In contrast to the U.S., most European countries have for some years had in effect broad data-protection laws, based on human rights principles. All focus on personally identifiable data. Most deal with legitimacy of need-to-know; with notification of data-subjects, and consent; with data-subject rights, such as the right to examine data about oneself; with data security; and so on. And they establish remedies and sanctions against violations.78
Usually the laws are administered through independent national "data protection commissions" or "registrars." These bodies investigate complaints, critique the privacy implications of government programs, mediate privacy disputes, perhaps audit organizations' privacy protections, and represent the country's privacy interests internationally.79 In some countries, such as Germany, provincial, in addition to federal, data-protection laws and agencies also are important. (Australia, New Zealand, Canada and several of its provinces, South Africa, and Japan also have active data privacy laws and agencies.) Again: The U.S. has no equivalent bodies.
In Europe sensitivities about health data run very high. National healthcare systems of course process huge volumes of data about individuals. In Europe medical data increasingly are being processed via electronic media. Electronic "smart cards" are being tried for medical billing (in Germany) or to carry some health data (in France), but progress is slow, because of both medical objections and privacy concerns. A pan-European "electronic health passport" has been proposed which would carry at least emergency medical information such as blood type and allergy information, but movement toward such a system has met with much opposition on privacy grounds. In France the Health Ministry has announced that by 1999 doctors must submit all of their bills electronically; but the medical establishment is resisting. In the U.K., communication of medical data via a new "NHS-Net" Internet service has been promoted by the National Health Service (NHS); but protests by both doctors and the public, largely over security and confidentiality, have forced a standoff, which has not yet been resolved.
In the past few years most legislatures have been readdressing the issues of informational privacy, especially with respect to data processed electronically. Several have adopted, or are currently considering proposals for, new laws covering health data. Now the issues have gained Europe-wide dimensions. All of this has implications for the U.S. and other countries outside Europe.
(78) For comparative analysis see Colin J. Bennett, Regulating Privacy: Data Protection and Public Policy in Europe and the United States (Cornell University Press, Ithaca, New York, 1992).
(79) For background from the view of a privacy commissioner, see Flaherty, as cited in endnote (1).
The European Union Data Privacy Directive
On October 24, 1995, after five years of deliberation, the European Parliament and the Council of the European Union (E.U.) adopted a "Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data" (hereafter, Directive).80
The Directive is extremely broad, covering the processing of all information about individuals. Its dual purposes are aptly expressed in its title. It is not specifically oriented to health data, although at a few points it makes reference to public health and medical data. If enforced literally some of its provisions could be inimical to health research.81
The Directive is a "framework directive" establishing general principles, with which the fifteen E.U. Member States must bring their national "laws, regulations and administrative provisions" into congruence by October 1998 (Article 32).82
"Personal data" and "processing" are defined comprehensively (Article 2).
(a) "Personal data" shall mean any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
(b) "Processing of personal data" ("processing") shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
(80) "Directive 95/46/EC of the European Parliament and of the Council," Official Journal of the European Communities No. L 281, 31–50 (November 23, 1995). Available on the Internet in English, Dutch, French, German, Italian, and Spanish via the European Union Web site <http://www2.echo.lu>.
(81) A useful early review was Stefaan Callens, "The Privacy Directive and the use of medical data for research purposes," European Journal of Health Law 2, 309–340 (1995).
(82) The Member States of the E.U. are Austria, Belgium, Denmark, Finland, France, Germany, Greece, Ireland, Italy, Luxembourg, The Netherlands, Portugal, Spain, Sweden, and the United Kingdom.
Legal Revisions in Some European Countries
The following sketches of the situations in six European countries are meant simply to illustrate the kinds of legal activities that are taking place now. All European countries have some protections in operation, and all are now evaluating whether they must make adjustments to comply with the E.U. Directive. 1998 is expected to be a busy year in privacy legislation.
New Council of Europe Recommendation on Protection of Medical Data
The Council of Europe is an intergovernmental organization of 39 countries, headquartered in Strasbourg. Compared with the E.U., it comprises 24 more countries (but includes all members of the E.U.), draws heavily upon expertise in its member countries and depends on a relatively smaller staff, and its actions are not formally enforceable.93 The two organizations coordinate their work. E.U. Commission staff represent the E.U. in all important activities of the Council of Europe, as they have done during the recent years' deliberations over data privacy in general and those over protection of health and medical data specifically.
In 1981 the Council of Europe passed an influential "Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data," which set out a number of principles.94 Within a few years most major European countries ratified the Convention. It was on the basis of this Convention, and the deliberations that had led up to it, that most European countries developed their own laws and set up data-protection regimes.
The 1981 Convention is not formally binding. But it has set the tone for much data-protection work, and has been referred to many times in judgments on such issues as international data transfer. Some countries require the obtaining of special permission, or the establishment of a contract surrounding a "data corridor," so to speak, between institutions, before allowing transfer of sensitive data from their country to an institution in a country that has not ratified the Convention or where the protections are deemed weak.
Countries which are not members of the Council of Europe have been encouraged to ratify or otherwise adopt the provisions of the Convention. The U.S. is not in a position to do so, because, among other reasons, it lacks Federal privacy law covering data in the private sector.
