Thank you for the very informed question.
I think we need to consider data as split into two very separate streams when we talk about connected cities.
One is, as you mention, personal data that's identifiable to an individual and relates to the decisions that individual makes in interactions with government and with private sector companies.
In the broad concepts that I described in my notes, I was dealing more with de-identified data, aggregated data, the sort of information that is collected by your phone in terms of motion and distance and speed. This is the information that allows companies like Google, Apple, and others to give you traffic information. When you look at the map, you don't identify a single driver; you identify the trends that were collected from thousands of drivers on the road at the same time as you. It's the same with many of these other more generalized services. The implemented technology has privacy safeguards that aggregate the data to a level that allows you to have precision about location or behaviour, without having precision to the level of an individual.
I just want to make the final point that you're right in identifying that there's a shared responsibility there. If you're using an Apple phone or a Google phone, you need to understand that the phone manufacturer, the company, and the application developer have your interests in mind. Government agencies and their partners also recognize that there must be an imperative to protect personal privacy in implementing those technologies.