The Chula Vista City Council has approved a new policy that will govern how the city can use technology and protects residents from data collected by its surveillance equipment.
The policy was developed by a city task force formed after residents learned in 2020 that the police department had allowed numerous law enforcement agencies, including Immigration and Customs Enforcement, to access data gathered by its Automated License Plate Reader program. Chula Vista’s signature drone program had also raised public concern over whether it could violate people’s privacy.
Residents have wanted strong oversight of the city’s technology systems from experts who could understand emerging technologies and review data gathered by law enforcement gadgets. The forthcoming Privacy and Technology Advisory Commission mandated under the policy aims to serve that role.
“Ultimately, the policy is designed to get any kind of technology that the city uses to come through this new commission,” said Jim Madaffer, CEO of the public relations firm the city hired to guide the task force in creating the rules.
The commission will review new acquisitions and reports prepared by city staff on potential impacts the tools could have on the public and city systems, as well as facilitate public discussions on related issues. The commission may consist of technology experts, financial auditors, public safety professionals and activists focusing on government transparency.
Under the new policy, technology is categorized into three types: general technology, which includes emails and cellphones; sensitive technology, like drones and traffic signal cameras; and surveillance technology, such as the license plate readers.
Surveillance technologies will require the highest level of oversight.
If Chula Vista wants to acquire a new surveillance tool, for example, the city would have to develop a policy explaining why it is needed, how it would be used and protocols for data collection and access. A report evaluating potential impacts and ways to mitigate any negative effects would also be created. The privacy commission would then review the report and make a recommendation to the City Council, which would ultimately permit an acquisition. If approved, the city manager would report at least once every two years how the technology had been used, any adverse impacts and the status of the data collected.
Residents and privacy activists who pushed for oversight said the policy is a good start, but it doesn’t go far enough. Some worry that vague language will lead to an ineffective policy with too many loopholes.
The rules grant the city manager or City Council power to waive elements of the policy “in the event of demanding circumstances or other circumstances that make compliance impossible or infeasible.”
Advocate Nancy Relaford said the waiver built into the policy “renders it almost meaningless” because “that could cover anything at any time.”
Madaffer said circumstances would include events like an earthquake or if a drone captured footage of a crime in progress that was unrelated to the call it was deployed to.
Task force members and residents also felt strongly about the need to hire a chief privacy officer, akin to UC San Diego’s campus privacy officer Pegah Parsi, whom the task force met during their information-gathering sessions. Parsi manages privacy initiatives related to students and employees and offers guidance on state privacy laws.
Chula Vista will instead have an advisor function that could be carried out by “one or more City staff members or consultants with privacy and technology expertise,” reads the policy.
Sophia Rodriguez, the task force’s chair, said hiring a chief privacy officer is a vital investment for the city, especially with major projects underway and a rise in growth.
“With the new bayfront project, we’re going to have a lot of foot traffic, a lot of personal information (that) these new companies, these new hotels will be collecting,” said Rodriguez. “This is prevention at its finest.”
City Manager Maria Kachadoorian ultimately decided which policy elements that the task force developed would be proposed to the City Council. She approved the majority, but not to hire a chief privacy officer. She said the move would require budget consideration and that hiring a consultant to do the same would be faster than going through the recruitment process.
Pedro Rios, a task force member, said he wanted the policy to acknowledge that Chula Vista had shared license plate reader information with federal agents and that the community pushed for corrections.
Mayor Mary Casillas Salas agreed with Rios. Though not specific to ALPR, city staff added language that one of the policy’s purposes is to “respond to valid community concerns regarding the sharing of personal information through the use of technology that has the potential for adverse impacts on civil liberties.”
Task force members and residents also encouraged the city to consider creating a privacy rights ordinance, much like San Diego’s surveillance ordinance approved earlier this year.
Councilmember Steve Padilla, who is poised to become a California senator, said he hoped the new City Council would “consider codifying (the policy) in a more meaningful way” by way of an ordinance.