국가전략기술 특화연구소의 디지털 헬스 데이터 플랫폼 운영의 법적 한계와 극복

On January 26, 2024, Seoul National University Hospital (SNUH) was designated as Korea’s first National Strategic Technology Specialized Research Institute under the Special Act on the Promotion of National Strategic Technologies. This designation has positioned SNUH to undertake cutting-edge medical science research, including digital health data and advanced biotechnology, in collaboration with world-renowned institutions such as Harvard, Massachusetts Institute of Technology, and Stanford. However, during preparations for collaborative research with overseas institutions, an unforeseen legal obstacle emerged regarding the use of pseudonymized data. The research envisioned uploading pseudonymized data to the specialized research institute’s data platform, where overseas researchers could access and analyze it remotely. According to Article 28-8(1) of the Personal Information Protection Act (PIPA), even when personal information stored on domestic servers is merely accessed by overseas entities, it constitutes a “cross-border transfer,” which is fundamentally prohibited. Exceptions to this prohibition are granted only if one of the following conditions is met: 1. Explicit consent for the transfer is obtained from the data subject (Subparagraph 1), 2. Special provisions regarding the cross-border transfer of personal information exist under other laws, treaties, or international agreements (Subparagraph 2), 3. The transfer is necessary for the performance or execution of a contract with the data subject (Subparagraph 3), 4. The receiving overseas institution has obtained certification for personal information protection as notified by the Personal Information Protection Commission (Subparagraph 4), or 5. The Personal Information Protection Commission recognizes the receiving institution or country as meeting acceptable levels of data protection (Subparagraph 5). Since pseudonymized data for scientific research purposes is still classified as personal information, these regulations apply. However, due to the nature of pseudonymized data being processed without the data subject’s consent, compliance with Subparagraph 1 is infeasible. Moreover, as the research purpose extends beyond the original contractual context for which the medical data was collected, Subparagraph 3 is also inapplicable. The remaining Subparagraphs 2, 4, and 5 are currently not available. To address this issue, SNUH applied for a regulatory sandbox demonstration exception for the specialized research institute’s data platform. On June 28, 2024, the Ministry of Science and ICT conditionally approved this exception, provided that SNUH complies with the “essential safety measures” standards jointly announced by the Personal Information Protection Commission, the Ministry of Science and ICT, and the National IT Industry Promotion Agency. Separately, another barrier to international collaboration not addressed in the regulatory sandbox application is the prohibition of foreign cloud services for public institutions in Korea. Many overseas institutions prefer to use cloud services offered by global companies such as Amazon Web Services (AWS), Microsoft (MS), and Google. However, these services are not certified under CSAP, a mandatory standard for public cloud services, rendering their use prohibited for public institutions. This case highlights the urgent need for a robust legal foundation to enable domestic medical institutions to safely and systematically utilize high-quality medical data for global and domestic research. Establishing such a framework could pave the way for Korea to lead the global healthcare market through innovations such as medical large-scale language models (LLMs), medical AI, and algorithms.