to data were passed by the National Assembly of the Republic of Korea: the Personal Information Protection Act, the Act on Promotion of Information and Communication Network Utilization and Information Protection, etc., and the Credit Information Use and Protection Act [1]. The amendments of these acts are abbreviated by the media as the “Three Data Bills (TDB)”. While the past laws put more emphasis on protection of personal information, the TDB not only provide data protection but also pave the way for data utility. The potential usefulness of big data in healthcare allows healthcare policy decisions to be made based on data, supports medical developments through data research, and makes data-driven precision medicine achievable [2]. However, the Korean laws have focused mostly on the protection of such data. As a result, academic and industrial circles have been demanding changes to encourage data sharing. One of the noticeable changes made in the amended TDB is that pseudonymous data is explicitly defined [3]. Article 2 of the Personal Information Protection Act (PIPA) defines pseudonymized information as personal information that is pseudonymized and becomes incapable of identifying a particular individual without the use or combination of information for restoration to the original state. Although deidentification or anonymization is not subject to the PIPA, pseudonymization is explicitly defined and falls within the scope of personal data in the Act. In the amended Act, pseudonymized information may be processed without the consent of data subjects for statistical purposes, scientific research, and the preservation of records for the public interest, and so forth. A specialized institution designated by the Protection Commission or a related administrative agency may combine pseudonymized information stored outside the organization.
Moreover, it may become possible to combine claim data of the National Health Insurance Service or the Health Insurance Review & Assessment Service with the patient information stored in hospitals. The amendment of the PIPA follows the trend of personal information protection standards in developed countries. This means that it is also a change to meet the protection standards of the European Union’s General Data Protection Regulation (GDPR) or the Health Insurance Portability and Accountability Act (HIPAA) of the United States. Meeting strict GDPR personal data protection standards is tough, especially for companies exporting to Europe. Therefore, Korean laws have been amended to comply with the GDPR requirements to facilitate the export of local products abroad. The GDPR, like the TDB, also defines pseudonymized data as personal data that is no longer re-identifiable if there is no additional information [4]. We may infer that the GDPR recommends pseudonymization to process and utilize data. The HIPAA by the US government achieves the deidentification of protected health information through the expert determination method and the safe harbor method [5]. The expert determination method has the disadvantage that it is necessary to appoint an expert for each study, requiring a greater investment of money and time. On the other hand, it also