Since 1996, the Republic of Estonia has had data protection legislation that omits any of the exemptions for the processing of personal data for historical, statistical or scientific purposes provided by EU Directive 95/46/EC. This article describes the consequences of this legislation for public health monitoring and research. It assesses how the work of the Estonian Cancer Registry has been impaired, so that available data are now misleading, and examines the impediments that have been placed in the way of legitimate medical research. The article explains how this legislation came to be enacted and considers the reasons why this happened and why there is resistance to remedy the situation. It provides a cautionary tale about the overzealous implementation of data protection as it affects health surveillance and research.