Uncertain future of privacy protection under the Korean public health emergency preparedness governance amid the COVID-19 pandemic

Abstract This article explores the implications of South Korea’s assertions that it has successfully controlled the transmission of coronavirus disease (COVID-19). South Korea has consistently pursued two underlying policies since the COVID-19 outbreak, namely, securing maximum transparency and undertaking seemingly extreme preemptive measures. However, these measures have resulted in privacy concerns. Public health authorities are allowed to collect comprehensive personal details for contract tracings. Although the system of divulging infected persons’ routes has been praised by the public, the contact tracing system carries blatant privacy risks. Politicians are easily tempted to reveal more information than is necessary or perhaps more than is legal to alleviate public anxiety. Until now, professional groups’ autonomous authority has withstood the populist call for further intrusive measures against privacy rights. Nonetheless, it remains unclear how far the current public health emergency preparedness governance will go to strike a balance between privacy protection and efficient disease control, given the nebulous future of the current pandemic.

ABOUT THE AUTHOR Younsik Kim is an associate professor of constitutional law at Sungshin Women's University in Korea. Previously, he was a senior researcher at the Korean Constitutional Research Institute at the Constitutional Court of Korea. Younsik holds a Ph.D. in law from the University of Edinburgh, where his thesis focused on the relationship between investor-state arbitration and national constitutional law. He has an LL.M. from the University of Chicago and an LL.M. and LL. B. from Korea University. His research interests cover constitutional law and administrative law, legal theory and international investment law. This research serves as part of a larger exploration of populism and the Korean Constitution in a crisis era. Furthermore, this will be related to other issues such as the triangle relationship, which is emerging among politics, science (public health), and the law in a post-COVID world.

PUBLIC INTEREST STATEMENT
The Korea's response to the COVID-19 outbreak drew global attention. However, Korean policies, such as a need for maximum transparency and the undertaking of seemingly extreme preemptive measures, raise several human rights issues, especially privacy concerns. These concerns culminated in the Disclosure of Information on Routes of Confirmed Cases, which discloses the travel routes of the infected people to the public. Politicians were tempted to reveal more information than was perhaps appropriate by law to alleviate public anxiety. On the other hand, professional groups' autonomous authority has withstood the populist call for further intrusive measures against privacy rights. Nonetheless, it remains unclear how far the current public health emergency preparedness governance will go to strike a balance between privacy protection and efficient disease control given the nebulous future of the current pandemic. This will be the heart of question how the constitutional system deals with the populist threat in the name of public health.
Since the COVID-19 pandemic outbreak began, people within Korea have been receiving daily safety information text messages on their mobile phones from local authorities. Those messages indicate places, stores, and travel routes of confirmed cases in districts or counties where the mobile users are currently located. Sending the notices to everyone implies that the government is tracking all mobile phones, not only those of infected citizens. People internalise this new normal as the COVID-19 pandemic rages on. These practices raise concerns about privacy and instances of online bullying. In one instance, online rumours circulated that an infected man was having an affair with a woman after their travel routes were made public. In another case, a municipal government leader posted on Facebook that a woman had transmitted the virus to her boyfriend after an evening visit. She asked people to stop shaming her when she found herself ostracised on the internet. (BBC, 2020;Choe, 2020a;Choon, 2020;Jeong, 2020) The Korean people have displayed ambivalent attitudes towards this privacy crisis amid the pandemic. According to a poll conducted in mid-February 2020, amid the first wave, 53% of 1,000 respondents worried about being socially stigmatised because of the COVID-19 infection, and 24% reported being more afraid of the stigma than the infection risk. (M. N. Kim, 2020) In contrast, 49.2% of the 500 respondents in another poll wanted more public disclosure about the infected patients; 40.6% stated that they felt that enough information was already available, whereas less than 10.2% were opposed to this public alert system. (Realmeter, 2020) Korea has developed a relatively efficient public health emergency preparedness (PHEP) governance. In this governance, public authorities (central and local governments) and the private sector (professional groups and civil society) cooperate to establish institutional structures and policies for disease prevention and control. (H. Klingebiel & Tørres, 2020;Moon, 2020;Shaw et al., 2020;You, 2020) Korean strategy against COVID-19 is defined by transparency and preemptive action. The Korean president consistently emphasised that "pre-emptive measures should be taken strongly and swiftly enough to be regarded as rather excessive." (C.  Public health authorities (PHAs) provide transparency to the public by maximising public access to government information. (Moon, 2020;You, 2020) Lessons learned in the wake of the 2015 outbreak of Middle East Respiratory Syndrome (MERS) coronavirus reinforced these principles.
However, combining restrictive measures for efficient prevention of emerging infectious diseases (EDIs) with transparency in risk communications engenders privacy concerns. While the PHAs collect and process a controversial scope of personal information for swift and efficient contact tracing, they also disseminate some part of the collected data to the public under the guise of transparency. Revealing too much personal information could lead to unexpected social problems, such as online trolling in the private sphere. The politicians who crave the media spotlight echo the unfiltered public demand to collect and disclose more personal information.
Against this backdrop, this research analyses how the Korean PHEP governance balances adequate privacy protection with efficient PHEP. Compared to other works in the area, this study pays more attention to the negative effects of South Korea's public assertions that it has controlled the transmission of COVID-19. It describes responses to these assertions in terms of politics and law amid the uncertainty of the current pandemic. This study also explores medical experts' roles in controlling political pressures. This study starts by analysing the lessons of the 2015 MERS outbreak to understand the current PHEP governance. Then, we examine the achievements and future challenges in the revised Korean PHEP governance regarding privacy protection.

Systemic failures of preemptive and swift initial response
Korea experienced the largest MERS coronavirus outbreak beyond the Middle East in 2015. (see D. H. Cho, 2015;Petersen et al., 2015, pp. 54-5 for a general discussion) A government white paper and numerous pundits attributed the then public health crisis to initial failures in adopting timely and preemptive measures. (MOHW (Korean Ministry of Health and Welfare), 2016, p. 428-9; KSID (The Korean Society of Infectious Diseases), 2017, p. 20-5; Lim & Sziarto, 2020, pp. 652-3) Inadequate field epidemiological investigations (FEIs) during the outbreak's initial phases precluded public authorities from formulating action plans corresponding to the MERS virus' epidemiological features. Although cases soared suddenly, a few FEI officials suffered from unbearable workload tracing infections. Moreover, at that time, PHAs also missed critical opportunities to decelerate the virus under the then Infectious Disease Control and Prevention Act (IDCPA I). The FEI investigators did not have legal powers to impose restrictive self-quarantine measures concerning confirmed cases and their respective contacts. (MOHW (Korean Ministry of Health and Welfare), 2016, p. 83-94;Jun et al., 2018, pp. 356-65) Finally, the government provisionally permitted the FEI officials to employ criminal investigation techniques to gather personal information. The PHA and medical professionals realised that conventional methods could not effectively contain the spread of the infection. In-person interviews were lagging and inaccurate because interviewees had vague memories or were reluctant to divulge sensitive personal data. The government authorised the FEI officials to obtain credit/debit card transaction records, mobile phone GPS information, and CCTV records. The Central MERS Response Task Force, established by the Korea Centre for Disease Control and Prevention (KCDC), worked closely with three major mobile phone companies and the Financial Supervisory Service (FSS). The FEI interview results were compared and supplemented with location information from telecommunication companies as well as the FSS financial records. (MOHW (Korean Ministry of Health and Welfare), 2016, p. 83-93; C. Lee & Ki, 2015, pp. 3-5) The extensive access to personal data challenged the Personal Information Protection Act (PIPA (Personal Information Protection Act), 2014), a legislation that functions a framework to protect personal information. Under PIPA, personal information is defined as information pertaining to a living person, including their full name, resident registration number, photographs or videos, etc., by which the individual in question can be identified. This concept of personal information includes a simple combination of data that can be used to identify individuals. Besides, the Act on the Protection, Use, etc. of Location Information (APULI (Act on the Protection, Use, Etc. Of Location Information), 2015) limited the collection of personal location information that is defined as "the location information regarding a particular person". The location information specified in the APULI also refers to any type of information readily combinable with other data to track someone's location, although that information alone is insufficient. The APULI prevents the collection, use, and dissemination of GPS information, except for police authority requests or necessity of emergency rescue operations. Similarly, the Protection of Communications Secrets Act (2017) prescribes that communication confirmation data can be collected for and revealed to the judiciary and law enforcement authorities only when required for criminal procedures. Personal credit history, such as card transaction records, is considered personal information. The Credit Information Use and Protection Act (2015) allows this type of information transfer to law enforcement authorities, such as the police, for criminal investigations or safety issues.
