Pervasive Personal Data Collection at the Heart of South Korea’s COVID-19 Success May Not Translate

South Korea’s COVID-19 pandemic response has been widely viewed across the globe as an example to study. While widespread testing has been consistently mentioned as a best practice to emulate, less has been said about how crucial the ability to harvest and disclose vast amounts of personally identifiable data was to the South Korean government’s success story.

The Personal Information Protection Act (PIPA) in South Korea imposes strict compliance requirements on entities that collect any information that could be used to identify a specific person. Individuals also have the right to be forgotten, among other data ownership rights.

While organizations in both the private and public sectors are required to comply with the PIPA, government agencies that require personal data for public interest purposes can collect and use data without the need to obtain consent. Indeed, the South Korean government has ridden on this exception to bring a raging outbreak to heel in a matter of weeks. The ability to collect, process and widely disclose personal data has enabled health authorities to conduct contact-tracing with military precision.

Upon the discovery of a confirmed case of COVID-19 in South Korea, health authorities conduct an epidemiological survey to determine the point of infection and possible close contacts. This process begins with an interview and is enriched using credit card transaction data, mobile phone tracking, and CCTV, which can be provided by private business owners and employers. The result is a detailed hour-by-hour reconstruction of the individual’s whereabouts in the days leading up to the confirmation of infection. In some instances, data processors can even determine whether the person in question was wearing a mask at specific times inside certain venues, suggesting that business owners and employers disclose personally identifiable images to the government.

Close contacts identified in the epidemiological survey are then contacted and, if necessary, tested and quarantined. The government also uses the location data to deploy teams to disinfect locations where a confirmed case has been, such as offices and even private residences.

All of this is done within a matter of hours. Moreover, this data is disclosed to the public via alerts that are sent to smartphones in every district in which a confirmed case has traveled. Individual districts also maintain websites where these alerts are archived and available for public viewing indefinitely. The age, gender, and ethnicity of a confirmed case, as well as the district where he or she resides and works, is also included in these public notifications. As a result, it is probable that these individuals can be identified by members of their community.

Publicly disclosing these details has helped South Korea maintain calm and avoid imposing lockdowns which have further crippled other countries. Privacy concerns have been raised, particularly where individuals have been subject to harassment; however, public perception of the government’s response measures in this fully democratic country have generally been positive.

Governments seeking to replicate the approach that South Korea has deployed could be frustrated by personal data protection laws, particularly for jurisdictions subject to the General Data Protection Regulation (GDPR) which mandates enhanced data protection requirements for health data. Data subjects are afforded strong protections and data ownership rights under the regime, including the right to object to data processing in some cases.

Exemptions for epidemic response and public health do exist under the GDPR but they may not extend to the extensive data collection that is necessary to conduct the type of contact-tracing that South Korea is doing. Indeed, European regulators have sought to restrict the collection, sharing, and use of personal health data in recent days. The Italian government’s data protection authority (the Garante) has mandated that the collection of data related to COVID-19 can only be carried out by public health authorities. Employers in Italy were also warned that they cannot require employees to disclose whether they are experiencing symptoms of COVID-19. Similarly, the Information Commissioner’s Office in the United Kingdom has cautioned businesses not to disclose “more information than necessary” regarding employees who may have contracted COVID-19.

As such, the ability of employers and governments to gather data for contract-tracing may be limited.

Some businesses in the private sector are endeavoring to collect much needed COVID-19 health data in a manner that complies with privacy laws. A startup called Zoe, in partnership with King’s College Hospital in London, recently released a COVID-19 symptom-tracking app which asks users to voluntarily disclose health data. The primary purpose of the app is to gather information that could be useful for policy responses.

In contrast, jurisdictions that have made exemptions to data privacy laws to enable local health authorities to conduct aggressive contract-tracing have been comparatively more successful in their pandemic responses. Apart from South Korea, Singapore, Taiwan, and Hong Kong have collected and shared personally identifiable information of confirmed cases. Much of this data has been crucial in aiding policy responses to emerging risks such as spikes in COVID-19 cases from inbound travelers.

The tactics used in Taiwan, which is also a democracy, have generally been well-received, but the discretion of the state’s use of personal data has been questioned. In the unitary city-state of Singapore, concerns have been raised over whether health data could be used for other purposes, such as the enforcement of the Protection of Online Falsehoods and Manipulations Act (POFMA).

The COVID-19 pandemic could spark regulatory change and a shift in public perception on a range of topics, including data privacy issues. However, it remains to be seen whether governments that have temporarily given themselves sweeping power to collect data will be able to hang on to that discretion, as well as whether countries lacking such authority will seek it in the aftermath of this pandemic.

For more on how the COVID-19 pandemic may impact personal data privacy, view this video from the Thomson Reuters Foundation Newsroom.