In February 1997, after five years' deliberation, the Council of Europe's Committee of Ministers—comprising the foreign ministers of all the Members—adopted a detailed "Recommendation on the Protection of Medical Data" (hereafter, Recommendation).95 Many observers believe that because this Recommendation is specific to medical data and is felt to be practicable, and also because it covers all of Europe, it may well come to be deferred to as the guiding document for Europe. Governments have already approved it in the Council of Europe, so they must expect to implement its principles. And it is thought that for this sector the E.U. eventually may amend its Directive and explicitly defer to the Council of Europe Recommendation.
Even though its title refers to "medical" data, the Recommendation in Article 1 makes clear that it covers health data broadly:
The expression "medical data" refers to all personal data concerning the health of an individual. It refers also to data which have a clear and close link with health as well as to genetic data.
The Recommendation's concerns are to protect personally identifiable data, but it notes (Article 1): "An individual shall not be regarded as 'identifiable' if identification requires an unreasonable amount of time and manpower."
Article 3 limits the circle allowed to process health data:
In principle, medical data should be collected and processed only by health-care professionals or by individuals or bodies working on behalf of health-care professionals. ... Controllers of files who are not health-care professionals should only collect and process medical data subject either to rules of confidentiality comparable to those incumbent upon a health-care professional or to equally effective safeguards provided for by domestic law.
Article 4.3 affirms: "Medical data may be collected and processed if provided for by law for public health reasons... or another important public interest."
The Recommendation includes the standard fair-practice requirements to inform subjects, seek informed express consent, allow data-subject access and rectification of data, and the like.
Article 12, "Scientific Research," lays out this series of conditions:
12.1. Whenever possible, medical data used for scientific research purposes should be anonymous. Professional and scientific organizations and public authorities should promote the development of techniques and procedures securing anonymity.
12.2. However, if such anonymization would make a scientific research project impossible, and the project is to be carried out for legitimate purposes, it could be carried out with personal data on condition that:
  a. the data subject has given his/her consent for one or more research purposes; or
  b. [provision having to do with legally incapacitated subjects]; or
  c. disclosure of data for the purpose of a defined research project concerning an important public interest has been authorized by the body or bodies designated by domestic law, but only if:
    i. the data subject has not expressly opposed disclosure; and
    ii. despite reasonable efforts, it would be impracticable to contact the data subject to seek his consent; and
    iii. the interests of the research project justify the authorization; or
  d. the scientific research is provided for by law and constitutes a necessary measure for public health reasons.
Transfer of personally identifiable data from a country which has ratified the Convention of 1981 of the Council of Europe to countries which have not is to be prohibited—unless "equivalent protection" is ensured, perhaps by contract, "and the data-subject has the possibility to object to the transfer" (Article 11).
An important question for the coming period is how the considerations of this Council of Europe Recommendation on the Protection of Medical Data will intersect with those in the implementation of the E.U. Data Privacy Directive.
(93) The Members of the Council of Europe are Albania, Andorra, Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Moldavia, The Netherlands, Norway, Poland, Portugal, Romania, Russia, San Marino, Slovakia, Slovenia, Spain, Sweden, Switzerland, "the Former Yugoslav Republic of Macedonia," Turkey, Ukraine, and the United Kingdom.
(94) Council of Europe, "Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data," European Treaty Series No. 108 (January 28, 1981).
(95) Council of Europe, "Recommendation of the Committee of Ministers to Member States on the Protection of Medical Data," No. R (97) 5 (February 13, 1997). For context see also the "Explanatory Memoranda."
Dialogue between the U.S. and Europe
For the U.S., it will be very important over the next few years to engage in high-level, broadly based dialogue with European leaders over the implementation of the E.U. Directive and the Council of Europe Recommendation. Discussions will have to be held with national governments and with intergovernmental organizations. Health data and health research must be addressed specifically; they simply cannot be dealt with in the same way as banking, credit, tax, education, transport, or criminal data.
In these discussions private-sector organizations involved with health research should participate fully. So should regulatory agencies that require international transfer of health data.
Focal issues regarding health research will be:
- Specifics in the implementation of the E.U. Directive by Member States, and pan-E.U. decisions taken by the E.U. Working Party, the Commission, and the European Parliament.
- Especially, the determination of "adequacy" of conditions for transfer of data from the E.U. to the U.S. and other countries outside the E.U.
- The adoption by Members of the Council of Europe of the "Recommendation on Protection of Medical Data" and its detailed implications for practice.
- Recognition of the special needs in health research (such as the need to take ethnic and sexual factors into account, the need to accommodate secondary studies in databases, the need to retain data for a long time, and the like).
- Recognition of the special requirements already established in government regulation of research, development, and postmarketing study of pharmaceuticals, biological products, diagnostics, and medical devices.
- Recognition of the need to harmonize with the forthcoming E.U. Clinical Practice Guidelines (now in draft) and other international research guidelines.
- Emphasis on the need for uniform criteria and standards that will foster the international flow of health data.
In all of this, the U.S. government and other American organizations should not only be asking for concessions and exemptions, but also taking the opportunity of this period of reform to improve the ways they themselves handle these matters, and exerting international leadership.