Consequently, it was highly controversial whether the FEI officials had the authority to collect and process the vast amount of personal data. Most parts of PIPA do not apply to exceptional cases where there is an urgent need for "the public safety and security, including public health, etc". However, ambiguity prevailed on whether the EDI outbreak and public health crisis could be considered an exceptional case as prescribed in PIPA. As the situation rapidly escalated, the government could not remain silent on this issue. Finally, the Ministry of Government Administration and Home Affairs stated that the exemption from the PIPA application was allowed by expanding the concept of "the public safety and security, including public health, etc." to include EDI prevention and control. The government interpreted this exemption as applicable to FEIs and other relevant management measures, such as monitoring quarantined close contacts. (S. Lee & Kim, 2015, pp. 25-8) The government also authorised the PHAs to handle the location information through an interpretative expansion of APULI. Article 29 (1) and (2) of APULI prescribe that an information processor may collect, use and provide someone's location or mobile device information without consent in cases-warranted by emergency rescue agencies or the police-for emergency measures or public warning purposes. In this instance, the government clarified that emergency measures and public warnings included responses to the EID outbreak. In this way, if PHAs requested the location information from mobile companies through the police, they provided that information to the police. Then, the police transferred the obtained information to the PHAs.

Lack of transparency in crisis communications
During the MERS outbreak, poor risk communication and government secrecy endangered public trust in the government and the medical profession. The unprecedented acceleration of the infection exacerbated public anxiety. While the demand for information increased, PHAs argued that unnecessary information disclosure could engender avoidable social unrest. This passive attitude towards direct access to government information fractured public trust. Consequently, a vicious circle of distrust fomented, and the apprehensive public relied on online rumours and misinformation rather than official government statements. (MOHW (Korean Ministry of Health and Welfare), 2016, p. 114-21;People's Health Institute and Health Right Network, 2016, p. 51-8;Sang-Il Lee 2015, 275;E. D.H. Kim, 2015, pp. 98-105) Therefore, whether the government should disclose the list of medical institutions where MERS infection had occurred became a pivotal issue. The majority of the MERS-infected persons in Korea had contracted it within and between hospitals. One infected person transmitted the virus by visiting multiple hospitals, thus infecting other patients, visitors and medical personnel. People wanted to avoid infection risks by accessing the list of hospitals that were treating or had treated infected patients. The Korean Medical Association (KMA) demanded that, although the information was not necessarily accessible to ordinary people, frontline medical staff could access a list of confirmed patients and their close contacts to protect medical staff against possible infection. The government argued that additional information disclosures were unnecessary because they successfully eliminated the infection risk through disinfection and decontamination measures. The KCDC stated that the FEI staff were closely following all visitor transmission routes to the hospitals. Additionally, the PHA and even some medical specialists posited that disclosing the hospital list was unnecessary and could stigmatise medical workers and the residents neighbouring the hospitals. (MOHW (Korean Ministry of Health and Welfare), 2016, pp. 304-7) Finally, the government capitulated to vehement public criticism. It released limited information (locations that MERS patients had visited, names of their medical institution and exposure date) only to infectious disease specialists and infection control offices. However, the limited information release created a public backlash. Public confidence in the government deteriorated as the FEIs had failed to identify the transmission routes in several cases, thus resulting in the spread of rumours beyond government control. An internet developer launched the MERS Map, drawing on information leaked from medical staff or citizen reportage, to circumvent government secrecy. This website indicated the places and hospitals associated with confirmed cases. (MOHW 307-321; KSID (The Korean Society of Infectious Diseases), 2017, pp. 26-30) When the local authorities decided to disclose the movement routes, public distrust reached its pinnacle. Park Won-soon, the mayor of Seoul and a former human rights lawyer and activist, was informed that patient no. 35, later revealed to be a doctor in a major hospital, was one of 1,500 people who attended the general assembly of a housing redevelopment association. The Central MERS Response Task Force refused to disclose the information of patient no. 35. The central government also insisted that further steps were not required because of the patient's low communicability as long as it could establish the contact level of the patient through FEIs and monitor close and direct contacts separately. Conversely, Seoul's mayor urged the central government to release the whole movement path of patient no. 35. Mayor Park argued that the people wanted to evaluate the infection risks through unidentified contacts and then undertake selfprotection measures when informed of proximity to those infected. Finally, the mayor released a record of patient no. 35's movements on 4 June 2015 without giving any advance notice to the central government. As his midnight emergency press briefing dominated the next morning newspaper headlines completely, the Central MERS Response Task Force and KCDC became disconcerted about this bombshell news. The mayor of Seoul avowed that public health interests outweighed the right to privacy. Since then, the Seoul metropolitan city government has kept the public regularly apprised of MERS-infected patient movements. (MOHW (Korean Ministry of Health and Welfare), 2016, pp. 314-15) The disclosure of patient transmission routes could be decoded in a political context. Tensions existed between Mayor Park, the potential presidential candidate of the opposition party, and the then-Korean-President Park Geun-Hye. Even before the MERS outbreak, the mayor of Seoul had sent persistent political distrust signals against President Park's management style: that is, secrecy and top-down leadership. (Hahm & Heo, 2017, pp. 652-4) Mayor Park criticised the central government for failing to screen suspected MERS patients and covering-up critical but government-adverse safety information. Meanwhile, the public circulated a conspiracy theory that the government hesitated to disclose the hospital list and information on patient no. 35 because the requested information was relevant to a mega-hospital (Samsung Medical Center) of Samsung Group, a Korea-based multinational conglomerate. Samsung has been believed to maintain a long, suspicious bond with political powers, especially under the aegis of the then-ruling party. (Lim & Sziarto, 2020, pp. 70-1) Conversely, President Park warned that the mayor of Seoul's precipitous actions could exaggerate the MERS risk and stir unnecessary turmoil. Ock, 2015) Although the mayor of Seoul achieved political support because of stringent and resolute preemptive measures, some observers raised unanswered questions about clear scientific evidence to support his actions. Scant attention was paid to whether and how the public disclosure of infection routes made disease control efficacious. Contrary to the uncertain benefits, considerable doubts were raised over whether this system excessively infringed upon the personal privacy rights of infected people without adequate legal ground. Of course, the PHAs were delegated to collect and handle the personal data under the broad exemption of PIPA. However, no clear statutory grounds permitted the PHAs or local government to publicly disclose personal information collected only for FEI. (Bae, 2015, pp. 15-20) Such controversies about the public disclosure of infection routes were quickly countered by political considerations and situational urgency justifications. An empirical study illustrated that public anxiety declined immediately after the government published hospital lists and Seoul released information on patient no. 35. (Choi & Eun, 2018, pp. 52-4) Seoul's measures sent strong signals of commitment to disease control and attracted media attention. This solution was politically expedient for local government leaders who suffered from a lack of resources and knowledge compared with their central authority counterparts. Finally, other politicians raced to emulate Seoul's mayor despite critical comments from some human rights watch groups. (MOHW (Korean Ministry of Health and Welfare), 2016, p. 356-7; People's Health Institute and Health Right Network, 2016, pp. 47-9) For example, Lee Jae-myung, the Mayor of Seongnam (who later became the Governor of Gyeonggi Province), posted the residential address and workplace of a confirmed COVID-19 patient as well as the name of her child's school on his social service network, immediately following the controversial press briefing by Seoul's mayor mentioned earlier. The infected party was later identified as a Samsung Medical Center nurse, and her detailed information, including her child's identity and school data, was publicly revealed and spread by internet users. Mayor Lee claimed that this action was justified for the sake of public interest and public access to government information for disease prevention. His actions mirrored the mayor of Seoul, whose conduct attracted media focus and made the public feel relieved amid the central government's chaotic response. In contrast, medical specialist groups, such as KMA and Korea Nurses Association, argued that this reckless public disclosure of personal information could endanger privacy and eventually efficient disease prevention by causing social stigmatisation on medical staff. (Seok Young Dong-Woo D.H. Kim, 2015)

Forming institutional memories: safety first
The public and experts accused the government of PHEP incompetence. At the request of the National Assembly, The Board of Audit and Inspection of Korea (2016) investigated the policy failures of PHEP and recommended disciplinary action against 39 PHA officials and other public officers, including dismissal of the KCDC Director. After the MERS outbreak, 31 white papers or reports were published during 2015-2016 by various central and local governments, including professional organisations and NGOs.  While some promoted political objectives to flaunt best practices of municipal authorities, others aimed to record painful lessons and make policy recommendations. The aftermath of the MERS outbreak formed institutional memories for the following policymakers to update the PHEP policies and technical field manuals.
