US/EU Data Protection Comparison

Wednesday, June 6, 2012 - 10:51

Europe and the USA are often seen as having very different approaches to personal data: Europe has an over-arching law covering all personal data, whereas the US has a number of specific laws on particular uses of personal data. One area that is covered by US legislation is the use by universities and colleges of information about their students. Since there is an increasing exchange of both students and their data across the Atlantic, it seemed worth spending a bit of my time comparing the two laws. TERENA have now published the resulting paper, Student Information in the US and EU: as with all my publications, it is not intended as legal advice.

Initial impressions are promising: the US Act (FERPA, the Family Educational Rights and Privacy Act) has very similar requirements to European law on minimising the processing of personal data, informing individuals what processing is taking place, and protecting data using both technical and organisational measures. Indeed, the US law on processing by consent is stricter than in Europe, insisting that consent be given in writing.

However, these provisions do not apply to "directory information", a category that each university and college can define for itself so long as it only includes "information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed". That sounds fine, except that the Act gives as examples: name, address, phone number, e-mail address, student ID, login ID, photograph, date and place of birth, and the weight and height of athletes. In Europe those would be considered an invasion of privacy (and possibly harmful, given the number of services that still use items such as date of birth or student ID as a "secret" when verifying identity), and processing them will almost always be subject to European Data Protection legislation.

However, FERPA does not force organisations to adopt such a wide definition of directory information and, whatever definition is used, the law does entitle individual students to opt out of having their directory information disclosed. It therefore seems possible that an organisation subject to FERPA could use a narrow definition together with the opt-out to come close to compliance with European law. Unfortunately there is no formal way to have that recognised by EU authorities, since the US Safe Harbor provisions only apply to commercial organisations, but such behaviour by a US university or college may make it easier for its EU partners to develop acceptable data sharing agreements.