Who Exactly IS a "School Official" Anyway?

School Officials and Ed Tech Vendors

The School Official exception to FERPA, the federal student privacy law, allows schools to provide student data to principals, teachers and school employees to use for educational purposes. But what about contractors who may work for the school, like a bus company or an email service provider? The original sponsors of FERPA talked about “schools and their agents” on the Senate floor, but, unlike almost all later privacy laws, the law itself does not directly address how to deal with vendors who might run a school cafeteria, or even parent volunteers who access data by working in a classroom or calling parents on a class list. Nevertheless, schools have regularly used third parties of various sorts: bus companies, parent volunteers, yearbook publishers, photographers and, as tech needs evolved, internet service providers, online assignment tools, scheduling programs, emergency alert systems, backup data centers and more. Schools and the Department of Education always considered these companies to be acting as de facto school employees providing a service as a vendor.

In 2008, DOE amended the FERPA rule to officially recognize this ongoing practice and to set boundaries around the use of vendors as school officials. DOE took formal comments on this issue as part of the rulemaking process and updated the rule. DOE made it clear that parent volunteers, bus companies, cafeteria operators and technology providers could act as de facto “School Officials”, as long as they perform an institutional service or function for which the agency or institution would otherwise use employees; are under the direct control of the agency or institution with respect to the use and maintenance of education records; and are subject to restrictions governing the use and re-disclosure of personally identifiable information from education records.  In 2011, the rule was updated yet again with further clarifications.

Government agencies of every sort, like public schools today, rely on vendors for a wide range of services. Banks, hospitals, and businesses of every sort rely on vendors to handle tasks that those specialized providers can handle more effectively. Contractual controls over how the data is collected, used, maintained and destroyed are the key factors to ensure the privacy and safety of data handled by these providers. Many new state student privacy laws now in effect legally mandate these privacy rules for vendors.

The FERPA rule specifically calls for schools to have direct control over vendors. Many districts and postsecondary institutions comply with this by using physical or technological controls to protect education records. Under the final regulations, districts and institutions may rely on contractual and administrative policies for controlling access to education records by school officials. The schools don’t need to be able to walk into the server rooms of vendors such as cloud providers or backup data centers, but they do need to be legally in control of what happens to the data.

Some have called the school official designation for contractors a “loophole” that creates privacy risks because it allows vendors access to student data. But it is in effect simply a manner of designating a vendor to be acting as an agent of a school, in the same way the web site provider of a bank is in practice the “banker” a consumer is using to check their balance online.

Are vendors being properly restricted by schools, with proper contracts and controls as required? That’s a fair question to ask of schools and vendors. But the school official exception, if implemented properly, is a sound legal concept that is similar in concept to privacy laws in other sectors.

It is useful to re-read the text of the 2008 rulemaking by DOE, which demonstrates that the issues involved with the interpretation of the school official exception were thoroughly discussed. DOE used the interpretation of FERPA to set firm limits on the activities of vendors – who must be under direct control and whose contracts must clearly indicate that vendors can only use data for appropriate education uses.

Following are selected portions of the DOE rulemaking discussion: read it for yourself and let us know what you think! (For ease of reading, we have edited out extensive side material that we didn’t think central to this discussion – read the full rulemaking at the link below.)

https://www2.ed.gov/legislation/FedRegister/finrule/2008-4/120908a.html

Outsourcing – Outside Parties Who Qualify as School Officials

Comment: A few commenters disagreed with the proposal to expand the “school officials” exception to include contractors, consultants, volunteers, and other outside parties to whom an educational agency or institution has outsourced institutional services or functions it would otherwise use employees to perform. They believed that the modifications undermined the plain language of the statute and congressional intent. Several other commenters supported the proposed regulations, saying that it was helpful to include in the regulations what has historically been the Department’s interpretation of the “school officials” exception. A majority of commenters…raised a number of issues concerning the proposal. Several commenters expressed concern that the requirement that an outside party must perform an institutional service or function for which the agency or institution would otherwise use employees is too restrictive and impractical. …Several commenters asked that we clarify in the regulations that [it] also applies to school transportation officials, school bus drivers, and school bus attendants who need access to education records in order to safely and efficiently transport students. …

