[Asking the Path in the Data Economy] Law and Legal Conflicts... The Long Road Ahead for Medical Big Data

[Asia Economy reporters Seulgina Jo and Heungsun Kim] Insurance company A is considering a service that analyzes the likelihood of cancer and genetic diseases based on medical data of insurance subscribers following the implementation of the Data 3 Act in August, and proposes customized products and rates by combining it with its own insurance data. Although this service has been commercialized overseas for several years, it has not even been attempted domestically due to obstacles such as the Personal Information Protection Act.

With the implementation of the Data 3 Act expected to bring about major changes including telemedicine in the medical field, which has been a relatively sensitive area as well as new industries for companies, concerns are rising on the ground that the law alone is not enough. There are numerous prerequisites to be prepared for the full-fledged data economy era.

For instance, in the case of company A, conflicts between the Personal Information Protection Act and medical-related laws are inevitable in the process of combining medical data and insurance data. It is anticipated that additional legal amendments will follow across society. There are also claims that rights such as data portability and refusal rights should be introduced in this process.

Establishing governance for revitalizing the data economy and protecting personal information is also essential. Discussions on a control tower such as a Data Agency have already begun in the political sphere.

According to the related industry on the 9th, the Ministry of Health and Welfare is preparing a 'Medical Data Specialized Guideline' considering concerns that conflicts may arise with medical-related laws such as the Medical Service Act about a month before the implementation of the Data 3 Act.

The Personal Information Protection Act, which allows pseudonymized information to be provided to third parties without consent, conflicts with the obligation to prohibit information leakage under the Medical Service Act. The National Health Protection Act also separately protects 'personal information,' making conflicts between legal systems inevitable in the current state. Unlike the Personal Information Protection Act, which does not mandate consent, the Bioethics and Safety Act requires a review committee before providing data to third parties for research purposes. These factors contribute to differing interpretations regarding the use of pseudonymized personal medical information.

Attorney Kwangbae Park of the law firm Kwangjang explained, "The concept of pseudonymized information in the Medical Service Act differs from that in the Personal Information Protection Act. Confusion may arise." He added, "Since the Medical Service Act is a special law concerning medical care, additional procedures such as those under the Bioethics Act must be followed when combining medical data." This explains why there are calls inside and outside the industry for reviewing the legal consistency between the Data 3 Act and medical-related laws.

Earlier, the Ministry of the Interior and Safety drew a line by stating that the provisions of the Medical Service Act and the National Health Protection Act take precedence over the Personal Information Protection Act amid such controversies, but concerns remain that interpretations may differ when applied in practice. A law firm official who wished to remain anonymous said, "Even if special laws take precedence, it is unrealistic to apply them to every field. Many difficulties are inevitable," and pointed out, "The Medical Service Act also needs to be revised consistently to reflect amendments to the Personal Information Protection Act."

This issue is not limited to the medical field. Even within the Data 3 Act, controversies arise over which law applies when financial data under the Credit Information Act and data under the Personal Information Protection Act are combined. Seongyeop Lee, president of the Korea Data Law Policy Association, said, "When pseudonymized information from a non-financial institution like a telecommunications company is combined with that from a financial institution, it becomes ambiguous which law applies," adding, "This could become a problem after the Data 3 Act is implemented." The Credit Information Act has a broader scope and simpler procedures than the Personal Information Protection Act regarding pseudonymized information application and combination.

The National Assembly Legislative Research Office emphasized, "It is necessary to review the legal consistency between recently added or amended legal provisions in the 21st National Assembly," and stressed, "There is a need to discuss whether the differences in application targets and regulatory levels between the Personal Information Protection Act and the Credit Information Act are appropriate."

Alongside this, voices have been raised that the criminal penalty provisions within the Personal Information Protection Act are excessive. Since criminal penalties apply even for simple negligence violations, it is expected to become an obstacle to companies' data utilization efforts in the future. An industry insider sighed, "The scope of safety measures is ambiguous, and there may be situations that occur inevitably despite compliance with the law, but if all are subject to criminal penalties, who would want to be a personal information manager?"

In response, the Legislative Research Office proposed measures such as criminal penalties only for wrongful intent, or easing criminal penalties while strengthening administrative regulations like fines or civil damages. It also added that it is necessary to consider introducing data portability and refusal rights for automated decision-making within the Personal Information Protection Act to strengthen the rights of data subjects.

Establishing governance is also cited as a future task. The heated discussions on establishing a Data Agency in the political sphere started in this context. Representative figures include Lee Kwang-jae of the Democratic Party of Korea, who has advocated for the establishment of a Data Department or Data Agency since early this year, and Kim Jong-in, emergency committee chairman of the United Future Party, who shouted at a Data Agency forum, "National power is proportional to data utilization." The ruling and opposition parties plan to push related legislation soon.

Joo Suhwan, president of the Korea Information Security Association, supported the establishment of a control tower, saying, "Just as the establishment of the Ministry of Information and Communication led to the development of Korea's IT industry, it is time for the nation to consider the future direction to develop the data industry, which is called the 'rice of the future.'"

However, separate from this intention, there are many voices pointing out the possibility that the Data Agency could become a redundant organization. It is not easy to manage data from a wide range of fields such as finance, medical care, and education in one department, and its role is likely to overlap with existing domestic organizations that share data management duties, such as agencies under the Ministry of Science and ICT, the Ministry of the Interior and Safety, and the Personal Information Protection Commission.

Kim Jaehwan, head of policy at the Internet Enterprise Association, criticized, "For the activation of the data economy, it is most important to enable data to be used as needed in the right place, so it is questionable whether it is necessary to centralize everything in one place." An ICT conglomerate official also expressed concern, saying, "I don't know what a 'Agency' without policy functions would do. It could become another regulation."

Cho Kwangwon, president of the Korea Data Industry Association, which operates a big data company, proposed an independent committee-level organization that complements the practical shortcomings of the 'Agency,' saying, "In the era of the 4th Industrial Revolution, a future-oriented organization that creates a dynamic industrial environment is needed."

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.