In contrast, it was dubious whether such policy failures could be considered illegal. After the MERS outbreak, several damage claims were filed against the government and major hospitals where cluster infections occurred. (Seoul Central District Court, 2018, p. 2019) In most cases, the patients got infected through hospitals where other MERS-infected patients either stayed or visited. The claimant argued that if the PHAs had conducted swift and efficient FEIs and tests or released information on the hospitals that those infected visited, they would have avoided visiting the hospitals, or the infected parties could have been traced and quarantined before visiting those hospitals.
The Supreme Court of Korea presumed that, given the lack of knowledge about EID and extreme uncertainty at that time, it could not make a legal judgment based on the present perspective. Thus, the court rejected negligence in establishing an appropriate manual and releasing information. Conversely, the court recognised some negligence concerning failure to conduct efficient FEIs, virus tests and immediate and preemptive quarantine measures. Nevertheless, the Supreme Court held that the illegality of the negligence could be tolerated because some of the situations that the government faced during the MERS outbreak were inevitable. The court indicated that PHEP suffered from a lack of resources and limited legal power for efficient and swift disease control and prevention. Simultaneously, it also considered that the epidemiological features of the MERS virus had not yet been fully understood even by medical experts. Significantly, the court did not recognise causation between state negligence and patient deaths. Given extreme uncertainties at that time, the Supreme Court explained that it failed to find any clear evidence to demonstrate that lives could have been saved had appropriate measures been taken. (Supreme Court, 2019) Regardless of the judicial decisions, the PHEP policy failure was attributed to the government and its politicians. In Korea, the failure of PHEP was one of the major factors that contributed to the presidential impeachment of former President Park Geun-hye. The public exasperation during the MERS outbreak mirrors another tragedy of 2014.  The MV Sewol Ferry sank in the south-western sea, drowning 304 (including approximately 250 high school students) of 476 passengers and crews. The public was infuriated by the incompetent national disaster response system and the president's attitude, which seemed to downplay government culpability. (Jin & Song, 2017) Park again suppressed critical voices during the crisis. This debacle was replicated in the MERS outbreak in 2015. The accumulated distrust towards the government had a significant impact on the risk perception of the MERS infection. (Jang et al., 2020) Those series of incidents and public disappointment with government response diminished the president's political support. (Ku et al., 2018, p. 67-8;Hahm & Heo, 2017, p. 654;Choe, 2015) Eventually, President Park Geun-hye was impeached after corruption scandals were reported by the news media in 2017. Choi Soon-sil, the president's secret old friend, was accused of extorting tens of millions of dollars from businesses. Allegations surfaced that she manipulated the president's decisions without any official status by accessing confidential documents and intervening in cabinet meetings. Millions of people took to the streets for daily candlelight vigils for nearly six months. These unprecedented protests drove the reluctant legislature, where President Park Geunhye's party held a majority, to submit the impeachment motion to the Constitutional Court of Korea. (Shin & Moon, 2017, p. 118-25;Turner et al., 2018) Evidently, the impeachment was motioned directly from Choi's political scandals. However, mismanagement of national disasters, including the Sewol tragedy and the MERS outbreak, formed significant parts of that long-accumulated public anger. (J. Park & Chung, 2021, pp. 14-15) The public call for political accountability on the national disaster was reflected in the motion for impeachment. In Korea, a president can be removed from office when the Constitutional Court accepts the motion, which is then passed by the National Assembly requesting the impeachment. The MERS outbreak was absent from the legislative motion. However, criticism of the PHEP under Park's administration was implicitly referenced in the Sewol incident. The tragedy symbolised the incompetency of the national disaster preparedness system. In the motion to impeach, the National Assembly argued that the president breached the right to life drawn from Article 10 of the Korean Constitution because she and her administration missed the critical time to save people because of their negligent initial response.
The Constitutional Court rejected the poor performance argument as an impeachment ground. Instead, the court recognised the constitutionality of the impeachment motion on grounds other than her poor performance. The court held that according to Article 10 of the Korean Constitution, the president-as the executive head-bears the comprehensive abstract duty to take appropriate measures to rid risks and threats to physical safety and lives of the people. The court elucidated that the emergency response to Sewol Ferry Sinking was inadequate and inappropriate. However, the majority opinion did not admit that the president had a primary legal duty to take direct specific action in the national disaster situation, such as participating in the field rescue operation in person. However, the failure to respond to the emergency did not amount to the conclusion that she breached her duty to protect people's lives and safety without further evidence. Additionally, the impeachment petitioners argued that the president violated her constitutional obligation to faithfully execute the presidential duties prescribed in Article 69 of the Korean Constitution. However, the court interpreted that Article 69 cannot provide a basis to normatively bind the president to execute her duties faithfully, but only legally. Thus, the majority opinion argued that the president's performance of duties, faithful or not, cannot be subject to constitutional review but only to political decisions, such as an election. Consequently, the Article 69 issues raised by the petitioners cannot serve as a ground for impeachment because the Constitutional Court, like the judiciary, is required to consider purely legal standpoints. However, this reasoning remains controversial because the concurring opinions of Justice Kim Yi-su and Justice Lee Jin-sung argued that the president violated her constitutional duties in handling the Sewol Ferry Sinking. They indicated specific actions that should have been taken by the president in the early stage of the disaster response. (Constitutional Court Decision, 2016) Although the judiciary refrained from recognising the legal responsibility for the national disaster response failures, the administration that followed (under Moon Jae-in) understood that people consider safety issues to be the top policy priority and that the government must demonstrate competency in national crisis responses for political survival. (J. Park & Chung, 2021, p. 4) Today, Korean people place safety as the foremost policy priority beyond other values. Risk perception has been more sentient, whereas risk acceptability has significantly subsided. As trust in government diminishes, people prefer politicians who show more commitment to pursuing a safe society, even at the cost of other values, such as human rights, the rule of law and democracy.

