Posted on April 1, 2021
Authored by Sahel Bahman*
Further to part one of our article on the impact of data protection laws on public health applications for COVID-19, this article aims to examine the development of COVID-19 apps in the West (i.e., the Netherlands, in this case) in the context of relevant privacy laws and concerns, and how this approach compares to the East (i.e., South Korea, in this case).
Covid-19 in the Netherlands
In contrast to some other nations, the Netherlands’ initial approach to COVID-19 was more moderate, embracing the concept of herd immunity. This was attained through a targeted lockdown which only closed down businesses requiring close contact, whilst leaving open other businesses. Contrasting South Korea, the Netherlands’ initial response was dependent on society to take the initiative and responsibility to control the spread. Although the measures became stricter later, it is important to note the differences in the initial responses to COVID-19 because this is reflective of the flexibility of each jurisdiction’s legislation, as will be subsequently discussed in relation to COVID-19 apps.
Intriguingly, both South Korea and the Netherlands are civil law jurisdictions; with South Korea’s data privacy laws being compared to the GDPR. However, each jurisdiction has taken a different approach responding to COVID-19, which is apparent in their data privacy laws and subsequently the process of developing COVID-19 apps.
The Netherlands’ Privacy Law
In contrast to South Korea, which follows their own data privacy laws, the Netherlands’ data privacy law is based on the GDPR. EU regulations have direct effect across all EU Member States, ergo requiring each jurisdiction to comply with the regulation. Based on Article 93 Dutch Civil Code, the Netherlands are a monist country meaning International law becomes part of their domestic legal order, hence it is directly applicable in the same manner domestic law would be. The Netherlands’ privacy law must first be discussed prior to elaborating on its effect on development of COVID-19 apps.
Article 1 GDPR states the objectives of the regulation, including protection of natural persons with regard to processing of personal data and rules relating to the free movement of personal data and protects fundamental rights and freedoms of natural persons, specifically their right to the protection of personal data. Article 4(1) GDPR defines personal data as any information relating to an identified or identifiable natural person. It further defines an identifiable natural person as one who can either directly or indirectly be identified through identifiers such as a name or location data. Article 4 GDPR’s definition of personal data is comparable to Article 2(1) of South Korea’s PIPA’s definition of personal information.
Comparably to South Korea’s PIPA, Article 6(1a) GDPR states that processing is only lawful if the data subject has given consent to the processing of his or her data. Furthermore, processing is also lawful if it is necessary for the performance of a task carried out in the public interest, in accordance with article 6(1e) GDPR. Additionally, Article 9(1) GDPR prohibits processing of personal data concerning health. Only exceptions to this are provided for in Article 9(2), subsection 1 specifies that paragraph 1 does not apply if the data subject has given explicit consent to the processing of those personal data.
Article 17 GDPR provides for the right to erasure or right to be forgotten, comparable to South Korea KCDC’s guidelines to delete data 14 days after final contact. The data subject has the right of erasure of personal data concerning them without undue delay. Therefore, in both jurisdictions a similar protection of the data subject is provided regarding storing of data.
The conditions for consent are laid down in Article 7 GDPR, specifically that it must be “freely given, specific, informed and unambiguous.” The request for consent must also be “clearly distinguishable from other matters” and presented in “clear and plain language.”
In summary, the Netherlands’ privacy laws share similarities to South Korea on the surface however, differences arise regarding the flexibility, which will be discussed in the following sections.
Tracking and Tracing in the Netherlands
Pursuant to Article 21 GDPR, the data subject has the right to object at any time to the processing of personal data that concerns them, based on Article 6(1e). This provision highlights a contrast between the Netherlands and South Korea. South Korea allows for overriding of the consent requirement with regards to collection of personal data and lacks the right to refuse profiling, whereas, in the Netherlands, in accordance with the GDPR, without the consent of the data subject, collection of personal data is not possible. As a result, this emphasizes the requirement for user anonymity within the COVID app in the Netherlands.
