The Pandemic’s Personal Data Epiphany: A Comparative Overview on South Korea and Indonesia

by Michelle Natashia & Claudia Inggrid

South Korea was one of the hardest-hit countries by the COVID-19 global pandemic. The Korea Centers for Disease Control and Prevention (“KCDC”) has already confirmed 6.284 cases in the Land of the Morning Calm approximately two months after the first identified outbreak.[1] The government of South Korea authorized the launch of Corona 100m (Co100), an application that collects information about the health, location, and movements of the user. In order to gather data, the government used different types of information. Although tracking relies mostly upon the GPS system, they accessed credit and debit card transactions, phone location logs, and surveillance cameras to capture movements.[2]

The collection of data has made it possible for the government to monitor movements and whereabouts of COVID-19 positive people before and after the test result comes out.[3] The results are used to alert and notify people who have been around the patient recently or where the ‘infection locations’ are. The application may also inform the authorities of whether an individual ordered to self-quarantine has sneaked out.[4] The government had made this information available via text alerts to people’s phones and public websites. Up until now, the electronic surveillance method has eased South Korea in suppressing the COVID-19 spread without the need to enact a lockdown policy. The country has become an example by combining ‘3T: Test, Treat, Track’ strategy with its utilization of technology.

Following South Korea’s steps, in March 2020, the Indonesian Communications and Information Ministry along with the State Owned Enterprises Ministry rolled out the “PeduliLindungi” application. Aiming to avail contact-tracing efforts for tracking down cases and suspected patients, this application requires a GPS and Bluetooth connection. This application records the identity of the device or phone number to detect the user’s whereabouts. It also enables an anonymous exchange of identities when a user is in the surroundings of another user whose data has been uploaded to “PeduliLindungi”. Furthermore, it will alert users when they enter an area with close proximity to confirmed or suspected cases under surveillance.[5]

The following part of this writing scrutinizes the differences between data protection arrangements which underlie the use of tracing applications in South Korea and Indonesia. Noting the fact that these tracking applications retain users’ data for quite some time, authors see that these applications shoulder a notable privacy risk. The first two confirmed COVID-19 cases in Indonesia show how the breaching of privacy had left patients stigmatized by the community. After President Joko Widodo announced the age, residence, and source of infection of the first two COVID-19 positive people in Indonesia, news broke and personal details of the two patients spread on WhatsApp groups and social media with unclear origins. Case 1 (31 y.o. woman) and case 2 (64 y.o woman) said that media coverage on this matter struck a greater toll than the disease itself.[6] This violation of privacy can potentially undermine the government’s effort to abate this pandemic for fear of being publicly harassed. Entailing political, economic, and social changes, the decades-long evolution of privacy must be preserved.[7]

South Korea

The main legal basis of South Korea’s surveillance operation to battle COVID-19 is regulated under Article 34–2 of the Infectious Disease Control and Prevention Act. This provision allows the Korean government officials to disclose citizens’ information to prevent the spread of infectious disease. Pursuant to Article 34–2, the types of information to be disclosed are movement paths, transportation means, medical treatment institutions, and contacts of patients of the infectious disease.

Evidently, South Korea’s current Personal Information Protection Act (“PIPA”) is considered as one of the world’s strictest privacy regimes.[8] For instance, PIPA regulates that public institutions shall establish and disclose a privacy policy toward personal information which consists of eight different rigorous matters required by the law. Public institutions shall mention the purpose and period of processing personal information, the rights and obligations of data subjects, the name of the department in charge, and a few more requirements stated in Article 30 PIPA. In addition to that, the penal provisions under the law are designated with a considerable degree of detail. In an event of negligence or where personal information has been breached, the guilty person may face up to 10 years of imprisonment with prison labor or a fine of up to 100 million won.[9]

Even though PIPA was enacted in 2011, it has been continuously amended throughout the years. In August 2020, the Korean National Assembly passed the amendment of PIPA. These changes will improve a few principles of personal information protection and some are in compliance with the data retention measures carried out by the South Korean governments due to the outbreak of the Novel Coronavirus. The amendment is tranquilizing the concept of consent that has been strictly upheld by PIPA. This relaxation is related to the newly introduced notion of PIPA, pseudonymized information.

