The West vs. the East: Data Privacy and the Different Approaches to COVID-19 Apps (Part I – South Korea)

Posted on March 25, 2021

Authored by Sahel Bahman*

COVID-19 tracing apps: side effects on personal data protection should be  avoided - News 2020 - 2021
Image Source: Council of Europe

Introduction

The ongoing SARS-CoV-2 pandemic, and its spread between and within countries, has revealed a potential for the use of modern privacy laws in public health policy. For countries and health systems alike, the most effective way to understand the severity and prevalence of COVID-19 would be to track positive cases; trace contacts and places PCR-positive cases might have visited or seen. This makes sense, given the exponential nature of viral contamination.[1] However, given the world is in the ‘Information Age’, digital data has exposed people to illicit and illegal activities such as fraud, identity theft, or even malign hacking to obtain personal information[2]. Therefore, especially in liberal democracies, data protection laws have been approved and are enforced as they seek to protect the rights of citizens within such democracies[3]. An example of this would be the Netherlands which, as a result of privacy laws such as the European Union’s General Data Protection Regulation (“GDPR“), did not release a tracking and tracing COVID-19 app until the 8th of October 2020, almost seven months after initial measures were taken by the government. On the other hand, a COVID-19 app was available in South Korea from March 2020. This is largely due to the amendments South Korea made to their Infectious Disease Prevention and Control Act (“IDPCA“), following the MERS epidemic and to their privacy laws in January of 2020. In case of a serious outbreak of a disease, these amendments allowed the government to have more access to data by overriding several privacy laws, including the Personal Information Protection Act 2011 (“PIPA“). This allowed South Korea to take swift action far sooner during the initial stages of the SARS-CoV-2 pandemic, which will be elaborated upon within this article.[4] [5]

This two-part series aims to analyse the differences between South Korea and the Netherland’s data privacy laws and how these affected the development of apps tracking and tracing positive COVID-19 cases. It is important to distinguish between tracking and tracing apps. Tracking refers to gaining insights in real time hence, a tracking app will be able to detect a person’s current location and the places they have been.[6] Whereas, tracing is done in retrospect. Tracing apps detect encounters between people through bluetooth or location and based on the strength of radio signals it is able to detect the distance between people and trace the proximity.[7]

The first part of this article will assess COVID-19 in South Korea, their privacy laws and the development of the COVID-app. In the second part a comparative view will be taken to assess the different approach taken by the Netherlands.

Covid-19 in South Korea

South Korea was one of the first countries to be affected by COVID-19, the first case being reported on 20th of January 2020. South Korea’s initial response to prevent the spread was to impose a special entry procedure which included an entry ban on travelers from high-risk nations and requiring all travelers entering the nation to download a “Self-Diagnosis App” to monitor the development of symptoms. Moreover, 14-day quarantine became mandatory as of April 1st.[8] However, to avoid harsh lockdowns and a complete ban on travel, South Korea adopted a test, trace and treat strategy to control the spread, emplaced by April 2020. As a consequence of amended laws following the 2015 MERS outbreak, the government was prepared to deal with an infectious disease.[9] [10]

South Korea’s Privacy Law

It is vital to elaborate on the privacy laws in South Korea to understand how these were overridden during the SARS-CoV-2 pandemic. One of these was the PIPA which entails South Korea’s data protection law. Article 1 of PIPA states the purpose of the legislation is to further realize the dignity and value of the individuals by protecting their privacy from the unauthorized collection, leak, abuse or misuse of personal information. Personal information is defined in Article 2(1) as information pertaining to any living person that makes it possible to identify such individual by his/her name and resident registration number, image, etc. Article 15(1)1 prohibits the collection, use and disclosure of personal data without prior consent of the individual whose data is involved.  However, in January 2020 the Korean National Assembly passed amendments to the PIPA including adding a provision to Article 15 and 17.[11] Article 15(3) and Article 17(4) now allows a personal data controller to use, release and provide personal data and information without consent of a data subject so far as it is in line with the purpose it was collected for and measures are taken to secure the encryption.

