US/EU Data Protection Comparison
Europe and the USA are often seen as having very different approaches to personal data: Europe has an over-arching law covering all personal data, while the US has some specific laws on particular uses of personal data. One area that is covered by US legislation is the use by universities and colleges of information about their students; since there is increasing exchange of both students and their data across the Atlantic, it seemed worth spending a bit of my time to compare the two laws. TERENA have now published the resulting paper on Student Information in the US and EU: as with all my publications, it is not intended as legal advice.
Initial impressions are promising: the US Act (FERPA) has very similar requirements to European law on minimising processing of personal data, informing individuals what processing is taking place, and protecting data using both technical and organisational means. Indeed, the US law on processing by consent is stricter than in Europe, insisting that consent be given in writing.
However, these provisions do not apply to "directory information", a category that each university and college can define so long as it only includes "information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed". That sounds OK, except that the Act gives as examples: name, address, phone number, e-mail address, student ID, login ID, photograph, date and place of birth, weight and height of athletes. In Europe those would be considered an invasion of privacy (and possibly harmful, given the number of services that use that information as a "secret") and processing of them will almost always be subject to European Data Protection legislation.
However, FERPA does not force organisations to adopt such a wide definition of directory information and, whatever definition is used, the law does entitle individual students to opt out of processing of their directory information. It therefore seems possible that an organisation subject to FERPA could use its definition and the opt-out to also come close to compliance with European law. Unfortunately, there is no formal way to have that recognised by EU authorities, since the US Safe Harbor provisions only apply to commercial organisations, but such behaviour by a US university or college may make it easier for its EU partners to develop acceptable data sharing agreements.