Striking a Balance between Data Privacy and Public Health Safety
A South Korean Perspective
June Park looks at the debate on the collection, processing, and control of data during the Covid-19 pandemic and draws on South Korea’s experience with these issues to consider how democracies might find the right balance between data privacy and public health safety.
The Covid-19 pandemic has sparked a fierce debate on the collection, processing, and control of data. In the absence of a global standard on how to manage data, countries around the world have exhibited different approaches to deploying data in pandemic governance, particularly in the testing and tracking of Covid-19 and surveillance mechanisms for monitoring quarantines. As the pandemic accelerated the contactless mode of life, expanding the digital realm of the global economy with an unprecedented speed, the virus has inadvertently unleashed new methods of surveillance.
Central to the policy debate is the collection and processing of data for combating the pandemic. Countries have exhibited stark differences in their preferred approaches to data governance. Some have deployed data with clear policy goals, while others have declined to do so or are still undecided. Several factors influence a country’s approach to deploying data for battling Covid-19. Laws on controlling infectious diseases and implementing personal data protection that vary by jurisdiction have led to different policy choices and outcomes. Technical capabilities and existing infrastructure in network connectivity play a critical role as well. The pandemic has compelled governments to choose a policy path on data deployment, whether or not they are equipped with the required technology.
As the pandemic lingers on amid vaccination efforts, how data should be used by governments in a public health crisis will remain under debate. There is still no global consensus on this issue, and there may never be. Countries are thus on their own to determine their data governance policies.
In the case of South Korea, prior experience with infectious diseases established a precedent for mandating conditional data collection under the revised Infectious Disease Control and Prevention Act (IDCPA). In contrast to the demand for freedom from interference in the United States and Europe, South Korea has manifested a public willingness to surrender partial data for freedom from the threat of the virus. At the same time, the country still engages in constant debates over data privacy and public health safety through the handling of individual claims for data protection under the Personal Information Protection Act. This essay examines these issues further to shed light on the comparative dimensions of data governance among democracies.
HIGH-TECH AND DIGITAL METHODS DEPLOYED IN SOUTH KOREA’S PANDEMIC GOVERNANCE
In South Korea, digitalization has rapidly transformed the way of life over the past few decades. The country’s digital prowess during the pandemic has been evidenced by augmented exports of its semiconductors and solid-state drives and continued expansion of 5G network infrastructure led by Samsung. South Korea has relied on the core technologies developed through such efforts to better manage pandemic governance. Its smart cities digital hub—a system developed based on state-of-the-art tools for efficient management of transportation, water, energy, and other networks—has been used as a platform for the Covid-19 Smart Management System (SMS), which traces and detects virus clusters using rapid and nationwide RT-PCR testing. The kits were developed with the help of artificial intelligence (AI) by South Korean biogenetic firms even before the detection of patient zero in South Korea and are now mass-produced in smart factories for export. The development of AI tools for measuring Covid-19 infection risk is also underway.
Inevitably, the deployment of AI enabled South Korea to respond efficiently and early to Covid-19. But none of these efforts could have taken place without the technological leap and the institutional backing for conditional data collection under the IDCPA, which was revised following the outbreak of Middle East Respiratory Syndrome (MERS) in 2015.
CONDITIONAL DATA COLLECTION UNDER THE IDCPA
Article 76-2 (1) of the revised IDCPA is one of the key policy tools behind South Korea’s efficient pandemic governance. It mandates the Ministry of Health and Welfare to collect data regarding the spread of infectious diseases in a declared public health emergency. South Korea’s method comprises tracing, testing, treatment, isolation, and rigorous disinfection. This approach would not have been feasible without the conditional collection of data, supported by a high rate of mobile penetration and credit card use among the South Korean public and complemented with high-speed network connectivity infrastructure.
In contrast to several European countries and half of all U.S. states, which have used decentralized apps, the SMS developed by South Korea’s Ministry of Land, Infrastructure and Transportation is a centralized system built on the existing smart cities digital hub that is applicable nationwide under the IDCPA. Since its launch in March 2020, SMS has enabled conditional collection of data, which occurs upon the discovery of an infection case at a testing site, for subsequent epidemiological survey in a matter of ten minutes on average per case. Data collection in the SMS uses GPS data and credit card information to track the virus, as well as closed-circuit television footage if required to verify patient reactions to determine the origin of the infection. All this occurs under the IDCPA.
While this process may seem draconian for free societies, it is worth noting the advanced security of the SMS. Access to the system is given to a minimum number of epidemiological investigators at the Korea Disease Control and Prevention Agency (KDCA), which serves as the data controller. Operations are within an intranet that denies access to any other government agency (even the Ministry of Land, Infrastructure and Transportation, which handed over the data controller authority to KDCA when the system was launched). The system stands behind a double firewall to prevent hacking, deploys the highest levels of network security for logging in, and keeps record of all activity within the system.
During the 2015 MERS outbreak, only the Korea Centers for Disease Control (now the KDCA) held the authority to give tests, and hospitals were far from transparent about infections. MERS was a shocking experience for South Korea, resulting in 186 cases and 38 deaths—the highest number anywhere outside the Middle East. This experience served as the cornerstone of IDCPA revisions to mandate conditional data collection. Although Severe Acute Respiratory Syndrome (SARS) had affected South Korea in 2002, there were no casualties. MERS was the critical juncture for South Korea. Thereafter, people were more willing to relinquish their civil liberties in part, conditionally, if they could avoid being bogged down by the invisible threat from a future virus. The notion here is that a universal danger is a threat to freedom and that a risk management system must protect the individual from being exposed to that danger.
