Modern traffic systems collect unprecedented amounts of detailed data. Cities are increasingly using digital twin technology – to simulate, predict, and optimize traffic flow in real time, enabling smarter and more ethical mobility decisions.
While this enables better urban mobility and safer roads, it creates fundamental questions about privacy and responsible data use. This article examines what cities must consider when balancing the benefits of smart traffic technology with citizens’ rights to privacy.
Twenty years ago, traffic monitoring was simple. Cities used rubber tubes or metal loops in roads to count vehicles. These systems couldn’t identify individual cars – they just counted numbers.
Image credit: kaninw/Shutterstock
Today’s systems are fundamentally different. Automatic Number Plate Recognition (ANPR) cameras read license plates in real-time. Smartphone navigation apps track millions of drivers. AI-powered cameras don’t just count vehicles – they can predict destinations, detect behavioral patterns, and infer personal information.
European cities face a critical challenge: they’re pioneers in smart city technology, but they also operate under the world’s strictest privacy laws. Europe issued €1.2 billion in GDPR fines during 2024 alone, with cumulative penalties reaching €5.88 billion since 2018.
ANPR systems create permanent records of where vehicles travel. This reveals sensitive information: where you live and work, which medical facilities you visit, when you attend religious services, and which political events you attend. Progressive cities now implement strict time limits – typically ~24-48 hours – before automatically deleting this data.
Even anonymized data can identify individuals when observations are connected. A vehicle seen at Location A at 8:00 AM and Location B at 8:15 AM can be tracked across an entire city. Amsterdam learned this the hard way: their smart traffic light pilot was cancelled in early 2025 after privacy authorities warned it could track complete user routes through mobile phone data.
Advanced AI systems infer personal circumstances from traffic patterns. Frequent hospital visits might reveal health conditions. Regular stops at specific locations could indicate relationships. Research shows that when people become aware of extensive data collection, their behavior changes – GDPR implementation resulted in approximately 15% reduction in website traffic as users became more privacy-conscious.
When cities share traffic data with researchers or private companies, they lose control over its use. With 20 U.S. states implementing comprehensive privacy laws by January 2026, managing data sharing has become critical. Best practices now include binding legal agreements, technical anonymization, regular audits, and increasingly, synthetic data that preserves statistical properties without exposing real observations.
The General Data Protection Regulation establishes core principles. Cities must have valid legal reasons for collecting data (typically public interest or legal obligation). They must collect only necessary information, retain it only as long as they are needed, and protect it against unauthorized access. Spain has issued 932 GDPR fines since 2018, while Ireland’s Data Protection Commission has levied approximately €3.5 billion – regulators take enforcement seriously.
Table: Fines by type of violation
Source: https://www.enforcementtracker.com/?insights
By August 2, 2026, the EU AI Act becomes fully applicable. Traffic management systems using AI – particularly those affecting individual rights like violation detection or congestion charging – are categorized as high-risk. This means mandatory privacy assessments before deployment, algorithmic transparency, human oversight, and regular accuracy checks.
Practical compliance means conducting privacy assessments before deployment, documenting legal basis, establishing vendor agreements, implementing access controls, creating automatic deletion schedules, providing citizen data access mechanisms, preparing breach response procedures (72 – hour notification requirement), and conducting regular audits.
Beyond Legal Requirements: Ethical Questions
Legal compliance is the floor, not the ceiling. Cities must address harder questions: Is constant monitoring proportionate to the problems being solved? Are less intrusive alternatives available? Do systems treat all communities equitably? Can systems be scaled back if problems emerge?
Barcelona provides instructive guidance. Under former Chief Technology Officer Francesca Bria, the city developed a citizen data sovereignty framework: data generated by citizens belongs to citizens. Barcelona uses blockchain architecture with cryptographic layers, allowing citizens to control sharing decisions. The city joined Amsterdam and New York in founding the Cities Coalition for Digital Rights, developing policies protecting citizens’ digital rights.
Barcelona created transparent procurement favoring open-source solutions, enabling small local companies to compete with international corporations. This reduced reliance on proprietary systems while improving services and gaining international recognition.
Amsterdam’s smart traffic light pilot used GPS data from mobile phones to optimize signals. The Dutch Data Protection Authority warned about extensive personal data collection. Combined with disappointing traffic results and cybersecurity concerns, the project was cancelled in early 2025. The lesson: even well-intentioned projects fail without privacy built in from the start.
Stockholm’s congestion charging system, deployed in 2006, addressed privacy through strict purpose limitation (data used only for charging), immediate deletion (images removed after payment), independent audits, and public consultation. The system achieved 20-25% traffic reduction while maintaining public acceptance through transparent implementation.
Instead of sending all videos to central servers, modern cameras analyze footage locally. A camera counts vehicles, classifies types, detects violations – all on the device itself. It transmits summary statistics like “23 cars and 5 trucks at the last minute, average speed 35 km/h.” The actual video? Deleted immediately, never transmitted. This minimizes data retention, reduces breach risk, and improves system resilience.
Differential privacy adds carefully calibrated statistical noise to data, enabling aggregate analysis while preventing individual identification. Think of it like flipping a coin before answering a sensitive survey question – researchers get useful patterns without exposing individuals. The global privacy-enhancing technologies market reached $3.12 – 4.40 billion in 2024, projected to reach $12.09-28.4 billion by 2030-2034.
AI systems learn patterns from real traffic data, then generate entirely artificial datasets that exhibit similar characteristics. These synthetic datasets can be shared freely because they contain no information about actual people. Gartner predicted that by 2026, 75% of businesses will use synthetic data instead of real customer data.
The question isn’t whether privacy-respecting traffic management is possible-it’s how to implement it. Fits Traffic, developed by dots., a technology company with 20 years of experience in transportation systems, demonstrates practical approaches to this challenge.