Enhanced power to handle personal information
The Korean legislature overhauled the system through revisions of the IDCPA I in 2015-2016. They attempted to remove grey areas that challenged the collection and processing of personal information during the MERS outbreak. Revised legislation (IDCPA II (Infectious Disease Control and Prevention Act II), 2015) provided statutory grounds for the PHAs to handle the vast amount of personal information. A series of reformations contributed to efficient contact tracing and leadoff prevention of infection spread during the current COVID-19 pandemic.
However, several questions remain dormant beneath the public acclaim for successful disease control and prevention. The most severe challenge to privacy protection is the government's ability to collect and process personal information without an individual's consent. The controversial clause, that is, Article 58 (1) para 3 of PIPA, survived the revision of the PHEP system without any change. Therefore, most parts of PIPA are still not applicable to all types of information handling under the PHEP situation. Although the IDCPA II incorporates personal information protection measures, it is questionable whether such safeguards work effectively.
Loopholes in the privacy protection system under the current PHEP system exist in the FEI process. In painful lessons from the 2015 MERS outbreak, Korea learned that efficient and timely FEI is one of the most critical factors that prevent the disease from spreading in the early stages of the outbreak. FEI officials have adopted efficient and preemptive prevention measures, such as contact tracing and immediate quarantine.  The interviewee must fill out the Epidemiological Investigation Form. (KCDC, 2020a) The KCDC issues and updates the case investigation form, but FEI teams in the field adjust its detailed contents according to changing infection patterns. (IECPA II 2020) They must submit various types of personal information, including their travel history to the affected area and a record of clinical symptoms. Required personal information includes name, resident registration number, gender, nationality, home address, phone number and occupation (specific workplace or school names). FEI officials usually ask for more information than is specified in the IDCPA II Enforcement Decree and the case investigation form. This is because efficient contract tracing demands that close contacts, such as family members, friends or colleagues, and public facilities (medical or religious institutions and care centres) visited by the subject be identified. (G. Lee 2020, 156) Furthermore, Schedule I of the IDCPA II Enforcement Decree allows the FEI official to obtain medical records from hospitals or doctors.
The current system enlarges the scope of people under investigation. Article 12 of the IDCPA II Enforcement Decree permits officials to conduct FEIs only for "patients, etc. with an infectious disease", which Article 2 paras. 15-2 of the IDCPA defines as "a patient with an infectious disease, a patient suspected of an infectious disease, or pathogen carrier". However, the concept of a patient suspected of an infectious disease is vague. Nevertheless, the PHA's mandate (IDCPA II Enforcement Decree) goes beyond the definition provided by the legislation (IDCPA II) so that the scope of investigation may cover people in any potential or presumable contact with an infected patient. Consequently, PHAs have the authority to include not-yet-confirmed patients beyond the legislative scope if they have any suspicion of contact with confirmed cases or presumption of infection risk.
Such enhanced power to collect and process personal information is based on "other matters necessary to reveal the cause of an infectious disease". This phrase is vague enough so that the list of collectable data is not exhausted and the PHA may adjust the scope of the investigation to changing situations. Compared with the strong powers of the PHAs, individuals do not have forceful ways to protect their personal information. That no one is allowed to refuse, interfere with or invade the FEI is particularly concerning. Any such misbehaviour, including the presentation of false statements or intentional omission of facts in the course of an investigation, may constitute a criminal offence. (IDCPA II (Infectious Disease Control and Prevention Act II), 2015, Article 18-3) When the interviewees refuse to cooperate with the FEI, or when it is impossible to conduct efficient investigations, PHAs may request necessary information directly from other public agencies. (IDCPA II (Infectious Disease Control and Prevention Act II), 2015, Article 18-4) PHAs can collect the following information listed in Article 76-2 (3) of IDCPA II from various private and public bodies.
Through delegated legislation, the executive branch may also aggrandise the scope of accessible personal information under the terms, "[o]ther information prescribed by Presidential Decree for monitoring the movement paths of patients with infectious diseases", as stipulated in Article 76-1 (2) paragraph 4 of IDCPA II.
The IDCPA II Enforcement Decree prescribes collectable information, which includes financial records, travel card statements and CCTV image data. PHAs cannot obtain location information directly from private sources because it can only be collected and managed by law enforcement authorities. However, the KCDC FEI, under the Ministry of Health and Welfare (MOHW), can obtain GPS information from telecommunication companies by requesting it from the police. (Ibid. Article 76-2) PHAs cannot install CCTV cameras because Article 15 of PIPA permits the installation of CCTV cameras only for limited purposes, such as police control of crime, traffic and security. The IDCPA II, however, under the exemption clause of the PIPA, (Article 58-1, para. 3) allows PHAs to use information from CCTV cameras installed for other purposes. (G. Lee 2020, 155) As the current system expanded the range of personal information collected and processed by an FEI officer, collected data is exposed to risks such as leakage or reckless personal information management. (Ahn et al., 2020, pp. 171,327-8, G. Lee 2020 Therefore, although medical staff and public health officers who divulge confidential information can be charged with a criminal offence, (IDCPA II (Infectious Disease Control and Prevention Act II), 2015, Article 74 and 78) this protection system is not effective. This system is vulnerable to many risks factors such as reckless document management. Civil servants, for example, were accused of leaking information about confirmed patients. Those local officials took charge of taking quarantine measures. They took over the personal information of the confirmed cases, the route of movement, and the identities of close contacts from the contract tracers. They were alleged to have taken pictures of documents on their mobile phones and transfer it to their family and friends via social media. Such sensitive information rapidly spread online. (H. Lee 2020)

Public disclosure system of travel routes of confirmed cases
Enhanced powers to collect and process personal information for efficient FEI, coupled with transparency policy, engendered the privacy protection system. Korea learned that building trust between the government and its citizens is essential for effective disease control in a fluctuating pandemic situation. (Choi & Eun, 2018, p. 54-6;Fung et al., 2015) Thus, Korean officials promoted efficient and timely crisis communications by expanding transparency and access to government information. The IDCPA II prescribes that people have the right to government information related to the prevention and management of an infectious disease. All information shall be maintained and updated by the central and local governments. (Article 6-2) However, a request for government transparency does not necessarily mean that the government will disclose the collected personal information. Although the government gathers personal information for public policy purposes, the collected information must remain private. The government can use or disclose this information on rigorously restricted conditions. The public disclosure of personal information can cripple efficient disease control and prevention by stigmatising and discriminating against infected patients. The fear of social stigma can discourage people from taking preemptive action, such as a virus test or symptom reports. Nevertheless, panicked people living with the uncertainty of a pandemic situation can confuse private and public government information.
After the MERS outbreak, the National Assembly allowed the MOHW to promptly release information deemed essential in preventing infectious diseases. Such information includes "the movement paths, transportation means, medical treatment institutions, and contacts of patients of the infectious disease". (Ibid. Article 34-2) Disclosure of travel routes of confirmed cases (Public Disclosure System), first introduced by Seoul during the MERS outbreak, has become even more popular during the COVID-19 pandemic. Jung et al., 2020, pp. 10-11) The information on the routes of confirmed cases is produced through the FEI's contact tracing. This data indicates how an infected party moved, who they met and where they visited, presented in a specific timeline before symptoms are reported to the authorities. The municipal authorities and the KCDC provide this information to the public regularly through a website or text message service.
