As digital healthcare emerges as a core engine of the Fourth Industrial Revolution, medical data has acquired a dual legal status: it is both sensitive personal information requiring strict protection and a public good essential for promoting national...
As digital healthcare emerges as a core engine of the Fourth Industrial Revolution, medical data has acquired a dual legal status: it is both sensitive personal information requiring strict protection and a public good essential for promoting national health. This duality inevitably leads to a constitutional tension between the individual’s right to self-determination of personal information and the state’s duty to protect health and foster industry.
This study aims to derive legislative implications for the Korean legal system by analyzing these constitutional issues and comparing global legislative trends. First, this paper examines the recent decision by the Constitutional Court of Korea (2023), which affirmed the constitutionality of processing pseudonymized data without the data subject's consent. The Court ruled that such utilization does not violate the principle of proportionality, provided that strict safety measures are implemented. However, this study argues that legal constitutionality does not automatically guarantee social acceptance or procedural legitimacy.
To address these challenges, this study conducts a comparative analysis of medical data regimes in major jurisdictions. The European Union (EU) is moving towards the ‘European Health Data Space (EHDS),’ which mandates data sharing for secondary use while granting data subjects ‘opt-out’ rights. The United States combines the privacy protections of HIPAA with the ‘21st Century Cures Act,’ which enforces data interoperability by penalizing ‘information blocking.’ Japan has established a trust-based distribution model through the ‘Certified Operator’ system under its Next Generation Medical Infrastructure Act, while China strictly controls medical data as a national strategic resource based on its Data Security Law.
In contrast, the current Korean legal framework, specifically the Personal Information Protection Act, allows for consent exemptions for scientific research but lacks sufficient procedural guarantees—such as independent oversight bodies or practical opt-out mechanisms—comparable to global standards. Furthermore, the enforceability of data sovereignty initiatives like ‘My Healthway’ remains limited due to the absence of penalties for data blocking.
Consequently, this paper proposes four key legislative improvements: (1) the enactment of a special act dedicated to the promotion and protection of digital healthcare data; (2) the establishment of a state-certified data intermediary agency to ensure transparent and independent governance; (3) the legalization of a ban on ‘information blocking’ to substantiate the data subject's right to data portability; and (4) the reinforcement of national security measures regarding the cross-border transfer of sensitive bio-data. These measures are imperative to establish a reliable data ecosystem that harmonizes the constitutional values of human dignity with the public interest of health promotion.