Discussion: The Secretary does not agree that the proposed changes go beyond the plain reading of the statute and congressional intent. … FERPA’s broad definition of education records includes records that are maintained by “a person acting for” an educational agency or institution. … We disagree with commenters that the requirement that the outside party must perform an institutional service or function for which the agency or institution would otherwise use employees is too restrictive or unworkable. The requirement serves to ensure that the “school officials” exception does not expand into a general exception to the consent requirement in FERPA that would allow disclosure any time a vendor or other outside party wants access to education records to provide a product or service to schools, parents, and students. …The statutory basis for expanding the “school officials” exception to outside service providers is that they are “acting for” the agency or institution, not selling products and services. …FERPA does not otherwise restrict whether a school may outsource institutional services and functions; it only addresses to whom and under what conditions personally identifiable information from students’ education records may be disclosed. Once a school has determined that an outside party is a “school official” with a “legitimate educational interest” in viewing certain education records, that party may have access to the education records, without consent, in order to perform the required institutional services and functions for the school. These outside parties may include parents and other volunteers who assist schools in various capacities, … where they need access to students’ education records to perform their duties. The disclosure of education records under any of the conditions listed … is permissive and not required. 
…Therefore, schools should always use good judgment in determining the extent to which volunteers, as well as other school officials, need to have access to education records and to ensure that school officials, including volunteers, do not improperly disclose information from students’ education records. …We think it would be impossible to provide a comprehensive listing and believe that agencies and institutions are in the best position to make these determinations. At the discretion of a school, school officials may include school transportation officials (including bus drivers), school nurses, practicum and fieldwork students, unpaid interns, consultants, contractors, volunteers, and other outside parties providing institutional services and performing institutional functions, provided that each of the requirements … has been met. … The Department has long recognized that FERPA does not prevent schools from outsourcing institutional services and functions …

Changes: None.

Direct Control

Comment: Some commenters asked the Department to clarify what the term “direct control” means …. This section provides that in order to be considered a “school official” an outside party must be under the direct control of the agency or institution. Some commenters asked if this term means that the school must monitor the operations of the outside party, and how it affects an agency’s or institution’s relationship with subcontractors or third- or fourth-party database hosting companies. …One commenter stated that institutions should be required to verify that parties to whom they outsource services have the necessary resources to safeguard education records provided to them. …

Discussion: The term “direct control” … is intended to ensure that an educational agency or institution does not disclose education records to an outside service provider unless it can control that party’s maintenance, use, and redisclosure of education records. This could mean, for example, requiring a contractor to maintain education records in a particular manner and to make them available to parents upon request. … as discussed in the NPRM, educational agencies and institutions are responsible under FERPA for ensuring that they themselves do not have a policy or practice of releasing, permitting the release of, or providing access to personally identifiable information from education records, except in accordance with FERPA. This includes ensuring that outside parties that provide institutional services or functions as “school officials” … do not maintain, use, or redisclose education records except as directed … We believe that the use of the “direct control” standard strikes an appropriate balance in identifying the necessary and proper relationship between the school and its outside parties that are serving as “school officials.” … one way in which schools can ensure that parties understand their responsibilities under FERPA with respect to education records is to clearly describe those responsibilities in a written agreement or contract. Exercising direct control could prove more challenging in some situations than in others. Schools outsourcing information technology services, such as web-based and e-mail services, should make clear in their service agreements or contracts that the outside party may not use or allow access to personally identifiable information from education records, except in accordance with the requirements …

Changes: We have revised (this section) to clarify that the outside party must be under the direct control of the agency or institution with respect to the use and maintenance of information from education records.

