consistency about what types of harm trigger sanctions is key for purposes of fairness and compliance.