Article 68(1) GDPR establishes the European Data Protection Board (“EDPB”) as a body of the EU with a legal personality. The EDPB released a statement regarding processing e-communication data, stating that (location) tracking is only allowed if it is anonymous or conducted with consent of the subject. Therefore, anonymity is a crucial requirement. As a result, all COVID-19 app prototypes presented to the Dutch government had to meet anonymity requirements. However, in April 2020, the State Attorney conducted a privacy analysis on seven prototypes of COVID-19 apps which he concluded did not guarantee complete anonymity and were thus rejected. This problem continued into August when the Dutch privacy watchdog; Autorteit Persoonsgegevens, stated that the privacy of users of the COVID-19 app was still not sufficiently guaranteed. Here, the Netherlands’ contrast with South Korea is evident. South Korea’s laws allowed for overriding of data privacy laws in case of a health emergency, whereas the Netherland’s, as an EU Member State, is obliged to adhere to the GDPR hence, restricting its ability to create such apps at a faster rate.
Prior to the development of the current COVID-19 app, if a person tested positive the Municipal Health Service (GGD) would contact them and question who the person has been in contact with. A list of contacts will be made including, household members, close contacts, and contacts who were in the same space as the infected person. Although this method still allowed for contacts to be identified and tested, it still left room for error. It was highly dependent on the patient’s memory and according to psychological studies of Bartlett et al. 1932, a person’s memory is never completely reliable and can be prone to reconstruction. Therefore, the establishment of the Bluetooth based contact tracing app will allow for a more efficient method to identify and alert close contacts of positive cases, without risking interference with data privacy.
Presently, The Netherlands’ COVID app, “CoronaMelder”, is available for download and can be installed voluntarily. CoronaMelder is an app which will alert a user if they have been in close proximity, for more than 15 minutes, to someone who has tested PCR-positive. The tracing app uses Bluetooth and detects how close someone is based on how strong the Bluetooth signal is. No location data is used by the app hence, ensuring location data privacy of the user. Similar to South Korea’s COVID app, CoronaMelder exchanges random codes with other phones and therefore, does not exchange any personal or location information of the user. Consequently, the current app ensures complete anonymity of the user thus, maintaining the privacy and ultimately not requiring any form of consent as no personal data is obtained. Subsequently, there is complete adherence to the GDPR by the Netherlands.
An important contrast to be noted is the fact that the tracing app in the Netherlands uses Bluetooth to inform those who have been in contact with patients whereas in South Korea the app uses location data. Although it is anonymized in both countries when informing the contacts, in South Korea authorities can easily access a person’s location data, whereas in the Netherlands it is merely based on Bluetooth signals, hence providing more extensive protection of privacy and anonymity. Therefore, although South Korea developed the COVID-19 app at a faster pace, the Netherlands was able to ensure more protection of data privacy.
Moreover, regarding the pace of development of a tracing app, South Korean legislation reduces limitations provided by privacy laws which allowed the authorities to provide a tracing app to their citizens seven months earlier than the Netherlands. An example of such legislation in South Korea is the aforementioned Article 34-2 IDPCA, stating that the Minister of Health and Welfare must disclose various items of information required for preventing the spread of the infectious disease, including information regarding contacts of patients. On the other hand, the Netherlands has no such law as it must adhere to the laws of the EU which require consent, and if not acquired, anonymity must be ensured regarding processing and sharing of personal data. Therefore, the fact that South Korea is able to override their data privacy laws whilst the Netherlands must adhere to the GDPR even during a health emergency, allowed for South Korea to have a simpler process of implementing a tracing app, in comparison to the Netherlands who had to ensure absolute anonymity of patients and their contacts before such an app could be created.
These differences may exist as a result of different priorities between the jurisdictions. In South Korea, the MERS outbreak resulted in the authorities prioritizing public health over privacy in order to ensure the control of the spread of an infectious disease, as reflected in their amendments to allow overriding of privacy law. Conversely, the Netherlands seems to prioritize personal privacy which may be a result of the dangers that come with the Information Age or it may be due to the country not experiencing an infectious disease in its recent years to the extent that South Korea did. This is reflected in the difference between the extent of data privacy protection in each country regarding the app, as South Korea uses location data whilst the Netherlands uses Bluetooth data. Hence, the Netherlands offers more data privacy protection, at the loss of having the app produced almost seven months later than South Korea’s.
The WHO’s director-general has stated the positive impact which tracing apps have by allowing efficient contact tracing which is one of the “backbone[s] of the [COVID-19] response”. Therefore, the attempt to balance public health and data privacy may cause hindrance to the COVID-19 response and ultimately tip such a balance to favor data privacy. Consequently, the question that has arisen to legal systems across the world, as a result of the SARS-CoV-2 pandemic, is what must be prioritized and whether in the future new approaches must be taken regarding data privacy. Countries which have had worst conditions may choose to shift their focus from a balance between public health and data privacy to prioritizing public health whilst other may attempt to maintain the balance, which ultimately prioritizes data privacy.