Protection of Records by Outside Parties Serving as School Officials

Comment: We received several comments (regarding) an outside party serving as a “school official” … subject to the requirement … regarding the use and redisclosure of personally identifiable information from education records. One commenter stated that …the proposed regulations did not go far enough to clarify that these outside third parties could not use education records …to engage in activities not associated with the service or function they were providing. …

Discussion: An agency or institution must ensure that an outside party providing institutional services or functions does not use or allow access to education records except in strict accordance with the requirements established by the educational agency or institution that discloses the information. …FERPA regulations appl(y) to employees and outside service providers alike and prohibit the recipient from using education records for any purpose other than the purposes for which the disclosure was made. This includes ensuring that outside parties do not use education records in their possession for purposes other than those specified by the institution that disclosed the records. …

Changes: None.

Control of Access to Education Records by School Officials

Comment: Many commenters supported (the) proposed (rule), which requires an educational agency or institution to use reasonable methods to ensure that school officials have access to only those education records in which the official has a legitimate educational interest. In this section, we also proposed that an educational agency or institution that does not use physical or technological access controls must ensure that its administrative policy for controlling access to education records is effective and that it remains in compliance with the “legitimate educational interest” requirement. …

Discussion: (This section) requires that a parent or eligible student provide written consent for a disclosure of personally identifiable information from education records unless the circumstances meet one of the exceptions to consent, such as the release of information to a school official with a legitimate educational interest. Thus, a district or institution that makes a disclosure solely on the basis that the individual is a school official violates FERPA if it does not also determine that the school official has a legitimate educational interest. The regulations … are designed to clarify the responsibility of the educational agency or institution to ensure that access to education records by school officials is limited to circumstances in which the school official possesses a legitimate educational interest. We believe that the standard of “reasonable methods” is sufficiently flexible to permit each educational agency or institution to select the proper balance of physical, technological, and administrative controls to effectively prevent unauthorized access to education records, based on their resources and needs. In order to establish a system driven by physical or technological access controls, a school would generally first determine when a school official has a legitimate educational interest in education records and then determine which physical or technological access controls are necessary to ensure that the official can access only those records. …The Department expects that educational agencies and institutions will generally make appropriate choices in designing records access controls, …(as) contractors are subject to the same conditions governing the access and use of records that apply to other school officials. … Schools have the flexibility to decide the method or methods best suited to their own circumstances… The regulations do not designate all volunteers as school officials. 
Rather, the regulations clarify that schools may designate volunteers as school officials who may be provided access to education records only when the volunteer has a legitimate educational interest. Schools can and should carefully assess and limit access by any school official, including volunteers. … FERPA prohibits school officials from having access to education records unless they have a legitimate educational interest.

Changes: None.

 

 

 

Leading Research Presented at Annual Privacy Papers for Policymakers

On Wednesday evening, the Future of Privacy Forum hosted the Sixth Annual Privacy Papers for Policymakers, an annual presentation and discussion of leading privacy research. The top papers, all published in 2015, were selected by a subcommittee from the FPF Advisory Board as the best papers to inform any conversation about regulatory privacy initiatives in Congress, as well as at the Federal Trade Commission and other government agencies. Click here to read the 1-page executive summaries of the winning papers.

At the event, which included two panels, the authors discussed a broad range of subjects, including the ethics of big data release policy, the design of effective privacy notices, theories of trust and marketplaces and privacy, and the “golden age of surveillance” in law enforcement. Authors discussed their individual papers, followed by audience Q&A.

In addition, special guests Julie Brill, FTC Commissioner, and Dr. Lorrie Faith Cranor, FTC Chief Technologist, discussed the impact of privacy research on FTC work. Dr. Cranor said sometimes there’s a “mismatch” between what policymakers are asking and what researchers are trying to answer. “Stronger dialogues” are needed between researchers and policymakers “so that our academic research can be more relevant and useful” to government and corporate decision-makers. Commissioner Brill also discussed her interest in the theoretical frameworks of privacy, noting that privacy research affects her work by identifying key issues and sources of disagreement in privacy debates.


From left to right: Jeff Brueggeman, Vice President, Global Public Policy, AT&T; Dr. Rebecca Balebako, RAND Corporation; Dr. Florian Schaub, Carnegie Mellon University School of Computer Science; Adam Durity, Google; Professor Neil Richards, Washington University School of Law.


