On October 24, 1995, after five years of deliberation, the European Parliament and the Council of the European Union (E.U.) adopted a "Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data" (hereafter, Directive).80
The Directive is extremely broad, covering the processing of all information about individuals. Its dual purposes are aptly expressed in its title. It is not specifically oriented to health data, although at a few points it makes reference to public health and medical data. If enforced literally some of its provisions could be inimical to health research.81
The Directive is a "framework directive" establishing general principles, with which the fifteen E.U. Member States must bring their national "laws, regulations and administrative provisions" into congruence by October 1998 (Article 32).82
"Personal data" and "processing" are defined comprehensively (Article 2).
(a) "Personal data" shall mean any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
(b) "Processing of personal data" ("processing") shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
(80) "Directive 95/46/EC of the European Parliament and of the Council," Official Journal of the European Communities No. L 281, 31–50 (November 23, 1995). Available on the Internet in English, Dutch, French, German, Italian, and Spanish via the European Union Web site <http://www2.echo.lu>.
(81) A useful early review was Stefaan Callens, "The Privacy Directive and the use of medical data for research purposes," European Journal of Health Law 2, 309–340 (1995).
(82) The Member States of the E.U. are Austria, Belgium, Denmark, Finland, France, Germany, Greece, Ireland, Italy, Luxembourg, The Netherlands, Portugal, Spain, Sweden, and the United Kingdom.
Elements of the Directive
The Directive does not restrict the processing of data which are not personally identifiable. But for the processing of those that are, consent from the data-subject generally is required.
Article 7 stipulates that "Member States shall provide that personal data may be processed only if:
(a) the data subject has unambiguously given his consent; or
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
(c) processing is necessary for compliance with a legal obligation to which the controller is subject; or
(d) processing is necessary for protecting the vital interests of the data subject; or
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
(f) [some other circumstances apply].
The data "controller" is "the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data" (Article 2(d)).
As for consent, Article 2(h) defines it broadly but firmly:
"The data subject's consent" shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.
Notice that the consent is to be "specific and informed." If applied literally, for some secondary research this would require solicitation of more-focused consent than is now sought.
The exception for "performance of contracts" presumably would apply to healthcare agreements between care-providers and patients. (But does this assume that consent is implicit, or waived? Consent to what?) The exception for "protecting the vital interests of the data subject" presumably would apply to emergency medical treatment and some other situations where consent is not feasible. Tasks "carried out in the public interest" are treated further in Article 8 (see below).
The Directive addresses data-quality issues (Article 6), such as requiring that "every reasonable step... be taken" to ensure that inaccurate data are erased or rectified. It sets out general public-notification requirements. It notes that data should not be stored longer than is required for meeting the initial purposes of collection. This requirement is directly in opposition to many research needs for retaining data for many years even if later uses cannot be predicted. (Recent large-scale studies of several decades' worth of data on the effects of oral contraceptives, and of estrogen replacement therapy, are among the many examples of the societal payback from retaining health research data.) Presumably in implementing the Directive national governments will recognize such requirements, which have long been embodied in regulations and good-practice guidelines covering research on medicines, vaccines, and medical devices.
In the interest of fair use, Articles 10 and 11 set out requirements for notifying data-subjects (whether the data have been collected from the subjects directly, or indirectly) of the identity of the "data controllers," the purposes of the processing, and other circumstances. Article 11(2) provides, however, that the notification requirements "shall not apply where"
in particular for processing for statistical purposes or for the purposes of historical or scientific research, the provision of such information proves impossible or would involve a disproportionate effort or if recording or disclosure is expressly laid down by law. In these cases Member States shall provide appropriate safeguards.
Data-subject rights to inspect records about themselves, object to processing, request correction of erroneous data about themselves, and so on, are affirmed (Article 12). Public registration of processing operations is required (Article 21). The Directive covers all personally identifiable data processed in Europe, regardless of the origins of the data or the data-subject.
For administration and accountability, requirements are set for various supervisory authorities in the E.U. structure and in Member State governments. In most E.U. countries much of this apparatus already is in place, but more will have to be established, and duties will have to be adjusted. Judicial remedies, including compensatory liability, for individuals are required to be made available under Member States' laws for breach of the rights specified in the Directive.
Scope of coverage, and exemptions
Article 8, on "the processing of special categories of data," holds a number of provisions that could be problematic for health research.
¶ 1. Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.
¶ 2. Paragraph 1 shall not apply where... the data subject has given his explicit consent to the processing of those data... [or where some special circumstances, listed, apply].
¶ 3. Paragraph 1 shall not apply where processing of the data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those data are processed by a health professional subject under national law or rules established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy.
¶ 4. Subject to the provision of suitable safeguards, Member States may, for reasons of substantial public interest, lay down exemptions in addition to those laid down in paragraph 2 either by national law or by decision of the supervisory authority.
What kinds of health research will be defined as being within the scope of "preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services"? (A systematic check should be made against categories of health research such as those described in Chapter 3 of this Report.)