The Act on The Protection, Use, Etc. of Location Information aims to protect privacy from leakage, abuse and misuse of location information[12]. Article 2(1) defines location information as “information about a place where a portable object or an individual exists or has existed at a certain time, which is collected by the use of telecommunication equipment facilities […]”. Furthermore, Article 2(2) defines personal location information as location information of a specific person. Provisions regarding the prohibition on collection of location information is provided for in Article 15. Article 15(1) prohibits the collection, use, or provision of location information of an individual or mobile object without the consent of the individual or owner of the mobile object. Therefore, South Korean legislation contains safeguards to ensure protection of location data; however, the extent to which these are adhered to during a health emergency will be discussed in the following section.

After the 2015 MERs outbreak in South Korea, the IDPCA was amended to ensure that in case of a health emergency, personal data could be collected to allow for efficient response for controlling the disease. These amendments allowed for public agencies, specifically the Korea Centers for Disease Control and Prevention (“KCDC“), to collect and share seven categories of data of (suspected to be) infected individuals with the central, municipal or local governments, national health insurance agencies and healthcare professionals.[13]

The IDPCA aims to control infectious diseases through necessary matters in order to maintain citizen’s health[14]. Article 2(1) IDPCA provides a series of definitions of an infectious disease. COVID-19 would be categorized as a Group 5 “infectious disease under surveillance by the World Health Organization (WHO)”. This is further defined by Article 2(8) IDPCA stating that such an infection means that it was designated to be subject to surveillance by the WHO to prepare for an international public health emergency, as announced by the Minister of Health and Welfare. In March 2020, the WHO Director-General announced that COVID-19 is characterized as a pandemic, thereby falling into the aforementioned definition[15].

Tracking and Tracing

South Korea’s approach to controlling the pandemic is a “Test, Trace, Treat”[16] approach. Tracing methods will be elaborated upon in this section in order to assess how the IDPCA allowed setting aside of data privacy laws during the pandemic.

Contact tracing is conducted through an app which identifies the movements of confirmed patients through location data[17]. This allows for authorities to ensure these patients are complying with self-isolation as well as allowing tracing of who the patients were in contact with and consequently may have infected[18].[19] Prior to this, the KCDC investigators would have to request data such as credit card transactions of confirmed patients from police investigators which requires a waiting period hence, taking longer. The current system allows for various data sets to be analyzed immediately and given to health investigators.[20]

The IDPCA requires the release of virus carrier travel logs. Article 34-2(1) IDPCA states that citizens should be provided with detailed information about patients with infectious disease. This includes their movements and contacts once the alert levels are at “precautions” or above. Therefore, in cases like COVID-19, it is explicitly required by the IDPCA that the population should be informed if they have been in contact with a PCR-positive person.

Article 34-2(1) IDCPA requires the release of detailed information to citizens in order to acquaint them with the measures taken for preventing the infectious disease. The KCDC published guidelines stating the period of disclosure of data is from one day before symptoms began to the date of quarantine and if there were no symptoms then location information will be disclosed from one day prior to the date of quarantine. Hence, providing protection to personal data by limiting the period of time which data can be collected from. Additionally, the KCDC emphasized that personally identifiable information must be excluded hence, there would be no violation of article 15(1)1 PIPA. Moreover, data must be deleted 14 days from the last contact and the data is anonymized by converting personal information regarding location like address into random long strings of four characters.[21] Hence to further guarantee protection of personal information data as specified under Article 15(1)1 and under the newly amended article 15(3) and 17(4) PIPA, the data is anonymized, limited in duration and scope. If a person has been in contact with a PCR-positive case, they will receive a notification from the app which informs them that they may have been infected, as required by Article 34-2(1) IDPCA, hence, securing encryption through anonymity of the patient and yet allowing for the possibly infected person to get tested and treated.[22] [23]

The provision to request to provide information is laid down in Article 76-2 IDPCA. Article 76-2(1) IDPCA states that the Minister of Health and Welfare or the Director of the KCDC may, if necessary, to prevent the spread of infectious diseases, ask central administrative agencies, heads of local government, medical institutions, pharmacies, corporations and individuals to provide information of patients with infectious diseases and those likely to be infected. Hence, the Act allows for public agencies to collect information of patients and those who may get infected as a result of contact with the infected in order to prevent the spread of an infectious disease, like COVID-19. One of the types of information that can be collected is portrayed in Article 76-2(1)2 IDPCA which is personal information including names, resident registration numbers, addresses and telephone numbers. As previously stated, Article 15(1)1 PIPA prohibits collecting individuals’ personal information without their consent however, in case of a health emergency, like COVID-19, the IDPCA allows for the PIPA to be overridden.

