6.1 The Promises of Smart City

6.1.1 Thailand’s Smart City Concept

Smart city generally refers to the application of technologies to facilitate developments in the urban landscape (Sánchez et al. 2019). Like other smart cities around the world, Thailand’s smart city embraces technology to enable solutions to today’s city problems. Thailand defines smart city as “a city that takes advantage of modern technology and innovation to increase the efficiency of the city service and management, reduce the cost and resource usage of the target city and citizen.” It focuses on good design and participation of business and public sectors in urban development, under the concept of a modern and livable city development, for people in the city to have a good quality of life and sustainable happiness (Office of Smart City Thailand 2019). For a developer’s project to be approved as smart city, the project must invest in some digital urban infrastructure in a defined area, a secure city data storage system, and a sustainable management for service delivery in at least two of the following seven core themes: smart environment, smart people, smart governance, smart mobility, smart living, smart economy, and smart energy (Office of Smart City Thailand 2019). Each theme has specific metrics. For instance, indicators for a project aimed to deliver smart living services are installations of closed-circuit television (CCTV) cameras, sensors, and the development of a platform connected with Internet of Things (IoT) devices to deter crime and improve city hygiene (Office of Smart City Thailand 2021, p 14).

6.1.2 Livable and Sustainable City as a Context

The agenda set by Thailand’s 12th four-year National Economic and Social Development Plan (2017–2021) to create livable cities and advance sustainable development goals provides a backdrop for smart city development (Office of Smart City Thailand 2019, p 2). The plan set an agenda for a socioeconomic transformation focused on the use of high-tech and innovative methods to increase exported products and services, values, and the country’s competitiveness in foreign investment, often referred to as the Thailand 4.0 policy (Office of the National Economic and Social Development Board 2016, p 2). At the regional level, the 2018 Association of Southeast Asian Nations (ASEAN) Smart Cities Framework initiatives introduced by Singapore, a pioneering smart nation, represent a concerted effort to find a uniform concept and actions for advancing smart city development in the region (The ASEAN Secretariat 2019). According to the Framework, the strategic outcome of smart cities is to promote high quality of life, competitive economy, and sustainable environment. Among the total of 26 cities first nominated by ASEAN members in 2018, Phuket was chosen by Thailand as a pilot city, followed by Chiangmai and Chonburi (Centre for Liveable Cities Singapore 2018).

6.1.3 Legal Landscape on Personal Data and Privacy Protection

There are currently no specific regulations for technology and data processing in smart city initiatives. Relevant laws include the Electronic Transactions Act of 2011, the Personal Data Protection Act of 2019 (the Thai PDPA), the Cybersecurity Act of 2019, the Official Information Act of 1997, and the Computer Crimes Act of 2007.

Regarding personal data and privacy protection, the Thai PDPA, inspired by the European Union’s General Data Protection Regulation (EU GDPR) (2016) model and other legislation, provides duties for those engaging in personal data processing activities and guarantee of personal rights to personal data. The provisions generally apply to private and public actors who collect, use, or disclose personal data. Unless exemptions have been provided, any processing of personal data in smart city projects must also comply with the PDPA specified requirements. These are, for instance, to inform and obtain consent from an individual, to have adequate security measures in place, to provide an individual with rights to access, and to rectify and delete personal data related to them. Due to the unpreparedness of firms impacted by COVID-19, key aspects of the PDPA, including data subject rights, have been exempted for specified business company categories in the amended Royal Decree (2021), which continues until May 31, 2022, save for data security responsibilities.

The smart city promotion government agency has also been working on a City Data Platform Development Guideline Draft to establish uniform practices for platform management (Office of Smart City Thailand 2017), but it contains only technical guides, such as the platform setup, fundamental protection provided for individual users. Despite the fact that one of the five strategic pillars for the success of smart cities is data security and privacy (Office of Smart City Thailand 2017), necessary legal safeguards against the abuse of technology and personal data are missing.

6.1.4 The Promises and Privacy Risks

While smart city developments have paved the way for the promising future of a modernized and livable city, the benefits received from data processing activities in smart city developments comes at the cost of increased individual vulnerability to growing threats to personal data and privacy. Insecurities arise as personal data entrusted to the city can potentially be used against a data subject without their knowledge or consensus, turning an individual into a “fixed, transparent, and predictable” target for government and commercial exploitation and bad actor attacks (Cohen 2013, p 1905).

