Privacy vs. Pandemic Control in South Korea
The Republic of Korea (South Korea or ROK) had been tracking the spread of the novel coronavirus in a manner sensitive to the privacy of its citizens, but the government has now admitted that personally identifiable data is crucial to its efforts and may be kept for the long term.
South Korea has been lauded for its ability to avoid locking down the country but has instead relied on voluntary social distancing measures an aggressive tracking and tracing system to combat the virus. Since January 20, 2020, about 280 South Koreans have died from COVID-19 from 12,000 recorded infections. There are currently around 1,277 active cases in the country.
This aggressive tracking and tracing system was built for South Korea five years ago to beat back the spread of Middle Eastern Respiratory Syndrome (“MERS”). This tracking involves government access to cellphone data and credit card histories. The ROK government has a comprehensive data protection and privacy law in place, the Personal Information Protection Act (“PIPA”), which requires data to be deleted after being utilized for the purposes collected. Recently though the government of South Korea has admitted that it is permanently keeping data on patients from a previous virus epidemic.
The mobile application South Korea is using monitors and tracks the location of all visitors to the country, as well. Individuals, including tourists, wear a location-tracking bracelet which is referred to as “smart city tech.” The smart city tech platform shares information between cities on various things including traffic and pollution to find vulnerabilities and congestion, which makes it easier to identify hot spots for COVID-19.
This state-managed platform provides incredibly detailed personal data on an individual’s activities including their location and time spent on the location, public cameras, and credit card activity. As mentioned earlier, South Korea’s tracking and tracing efforts include monitoring of tourists. They have installed measures at Seoul’s Incheon International Airport to test anyone who arrives with symptoms. Even individuals who do not present symptoms are scheduled to be tested within three days of arrival. Individuals who come from abroad, regardless of nationality, must self-isolate for two weeks. South Korean officials claim that they are maintaining the principles of PIPA while fighting the pandemic because the location data, CCTV recording and credit card transaction can only be further traced if those health officials deem it necessary.
History provides some clarity on how flexible this discretion is. When the MERS outbreak ended, the government of South Korea determined that the public’s demand for follow-up measures to address any complications or patients’ health issues paved the way for the retention of the MERS tracing data permanently.
In recent weeks, the Korea Herald has reported an alternative to the existing system. The Prevention System for Pandemic Disease Infection proposes the use of GPS systems, wireless local area network, Bluetooth, barometer and accelerometer built into most modern smartphones to follow the movement of individuals. This data would only be held in “signal form”, without any place names, and access limited to the necessary health authorities who need this information to reduce the spread of COVID-19.
COVID-19 continues to spread throughout the world, and South Korea has mitigated well compared to many countries. We have discussed the return of balance and proportionality in privacy but the permanent retention of CCTV information, and location data by the government may be a weight that cannot be offset with privacy forward initiatives.a