With regards to location information, Article 76-2(2) IDPCA states that if it is necessary for the prevention of infectious diseases and its spread, the Minister of Health and Welfare may request the National Police Agency, regional police agency and police station to provide location of information of patients with the infectious disease and persons who are likely to be infected by an infectious disease. This article explicitly allows for this information to be collected notwithstanding Article 15 of the Act on the Protection, Use, etc. of Location Information. This current article had been amended in December 2015, illustrating how the IDPCA was revised to allow for overriding of privacy laws in favor of public health, and consequently, allowing for tracing apps to be developed at a faster rate because adherence to privacy laws was not a strict requirement.

Conclusion

In summary, South Korea’s amendments to the IDPCA allowed for flexibility regarding its privacy laws which ultimately aided in the pace of the development of the COVID-19 app. The second part of this series shall examine the implementation of privacy laws and public health apps in Netherlands to portray the differences between a country in the West and one in the East when approaching Covid-19.


*Sahel Bahman is a Researcher at IntellecTech Law and a second year European Law student at Maastricht University in the Netherlands. She is currently studying four jurisdictions namely; French, German, Dutch, and English whilst also taking a holistic perspective by looking at European Union law. Sahel has a keen interest in data protection and IP law and hopes to pursue a career in this field of law. 

[1] World Health Organization, WHO Director-General’s opening remarks at the media briefing on COVID-19. WHO, 16 March 2020. https://www.who.int/director-general/speeches/detail/who-director-general-s-opening-remarks-at-the-media-briefing-on-covid-19—16-march-2020, last visited 15 March 2021

[2] Kurt M. Sauders and Bruce Zucker, “Counteracting Identity Fraud in the Information Age: The Identity Theft and Assumption Deterrence Act”, Cornell Journal of Law and Public Policy, 1999, Vol. 8, Iss. 3, Article 5, p. 667-675.

[3] Kevin D. Haggerty and Minas Samatas, Surveillance and Democracy. 1st Edition, New York; Routledge-Cavendish, 2010.

[4] Sangchul Park and Gina Jeehyun Choi and Haksoo Ko, “Information Technology-Based Tracing Strategy in Response to COVID-19 in South Korea – Privacy Controversies”, The Journal of the American Medical Association, Vol. 323, No.21, June 2020

[5] Chris H. Kang, Sun Hee Kim and Doil Son, South Korea: Korea Introduces Major Amendments to Data Privacy Laws, mondaq, 02 March 2020. https://www.mondaq.com/privacy-protection/898830/korea-introduces-major-amendments-to-data-privacy-laws, last accessed 15 March 2021

[6] Björn Greif, Corona App: What’s the Difference between Tracking and Tracing?, Cliqz, 29 April 2020.

https://cliqz.com/en/magazine/corona-app-whats-the-difference-between-tracking-and-tracing, last accessed 15 March 2021

[7] Ibid

[8] Coronavirus Disease 19, Republic of Korea, Korean government’s response system (as of February 25, 2020), 2020. http://ncov.mohw.go.kr/en/baroView.do?brdId=11&brdGubun=111&dataGubun=&ncvContSeq=&contSeq=&board_id=, last accessed 15 March 2021

[9] Sangchul Park and Gina Jeehyun Choi and Haksoo Ko, “Information Technology-Based Tracing Strategy in Response to COVID-19 in South Korea – Privacy Controversies”, The Journal of the American Medical Association, Vol. 323, No.21, June 2020

[10] Ministry of Economy and Finance, Tackling COVID-19—Health, Quarantine and Economic Measures: Korean Experience. Ministry of Economy and Finance of Korea, Ministry of Economy and Finance, 26 March 2020.https://english.moef.go.kr/pc/selectTbPressCenterDtl.do?boardCd=N0001&seq=4868, last accessed 15 March 2021