In the next section, the author draws on the surveillance technology used to promote Phuket smart tourism campaigns to illustrate the local views and international practices related to privacy and personal data. Section 6.3 examines a variety of legal challenges presented by the Phuket case including (i) finding a common ground to the global–local privacy perception conflicts; (ii) new normality proposed by the Thai PDPA against the community view; (iii) unreasonable, unnecessary, and disproportionate data processing activities; and (iv) the lack of appropriate privacy-preserving legal mechanism. A consideration for integrating privacy into the city’s architecture is proposed in Sect. 6.4, with a conclusion in Sect. 6.5.

6.2 The Case of Phuket Smart Tourism

This section illustrates the use of CCTV and wearable technology in smart tourism, the views of local governments and entrepreneurs, as well as international perspectives on the implications for privacy.

6.2.1 The Vision of Phuket Smart Tourism

Phuket, known as Andaman Pearl, is a 543-square-kilometer island in southern Thailand with a population of about 400,000 people and 8 million visitors each year. In pursuing a smart tourism goal, the island, positioning itself as a world-class tourist destination, aims to enhance visitors’ and residents’ experience by promoting trade and commercial activities with safer travel and easy access to landmarks and iconic tourist attractions (Centre for Liveable Cities Singapore 2018, p 51). The ultimate goals of smart tourism are to increase capacity to receive up to 13 million visitors, boost income and jobs in tourism, which account for 96.5% of the city’s gross domestic product (GDP), and attract foreign investment to the city (Nanthaamornphong et al. 2020). Public Places in Plain Sight

More than 1000 city-owned CCTVs are linked with those of private businesses to monitor public places such as parking lots, piers, and public boats to detect rule violation as part of the Phuket Eagle Eyes project, a safe city’s campaign aimed at active crime prevention and making Phuket a safe tourist destination (Centre for Liveable Cities Singapore 2018, p 52). More free Wi-Fi hotspots, 5G highspeed internet, and additional cameras with facial recognition and automated license tracking are planned to connect and send information to the Phuket City Data Platform, where various types of analytics are undertaken by the city’s partners in combination with analysis of data from public resources to learn about people’s habits (Nanthaamornphong et al. 2020). Insights from the real-time data collected from CCTVs and electronic wristbands the government planned for the tourists will enable authorities to monitor activities on the island (Centre for Liveable Cities Singapore 2018, p 52). End users of the city data platform, such as entrepreneurs, will gain from utilizing insights and open data to find problems and to improve and innovate services (Samui Times 2018). The city administrator and the Thai Information and Communication Technology Department also benefit from accessing the platform’s reports. Tourists and residents will receive news and event information from the official department and social media network and contact authorities in case of emergency through the platform (Software Industry Promotion Agency 2021). Ao Por Smart Pier

The smart pier project was launched by the Digital Economy Promotion Agency (DEPA) in partnership with the pier operators to keep track of passenger numbers in each boat to avoid overcrowding, ensure their safety, and strengthen tourists’ confidence following boat accident reports (National News Bureau of Thailand 2018, 2020). Ao Por Pier in Thalang district is a gateway for visitors to relax and enjoy the beauty of the neighboring islands, serving as a model for other piers. The renovation included automatic gates with smart card scanners and face recognition. Automated temperature screening devices were installed at the entrance. Ticketing kiosks gather personal information from all boat passengers, including tour operators, boat owners, captains, and crew members who must register themselves with an ID card and have their photos taken by the kiosks before their departure. Following registration, each person will receive a wristband with a quick response (QR) code feature designed specifically for sea activities (Manager Online 2020).