The Fits Vision system offers processing of pictures and video streams locally on existing camera infrastructure, extracting traffic insights without centralized storage of raw video. Also, it offers the option that all pictures and videos are being processed centrally at central location. The system handles multiple use cases-traffic flow counting, intersection monitoring, railway crossing surveillance, road surface quality assessment-while maintaining strict privacy standards through on-device processing and immediate data anonymization.
For toll operators and traffic management centers, Fits Vision enables vehicle detection and tracking on multi-lane free-flow lanes without expensive LIDAR equipment. The system performs classification and counting at the edge, transmitting only aggregate statistics. Raw video never leaves the camera, yet cities and toll-road operators still receive accurate operational data.
The back-office platform demonstrates privacy by design principles in practice. The system implements automated data lifecycle management, ensuring sensitive information is retained only for operationally necessary periods. For parking enforcement and traffic violations, it separates operational data (requiring real-time access) from historical analytics (using aggregated, anonymized datasets). Additionally, all FitsTraffic customers receive data protection impact assessment (DPIA) documentation with their license, which serves as a foundation for meeting GDPR requirements.
Fits Traffic’s philosophy recognizes a critical truth: video quality, lighting conditions, weather, and operational contexts significantly impact both detection accuracy and privacy protection. “One size fits all” approaches fail to deliver both quality results and appropriate safeguards. This is why the company emphasizes tailor-made solutions that balance technical performance with stringent privacy protection.
Why Privacy Matters to Fits Traffic: As pioneers in the Baltic region’s intelligent transportation sector, we understand that technology vendors bear responsibility for how their systems affect citizens. Privacy isn’t a checkbox for compliance – it’s fundamental to building sustainable, trustworthy urban infrastructure. Cities that deploy surveillance without privacy protections face public backlash, legal penalties, and ultimately, project failure. Conversely, systems built with privacy as a core architectural principle enable cities to realize traffic management benefits while maintaining public trust. This approach isn’t just ethically right – it’s practically necessary for long-term success.
Technical and legal measures require complementary governance. Transparency measures include public registries of all sensors, data access portals enabling citizens to review their data, regular privacy reports, and algorithm documentation. Democratic governance includes privacy advisory boards, public consultation before deployment, sunset provisions requiring periodic renewal, and whistleblower protections.
The Cities Coalition for Digital Rights, launched by Amsterdam, Barcelona, and New York in 2018, provides frameworks for international cooperation on these challenges.
Connected and autonomous vehicles will generate unprecedented data volumes. Biometric sensors for driver authentication require careful scrutiny. Predictive analytics blur boundaries between traffic management and behavioral surveillance. Cross-border data flows need international agreements. The Global Cross-Border Privacy Rules Forum, launched in June 2025, is developing updated requirements, though harmonization remains challenging.
Cities should prioritize privacy by design, embedding protection from system inception. Collect only necessary data. Make practices transparent and understandable. Provide communities meaningful voice in surveillance decisions. Implement technical safeguards systematically. Maintain legal compliance. Plan for breaches. Conduct regular audits. Foster public trust through engagement. Collaborate internationally through networks like the Cities Coalition for Digital Rights.
Traffic data offers substantial potential for improving urban mobility, reducing congestion, and enhancing safety. But these benefits must not compromise privacy, autonomy, and public trust. Cities face a choice, but not the false choice between smart cities and surveillance cities.
Europe has issued over €5.88 billion in GDPR fines since 2018, demonstrating that privacy is a legal requirement, ethical obligation, and competitive advantage. The question isn’t whether to protect privacy or improve traffic management – it’s how to accomplish both. With thoughtful design, robust safeguards, and genuine democratic oversight, this balance is achievable and essential.
Successful cities will view privacy as a foundation for public trust rather than an obstacle to innovation. Solutions like Fits Traffic demonstrate that privacy-respecting traffic management is practically achievable with proper technical architecture and organizational commitment. This approach creates urban environments where people want to live, work, and move freely – truly smart cities, not surveillance cities.
Regulatory and Compliance
European Union. (2016). General Data Protection Regulation (GDPR). Official Journal of the European Union.
European Union. (2024). Regulation on Artificial Intelligence (AI Act). Entry into force: August 2, 2026.
GDPR Enforcement Tracker. (2024). Cumulative fines: €5.88 billion (2018-2024). Spain: 932 fines; Ireland: €3.5 billion.
Gartner. (2024). Privacy regulation forecast: 75% of global population coverage by 2024.
Research and Analysis
International Journal of Industrial Organization. GDPR implementation: ~15% long-term traffic reduction for websites.
Privacy-Enhancing Technologies Market Report. (2024). Global market: $3.12-4.40 billion (2024), projected $12.09-28.4 billion (2030-2034).
Gartner. (2026). Synthetic data: 75% of businesses to use generative AI for synthetic customer data by 2026.
City Case Studies
Barcelona City Council. (2018-present). Citizen data sovereignty framework. Blockchain privacy architecture.
Cities Coalition for Digital Rights. (2018). Amsterdam, Barcelona, New York. Digital rights framework.
Amsterdam Municipality. (2023-2025). Smart traffic lights pilot cancelled following privacy concerns.
Stockholm Transport Administration. (2006-2007). Congestion charging: 20-25% traffic reduction.
Technology Solutions
Fits Traffic. Computer Vision Solution for Transportation. Edge-based monitoring with privacy-by-design. https://fitstraffic.com
dots. Fits Traffic Back-Office Platform. 20 years experience in transportation IT infrastructure.
International Frameworks
Global Cross-Border Privacy Rules Forum. (2025). Developing requirements for sensitive data protection.
U.S. State Privacy Legislation. (2026). 20 states with comprehensive laws emphasizing consent and oversight.