DATA PRIVACY UNDER THE PERSONAL INFORMATION PROTECTION ACT
As personal data is protected under the General Data Protection Regulation of the European Union, South Korea also protects personal data under the Personal Information Protection Act. South Koreans take personal data very seriously, but in the case of a public health emergency, they subscribe to the health officials’ guidelines under the IDCPA. These require conditional surrender of personal data, to be deleted after fourteen days.
Nonetheless, South Korea has not been without concerns over personal data protection. One of the most controversial cases was an infection cluster around gay clubs and bars in Itaewon in June 2020. Gossip on social media and word of mouth were the main sources of personal data leakage, prompting calls for greater protection of individual rights. At the time, the Seoul government offered anonymous Covid-19 testing for the LGBTQ community. Such testing was instrumental in controlling the virus. Other criticism has circulated online, and the Personal Data Protection Commission has received an influx of petitions regarding personal data protection during the pandemic. Despite such concerns, however, the majority of South Koreans remain willing to consent to conditional surrender of personal data for public health efforts so long as it remains anonymous.
There was an understanding in Europe earlier on in the pandemic that due to the speed of infection, electronic tracing would be required to fight the spread of Covid-19. Because the General Data Protection Regulation is very stringent in protecting the personal data of EU citizens, most member states and the United Kingdom opted for apps that operate in a decentralized mode. The one exception was France, which adopted a centralized database for its app that was compliant with the General Data Protection Regulation. Nevertheless, the French-developed TousAntiCovid app did not garner much public support due to frequent systematic failures and the lack of a critical mass of users. The lackluster performance of the tracking apps that countries first adopted in 2020 raises serious questions about their efficacy. Recent surges of new infections in Europe amid vaccine rollouts call into question the functionality of decentralized tracking tools based primarily on voluntary participation in order to ensure data privacy.
More importantly, the continued series of lockdowns in Europe prompts questions about what civil liberties truly are, and whether confining citizens to their residences rather than deploying conditional data collection methods better ensures civil liberties. Conditional data collection could enable greater individual mobility and economic activity as vaccines are rolled out. In a broader context, the same question may be asked about mandatory mask-wearing or quarantine guidelines, as well as vaccination passports in the future to ensure safer domestic and international travel.
FINDING THE RIGHT BALANCE BETWEEN DIGITAL PRIVACY AND PUBLIC HEALTH SAFETY
For democracies, finding the right balance between the use of technology for public health and data privacy will be a priority to prepare for future pandemics. Such efforts may also contribute to ending the current pandemic by enabling more efficient vaccine rollouts and tracking virus mutations. Yet there are concerns that data collection could be routinely justified in emergency situations, or possibly never reversed after the pandemic and instead exploited for surveillance to build new technological systems of social control. In autocracies where laws and regulations to protect personal data are nonexistent, data collection would not be under conditional provisions but rather would be compulsory. The widespread concern is that when data collection is conducted in a systematic method, it could tempt governments to tighten their grip on power and control over private lives even in democracies.
As the pandemic continues and contactless interactions become commonplace, the world is likely to gravitate toward further digitalization. In order to limit the influence of the digital environment, free societies must harness the system by improving digital literacy and adopting secure mechanisms (e.g., blockchains). Policymaking and regulation tend to lag behind technology, and individuals must be prepared for the change. For Europe, the Covid-19 pandemic could be the critical juncture for finding such a balance between data privacy and public health safety. Efforts similar to those that followed MERS in South Korea are now being considered. At the July 2020 meeting of the Council of the European Union, comments from EU members were collected on options for revising Article 6b of the General Data Protection Regulation. A social consensus on the acceptable level of conditional data collection for public health safety and the appropriate methods for collection must be addressed head on in preparation for the next pandemic.
South Korea, for its part, is still on the path to finding the right balance between machine-enabled and data-protected ways of life. This is an essential task, as it has become increasingly clear over time that the country is not going back to a non–data driven way of life. In medicine, this is evidenced by pilot programs at major hospitals for the collection of medical data upon consent to identify genomes that cause rare diseases. Societies will need to adopt specific regulations and revisions of existing laws to strike the right balance between such data collection and personal freedom as new technologies are adopted.
In addition to punitive measures against hacking, preventive measures against the collection of data leading to negative human influence on AI systems in the machine learning process are also needed, as evidenced by the shutdown of South Korea’s AI chatbot Iruda due to the use of hate speech in the system’s learning process. Progress toward the anonymization of personal data is seen as a positive step to defend personal freedom in the data-driven world under Covid-19. One recent measure in South Korea that other democracies might consider is the use of anonymized personal codes to replace QR check-ins at public venues for entry.
June Park is an East Asia Voices Initiative (EAVI) Fellow with the East Asia National Resource Center in the Elliott School of International Affairs at the George Washington University. The views expressed are those of the author.
 Sanghoon Lee, “COVID-19 Smart Management System (SMS) in Korea,” Ministry of Land, Infrastructure and Transportation (South Korea), April 22, 2020, https://events.development.asia/system/files/materials/2020/04/202004-covid-19-smart-management-system-sms-republic-korea.pdf.
 Justin McCurry, “South Korean AI Chatbot Pulled from Facebook after Hate Speech towards Minorities,” Guardian, January 13, 2021, https://www.theguardian.com/world/2021/jan/14/time-to-properly-socialise-hate-speech-ai-chatbot-pulled-from-facebook.