The pier operator and the government agency said the QR code could help locate passengers and save time and money on tracing, which can cost up to 5 million Thai baht for each person (Leesa-nguansuk 2021). According to the news article, the minister claimed that the wristband allows a tourist to access medical services from healthcare providers without having to carry any paperwork and to be expedited in the insurance claim process in case of incidents at sea (Tortermvasana 2020). Digital Yacht Quarantine

Another wristband model, also known as a health tracker or smart watch, has become a highlight of Thailand’s first digital yacht quarantine project. The trial in October 2020 was done by the DEPA in collaboration with an IoT network infrastructure provider, a wearable tech startup, a yacht marina safety operator, and the Thai Yacht Business Association (Tourism Authority of Thailand 2021). The campaign serves as an alternative state quarantine program for visa holders who choose to stay on a yacht rather than in hotels or the government-designated locations, and to ensure detection if they leave the permitted area. Visitors who participate in this program must wear the smart watch at all times during their 14-day onboard quarantine after receiving the COVID-swab test from medical personnel on shore and registering with the maritime safety operator. The smart watch’s sensors can monitor the wearer’s heart rate, blood pressure, body temperature, and location. Real-time data from the devices are displayed on the dashboard and matched with the wearer’s profile, including age, gender, and country, enabling staff to monitor visitors’ health and assess health risks during their 14 days. The system enables visitors to send an SOS signal if they need immediate assistance or to obtain advice when they become lost (Phuket Private All Tours 2021).

The campaign’s aims are to maintain public health, bring back foreign visitors who made up about 60% of income in the yacht business, and revitalize the tourism industry suffering more than 320 million Thai Baht loss due to travel restrictions during the pandemic (Phuket News 2021; RYT9 2021). The marina safety operator was confident that this new standard would impress travelers in all areas, as the operator can also serve them with tourist information, emergency contact, insurance claims, and an e-payment service. Phuket has been chosen as a model followed by other smart cities for sustainable tourism management and a sandbox for city reopening with COVID-19 containment programs in Thailand (Kasemsuk 2021; Phuket News 2021; RYT9 2021).

6.2.2 The Government and Local Entrepreneurs’ Privacy Perception

Even before the pandemic, tour operators, DEPA, Telecom, travel insurance companies, maritime safety providers, and the Tourism Authority of Thailand had planned smart wristbands for travelers as part of Phuket Smart Tourism. Smart wristbands were originally designed with location tracking, an e-wallet, and travel insurance in mind (Matichon 2020). According to reports in the media and the Smart City 2021 proposal, the government intends to require visitors to wear wristbands and use the Thailand Plus smartphone app, which will allow authorities to track and notice when the band is removed, with potential legal consequences for the visitor. Data collected from wearable devices will be combined with government data to ensure precision and better disease control (Matichon 2020; Software Industry Promotion Agency 2021). The ministry’s continued endorsement of the city’s and its partners’ initiatives reflects what the government and business leaders see as good and sound practices in prioritizing public interest and increasing profits to the economy as a whole, as well as claiming consumer convenience and better personal safety above fundamental privacy. The research, however, highlighted personal data protection rules as potential roadblocks to the implementation of the integrated CCTV cameras project and smart tourism project work, but stated that it will be safe based on individual consents received (Huawei Technology White Paper 2019, p 95).

6.2.3 Review of International Perspectives on Surveillance Technology

Many cities are considering banning pervasive surveillance technology to protect people’s privacy. The Commercial Facial Recognition Privacy Act (2019) was in effect in San Francisco, a technological hub and a center of civil liberties advocacy, to restrict facial recognition and other remote biometric monitoring devices. The reasons for the restriction are to alleviate concerns about empowering the government tracking people in their daily lives and danger caused by technology. In Hangzhou, East China’s Zhejiang Province aiming to be the country’s best digital governance, a draft bill was proposed to the local assembly in December 2020 to prohibit collecting biometric data without consent in residential communities. With rising threats from data leakage, identity theft, and personal privacy breaches, the residents fear biometric data and sensitive information such as the time and length they spend at home being disclosed to others. Therefore, many residents have refused to have their face information collected by the communities, despite some inconvenience caused by not sharing data (Lanlan 2020). In the EU where the GDPR is in effect, a municipality in Sweden has been fined for testing CCTV by monitoring the attendance of a class of students at school. The Swedish data protection authority found the school board failed to adequately assess risks to data subjects from sensitive biometric data processing, and that consent from an obviously weaker party alone may not be sufficient to give a lawful basis for the processing (European Data Protection Board 2019). The Dutch municipality’s installation of sensors in shopping streets that can detect a Wi-Fi signal sent from a passerby’s mobile phone for the purpose of counting the number of people was found to be unnecessary for the purposes of measuring the city center’s crowdedness, and therefore it violated shoppers’ and workers’ privacy and their right to not being spied on as they go about their activities (European Data Protection Board 2021).