Questions arose about clear statutory guidelines for the local government to manage the Public Disclosure System. The IDCPA II delegated the central government (MOHW) to take charge of this system with its accompanying responsibilities. While local authorities released information obtained from the KCDC and the municipal investigators in arbitrary and inconsistent ways, there was no explicit provision to impose statutory protocol concerning information management. Furthermore, there was no uniform model to keep municipal authorities from competing to enlarge the scope of disclosable information. The range of disclosed information varied among local authorities in the absence of uniform guidelines. While one local government posted the movement routes only on the official blog and website, another sent text messages with detailed information on occupation or workplaces of confirmed cases. (G. Lee 2020, 158-62; G. Kwon,[19][20] While the benefits of the Public Disclosure System are nebulous, the disclosure of movement routes exposes the infected individual to higher privacy risks. Since the MERS outbreak, it remains debatable whether the Public Disclosure System is conducive to disease control and public safety. (Zastrow, 2020) Naturally, detailed information on the movement paths of confirmed cases is a critical time-saving measure for PHAs to curb the spread of infection. (Ienca & Vayena, 2020) Thus, the IDCPA II conferred PHAs with the extensive power to collect personal information. However, it is questionable whether the information necessary for public health experts is evenly required for laypeople. Some argue that the people might assess on their own the need for a preemptive virus test before onset of symptoms when informed of proximity to an infected case or hot spot. (Jung et al., 2020, p. 2) Nevertheless, it is difficult to present clear evidence on the effectiveness of the public announcement system in helping people reduce infection risk.
In reality, the Public Disclosure System reveals too much information to the public. (K. Jang, 2020, p. 205) When the government releases route information on confirmed carriers over the internet, any personal information is made anonymous. This measure aims to prevent people from identifying an individual by combining scattered information. Nonetheless, technological developments encourage people to reveal personal identity through simple clicks. In the early stages of the COVID-19 outbreak, several private internet users identified a confirmed case by compiling released information from central and local authorities. (Corona Map) A website was launched that assigned a unique identification number to each person and visualised movement paths of the confirmed cases on an electronic map. (The Government of Republic of Korea, 2020, p. 55) Finally, certain civic groups expressed concern for protecting human rights in infectious disease control. On 9 March 2020, the National Human Rights Commission of Korea (NHRCK) expressed concern that disclosure of extensive personal information could deter people from getting tested and diagnosed. (National Human Rights Commission of Korea, 2020a) Although the Public Disclosure System might bring unclear public health benefits, it will deter people from rejecting quarantine measures. The disclosed travel routes indicate whether the infected patient has complied with the quarantine (social distancing) guidelines. In this context, disclosure of infection routes functions similar to social sanctions. People tend to internalise government regulations because of the psychological fear of ostracisation and potential social accusations they may face after their private behaviours are revealed.

Function of medical expertise against political pressures
With regard to privacy concerns, the finely tuned system of checks-and-balances between governmental policies and the medical expertise has managed to filter populist will. The private expert groups and doctor-licensed public officials under the current PHEP governance seem to serve as a bulwark against political pressure.
During the MERS outbreak, medical specialists in and out of the government gained autonomy and public respect. Public confidence in the government was highly sensitive to government deference to professional groups, such as the KMA or the Korean Society of Infectious Diseases during the MERS outbreak. (Choi & Eun, 2018, pp. 52-4) Since then, the government risks considerable public criticism when it decides not to follow scientific advice in a public health crisis. The expert's advisory opinion also contributes to secure the public's buy-in toward the measures to restrict political demands to open more private information.
Such a public attitude is reflected in a specialist-oriented flexible PHEP system, where the government may delegate extensive powers to the KCDC and the MOHW early on during a public health emergency. Such an arrangement allows officials and medical personnel to buy time to slow the spread of the COVID-19 infection by circumventing the lagging, bureaucratic, decision-making chain. The KCDC can obtain frontline control power for the PHEP by establishing the Central Disease Control Headquarters (CDCH) immediately after the outbreak is recognised. The CDCH can review and modify policies and protocols in rapid response to the changing epidemiological features of the virus without waiting on political decisions from higher authorities. (J. Park & Chung, 2021, p. 4;Pardo et al., 2020, p. 11-15; This trend has been growing in the long battle against COVID-19. In October 2020, the previous KCDC upgraded into the Korea Disease Control and Prevention Agency (KDCA). This structural change indicated the emerging status of professional groups within the PHEP governance.
Initially, KCDC and its preceding organisations took charge of EDI control and prevention. This policy area was usually dominated by medical specialists, such as licensed doctors. However, issues of the EDI had been relatively marginalised in the overall public health policy until the KCDC was established in the wake of the Severe Acute Respiratory Syndrome outbreak. In terms of function, the Korean EDI response system consisted of two pillars, namely, the National Institute of Health (NIH) and KCDC under the control of MOHW. The NIH conducted the primary EDI research under the KCDC while the KCDC implemented most EDI policies based on NIH research results. Nevertheless, the MOHW, predominantly comprising ordinary public officials, had the final authority to establish public health policy along with the final word on policymaking and the power to budget and appoint. (Ju & Jang, 2020, pp. 363-4) During the MERS, people learned that the KCDC needed more autonomous authority from political and bureaucratic influences. (Ju & Jang, 2020, pp. 369-73) As previously discussed, some experts ascribed the early failures of the EID response to the politicised bureaucracy of the MOHW and its higher politicians. The professional groups indicated that Korea lost critical time in preventing the early spread of the EID because political decisions limited the policy discretion of the professional-oriented KCDC. Nevertheless, MOHW bureaucrats were reluctant to transfer leadership to the KCDC in the governance structure of the PHEP. The government upgraded the KCDC Director status to a vice-minister level position. However, the MOHW appointed non-expert officials in most positions, except for Jung Eun-kyeong, the director of the KCDC, and several management positions.
The KCDC Director and medical specialists within the KCDC played critical roles in disease prevention and control amid the COVID-19 crisis. Among these experts was Dr Jung Eun-keyong, the KCDC Director, who was also among KCDC staff members during the 2015 MERS outbreak. Her other colleagues charged with disciplinary measures left the KCDC, but she stayed. Her commitment and calmness during the pandemic response touched the people, resulting in wide public support to provide the KCDC with greater policy discretion and appointment powers. (Walker, 2020) The National Assembly and the MOHW started discussing a plan to establish an independent EDI response agency, KDCA. However, the MOHW attempted to detach the NIH, the critical organisation of the KCDC, from the new KDCA. The medical community and the public criticised this move because the KDCA could not function effectively without the NIH, and the president ordered a review of the MOHW's restructure from scratch. Currently, the KDCA has independent power over personnel and policymaking matters separate from the MOHW. (Kwak, 2020) Furthermore, the president, in January 2021 entrusted the KDCA commissioner with plenary powers to lead a cross-government task force for a COVID-19 vaccination campaign. It is unprecedented to delegate the vice-minister-level KCDC commissioner to command and control the task force team comprising ministers and minister-level officials. (W. W.  Consequently, whenever political leaders compete over politically useful measures-in a scientifically questionable or even harmful manner-experts and officials, until now, have raised their voices by proposing scientifically supported grounds. Expert voices are gaining influence on public opinion. The president, during the COVID-19 pandemic, sent signals to respect professional groups within the KCDC. Evidently, high-ranking political leaders should take their responsibilities seriously, especially when it comes to bold quarantine measures, such as a comprehensive lockdown or school closures, which are beyond the jurisdiction of the KCDC. (KCDC, 2020c) Thus, the CDCH, led by the KCDC (KDCA), became a subordinate organ to the Central Disaster and Safety Countermeasures Headquarters, controlled by the prime minister after the government raised the national disaster alert level to "serious" based on the Framework Act on the Management of Disasters and Safety. (KCDC, 2020c;Kim et al., 2020) However, the government always takes the professional authority of the CDCH of KCDC seriously through the entire decision-making process. The KCDC, with the public confidence in its expertise, was able to persuade the legislature and the public to limit the excessive power to disclose unnecessary personal data.

