Combating Covid-19: Challenge for data protection and privacy

Coronavirus disease (COVID-19) is an infectious disease caused by a newly discovered coronavirus and has spread globally since it was detected in December 2019. Technology plays an essential role in combating the virus, including contact tracing as a part of health surveillance. Although contact tracing is not a new method of combating a viral disease, the use of technology draws strong attention to data protection and privacy. Specific regulations and/or guidelines to protect personal data and privacy during the Covid-19 pandemic have been issued by some countries as well as international organizations. This research aims to examine how data protection and privacy respond to the technology challenge in the Covid-19 pandemic, including in Indonesia. Using normative legal research, this research finds that the utilization of technology to fight Covid-19, namely Indonesia's official contact tracing, has a legal basis in the existing regulations, and this is reflected in the user policy of the app, with some notes. However, future research is required to ensure that the app protects the user's personal data and privacy technically, and to compare it with other countries as well.


Introduction
COVID-19 is the name announced by the World Health Organization (WHO) in February 2020 for the new coronavirus disease, a pneumonia of unknown cause detected in Wuhan, China in December 2019. Suddenly, COVID-19 became a global pandemic. As of June 12, 2020, a total of 7,410,510 people had been reported as confirmed COVID-19 cases. Among these, 418,294 deaths related to COVID-19 had been reported [1]. Since it was declared a pandemic, it has threatened to become one of the most difficult tests faced by humanity in modern history [2].
Since technology has become a part of human life, it has become a tool to assist many countries in combating the virus, including finding a vaccine to stop the spread of the virus. Technology has assisted in population screening, tracking the infection, prioritizing the use and allocation of resources, and designing targeted responses [3]. Drawing on its experience, China has been using IT platforms as one of its responses. It capitalized on technology, big data, and artificial intelligence to provide authoritative and reliable information, medical guidance, access to online services, and provision of educational tools and remote work tools. These services have increased accessibility to health services, reduced misinformation and minimized the impact of fake news [4].

Methodology
This paper is normative legal research that focuses on values, norms and written rules. As normative legal research, it was conducted through a review of regulations and literature, which are classified as secondary data. The research approaches used are a statute approach, which focuses on regulations related to the topic of the paper, and a conceptual approach, which focuses on the concepts of privacy and data protection. The data collected are then analyzed using privacy and data protection concepts to answer the legal issue raised in this paper. To support this, the paper also assesses an Indonesian electronic contact tracing application against the data protection principles stated in the existing regulations.

Technology and COVID-19: Electronic contact tracing
Some technologies have been recommended to combat Covid-19, such as artificial intelligence, blockchain, open source technology, telehealth technology, 3D printing, gene-editing technology, nanotechnology, synthetic technology, drones and robots [12]. Some researchers describe how to combine the Internet of Things (IoT) with next-generation telecommunication networks (e.g. 5G), big data analytics, artificial intelligence that uses deep learning, and blockchain technology for monitoring, surveillance, detection and prevention of COVID-19 (directly related to COVID-19) and mitigation of impact (indirectly related to COVID-19) [13]. One type of technology may also apply at every stage of combating Covid-19, such as the utilization of artificial intelligence as described by the OECD in Figure 1 [14]. Artificial intelligence is also used to predict how the pandemic will end [15].
According to WHO, contact tracing is defined as the identification and follow-up of persons who may have come into contact with a person infected with the virus [16]. Contact tracing can be divided into 3 steps, as illustrated in Figure 2 [17]. WHO describes a contact as a person who experienced any one of the following exposures during the 2 days before and the 14 days after the onset of symptoms of a probable or confirmed case: (1) face-to-face contact with a probable or confirmed case within 1 meter and for more than 15 minutes; (2) direct physical contact with a probable or confirmed case; (3) direct care for a patient with probable or confirmed COVID-19 disease without using proper personal protective equipment; or (4) other situations as indicated by local risk assessments [18].

Figure 2. Steps of Contact Tracing
Contact tracing can be implemented with different technologies: (1) short-range wireless technology such as WiFi and Bluetooth; (2) GPS technology; and (3) data from social networks. However, contact tracing also faces some critical issues, namely accuracy, privacy, and energy consumption efficiency [19]. The United Nations also noted that using technology, especially Big Data and Artificial Intelligence, has high potential to abuse human rights, including by causing discrimination, being intrusive and infringing on privacy, or being deployed against people or groups for purposes going far beyond the pandemic response. Therefore, it shall be ensured that the use of surveillance in response to COVID-19 is subject to safeguards, purpose limitation and adequate privacy and data protection [10].

Privacy and data protection
Privacy and data protection can potentially be abused through technological surveillance in response to COVID-19. Privacy is part of human rights. However, privacy is an abstract concept. Privacy protects emotional life, which is called the right to be let alone [20]. Specifically, the concept of privacy is associated with control over personal information [21].
Privacy and technology are always intertwined. Post argues that technology can endanger intimate personal information [22]. There are four basic groups of harmful activities: (1) information collection, (2) information processing, (3) information dissemination, and (4) invasion [23]. Privacy is classified into several types, including personal information [24]. Personal information, also known as personal data, is interpreted as any information relating to an identified or identifiable individual (data subject) [25] [26]. Within data protection, some specific personal data are considered sensitive data, including health data. For sensitive data, some restrictions and extra treatment shall be considered before processing, for example the treatment of sensitive data under the General Data Protection Regulation (GDPR) [26].
The application of technology to human life draws attention to personal data protection. A total of 132 countries have put in place legislation to secure the protection of data and privacy [27]. Data protection regulation ensures that the processing of personal data respects the data subject and is conducted according to the data protection principles. Each country sets out its data protection principles in its national legislation. In general, the data protection regime was inspired by the OECD 1980, which applied the first internationally recognized privacy principles, as described in Figure 3 [28]. However, national legislation includes some exceptions to the application of data protection, such as national sovereignty, national security and public policy, as long as they are applied minimally and are known to the public [25].

Privacy and data protection on the Covid-19
The United Nations stated that the response to Covid-19 shall respect and not abuse human rights, including privacy and data protection. The Global Privacy Assembly listed 50 entities (countries and organizations) that have guidelines for data protection during Covid-19 [29]. Data collected are not only used by the country itself but also shared with other countries and international health organizations as part of cooperation to combat Covid-19 globally. Data sharing, including information about imported cases to facilitate contact tracing and inform containment measures, is one of WHO's recommendations for handling Covid-19. However, such data sharing shall be conducted under the International Health Regulation [4]. Based on the guidelines issued by WHO and the EU in Table 1, it can be summarized that, to respect personal health data as part of data protection and privacy, data processing shall be anonymized.
Actually, data sharing is not a new policy. WHO issued its Policy Statement on Data Sharing in the context of public health emergency on April 13th, 2016. Under WHO's data sharing policy, there are 3 categories for data sharing in public health emergencies: (1) surveillance, epidemiology and emergency response, including health facilities, (2) genetic sequences, and (3) trials. Basically, the data belong to the countries in which they were generated. However, there is consensus to share the data. Such shared data shall be anonymized to protect privacy and ensure confidentiality [30].
In response to Covid-19, the EU issued Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the Covid-19 outbreak on April 21, 2020. The EU has issued the GDPR, which not only affects any parties processing the personal data of EU citizens but also influences the development of data protection legislation in other countries. Therefore, this paper also considers how the EU handles data protection issues in the context of Covid-19. The Guidelines focus on localization data and contact tracing applications, as described in general in Table 1 [30]. According to Guidelines 04/2020, the main sources of localization data are: (a) location data collected by electronic communication service providers; and (b) location data collected by information society service providers' applications whose functionality requires the use of such data.

Localization Data
a. Data can only be transmitted if they have been anonymized by the provider or, for data indicating the geographic position of the user's equipment, with the prior consent of the user.
b. The storing of information on the user's device, or gaining access to information already stored, is allowed only if: (i) the user has given consent; or (ii) the storage and/or access is strictly necessary for the information society service explicitly requested by the user.
c. Derogations from the rights and obligations provided for in the "e-Privacy" Directive are however possible when they constitute a necessary, appropriate and proportionate measure within a democratic society for certain objectives.
d. Location data collected by an information society service provider may be re-used only with the additional consent of the data subject or on the basis of a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in the GDPR.
e. Preference should always be given to the processing of anonymized data rather than personal data.

Contact Tracing Application
a. The application should not collect unrelated or unneeded information, which may include civil status, communication identifiers, equipment directory items, messages, call logs, location data, device identifiers, etc.
b. Data broadcast by applications must only include some unique and pseudonymous identifiers, generated by and specific to the application.
c. Implementations can follow a centralized or a decentralized approach.
d. Any server involved in the contact tracing system must only collect the contact history or the pseudonymous identifiers of a user diagnosed as infected.
e. State-of-the-art cryptographic techniques must be implemented.
f. The reporting of users as Covid-19 infected on the application must be subject to proper authorization. If confirmation cannot be obtained in a secure manner, no data processing should take place that presumes the validity of the user's status.
g. The controller, in collaboration with the public authorities, has to clearly and explicitly inform users about the link to download the official national contact tracing app in order to mitigate the risk that individuals use a third-party app.
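
As an added illustration (not code from the Guidelines, from any contact tracing app, or from the authors of this paper), the following Python sketch shows one way items a, b, d and f above can translate into an implementation: rotating pseudonymous identifiers, a contact log that refuses unneeded fields, time-limited retention, and upload only after authorization. The HMAC-SHA256 construction, the 15-minute rotation, the 14-day window and all names are assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

RETENTION_SECONDS = 14 * 24 * 3600       # assumed retention window (14 days)
ROTATION_SECONDS = 15 * 60               # assumed identifier rotation interval
ALLOWED_FIELDS = {"peer_id", "seen_at"}  # item a: nothing else is ever stored


def broadcast_id(app_secret: bytes, now: int) -> str:
    """Item b: pseudonymous identifier, specific to the app, for the current time slot."""
    slot = now // ROTATION_SECONDS
    mac = hmac.new(app_secret, slot.to_bytes(8, "big"), hashlib.sha256)
    return mac.hexdigest()[:32]          # truncated; reveals nothing about the device


@dataclass
class ContactLog:
    records: list = field(default_factory=list)

    def observe(self, record: dict) -> None:
        """Store one sighting; reject phone numbers, device ids, location, etc."""
        extra = set(record) - ALLOWED_FIELDS
        if extra:
            raise ValueError(f"refusing unneeded fields: {sorted(extra)}")
        self.records.append({"peer_id": record["peer_id"],
                             "seen_at": record["seen_at"]})

    def purge(self, now: int) -> int:
        """Drop sightings older than the retention window; return how many were removed."""
        before = len(self.records)
        self.records = [r for r in self.records
                        if now - r["seen_at"] <= RETENTION_SECONDS]
        return before - len(self.records)

    def upload_if_confirmed(self, authorization_valid: bool, now: int) -> list:
        """Items d and f: release the contact history only for an authorized report."""
        if not authorization_valid:
            return []                    # unverified status: no processing at all
        self.purge(now)
        return [r["peer_id"] for r in self.records]


if __name__ == "__main__":
    # Constructed sample values, not data from any real deployment.
    secret, t0 = b"\x01" * 32, 1_600_000_000
    log = ContactLog()
    log.observe({"peer_id": broadcast_id(secret, t0), "seen_at": t0})
    print(log.upload_if_confirmed(True, t0 + 15 * 24 * 3600))  # expired -> []
```
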

Electronic contact tracing in Indonesia
Indonesia is one of the countries affected by Covid-19. As referred to in the regulations stated in Table 2, health surveillance through data collection, data processing, data analysis, and dissemination is allowed in order to produce objective and measurable information for decision making related to the disease. Data processing is carried out by data recording, validation, transformation, and grouping based on location, period and individual.
Electronic contact tracing involves personal data, since the application connects to the user's gadget and is allowed to access some information. Even though Article 28 (1) UUD 1945 does not clearly mention personal data protection, it is interpreted as a legal basis for personal data as a part of human rights, and consequently personal data should be protected by law. In addition, the Telecommunication Act states that the telecommunication service provider shall keep any information delivered and/or received by the customer through the telecommunication network and/or telecommunication services. Unless a regulation states otherwise, the processing of personal data requires the prior consent of the data subject, as stated in the Information and Electronic Act. The data subject is also entitled to request erasure of their personal data. Specifically, the regulations stated in Table 2 provide that personal health data is classified as personal data and will be treated as confidential unless the conditions stated in Article 57 Health Act are fulfilled. Article 57 Health Act states that health data is confidential, unless: (1) stipulated by law; (2) court order; (3) prior approval of the data subject; (4) public interest; and (5) patient interest.
Regarding privacy and data protection in electronic contact tracing, Ministry of Communication and Information Decree No.171/2020 only states that privacy and data protection will be referred to applicable law. However, the draft of Indonesia's data protection act has not been approved at this moment. Privacy and data protection in electronic contact tracing will therefore be referred to the existing legislation described in Table 2, which can be summarized as: (1) subject to the prior consent of the data subject; (2) clear information regarding data collection and processing shall be provided before the data subject gives prior consent; (3) compliance with the principles of data protection stated in Government Regulation No. 71/2019, which are the collection limitation principle, purpose specification principle, data quality principle, use limitation principle, security safeguards principle and destruction of personal data.
The research assesses compliance with these regulations by the Peduli Lindungi application. However, the assessment does not include the technical and system procedures of the application. The assessment refers to information provided by the Government about the app. Compared with Tracetogether, a Singapore contact tracing application, most information related to the application cannot be found on the Peduli Lindungi website. The detailed information is provided when the user installs and/or signs into the application.

General Information

Developer: PT Telkom Indonesia

Available at: Apps store, Google Play

Procedure:
a. When the app is being installed, it asks permission to activate Bluetooth and location data.
b. Bluetooth identifies other users within Bluetooth range and keeps the record (the identified user, location and timestamp) for 14 days.
c. The user's identity will be an anonymous ID.

Function:
a. The app sends a notification to the user if:
- The user is in a public area and close to another application user.
- The user is in a red zone (an infected area) and/or green zone (an uninfected area).
- The user is outside the isolation area while still in self-quarantine.
b. The app identifies other application users and keeps their anonymous ID for 14 days.

Technology: Bluetooth

Features: Red zone information, list of hospitals and public health, health consultation

Instruction to use: Available

Mandatory/Volunteer: Volunteer

Compliance of Data Protection Principles

Prior consent:
- When the user installs the app, it asks for prior approval to keep the phone number (encrypted) and to access Bluetooth and location. The user's phone number will be used by the Government to contact the user if the user has had contact with an infected person.
- The user is entitled to revoke their consent by sending written notification by email.

Collection limitation: User's handphone number, user's anonymous ID, location and timestamp

Purpose specification: Data will be used for: (a) tracking contact listing; (b) setting the self-quarantine location; (c) informing the zone's classification; and (d) as information for the government's decision making.

Data quality: Data cannot be changed. The user shall reinstall the app to change the user's data.

Use limitation: Data will not be distributed to other parties, except to the authorities appointed for Covid-19 or as stipulated by law.

Security safeguard: Bluetooth's security

Period to keep the data: Not stated clearly. The only information is that the system keeps the anonymous ID for 14 days and the server erases the record when the user uninstalls the app.
Therefore, two types of data are collected and processed by Indonesia's electronic contact tracing app: first, the personal data collected by the app, and second, the personal health data that may arise when the user is detected as infected. According to Table 3, both types of data shall be protected by law. The app itself provides terms and conditions that reflect how the data will be collected and processed as stated in the existing data protection regulations. However, further analysis is needed of how the personal health data is protected technically.

Conclusion
Technology shall be utilized to respond to COVID-19, including to monitor the spread of the virus and to provide any information required by the government to take necessary action. However, the state shall ensure that the utilization of technology does not abuse privacy and data protection. Some countries and international organizations have taken the initiative to provide guidelines for data protection and privacy during the Covid-19 pandemic, including anonymous data as the answer.
Indonesia has an official electronic contact tracing app for COVID-19, Peduli Lindungi. The app is established under Indonesia's existing data protection regulations, which have not yet been strengthened by a specific data protection act. The terms and conditions of Indonesia's contact tracing app reflect the data protection principles stated in Indonesia's existing regulations, with some notes. First, the period of the application's existence and of data retention is not stated explicitly. Second, it is recommended to put those terms on the application's website. This helps a person who is willing to install the app but needs more information. Third, since a specific data protection act has not been issued to date, data sharing between the authorities, as well as between states and international organizations, shall refer to clear and valid guidance. Fourth, in order to strengthen the legal protection of personal data and privacy, a specific data protection act is a must. Finally, to obtain a comprehensive point of view, a comparative study of the implementation of electronic contact tracing in other countries and a technical assessment are required.