Will governments realize the importance in health research of taking into account factors relating to "ethnic origin" and "health and sex life"? Surely they should. Much essential public-health research is conducted with the very purpose of aiding subpopulations. Because many health factors are related to origin, research often selects groups by such criteria as ethnic origin to study specific afflictions, causes, or interventions. In pharmaceutical risk and efficacy studies, regulators rightly mandate that ethnic and sexual factors be taken into account. Genetics, dietary habits relating to ethnic background, sexual contacts and practices, and other factors strongly determine how health phenomena differ among people.
How broadly will "substantial public interest" be construed? Possibilities are mentioned in the Directive for a variety of national exemptions and derogations; but exemptions will not be recognized unless Member States positively enact them into their national laws. E.U. leaders have been saying publicly that not many "public interest" exemptions should be expected, but that, rather, safeguards should be emphasized.
Who—for instance, epidemiological analysts performing processing tasks in database research—will be considered to be "health professionals" or others "subject to an equivalent obligation of secrecy"? Presumably analysts can be positioned under responsible "data controllers."
Article 6 requires that personally identifiable data must be "collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes." But, no doubt to the relief of many researchers, it goes on to state:
¶ 1(b). Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards.
Conditions on international transfer
Article 25 deals with the movement of data, by whatever means, from E.U. Member States to other countries.
¶ 1. The Member States shall provide that the transfer to a [non E.U.] country of personal data which are undergoing processing or are intended for processing after transfer may take place only if ... the [recipient] country in question ensures an adequate level of protection.
How, in practice, will "adequate level of protection" be determined? What criteria will be applied? Article 25 continues:
¶ 2. The adequacy of the level of protection afforded by a [non E.U.] country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and the country of final destination, the rules of law, both general and sectoral, in force in the [non E.U.] country in question and the professional rules and security measures which are complied with in that country.
By whom and by what process will the determination be made? Article 29 establishes an independent Working Party on the Protection of Individuals with regard to the Processing of Personal Data, comprising representatives from all of the Member States (usually, in practice, their privacy commissioners) and representatives from the Commission structure itself. The Working Party has elected as its first chair Peter J. Hustinx, the President of the Registratiekamer of The Netherlands. The "adequacy" question is among the first topics the Working Party is addressing.83,84
Will the transferability determination be made institution-by-institution (medical clinic, pharmaceutical company, university, contract research firm, government agency)? More likely, E.U. officials suggest, the determination will be made on a country-by-country basis, probably sector-by-sector.
Such assessments surely will be more straightforward for non-E.U. recipient countries having strong national or provincial data-protection laws and authority to enforce them. For this reason, E.U. officials strongly encourage the U.S. to pass such a law. Although no overall data-protection law is under contemplation in the U.S., no doubt a sound Federal medical-records confidentiality law would go a long way toward meeting the E.U.'s concerns and keeping health-research data flowing.
The Directive leaves doors open for Member States to allow data-transfers to recipients in countries not certified as having adequate protection. Article 26(1)(d) mentions "important public interest grounds," for example, and Article 26(2) holds that a Member State may authorize data transfers "where the controller adduces adequate safeguards" in the recipient country, suggesting that "such safeguards may in particular result from appropriate contractual clauses." This seems to encourage parties wishing to transfer data to establish contractual undertakings regarding data protections.
(83) A background review of U.S. law was prepared for the E.U. Commission: Paul M. Schwartz and Joel R. Reidenberg, Data Privacy Law: A Study of United States Data Protection (Mitchie Law Publishers, Charlottesville, Virginia, 1996).
(84) The Commission has requested a study of the "adequacy" issues from Prof. Yves Poullet of the University of Namur; his report is expected to be delivered soon.
According to the Treaty of Rome, under which the E.U. operates, the Member States thus have obligated themselves to bring their national laws into conformance with the principles of the Directive within three years of adoption (i.e., by October 1998). In this "transposing" they can employ whatever instruments of law—statutes, regulations, decrees, and so on—they deem sufficient. Some believe that their protections already meet most of the Directive's requirements. Others are revising their laws substantially.
The Working Party is to coordinate the implementation with respect to uniform application throughout the E.U., periodically report to the Commission on progress, and eventually give the Commission its opinion on the level of protection in the E.U. and in various non-E.U. countries and "on any codes of conduct drawn up at Community level" (Article 30). A variety of Community implementation requirements are specified.
Some European countries that are not members of the E.U., such as Switzerland, have said that they intend to establish equivalent standards.
Codes of conduct as possible guides
A special provision, which recognizes the sector-specific nature of data, may provide an opening for health professionals to set guidelines to which public authorities could defer:
¶ 1. The Member States and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper implementation of the national provisions adopted by the Member States pursuant to this Directive, taking account of the specific features of the various sectors.
Some professional societies are considering drafting codes of practice, as are some industry associations. Such codes would have to be adopted by the practitioners in E.U. countries; eventually recognition could be sought from the E.U.
A Dutch example of the usefulness of such a code may be instructive. During the first years of the 1990s the Council for Medical Research, a medical society, voluntarily established a "Code of Conduct for Medical Research" covering research on pre-existing medical data.85 The Privacy Commission (Registratiekamer) was invited to monitor its implementation. Over several years the government found the Code to be effective, and in 1995 adopted the Code as national law.
(85) The organization is the Stichting Federatie van Medisch Wetenschappelijke Verenigingen. See description of the Dutch situation below.