Revision of the IDCPA for more privacy protection
Korean lawmakers adopted the expert recommendations to limit the scope of disclosed information on the movement routes of confirmed cases. A bipartisan amendment of the IDCPA II attempted to limit the uncontrolled discretion of local governments and PHAs to release such information to the public. (IDCPA III (Infectious Disease Control and Prevention Act III), 2016) The heads of local governments cannot activate the Public Disclosure System until the government proclaims the situation as "serious level", which refers to the second most serious emergency situation among the categories of crisis alerts provided for under the Framework Act on the Management of Disasters and Safety (2018) The amended Act also clarifies a person's right to complain about the information disclosed about themselves. Therefore, any affected person may complain against the MOHW minister (currently KDCA) online, in writing or orally, if they claim the disclosed information to be spurious or inaccurate. When the receiving minister finds the complaint to be reasonable, they shall take appropriate action. (IDCPA III (Infectious Disease Control and Prevention Act III), 2016, Article 34-2) Article 34-2 of the IDCPA III was again amended in September 2020 to impose more responsibilities on the PHAs and municipal government (IDCPA IV (Infectious Disease Control and Prevention Act IV), 2020). The current IDCPA not only allows the central PHAs (KDCA) but also local governments to disclose information related to movement routes of confirmed cases. In practice, the Korean system delegates ultimate powers and imposes corresponding responsibility to the local government in disclosing travel information. The head of the local government came out to respond to any person who took issue with the privacy breaches because in addition to the KDCA, the authorities against whom an aggrieved information-subject can file a complaint include the heads of local governments. The IDCPA prescribes that from the disclosed information, the KDCA and municipal government shall remove any identifiable information, such as name and gender, that is not related to infectious disease prevention. (IDCPA IV (Infectious Disease Control and Prevention Act IV), 2020, Article 34-2[1]) Furthermore, the IDCPA IV Enforcement Decree prevents the authorities from disclosing names, specific addresses below the town or county level and other types of information that KDCA has designated. (IDCPA IV Enforcement Decree IV (Enforcement Decree of the Infectious Disease Control and Prevention Act), 2020) Detailed protocols are posted on the KDCA homepage, and the KDCA gives official notice to the heads of municipal authorities. If the disclosure of the confirmed case movement routes and relevant information achieve its purpose, the KDCA and the local government shall delete the disclosed information without delay. (IDCPA IV (Infectious Disease Control and Prevention Act IV), 2020, Article 34-2[2]) The KCDC also established a protocol that reflected the recommendations of the NHRCK immediately after a legislative amendment in the National Assembly. This protocol serves as a recommendation for the municipal authorities to manage the Public Disclosure System. Municipal governments can disclose places visited and transportation means only when public exposure to an infected individual or infectious sources are expected to pose a high risk of communal infection. Regarding risk assessment, relevant authorities are obligated to consider various types of epidemiological evidence, such as the clinical symptoms of the confirmed cases, duration of stay at a visited place, use or non-use of a face mask, and types and time of exposure. Furthermore, if the FEI can identify all the contacts and routes visited, the movements in question may not be disclosed. Furthermore, the disclosure period is limited. Confirmed case information is accessible to the public from one day before the onset of symptoms to the last day of quarantine. The information may be available from one day before the specimen is collected until the last day of quarantine for those whose symptoms were not confirmed in FEIs. After that period ends, public authorities are required to delete all data. Figure 1 (KCDC, 2020b) The authorities remove any identifying information and provide only epidemiologically meaningful information. The list of visited places and transportation shall be posted instead of listing the individual confirmed cases and their routes (see the following figure). If the site is a facility or a store accessible to the public, its business name, address and the time when exposed to the infection risk can be disclosed. When the name of the business is revealed, its exact address must be specified to avoid confusion with other establishments using the same name. Similarly, the specific branch name, floor and room numbers must be indicated to avoid confusion with other branches of the same franchise or different businesses within the same building. If transportation information is being disclosed, the local government specifies the line and carriage number of trains and subways, bus number, date and time of boarding, place of destination and time of arrival. (Seon, 2020)

PHEP governance and vulnerability to politics
Although the PHEP governance has been balancing between efficient disease prevention and privacy protection, its function is hindered by external factors. First, political pressure threatens privacy protection. There is a noticeable correlation between the government support rate and the number of confirmed cases. For example, the ruling party achieved a landslide victory in the general election immediately following the flattening of the first infection wave curve in April 2020. (J. Park & Chung, 2021, pp. 13-17) Conversely, President Moon had the lowest rating of his presidency, and his administration was criticised for taking inappropriate action during the third wave in December 2020. (R.  The local PHEP governance is more vulnerable to populist thrusts. First, the KCDC protocol does not have any legally binding effect and allows considerable discretion for local governments to adjust the scope of disclosable information. For example, the infected person's workplace may be revealed if the local government recognises a high risk of massive spread. In this arrangement, local politicians do not turn a blind eye to increasing public pressure to disclose more information, given closer relations between politicians with their voters than in national politics. For instance, after following the KCDC protocols, a mayor said that he received outraging protest calls from many local citizens to withdraw commitment to KCDC recommendations. (D. Choi 2020) In reality, most local governments only pretended to change the Public Disclosure System for a while immediately following the publication of KCDC guidelines. The scope of the disclosed information in the local public announcement practice depended entirely on the seriousness and speed of infection spread. (G. Lee 2020, 158-62) Furthermore, most local politicians consider the public announcement system the best way to keep their constituents safe. Such a policy attitude is scientifically doubtful but politically workable. For example, after Lee Jae-myung, the Governor of Gyeonggi Province (former Mayor of Seongnam during the MERS outbreak), adopted questionable but rapid preemptive quarantine measures, he became the most popular presidential candidate in the 2022 presidential election. (Y. Jung, 2020) The first wave, which was before the IDCPA revision in February 2020, witnessed how the government and politics reacted to the public panic. Patient no. 31, a member of an emerging offshoot Christian new religious movement called "Shincheonji Church", was proven to be a super-spreader in Daegu, the southeastern city of Korea. Because the mainstream Christian churches regarded Shincheonji as unorthodox, the believers gathered in secret. Shincheongi communities are vulnerable to cluster infections because of their unique style of worship. Hundreds of people gathered in a vast hall and spoke aloud. The people panicked that more infections would emerge swiftly through the nationwide human network, and approximately 1,100 branches of the Shincheonji Church were closed. Church members attempted to conceal their identities from other mainstream Christians because of social stigma. Furthermore, this religious movement was politically isolated because it showed ideologically conservative views against the ruling party. (S. Choe, 2020b;N. Park 2020) The Korean government and politicians blamed Shincheonji for this infection wave. Soon, local governments competed to undertake preemptive actions to prevent potential transmission in their communities. The mayor of Seoul issued administrative orders to force closures, ban gatherings and force disinfection at Shincheonji within Seoul. This preemptive governmental response culminated when the KCDC requested Shincheonji to hand over its registered member list to conduct the EFIs and to recommend COVID-19 tests for its members. Shincheonji resisted the request because of an overreach of privacy. The Korean president sent an adamant warning that the refusal to cooperate could constitute a criminal offence. The Minister of Justice immediately instructed public prosecutors to investigate and press charges on Shincheonji key members if it obstructed or refused to cooperate with the authorities. (Rashid, 2020) Meanwhile, Lee Jae-myung, the Gyeonggi Province governor, took a quick step that attracted media attention. He immediately ordered a forcible entry into the Gyeonggi headquarters of Shincheonji after it was reported that two confirmed cases were directly related to the Shincheonji gathering