Pseudonymized information is a type of information in which the individual’s name is changed to another unique identifier.[10] This kind of data may no longer be used to identify a specific individual without using additional information to restore it in its original state. The usage of pseudonymous data is considered to be beneficial to the advancement of COVID-19 tracking applications as it preserves more of the user’s privacy. There aren’t any names or addresses given, yet some still manage to connect the dots and identify people. For example, two patients are facing judgement from the public who decided that they are having an affair by associating the information’s similarities. It also caused financial loss to the business owner since the identity of stores is specifically mentioned by the information shared.[11]

Without the consent of the data subject, the amended PIPA allows data handlers to process pseudonymized information for several purposes, such as statistical compiling, scientific research, and record preservation for the public interest. The new law encourages authorities to collect personal information by using pseudonymized personal information if it is possible to do so.[12] For all that, it should be drawn into attention that the provisions regarding the destruction, deletion, and amendment of personal information do not apply to pseudonymised information.[13]

Indonesia

The exercise of this electronic tracking measures mandated by the Minister of Communication and Information Decree Number 171 of 2020 as amended by Minister of Communication and Information Decree Number 253 of 2020 (“MOCI 171/2020”) is indeed in line with Article 6 Indonesian Law of Infectious Disease Outbreak. The launch of the “PeduliLindungi” application actively involves the community to abate the spread of this pandemic. It is further regulated by the government’s COVID-19 task force that those intending to go on domestic or international trips must have the government-made application installed and activated on their mobile phones.[14] The official website of “PeduliLindungi” also claims that the application is safe as user data is encrypted and will only be accessed if they are deemed to be at risk of infection.[15]

Despite the fact that the technology is rather useful, privacy and security risk of personal data still arises. MOCI 171/2020 only stated that the implementation of this application is subject to the prevailing laws and regulations, without regulating further on its own provisions. Nonetheless, Indonesia still lacks data protection regulation and the ones available do not provide a comprehensive set of provisions for data protection. At the time of this writing, there are no further provisions regulating “PeduliLindungi”, notably restrictions limiting what data will be collected once you activate the application in order to track your whereabouts.

Constitutionally, the state is bound to protect the privacy and data of the population. Article 28G paragraph (1) of the 1945 Constitution of the Republic of Indonesia reads, “Every person has the right to protect themselves, family, honor, dignity, and property under his authority, and is entitled to a sense of security and protection from the threat of fear to do or not do something that is a human right.” It is true that data protection arrangements are scattered in numerous laws in Indonesia. Nevertheless, provision on the protection of personal data can be found in Law №11 of 2008 as amended by Law №19 of 2016 regarding Information and Electronic Transaction (“Electronic and Information Transaction Law”) and Government Regulation №71 of 2019 regarding the Implementation of Electronic Systems and Transactions (“GR 71/2019”). Adding to that, MOCI had also issued MOCI Regulation №20 of 2016 regarding the Protection of Personal Data in Electronic Systems (“MOCI 20/2016”). Collectively, these three form the personal data protection regulations in Indonesia.

With the fact that “PeduliLindungi” conducts an anonymous exchange of identities, it is clear that Indonesia has recognized the concept of pseudonymized data. Admitting the existing data protection regulations do not arrange a provision about pseudonymized data, its mechanism will be regulated on the upcoming Personal Data Protection Bill expected to be passed by the parliament. Regardless, the use of pseudonymized data in Indonesia remains rigid. Article 9 MOCI 20/2016 along with Article 14 paragraph 3 GR 71/2019 implies that users’ consent must be collected before Electronic System Providers could proceed to process any data despite being used for public interest, such as public health.

In downloading “PeduliLindungi” at both the Appstore and Google Play, users need to fill a consent form written in Bahasa Indonesia.[16] In regards to this, Article 14 paragraph 1 letter (g) GR 71/2019 also stated that processing of personal data needs to be done by notifying the purpose of collection, processing activities, and possibility of failure to protect personal data. These demonstrate that the notification of privacy policies are compulsory before users decide to share their personal information to avoid ‘misinformed’ decision-making and unintended consequences experienced by the user.

Final Disclosure

Based on the comparison between data protection regulation in South Korea and Indonesia, we see that compliance of the app towards the law differs especially in the arrangement of privacy policy, pseudonymized data, and rigidness of users’ consent. The aforementioned tendency on using pseudonymized data shows that both countries are aware of the importance of privacy rights. Although pseudonymised data has been practiced on both countries’ COVID-19 tracking applications, Indonesia still awaits legislative approval of the bill whereas South Korea has passed the amendment since August 2020. It is important to keep in mind that pseudonymized data must be treated as a type of personal data, hence the government may require the user not to re-identify the data for ensuring comprehensive data protection. To give an example, the U.S. Healthcare Cost and Utilization Project obliges data users to sign an agreement that expressly prohibits any attempt to identify individuals.[17]

