Anderson had hoped that the new data protection regulation would fix a loophole in existing U.K. legislation that was created by defining "personal data" too narrowly. However, the same is now happening with the new E.U. regulation, he said.

One of Anderson's colleagues, Douwe Korff, a professor of international law at London Metropolitan University, has already proposed amending articles 81 and 83 of the regulation in a way that would still allow member states to create exemptions for health care and research, but only for "exceptionally high public interests," with the highest standards of anonymization and with the prior agreement of the privacy regulator.

Anderson, though, wants to go further: he proposes notifying people in advance that their data will be used for research or other purposes, allowing them to opt out.

"Most people don't want wide sharing of information and most people don't want research without consent," he said.

If the articles are not amended, Anderson said, he could picture a situation in which a professor of psychiatry conducting research might lose a file containing 10 million patient records -- with them subsequently being posted to Pastebin, a site often used by hackers to leak stolen personal data. Such losses have already happened, said Anderson, referring to a case in which a laptop containing the health records for almost 8 million Britons was stolen.