that took place in Gyeonggi. He went straight to the church with 40 officials, declaring that "this [is a] state of war" in front of press cameras. Under the governor's command, the authorities secured forced access to the full list of 33,582 Shincheonji followers in the Gyeonggi area and the additional list of 9,930 attendants of the religious gathering in question. An analysis of the member lists allowed the authorities to identify 3,296 church members suspected of potential involvement in cluster infections. The provincial government recommended the COVID-19 test and closely monitored the identified Shincheonji believers with two weeks of selfquarantine orders. (H. Park 2020;Y. Hong, 2020) Finally, the church handed over the full list of the nationwide registered members to the KCDC. This list was not open to the public but was reported to include names, dates of birth, gender, addresses and phone numbers of approximately 210,000 members. The politicians and the heads of the local government competed to propose aggressive actions against privacy protections. After the local authorities obtained the full list of Shincheonji from the central government, they contacted and recommended the church members to take the COVID-19 test. If local PHAs failed to reach the members, the FEI officials closely traced them with the help of additional policesourced personal information. (J. Kim 2020) Governor Lee argued that Shincheonji's leader wilfully hid a part of the list to obstruct the FEI as he insisted that the full list obtained from the KCDC did not match data from the city. He suspected that the church presented false information to the local or central PHAs. (M. Choi 2020) Meanwhile, Seoul's mayor reportedly charged the key leaders of Shincheonji with murder through wilful negligence. Eventually, he revoked approval for the corporate establishment of Shincheonji because the church violated the licence terms and caused severe damage to the public interest. (Kang, 2020) After the first wave, the government recommended everyone to self-quarantine, regardless of their symptoms, and download the "Self-Quarantine Safety Protection App". (Ministry of Science and ICT Republic of Korea, 2020, pp. 34-9) When a self-quarantined person moves from a designated area, the mobile application, like in the case of electronic tagging, uses GPS tracking information to alert the public authority. It is the self-quarantined individual's responsibility to regularly report their health status to the public authorities. They can conveniently use the app instead of calling or meeting the officials in charge. The app is optional for self-quarantined Korean residents within the Korean territory, whereas it is strictly mandatory for all foreign and national overseas arrivals. (D. Park & Noh, 2020) The Korean government overrode objections from the MOHW in April 2020 and introduced electronic bracelets for self-quarantined people. The government can use these bracelets to monitor the location of a self-quarantined individual. This bracelet is paired via Bluetooth with the Self-Quarantine Safety Protection App. If a self-quarantined person moves more than a certain distance (20 m) away from the mobile or destroys the band, the system automatically alerts the officials in charge. Although the government called the bracelets "safety wristbands" to avoid the negative image of an electronic anklet, civil society and the NHRCK have criticised them. "(2020, 2020b) Finally, the prime minister stated that the government would put this wristband on people who have broken self-quarantine rules, such as going outside without notice and not answering regular health-check calls. The prime minister mentioned that this measure was supported by professional advisers, without disclosing specific details. A recent poll indicated that approximately 80% of the respondents espouse the new policy. (Yonhap, 2020) Korea admitted that there is no legal basis to coerce the violators to wear the wristband. Instead, someone accused of breaking the rules will be asked to wear the wristband voluntarily in exchange for leniency. If the accused refuses to wear the band, they must stay in accommodation support centres for affected people. These facilities are a temporary isolation unit monitored and staffed by health professionals. Furthermore, those violators who refused to wear the wristbands were required to pay the accommodation fee and other living costs. Some argue that these requirements coerce individuals to wear the band. They also raise digital security concerns in regards to the Self-Quarantine Safety Protection App, which they argue is susceptible to hacking. (G. Kwon, 2020, pp. 25-6, C. Park 2020

Exhaustion of public patience amid recurring infection waves
Political pressure clouds the future of privacy rights in the COVID-19 era. Given the future uncertainty of prolonged COVID-19, the government will likely approve the growing threats to personal information. Whenever recurring massive infection waves overwhelm communities, the government and the people will be tempted to lean gradually towards more intrusive preemptive measures against privacy.
In May 2020, the Korean government was embarrassed by massive cluster infections amid a marked decline in the infection rate. The public alert system disclosed that a super-spreader barhopped several gay bars in Itaewon, a famous party district in Seoul (for LGBT people). Social stigma spread quickly against minority groups, discouraging people who frequented bars and their vicinities from voluntary testing. (V. Kim 2020a) Seoul and MOHW quickly established a list of 5,517 "person[s] suspected of contracting an infectious disease" (infection-suspected persons) under Article 2 of IDCPA III. IDCPA III defines an infection-suspected person as a person who is proven or suspected of coming into contact with a "patient with an infectious disease". A traveller or visitor from a "(strict) quarantine inspectionrequired area", where a disease outbreak occurred, is considered an infection-suspected person. Furthermore, it may include anyone exposed to public health risks, infectious pathogens or diseases. If a person is labelled as an infection-suspected person by the PHAs, their personal information can be collected and processed for the FEI and other EID prevention measures according to Articles 76-2 (1) and (2) of the IDCPA III. The government identified the people suspected of cluster infection in Itaewon by securing the visiting lists and card transaction records of the clubs en route of confirmed cases.
The mayor of Seoul took an additional step; the Seoul Metropolitan Government with the MOHW declared that anyone who stayed for more than 30 minutes in the Itaewon area during the highrisk period (24 April 2020 to 6 May 2020) was considered an infection-suspected person. To identify those people, the government needed to collect and process access records from all the base stations within the Itaewon area. Mobile phones automatically transfer and receive signals to the closest base stations of mobile companies as long as the phones are switched on. Moreover, communication between mobile phones and the base stations are pre-programmed to be documented as access records within the base stations. If the government can examine access records of a specific base station, it can identify all the people who arrive and depart near that base station. The PHAs-through the police-requested the three major Korean mobile companies to analyse the access records from the Itaewon area base stations and identify all the people who were around the club for more than 30 minutes between 24 April and 6 May 2020. The mobile companies submitted personal information of all users, including their names, phone numbers and addresses. Next, the Seoul Metropolitan Government sent text messages to 10,950 people on the list urging them to get tested for COVID-19.  Seoul's measure was extraordinary from the perspective of the usual FEI standard practice for location information. Investigators do not usually start by collecting mobile phone location information, including access records from the base stations on the route of that person; they must first identify the particular person in question. In the Itaewon case, the process followed was the opposite. Seoul collected all the mobile user access records at a specific time and place and then identified and shortlisted people suspected of being infected from the blanket collections of access records. Consequently, Seoul exposed numerous anonymous people to privacy risks as it arbitrarily categorised all the people listed as "infection-suspected persons". During the entire process, the government did not request consent for information collection and processing.
Seoul's measures raised privacy concerns. (K. Jang, 2020, pp. 202-4) A constitutional petition is pending in the Constitutional Court of Korea against Seoul's response to the Itaewon cluster infection. This constitutional claim can be considered a symbolic turning point as a significant legal response to privacy leaks. In the early state of the COVID-19 outbreak, the public appetite for more information disclosure and general anxiety created an atmosphere that deterred aggrieved persons in many cases mentioned in the introduction of this research from considering legal action against privacy leaks. In this case, the claimant visited a restaurant in the Itaewon area in late April. The restaurant was far from clubs and places known to have been visited by a COVID-19 confirmed patient. However, his location information and base station access information was collected by the Seoul Metropolitan Government and the MOHW without consent. The claimant, along with the other 10,905 people, received a text message from the Seoul Metropolitan Government.