In summary, South Korea and the Netherlands share some similarities in their legislation regarding data privacy – including the applicable privacy laws of both countries emphasizing the importance of consent before access to data is granted, as portrayed in Article 15(1)1 PIPA and in Article 6(1a) GDPR, respectively. However, a significant difference still exists regarding the possibility of revoking previously given consent. The Netherlands allows for data subjects to object to the processing of personal data concerning him or her personally at any point. Whereas in South Korea, there is no comparable provision in any of the relevant data privacy legislation. Consequently, the relevant authorities in South Korea are able to continuously process individuals’ data once initial consent has been provided, unlike in the Netherlands where authorities must take into account revocation of consent. Hence, the processing of data in South Korea can be facilitated by the authorities at a faster pace, as no issues may potentially arise from revocation of consent. Therefore, even in its similarities, differences arise in each jurisdiction, ultimately affecting the pace of COVID-19 app development.
To conclude, the abovementioned differences between South Korea and the Netherlands in this article are: revocation of consent, the flexibility of privacy laws, and the impact this had on the development of the apps. The most significant difference is the flexibility of privacy laws, meaning, South Korea did not have to adhere to as many limitations in the grey area where public health and privacy intersect. This allowed the South Korean authorities to develop and implement a tracing app during the early stages of the spread of the disease. The Netherlands on the other hand are required to adhere to the data privacy laws provided by the EU and consequently had to develop several prototypes before the final app could ensure complete compliance with legal requirements. Therefore, the differences between each jurisdiction resulted in track and trace apps for COVID-19 to be developed at a considerably different pace.
*Sahel Bahman is a Researcher at IntellecTech Law and a second year European Law student at Maastricht University in the Netherlands. She is currently studying four jurisdictions namely; French, German, Dutch, and English whilst also taking a holistic perspective by looking at European Union law. Sahel has a keen interest in data protection and IP law and hopes to pursue a career in this field of law.
 The Government of the Netherlands, New measures to stop spread of coronavirus in the Netherlands, Government of the Netherlands, 12 March 2020. https://www.government.nl/latest/news/2020/03/12/new-measures-to-stop-spread-of-coronavirus-in-the-netherlands, last accessed 15 March 2021
 Chris H. Kang, Sun Hee Kim and Doil Son, South Korea: Korea Introduces Major Amendments to Data Privacy Laws, mondaq, 02 March 2020. https://www.mondaq.com/privacy-protection/898830/korea-introduces-major-amendments-to-data-privacy-laws, last accessed 15 Marc 2021
 Consolidate version of the Treaty on the Functioning of the European Union, 2016, OJ 202, Article 288
 Gerrit-Jan Zwenne and Marte van Graafeiland, Openbare samenvatting privacyanalyses bron- en contactonderzoekapps, Pels Rijcken, 19 April 2020. https://www.rijksoverheid.nl/onderwerpen/coronavirus-app/documenten/publicaties/2020/04/19/samenvatting-privacy-analyse-contactonderzoeksapps, last accessed March 15 2021
 Autoriteit Persoonsgegevens, DPA: Privacy of coronavirus app users not yet sufficiently guaranteed, Autoriteit Persoonsgegevens, 17 August 2020. https://autoriteitpersoonsgegevens.nl/en/news/dpa-privacy-coronavirus-app-users-not-yet-sufficiently-guaranteed, last accessed March 15 2021
 Government of Netherlands, Factsheet: Coronavirus: How Does Contact Tracing Work?, 18 August 2020
 Bartlett, F. C. (1932). Remembering: A study in experimental and social psychology. Cambridge, UK: Cambridge University Press, p 203 & 213.
 History.com Editors, Pandemics That Changed History, History.com, 1 April 2020. https://www.history.com/topics/middle-ages/pandemics-timeline, last accessed 15 March 2021
 Alfred Ng, Coronavirus pandemic changes how your privacy is protected, Cnet, 21 March 2020. https://www.cnet.com/health/coronavirus-pandemic-changes-how-your-privacy-is-protected/, last accessed 15 March 2021