[11] Chris H. Kang, Sun Hee Kim and Doil Son, South Korea: Korea Introduces Major Amendments to Data Privacy Laws, mondaq, 02 March 2020. https://www.mondaq.com/privacy-protection/898830/korea-introduces-major-amendments-to-data-privacy-laws, last accessed 15 March 2021

[12] Act on the Protection, Use, Etc, of Location Information as translated in: Global Regulation; Act on The Protection, Use, Etc of Location Information [English], Article 1

[13] Sangchul Park and Gina Jeehyun Choi and Haksoo Ko, “Information Technology-Based Tracing Strategy in Response to COVID-19 in South Korea – Privacy Controversies”, The Journal of the American Medical Association, Vol. 323, No.21, June 2020

[14] Infectious Disease Prevention and Control Act as translated in: Korea Law Translation Center; Infectious Disease Control and Prevention Act 2015 [English], Article 1

[15] World Health Organization, WHO Director-General’s opening remarks at the media briefing on COVID-19, World Health Organization, 11 March 2020. https://www.who.int/dg/speeches/detail/who-director-general-s-opening-remarks-at-the-media-briefing-on-covid-19—11-march-2020, last accessed 15 March 2021

[16] Ministry of Economy and Finance, Tackling COVID-19—Health, Quarantine and Economic Measures: Korean Experience. Ministry of Economy and Finance of Korea, Ministry of Economy and Finance, 26 March 2020.https://english.moef.go.kr/pc/selectTbPressCenterDtl.do?boardCd=N0001&seq=4868, last accessed 15 March 2021

[17] Ibid

[18] Ministry of Foreign Affairs Korea,한국의 코로나19 대응: 코로나 바이러스 추적 Korea`s Response to COVID-19: How It Tracks Down the Coronavirus, Ministry of Foreign Affairs Korea, 31 May 2020. http://www.mofa.go.kr/eng/brd/m_22744/view.do?seq=6&srchFr=&srchTo=&srchWord=&srchTp=&multi_itm_seq=0&itm_seq_1=0&itm_seq_2=0&company_cd=&company_nm=&page=1&titleNm=, last accessed 15 March 2021

[19] Ministry of Economy and Finance, Tackling COVID-19—Health, Quarantine and Economic Measures: Korean Experience. Ministry of Economy and Finance of Korea, Ministry of Economy and Finance, 26 March 2020.https://english.moef.go.kr/pc/selectTbPressCenterDtl.do?boardCd=N0001&seq=4868, last accessed 15 March 2021

[20] Sarah Wray, South Korea to setp-up online coronavirus tracking, SmartCitiesWorld, 12 March 2020. https://www.smartcitiesworld.net/news/news/south-korea-to-step-up-online-coronavirus-tracking-5109, last accessed 15 March 2021

[21] Gyuwon Jung, Hyunsoo Lee, Auk Kim and Uichin Lee, Too Much Information: Assessing Privacy Risks of Contact Trace Data Disclosurre on People With COVID-19 in South Korea, Frontiers in Public Health, 18 June 2020. https://www.frontiersin.org/articles/10.3389/fpubh.2020.00305/full, last accessed 15 March 2021

[22] Ministry of Foreign Affairs Korea,한국의 코로나19 대응: 코로나 바이러스 추적 Korea`s Response to COVID-19: How It Tracks Down the Coronavirus, Ministry of Foreign Affairs Korea, 31 May 2020. http://www.mofa.go.kr/eng/brd/m_22744/view.do?seq=6&srchFr=&srchTo=&srchWord=&srchTp=&multi_itm_seq=0&itm_seq_1=0&itm_seq_2=0&company_cd=&company_nm=&page=1&titleNm=, last accessed 15 March 2021

[23] Ministry of Economy and Finance, Tackling COVID-19—Health, Quarantine and Economic Measures: Korean Experience. Ministry of Economy and Finance of Korea, Ministry of Economy and Finance, 26 March 2020.https://english.moef.go.kr/pc/selectTbPressCenterDtl.do?boardCd=N0001&seq=4868, last accessed 15 March 2021

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s