Local Data Limits Threaten Accountability in Automated Enforcement
Local data ownership sounds noble, but can it actually boost accountability in automated enforcement? Local control isn't the same as real oversight that protects rights.
Look — making cities the default owners of enforcement data sounds noble. Governing’s piece on “Local Data Sovereignty in Automated Enforcement” wraps that idea in civic righteousness: local control, local policy, local accountability. Trouble is, control and accountability are not the same thing as systems that actually work while they’re supposedly protecting rights.
Let’s start with the upside, because it’s real. Local control can tighten privacy. When a mayor’s office sets strict deletion schedules and narrow use cases, voters know exactly who to blame if data is abused. There’s a clear political path to accountability that simply doesn’t exist with a distant agency or a private company three time zones away. For people already wary of automated license plate readers and traffic cameras, that’s not some abstract benefit — it’s the only arrangement they halfway trust.
But here’s what nobody tells you: sovereignty without standards is just a different kind of lock-in.
Cities want to avoid handing raw footage and biometric outputs to private vendors or federal databases. That impulse is understandable; people want their streets governed by officials they can vote out. Yet the minute a city declares, “We own all the data, we host it, we control access,” the clock starts on a brutal operational question: who is actually going to run this?
Municipal IT shops don’t magically become data centers, compliance offices, and procurement strategists because council passed a sovereignty ordinance. If they can’t handle it in-house, they’ll outsource the plumbing to the same vendors they’re trying to fence off — only now those vendors will charge a premium for the privilege of obeying bespoke local rules.
Take procurement reality. A single police department buying an automated license-plate reader system or traffic cameras from a vendor like Motorola Solutions or a cloud provider like AWS doesn’t just pick a gadget. It’s choosing among three expensive paths: build and host the entire stack in-house, demand that the vendor deploy into city-controlled infrastructure, or accept vendor-hosted but “segregated” storage that meets whatever the local sovereignty rules say this month.
Guess which one cash-strapped cities will pick.
Vendor-hosted “sovereign” storage is just centralization with better marketing. The vendor keeps building the core product on its own terms, then layers on some logical partitions, some contractual language, maybe a dashboard to make the city feel in charge. Smaller municipalities get squeezed hardest; they can’t afford custom data localization or bespoke integrations, so they end up locked into whichever big supplier can spin their sovereignty rules into a billable feature set.
Give me a break — this is where policy people usually wave their hands and say, “IT will handle it.”
Automated enforcement isn’t just a camera and a server. It’s an ecosystem: sensors, edge processors, analytics models, alerting pipelines, evidence storage, and legal discovery processes. When every city gets its own flavor of data sovereignty, that ecosystem fragments. Different rules about retention, sharing, and anonymization make interoperability brittle. A regional transit authority and a city police department trying to share footage during an incident now have to reconcile incompatible encryption schemes, metadata formats, and access logs.
That fragmentation doesn’t just annoy technicians. It makes enforcement slower and sloppier, and it pushes costs back onto citizens. Picture a driver ticketed by an automated system in one jurisdiction who needs exonerating footage held by another with different access rules and appeal timelines. Instead of arguing the facts, lawyers will argue about chain of custody, admissibility, and whether some city clerk followed the right deletion policy last quarter. That’s a good business model for attorneys, not for public safety.
Yes, compared to a single centralized state or federal database, local sovereignty is the lesser evil in many people’s eyes. Democratic proximity matters. Local officials are more exposed to voters than federal bureaucrats or corporate leadership in another state. Privacy advocates are not hallucinating those power imbalances.
Still — velocity matters. Centralized systems can concentrate scarce security expertise, publish standardized APIs, and maintain consistent audit regimes in a way small cities simply cannot. The tradeoff everyone tiptoes around is this: we’re swapping the risks of centralized abuse for the risks of decentralized incompetence. Cities won’t just need “control” on paper; they’ll need security engineers, internal auditors, incident response teams, procurement lawyers, and the budget to keep them.
Wake up: assigning sovereignty without resourcing verification turns privacy rules into decorative stickers on a very expensive server rack.
There’s a better tool than either “DC runs everything” or “every town is an island.” Fund regional platforms with national interoperability rules. States or regional compacts could set minimum exportable metadata formats, common logging requirements, and baseline retention windows, then let cities tune stricter deletion policies and use limits on top. You’d get standardized plumbing and auditing, while keeping decisions about how long to hold plate reads or which violations to auto-ticket closer to the ballot box.
History’s already told us how this goes when you don’t coordinate. Early 911 systems were local, fragmented, and wildly inconsistent; people died because calls couldn’t be routed or located across jurisdictions. Only when states and the federal government pushed shared standards and regional infrastructure did 911 start to behave like a reliable public utility instead of a patchwork of experiments. Automated enforcement data is walking down the same path right now.
Here’s what nobody tells you the second time: vendors actually like clear, shared rules. When multiple cities and regions converge on the same technical standards, companies can build once, certify once, and sell many times. That gives public agencies more bargaining power, not less, because they’re negotiating around a common baseline instead of haggling over bespoke one-off clauses that no one else will ever enforce.
Governing is right to push data sovereignty onto the agenda; this fight is coming either way. The cities that read that headline and stop at “we should own our data” are going to discover, fast, that whoever owns the pipes and schemas owns the power.