SOUTH KOREA Law and Practice Contributed by: Kyungsun Kyle Choi, Eui Seok Kim, Han Kyul Nam and Eun Sun Jang, Kim & Chang
Medical Services Act (MSA)

The MSA overrides PIPA when it comes to patient records held by medical institutions. The MSA strictly limits third-party access to medical records, typically requiring patient consent. However, if records are pseudonymised and no longer identifiable, the PIPA (not the MSA) governs their use – opening the door to broader use in digital health applications.

Bioethics and Safety Act (BSA)

The BSA governs research involving human subjects, including clinical trials. Researchers must obtain institutional review board (IRB) approval and written consent from participants to process or share their personal information. When transferring such data to third parties, researchers must either pseudonymise the data or obtain explicit consent.

Artificial Intelligence and Machine Learning

South Korea is actively establishing a comprehensive legal framework to govern the development and deployment of artificial intelligence (AI) and machine learning (ML), particularly in high-stakes sectors like healthcare. A major step is the enactment of the world’s second AI Act, effective 22 January 2025, which covers AI across all sectors, focusing on trustworthiness, ethics, and safety.

Like the EU’s AI Act, South Korea’s AI Act adopts a risk-based classification system. AI systems with direct implications for human life and safety – such as those integrated into medical devices – are designated as “high-risk” and must meet rigorous regulatory requirements for technical robustness, transparency, and compliance with ethical norms. The Act also addresses algorithmic bias, mandating both the government and AI developers to proactively prevent discrimination throughout the entire AI life cycle – from design and development to deployment. To support this, the government must adopt a national framework plan that includes a code of ethics and human rights safeguards.

In the medical device sector, the MFDS released “Guidelines for the Approval and Review of Generative AI Medical Devices” in January 2025. These guidelines cover devices using generative AI for tasks like diagnosis or treatment. Such devices need to meet strict approval criteria, including submitting technical descriptions, performance data, and clinical efficacy evidence as per the DMPA. However, devices that merely summarise or retrieve data without analytical capability do not fall under this category.

Meanwhile, PIPA could apply to the use of personal data to train AI and ML algorithms. Under PIPA, consent is required even for the use of publicly available data if it involves personal information. Data processors must be cautious not to inadvertently collect sensitive data, such as health records, unless they meet enhanced processing conditions. Importantly, the purpose limitation principle under PIPA mandates that personal data – including health information – must be used only for the purpose stated at the time of obtaining consent. If AI training extends beyond this purpose, data must be pseudonymised, and its use is then limited to research, statistics, or public interest archiving.

Lastly, reflecting a shift toward automated decision-making transparency, the amended PIPA introduces a new right for data subjects – similar to Article 22 of the EU’s GDPR – allowing individuals to refuse or demand an explanation of decisions made solely by automated systems that significantly affect them. However, unlike the GDPR (which generally prohibits such decisions unless exceptions apply), the PIPA permits