Guidelines for Data Protection Impact Assessment (DPIA) in Smart City Development: A Case Study of Phitsanulok Smart City

Methinee Suwannakit

Abstract

This research article presents a guideline for data protection impact assessment (DPIA) in the development of smart cities, using Phitsanulok Smart City as a case study. The study employs a mixed-methods approach, including comparative legal analysis, document analysis, and semi-structured interviews to gather the perspectives of data subjects. The findings reveal that personal data processing in Phitsanulok Smart City entails high risks due to complex data flow pathways, overlapping jurisdictions, and the involvement of numerous stakeholders. Therefore, a DPIA is necessary. It should include detailed data flow mapping, the establishment of joint data controller agreements, assessments of necessity and proportionality, as well as risk assessments and the implementation of appropriate risk mitigation measures. The article identifies risks and proposes risk mitigation measures in three key areas: (1) data breaches resulting from internal and external risks; (2) the inability of data subjects to control the use of their personal data; and (3) adverse impacts on other rights and freedoms.

How to Cite
Suwannakit, Methinee. “Guidelines for Data Protection Impact Assessment (DPIA) in Smart City Development: A Case Study of Phitsanulok Smart City”. Naresuan University Law Journal 18, no. 2 (December 13, 2025): 205–232. accessed January 25, 2026. https://so04.tci-thaijo.org/index.php/lawnujournal/article/view/280861.
Section
Research Articles