Privacy is a fundamental human right that should be assessed in light of all human rights. Therefore, it should be evaluated also in the essence of the right of life and health. One right should not detract from the importance and protection of another right.[18] In the midst of this pandemic, we are held accountable not only for ourselves, but also for others. As responsibility arises, the more likely it is that transparency trumps privacy interest. The protection of privacy is derogable. Interference is allowed if it is done on the basis of the law. As stated in the International Covenant on Civil and Political Rights General Comment No.16 concerning the Right to Privacy, specific and detailed regulations in determining circumstances where interference may be permitted are compulsory as a key to ensure the confidentiality of data. However, people in Indonesia still doubt the confidentiality of their data. The escalation of technology will promote data analysis to generate massive potential in providing more public benefits. On that account, the maintenance of personal information shall perpetually be followed with legal and ethical considerations.

REFERENCES

[1] S. Eun et al., ‘Transmission Potential and Severity of COVID-19 in South Korea’, International Journal of Infectious Disease, vol. 93, 2020, p. 339.

[2] CJ. Rory, ‘Tech Tent: Can we learn about coronavirus-tracing from South Korea?’, BBC, 15 May 2020, https://www.bbc.com/news/technology-52681464, (accessed 7 July 2020).

[3] S. Nicola, ‘South Korea announces no new daily cases in vindication of ‘trace, test, treat’ strategy ‘, The Telegraph, 30 April 2020, https://www.telegraph.co.uk/news/2020/04/30/south-korea-announces-no-new-daily-cases-vindication-oftrace/, accessed 7 July 2020.

[4] BBVA, ‘How do COVID-19 tracing apps work and what kind of data do they use?’ [website], https://www.bbva.com/en/how-do-covid-19-tracing-apps-work-and-what-kind-of-data-do-they-use/, (accessed 7 July 2020).

[5] Peduli Lindungi, https://pedulilindungi.id, (accessed 8 July 2020).

[6] Ardila Syakriah, ‘Privacy breach, fake news take mental toll on Indonesia’s first COVID-19 cases’ https://www.thejakartapost.com/news/2020/03/04/privacy-breach-fake-news-takes-mental-toll-on-indonesias-first-covid-19-cases.html (accessed 30 September 2021).

[7] W. Samuel and D. Louis, ‘The Right To Privacy’, Harvard Law Review, vol.4, no.5, 1890, p. 193.

[8] W. Alex, ‘GDPR Matchup: South Korea’s Personal Information Protection Act’, International Association of Privacy Professionals [website], https://iapp.org/news/a/gdpr-matchup-south-koreas-personal-information-protection-act/ (accessed 8 July 2020).

[9] Personal Information Protection Act, s. 70–75.

[10] B. Frederik Zuiderveen, G. Jonathan, E. Mireille, ‘Open Data, Privacy, and Fair Information Principles: Towards a Balancing Framework’, Berkeley Technology Law Journal, Vol. 39, №3, 2015, pp. 2130.

[11] ‘Coronavirus privacy: Are South Korea’s alerts too revealing?’, BBC, 5 March 2020, https://www.bbc.com/news/world-asia-51733145 (accessed 8 July 2020).

[12] Law Library: Library of Congress,’Regulating Electronic Means to Fight the Spread of COVID-19’, 2020, p. 71, https://www.loc.gov/law/help/coronavirus-apps/korea.php.

[13] Lee&Ko Law Firm, ‘Major Amandment to the Personal Information Act Passed by National Assembly’, Legal500 [website], https://www.legal500.com/developments/thought-leadership/major-amendment-to-the-personal-information-protection-act-passed-by-national-assembly (accessed 8 July 2020).

[14] COVID-19 Task Force Circular Letter Number 9 of 2020 about changes to Circular Number 7 of 2020 concerning The Criteria and Travel Requirements of People in the Adaptation of New Habits to Productive and Safe Communities COVID-19, ss. f.

[15] Peduli Lindungi, accessed 8 July 2020.

[16] Minister of Communication and Information Decree Number 171 of 2020 regarding the Protection of Personal Data in Electronic Systems, s.6.

[17] Frederik Zuiderveen, G. Jonathan, E. Mireille, ‘Open Data, Privacy, and Fair Information Principles: Towards a Balancing Framework’, pp. 2124.

[18] United Nations Global Pulse & International Association of Privacy Professionals, Joint Report, ‘Building Ethics Into Privacy Frameworks for Big Data and AI’, 2018, pp. 6.