Thai AirAsia seeks face scans in Krabi
Thai AirAsia (TAA), Thailand's largest low-cost carrier, plans to provide a facial recognition system at check-in for volunteer passengers on a trial basis at Krabi airport.
According to Pichet Durongkaveroj, the digital economy and society minister, TAA recently asked the DE Ministry for an opinion on whether the company would have to get permission from the ministry and related agencies.
Mr Pichet said the ministry supports the idea of a facial recognition system for airlines as a check-in alternative for passengers, one that several airlines already provide.
But he said Airports of Thailand and the Immigration Bureau of the Royal Thai Police must grant permission to TAA to use facial recognition technology, as the DE Ministry lacks the authority to green-light the project.
Facial recognition systems work by verifying the identity of a person by comparing selected facial features from a presented image with faces in a database.
Mr Pichet said the DE Ministry is pleased to give suggestions and collaborate with related agencies. Even so, it will probably be a while before a facial recognition system for passengers is in place, he said, because of the various sensitivities involved with handling personal data and the data protection bill still awaiting passage.
Mr Pichet said TAA may have to consider five points when implementing its system: passenger acceptability, good security, personal data usage, responsibility for damage and usability.
Thailand is developing a data protection law. The bill is in the drafting process, after which it will be submitted to the cabinet before going to the Council of State for amendment. Then the draft will go to the National Legislative Assembly (NLA) for a vote.
The data protection draft bill is one of two draft bills driving the government's digital economy transformation policy. The other is the cybersecurity draft bill. Both have yet to be approved by the NLA.
Once the bills go into effect as law, they will set up two new agencies called the National Data Protection Agency and the National Cybersecurity Agency.
Mr Pichet said personal data protection is quite complex, driven partly by rapidly evolving technology, but many agencies and sectors still lack awareness and knowledge for understanding personal information protection.
Previously, the government through the DE Ministry set up the Data Protection Knowledge Centre (DPKC), acting as a centralised unit to create awareness of data protection in line with international standards for state agencies and the private sector, especially online businesses.
The DPKC operates under the Electronic Transactions Development Agency (ETDA) structure, but the National Data Protection Agency won't be established until the data protection bill is passed.
The move coincides with Europe's General Data Protection Regulation (GDPR), which went into effect on May 25 this year.
The GDPR will influence domestic enterprise operations, especially in the online sector, with regard to processing personal data involving European citizens.
The DPKC was established as a competent state agency that will work independently in a manner that protects the rights of the public and raises awareness and educates. It will also clamp down on digital piracy.
The DPKC is meant as an initial step before the establishment of the National Data Protection Agency.
"All sectors need to be prepared to take care of personal data in order to comply with the principles of the law," Mr Pichet said.
Although there are several laws currently in place regarding the protection of personal information, including the Official Information Act, they only provide protection for certain personal data and do not fully protect all personal information.
There are still gaps in the protection of personal data, Mr Pichet said.