First, the claimant questioned whether the government has statutory grounds to collect and process the location information of people who have visited the risky area. Although the IDCPA III allows PHAs to collect the location information of any infection-suspected person, the data collection process did not occur after those infection-suspected people were identified. Conversely, the PHAs identified infection-suspected people by collecting the personal data of the general public who stayed around Itaewon. The PHAs, in this case, collected access records of people who were not considered suspect of being infected. The 10,905 infection-suspected people were chosen after a blanket collection of access records from base stations around the Itaewon area.
Second, the claimant argued that the concept of "infection-suspected person" is so ambiguous that the PHAs or government can expand the collection scope without limits and beyond necessity. While the current legislation confers strong powers to collect and process location information, it does not have clear set standards for designating an infection-suspected person. (G. Kwon, 2020, pp. 24-5) Although the PHAs are required to assess whether a concerned person is exposed to "risk factors, such as infectious pathogens" and "may have contracted an infectious disease", the meaning of "risk factors" remains unclear and is entirely at the discretion of the PHAs.
After multiple mass infections originated from Itaewon, the government introduced QR code technology for efficient contact tracing. Entertainment facilities, such as clubs, bars and karaoke rooms, are designated as high-risk facilities and are mandated to keep visitor information through a QR code application installed on smartphones. If visitors download a smartphone application and enter personal information, such as name, contact information and date of birth, they receive a one-time authentication number or QR code. The QR code is extinguished 10 seconds after issuance to prevent unauthorised duplication. All information is automatically destroyed within four weeks to protect personal information. (S.  However, the possibility of hacking into the QR code database system cannot be completely denied. Although the process appears voluntary, it is compulsory. A person will be unable to enter or use the facilities even under limited conditions if they refuse to present their information. Moreover, people unfamiliar with QR code technology can manually fill out the visitor roster kept inside the facilities. In that case, it is highly doubtful that public authorities can effectively control the mismanagement of personal information by private owners of the facilities. As Korea has experienced repeated infection waves, public patience has gradually exhausted. The government and politicians consider much more aggressive action to appease public anxieties. For example, in August 2020, another infection surge occurred because of a political rally held by right-wing Christian groups against a liberal government. As the government again levelled up the social distance measure, it exasperated Koreans who had previously tolerated harsh measures. They denounced the conservative groups while top politicians named them and their rally participants as murders. As key leaders of the conservative groups declared their refusal to cooperate with FEI, the Korean government identified and traced the rally participants and conducted a comprehensive joint criminal investigation on church leaders. (T.  As more people refuse to follow rigorous government instructions amid this lingering pandemic, public authorities devise increasingly aggressive and even questionable approaches to enforce compliance. Separate from criminal charges, many municipal governments warn of filing legal suits and damages of hundreds of thousands of dollars against infected parties if FEI proves a lack of compliance with social distancing guidelines or deceit towards FEI authorities about their travel routes. (V. Kim 2020b) The extent to which professional expert groups can be guardians of privacy protection is still unclear. Evidently, professional groups have screened the unreasonable public demand to threaten privacy protection and PHEP until now. In the example of the Shincheonji-originated infection wave, many politicians urged public prosecutors or police to forcibly investigate key church leaders to seize the information necessary for FEI. However, the KCDC and the MOHW stated that if Shincheonji believers hid from law enforcement authorities, the forced investigation would not help ensure efficient quarantine measures. They added that the top priority was to persuade the church to present the information voluntarily. (M. Lee 2020) Through risk communication, the KCDC Director and NHRCK disseminated a consistent signal that social stigmatisation and hate speech should be prevented from the perspective of the PHEP efficiency and the value of privacy protection after the Itaewon cluster infections. Such a "calm-down" attitude helped Seoul to set up an anonymous testing system where anyone could get a COVID-19 test without privacy concerns. The PHA does not require any specific personal information except for a phone number.  In many cases, expert groups have shown negative attitudes towards disclosing unnecessary personal information to ordinary people.
However, medical experts and professionals within the KDCA remain silent, or even implicitly supportive, of enhancing the powers to collect and process personal information. It is worth noting that although medical experts have shown support for the steps undertaken to increase statutory powers for efficient EDI preventions, they display negative attitudes towards disclosing personal data to laypeople or increasing engagement with the public. For instance, a member of the National Assembly, questioning the KCDC (now KDCA), revealed that the KCDC has decided to permanently maintain the personal information of 2,325,845 people collected during the COVID-19 response processes. The information includes name, resident registration number, guardian's name, landline phone number, mobile number, address and occupation. The KCDC explained that the Centre approved this internal instruction in 2018 before COVID-19 and that this instruction applies to the current pandemic situation. The KCDC insisted that the permanent preservation of personal information is required to efficiently perform disease control and public health promotion in the future. In response to the privacy concerns, the KCDC has committed to maintaining a tight security system. Such an attitude presents the privacy loophole in the current PHEP system. Of course, the KCDC has no statutory authority to preserve the personal information permanently. However, the current IDCPA II neither requires the PHAs to destroy personal information nor-at the same time-prevent its permanent preservation. Whether the collected personal data will be preserved entirely depends on the KDCA's discretion.

Conclusion: on the line
While the 2015 MERS outbreak inflicted a collective social trauma, it also offered social immunisation for the COVID-19 pandemic. (Lee et al., 2020, p. 729;Oh et al., 2020) The current Korean government attempted to win popular support by enhancing transparency and empowering the PHAs and medical professionals. An ameliorated PHEP system has helped Koreans bring the current public health crisis under relatively stable control without too stringent measures, such as a total lockdown. However, it is difficult to ignore the fact that the MERS experience has driven people to compromise on privacy protection for the sake of an "exceptional situation". The legacy of the MERS outbreak led to an ironic situation wherein considerable privacy concerns were overlooked under the pretext of efficiency and transparency during the public health emergency. Despite potential threats to privacy, the public demands more personal information, while shrewd politicians exploit this demand. (Do, 2020;Yi & Lee, 2020) The populist threat to individual privacy rights is anticipated to gain force as the current crisis continues to last much longer than people anticipated. For example, a government survey indicated that an absolute majority of Korean people (37.5% very appropriate and 53.8% mostly appropriate) appear to support current government policy concerning the use and disclosure of confirmed case personal information during the public health crisis. Furthermore, more than half of Korean people (58.8%) had used the COVID-19 map to locate confirmed cases or the public announcement of movement routes, and 92.7% of them consider those systems useful during the pandemic. (The Presidential Committee on the Fourth Revolution, 2020) Panicked people are likely to gravitate to charismatic leadership as long as the epidemiological features of the infectious disease remain nebulous. People tend to prefer preemptive measures that they would otherwise oppose. Conversely, critical voices will be marginalised as more stringent policies prove to be efficacious and gain increased public support. Moreover, how far medical experts will show commitment to privacy protection, even after the PHEP efficiency and their powers are limited, is not clear.
To conclude, Korea is precariously walking a tightrope between privacy infringement and efficient PHEP. Korean PHEP governance is on the line and more likely to be politicised as public patience wears off from the uncertainty of the lingering pandemic. Judging from the current situation, Korea will reach the end of the dark pandemic tunnel relatively sooner than other countries. While the lesson of the MERS outbreak shaped the institutional memory for the current PHEP system, the institutional memory that the legacy of the COVID-19 pandemic will form in regard to the future of Korean PHEP remains unclear. Is Korea standing at a darker and longer tunnel entrance towards a public health Big Brother?