The international responses to the use of surveillance technology and risks to community life have clearly shifted toward the preservation of personal privacy, although certain technological gains in crime prevention and personal convenience must be sacrificed. Phuket can learn from other communities about their concerns and expectations around facial recognition technology and other monitoring equipment, as well as informed choices required for individuals to ensure that the processing of their personal data is not done without their knowledge or agreement. Essentially, when it comes to vulnerable targeted groups, consent alone may not be sufficient to justify the legitimate goals sought by the processing. Phuket city’s council should consider listening to the residents’ voices after educating them on the privacy impacts while following the worldwide trends to limit the use of biometric data, so that the user’s travel experience design may properly take into account international tourists’ and Phuket’s inhabitants’ true concerns.

6.3 Challenges for Privacy and Personal Data Protection from Phuket Experience

6.3.1 Finding a Common Ground for Global–Local Privacy Expectation

The evident contrast between the Thai appropriate practices of personal data and privacy perceptions and the recognized practices of enterprise and worldwide communities has raised the question of what constitutes a proper baseline for regulating activities in the public domain. While a study on privacy expectations of tourists and city residents using public areas is necessary to adequately assess the impact of personal data related processing activities proposed by smart city campaigns, the author opines that the intended use of the space by groups of users will help determine the level of privacy protection required. In the instance of the digital yacht quarantine, it would make more sense to create a default rule based on the higher expectations of international yacht tourists and the exclusive nature of this type of tourist. By contrast, since the piers are designated to be an immersive space for people of all cultures and backgrounds, from everyday ferry users to domestic and international visitors, options for the least intrusive means of personal data processing that caters to diverse individual preferences would reduce the discomfort experienced by people with high sensitivities. Care must also be exercised if different conditions are imposed for local and international visitors in order to avoid unfair and discriminatory treatment, particularly if a privacy choice comes at a higher cost of services.

6.3.2 The PDPA’s Proposed New Normality and the Community Way

The fact that the local tradition differs greatly from the new Thai PDPA norms and globally recognized standards of practice has increased the possibility of noncompliance as well as negative feedback from tourists who are treated with superior legal protection in their home country. Changes made to comply with global norms, on the other hand, require unavoidable adjustments in people’s engagement in community life. The locals may be compelled to be more reserved. What appears to be commonplace may be found unreasonable and prohibited under the new personal data protection regulations, for example, photographing and sharing a photo of people on the beach without their knowledge, public area surveillance by CCTVs, or private surveillance by a car owner’s onboard camera device that records a view on the street and from a passenger’s seat for accidental insurance claims.

6.3.3 Unreasonable, Unnecessary, and Disproportionate Data Processing Activities

The author found that current designs of processing activities may fail to adhere to reasonable personal information practices pursued by most jurisdictions.

As for the smart pier projects, the design of a smart wristband for boat passengers must follow the purpose specification and data minimization principles by collecting only the personal data necessary for protecting personal safety of the passenger at sea and for tracing after an accident. The continued tracking and recording of location data for all age groups during sea trips lasting from a half to a full day, without clear limits on who can access and on the retention period of personal data will fail the necessity requirement for protecting the pier operator’s legitimate interest. Instead, the design should allow tracking and alerts only from a user’s activation or when an incident occurs. A high volume of sensitive passenger registration data acquired from kiosks, including biometric data and the national ID card and password, exceeds what is required for counting people and preventing overcrowding on the boat. As alternatives for visitors, a less intrusive method that reveals fewer personal facts when a passenger gets onboard should be made available. If passengers do not have a choice to opt out of the insurance and health packages based on tracking, there is a risk that the negative impact on their privacy is not balanced by the benefits obtained by the data controller from processing the claims, given the unlikelihood of sea incidents and the availability of less intrusive means to ensure safety.

As for the case of digital yacht quarantine, the collection and sharing of health data like body temperature and COVID-like symptoms with officers is necessary for protecting personal vital interests and the public health as required by the quarantine mandate. Twenty-four-hour temperature and heart rate monitoring are, however, clearly unnecessary for ensuring compliance with the quarantine rule and unnecessary for persons who do not require intensive health checks. Sharing comprehensive health records and personal profiles with pier operator personnel in the same way as medical staff do is unnecessary processing. The vast scope and breadth of health data collected in real-time, 24 h a day for 14 days, obviously fall short of necessity and does not meet the proportionality balance required for compliance with quarantine rules. The case also implies that continuing to employ such wristband health tracking capabilities once the pandemic state improves will no longer justify the privacy impacts.

