Behind the smart city slogan and the innovation awards, Spanish town halls have quietly handed the keys to our territory to a technological infrastructure under United States jurisdiction. An analysis of procurement dynamics reveals that the local governance model may be undermining key principles of strategic autonomy and competitive tendering.

The digital transformation of local government in Spain has taken a direction that is beginning to alarm experts in security and administrative law. From Madrid to Barcelona, and on through Valencia, Seville, Zaragoza, Málaga, Bilbao, A Coruña and the Canary Islands capitals, cities are becoming “smart cities” using one and the same technical architecture: ArcGIS, the software owned by the US multinational Esri.

What is presented as a necessary modernisation, however, conceals a reality of strategic negligence and possible administrative irregularities.

By centralising the management of urban data, from traffic to the water network, on US-owned proprietary platforms, the Spanish public administration places itself on unstable legal ground. The US federal CLOUD Act (Clarifying Lawful Overseas Use of Data Act, filed with the US Congress as H.R.4943, 115th Congress) allows Washington to access data stored by US technology companies regardless of where the servers physically reside, even on European soil.

This practice clashes head-on with the doctrine of the Court of Justice of the European Union set out in the landmark Schrems II judgment (Case C-311/18, code CELEX: 62018CJ0311). That ruling invalidated automatic data-transfer frameworks because US surveillance laws do not guarantee a level of protection equivalent to that required by the General Data Protection Regulation (GDPR / Regulation EU 2016/679, code CELEX: 32016R0679). By normalising standard commercial contracts with corporations subject to extraterritorial rules, the State compromises the spirit of European strategic autonomy and leaves citizens’ mobility, infrastructure and critical-service data exposed to a foreign jurisdiction.

The Privacy Framework gap: although the European Commission adopted an adequacy decision (EU-US Data Privacy Framework, Implementing Decision EU 2023/1795), the persistence of the CLOUD Act keeps the underlying conflict alive: the primacy of US national security over European fundamental rights.

2. “Tailored” tender specifications: the death of competition?

Beyond security, the procurement model raises concerns under the Public Sector Contracts Act (Law 9/2017 of 8 November, LCSP), published in the Official State Gazette under reference BOE-A-2017-12902. The technological uniformity across such diverse cities is no accident.

The core of the problem lies in the drafting of the Technical Specifications (PPT). Article 126.4 of the LCSP is categorical:

“Unless justified by the subject matter of the contract, technical specifications shall not refer to a specific make or source […] or to trademarks, patents or types […] with the aim of favouring or ruling out certain undertakings or products.”

The explicit inclusion of ArcGIS licences, or the drafting of technical requirements so precise that only a proprietary-software vendor can meet them, effectively excludes alternatives based on free software or open standards (such as QGIS or sovereign spatial-database architectures). This lack of genuine competition amounts to a technical barrier that prevents the local technology ecosystem from competing on equal terms.

3. The “black box” of local democracy

Delegating urban decision-making to proprietary software is a democratic anomaly. Public administrations are legally required to be transparent and auditable. By handing the management of the territory to a “black box”, closed-source software whose inner workings are a trade secret, the town hall gives up its capacity to audit.

This is an abdication of duties. The case law on algorithmic transparency has already made clear that the digitalisation of government cannot become a space of opacity: the source code and logic of the systems that manage public resources must be subject to public and judicial scrutiny. Using closed platforms breaks that principle and turns the administration into a captive client, dependent on a private corporation whose internal logic is shielded from any citizen oversight.

4. The paradox of public funding and sovereignty

To the technical and legal gravity is added a structural economic contradiction: the use of European public funds, including allocations from the Recovery, Transformation and Resilience Plan, governed in Spain by Royal Decree-Law 36/2020 (BOE-A-2020-17338) and linked to NextGenerationEU, to pay recurring licences to foreign multinationals.

It is paradoxical that capital meant to strengthen the Union’s resilience and digital sovereignty should be channelled into external infrastructure. Instead of using this historic investment to develop domestic digital infrastructure and boost national industry, public money subsidises the expansion of foreign platforms.

As raised in the European debates on data governance (Data Governance Act / Regulation EU 2022/868, code CELEX: 32022R0868), dependence on non-European providers for critical services is a direct strategic vulnerability. Every euro invested in a captive ecosystem is a euro subtracted from the development of open, interoperable solutions that keep the return on digital investment in the local economy, in our security and in our own hands.

Documentary record and verification index

European Union case law and legislation (data and privacy)

  • Schrems II judgment (C-311/18): EU Curia database, code CELEX: 62018CJ0311.
  • General Data Protection Regulation (GDPR): official code CELEX: 32016R0679.
  • U.S. CLOUD Act (2018): official US Congress record (Congress.gov), reference H.R.4943, 115th Congress.

Procurement framework and public funds in Spain

  • Public Sector Contracts Act (Law 9/2017): BOE search tool, code BOE-A-2017-12902.
  • Royal Decree-Law managing the Recovery Plan (RDL 36/2020): BOE, code BOE-A-2020-17338.

European digital governance

  • EU Data Governance Act (Regulation 2022/868): official identifier CELEX: 32022R0868.