Designing Health Data Portability Under Korean Law

Two bills have recently been proposed at the Korean National Assembly to introduce data portability provisions to the Personal Information Protection Act. The two bills were largely modeled on Article 20 Right to Data Portability of European Union’s General Data Protection Regulation (“GDPR”). We argue that the proposed “one-size-fits-all” provisions are ill-suited to health data portability for a few reasons. First and foremost, the bills stop short of mandating interoperability of data being transferred, in a manner similar to the GDPR. Unlike in some other sectors, however, interoperability is critical in achieving ease of data transmission in health care, because health IT is highly fragmented with numerous vendors, each with their own data format. Secondly, the two bills exempt inferred data and derived data from data portability, also in a manner similar to the GDPR. While such exemption may be striking a balance between the interest of individuals and the interest of data controllers, it renders data portability almost valueless in the context of health care, where important data are usually inferred data and derived data created by health providers. Lastly, an exemption from data portability for small businesses will be at odds with health care, in which primary care clinics are inevitably “small businesses”. These limitations found in the data portability bills are not surprising, in light of the core objective of their model, Article 20 of the GDPR, which was to promote competition by helping users retrieve their data held by dominant service providers. Hence, we argue that a better approach to health data portability is to amend the Medical Service Act that already includes basic measures to facilitate data exchange between health providers. Although the Medical Service Act too has to be amended to implement health data portability in the scale already being implemented in other countries, it will not be limited by the need for universal applicability across different industries that the general, Personal Information Protection Act faces. Instead, more nuanced and sophisticated health data portability can be designed in the Medical Service Act that provides more clarity to complex legal issues unique to health data, such as interoperability, data scope, health information exchange and secondary use, to name a few.