6.3.4 Absence of an Appropriate Tool for Privacy-Preserving Legal Mechanism

Specific protections such as the GDPR’s obligation to conduct data protection impact assessments (DPIA) and the right to object to automated processing, as well as non-discrimination principles similar to the California Consumer Privacy Act 2018 (CCPA), are missing from the Thai PDPA and the guideline for smart city. According to the GDPR Art. 22, 35 and Recital 35, privacy high-risk practices, such as automated decision-making and profiling and mass surveillance in public places, require a data controller to conduct a DPIA to ensure that all threats have been thoroughly evaluated and appropriate measures to minimize the impact on individuals have been implemented before the processing begins. Non-discrimination protections under the CCPA Section 1798.125 strengthen a consumer’s right not to sell their personal data and ensure that they will not be exposed to unjust discrimination or undue pressure from lower quality services or price increases. They also require businesses to explain the logic behind automated decisions, as well as any special offers or discounts offered to data subjects in exchange for benefits obtained by the use of their personal data. Phuket Smart City policy should be tailored to incorporate these privacy-preserving functions.

6.4 Moving Forward

6.4.1 Privacy in a Human City

Even though privacy aspects vary in each society, social values of privacy preserve trust, sincerity, and the confidence one needs in developing interpersonal relationships (Moore 2003, p 22; Richards and Hartzog 2016). Even from the standpoint of a non-individualist culture, privacy is essential since its loss causes personal insecurity and social instability (Lü 2020, p 7). In tourism, the self-discovery process allowed by the sense of freedom, autonomy, and authenticity experienced by a person or a group is made possible through privacy. Ning (2017) argues that authentic experiences involving personal and intersubjective feelings emerge from the existential state of being of a visitor when she expresses herself free of the constraints experienced in daily life. Privacy primarily functions as a safe space for emotional release, freedom from unwanted interference, for learning to develop one’s personality, and define boundaries in relationships with others (Westin 1967). Privacy values therefore must be reintegrated into smart city measures in order to safeguard human capabilities to experience authenticity, set limits, and develop discernment on the values and information in front of them.

6.4.2 Universal Regulatory Design Considerations

A smart city regulation design should be adaptable, with a default set on a gradient scale and customization options to accommodate a wide range of privacy preferences of visitors and residents. When a privacy policy governing a place change, such as when entering a residential area with a high density of CCTVs, visitors should be prompted with a visual sign or cue to be informed. Designing a smart city regulation based on user experience can grasp privacy harm the laws of some jurisdictions have not yet recognized. For instance, the loss of ability to control their exposure to an environment and harms from surveillance as experienced by individuals from active means of categorizing, narrating, and norming in addition to being observed (Cohen 2008, p 194) can be addressed through a regulatory design that takes into account privacy impacts from real user experience. A tailored policy based on user experience can avoid dissonance and ideological conflicts between law in books and on the ground and increase regulatory soundness. With these privacy design considerations in mind, a city can demonstrate its openness to new digital culture by enhancing tourists’ smart experiences at their own pace and achieve the smart city’s goal.

6.5 Conclusion

The city’s design of personal privacy safeguards matters because it affects the way a visitor experiences the city—how they learn about, connect with the people and the place, define the boundaries, and ultimately develop personal meanings from the city exploration process. Without adequate privacy protection, such freedom and autonomy are endangered by the data processing activities that have been made without one’s knowledge, consent, willingness, or alternative choices available, thus interfering with one’s decisional privacy. Threats to personal authenticity and freedom from misuse of technology can occur through an exposure of excessive monitoring of personal behaviors in people’s private and leisure moments, which has led to the alteration of behaviors in personal interactions and self-censorship of some deviating behaviors. Proposed use of smart wristbands and other surveillance technologies in Phuket tourism campaigns, smart pier and digital yacht quarantine, demonstrates that local privacy perceptions vary significantly from the international perspectives provided by laws protecting personal data. The use of wristbands also raises questions about privacy risks, the reasonableness of the ongoing processing activities under the relevant laws, and the lack of adequate regulations to protect personal data and privacy in the smart city.