In the United States online education must comply with FERPA (Family Educational Rights and Privacy Act), the Technology, Education and Copyright Harmonization Act of 2002 (commonly referred to as the TEACH Act of 2002), intellectual property and copyright laws, Section 508 for accessibility of electronic and information technology, and even HIPAA (Health Insurance Portability and Privacy Act).  Additionally, some states have custom laws on the books, such as Massachusetts, but I would imagine you *might* be in compliance if you’re already covering yourself for the aforementioned laws (but I’m not a lawyer so please investigate this one for your localized needs).

The question I pose is in regards to the new European Data Law: “How will new this new law impact online education in the United States where the servers are located in the United States yet the students are international students?” This would transcend beyond private/public institution status in the U.S. The new law may come into effect as early as within two to three years. The greatest point of contention seems to be the “right to be forgotten” for the user – meaning personal information must be deleted – and not upon request, but as a right and condition of the service being utilized.

In regards to this, I believe a conflict in higher education with this new law is the need for academic records keeping in a tech-enhanced, blended, or online learning environment. I find many U.S. institutions that utilize blended or tech-enhanced learning do not maintain archives of the online portion of the learning – especially when that learning occurs within a learning management system (which is the easiest place to maintain archival records). No one has yet defined for me what the statutes and regulations are for “blended or online course records-keeping”. Indeed, I believe that the technology far outpaces the law and localized policies in these cases.  As a former systems administrator and learning management site administrator, I made it my job to maintain and preserve data, so the thought that folks don’t keep records personally boggles my mind. Yet, it is a foreign concept to many. How long must data be maintained? How secure is the medium for data preservation and protection? What are the parameters for accessing archival information? What are the legalities for preserving and maintaining this data? These are questions that run through my mind – yet the Data Protection Law addresses not archival data, but on demand, instantaneous data from my rudimentary interpretation. That specification should certainly draw the attention of folks who use online as a business practice.

Which brings me to those educational institutions that foster the use of Twitter, Facebook, and other social media and networking platforms in their coursework. How is privacy of student data managed in these instances – for U.S. users as well as international ones?

I may be postulating on many cross-referenced topics, but I must note that any work done online in any medium and that is assessed is a part of an academic record, no? Privacy of information can be minimally protected if done on a system that requires authentication, but the reality is that once you post something online, there are any number of means for someone to capture and share this information. Laws must either be in place to protect your information, or you need to assume (or be explicitly informed) that your participation is open to public sharing. Ultimately, I believe that the key to all of this – for education and private industry alike – is the need for education of the users or at least a place for informing the users; how users choose to share their information is a choice they make, but how institutions save and use their information is subject to legislation.

I need to educate myself more and think on this, but if you have any insight please share with us in the comments!  

I may even look back on this post and split it into more posts on individual topics I’ve brought up here. Forgive me, for this is my first attempt at a brain-dump on this topic and obviously other topics that have been ruminating in my mind for some time.


The actual text for the European Data Law is here:

Wikipedia’s comparison of European Data Law and US Laws is here (but may be dated and not include the most recent changes in EDL):

Then again, this may all be “moot” as the education sector is so far behind the times and there is usually bigger fish to fry in the corporate sector. An interesting historical perspective on the European Union Privacy Directive (2003) and references to education is located here for a good read: http://www.law.northwestern.edu/journals/njtip/v2/n1/5/