Privacy and Health Research. The European Union Data Privacy Directive


On October 24, 1995, after five years of deliberation, the European Parliament and the Council of the European Union (E.U.) adopted a "Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data" (hereafter, Directive).80

The Directive is extremely broad, covering the processing of all information about individuals. Its dual purposes are aptly expressed in its title. It is not specifically oriented to health data, although at a few points it makes reference to public health and medical data. If enforced literally some of its provisions could be inimical to health research.81

The Directive is a "framework directive" establishing general principles, with which the fifteen E.U. Member States must bring their national "laws, regulations and administrative provisions" into congruence by October 1998 (Article 32).82

"Personal data" and "processing" are defined comprehensively (Article 2).

(a) "Personal data" shall mean any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

(b) "Processing of personal data" ("processing") shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

(80) "Directive 95/46/EC of the European Parliament and of the Council," Official Journal of the European Communities No. L 281, 31–50 (November 23, 1995). Available on the Internet in English, Dutch, French, German, Italian, and Spanish via the European Union Web site < >.

(81) A useful early review was Stefaan Callens, "The Privacy Directive and the use of medical data for research purposes," European Journal of Health Law 2, 309–340 (1995).

(82) The Member States of the E.U. are Austria, Belgium, Denmark, Finland, France, Germany, Greece, Ireland, Italy, Luxembourg, The Netherlands, Portugal, Spain, Sweden, and the United Kingdom.