From left to right: Frank Torres, Director of Consumer Affairs & Senior Policy Counsel, US Government Affairs, Microsoft Corporation; Professor Arvind Narayanan, Princeton University Department of Computer Science; Professor Peter Swire, Georgia Tech Scheller College of Business; Professor Joel R. Reidenberg, Center on Law and Information Policy, Fordham University

Read the full papers at the links below, in alphabetical order:
A Design Space for Effective Privacy Notices
Florian Schaub, Rebecca Balebako, Adam L. Durity, and Lorrie Faith Cranor
Anonymization and Risk
Ira S. Rubinstein and Woodrow Hartzog
A Precautionary Approach to Big Data Privacy
Arvind Narayanan, Joanna Huey, and Edward W. Felten
Privacy and Markets: A Love Story
Ryan Calo
Taking Trust Seriously in Privacy Law
Neil Richards and Woodrow Hartzog
Our two papers selected for Notable Mention are:
Going Dark: Encryption, Technology, and the Balance Between Public Safety and Privacy
Peter Swire (Testimony, Senate Judiciary Committee Hearing, July 8, 2015)
The Transparent Citizen
Joel R. Reidenberg

These papers illuminate concerns that will continue to drive privacy debates in 2016. We look forward to accepting submissions for 2016 beginning in Fall 2016.

 

Passing the Privacy Test as Student Data Laws Take Effect

On January 1, 2016, “SOPIPA,” the recently passed California student data privacy law that defines how edtech companies can use student data, became effective. About 25 other states have passed similar laws that are already in effect, or will become effective. At the same time, more than 200 school service providers have now signed the Student Privacy Pledge, a legally enforceable commitment which has language closely aligned with these laws.

What’s covered by the new laws and the Pledge? Read today’s op-ed by Brenda and Jules at EdSurge.

Winning 2015 Privacy Papers for Policymakers to be Presented

The Future of Privacy Forum is pleased to publish our annual compilation of winning privacy papers, Privacy Papers for Policymakers. These five top papers along with two honorable mentions, all published in 2015, were selected by a subcommittee from the FPF Advisory Board as the best papers to inform any conversation about regulatory privacy initiatives in Congress, as well as at the Federal Trade Commission and other government agencies.

This evening (Jan. 13th), we look forward to hosting the authors of the selected papers at our annual panel and reception, an event which has sold out. Authors will discuss their individual publications across two panels, to be followed by Q&A. In addition, special guests Julie Brill, FTC Commissioner, and Dr. Lorrie Faith Cranor, FTC Chief Technologist, will make comments.

Click here to read the 1-page executive summaries of the winning papers.

FTC Releases Report on Benefits and Risks of Big Data

This week the FTC released a report exploring the use of Big Data analytics. The 33-page document, Big Data: A Tool for Inclusion or Exclusion? Understanding the Issues, is based on the FTC’s Big Data Workshop on September 17, 2014. The report outlines some of the benefits and risks of Big Data use, and surveys the existing consumer-protective legal framework, including the Fair Credit Reporting Act (FCRA), the Federal Trade Commission Act (FTC Act), and a spectrum of equal opportunity laws.

In the report, we were pleased to see a thoughtful discussion of some of the benefits of Big Data use, including to provide better education, access to credit, and tailored healthcare. Included were many of the examples described in FPF’s report co-authored with the Anti-Defamation League, Big Data: A Tool for Fighting Discrimination and Empowering Groups. In this publication, we highlighted many of the ways in which data can be harnessed to combat discrimination, including to increase workplace diversity and access to employment opportunities. Featured prominently in the FTC’s report were many of the panel comments of FPF Founder Christopher Wolf, who spoke at the 2014 workshop on the uses of Big Data for combating discrimination.

Also highlighted were some of the comments of Senior Fellow Peter Swire, who has written that existing anti-discrimination laws in some sectors—such as housing, access to credit, and employment—already apply to online advertising. These laws, most notably ECOA, Fair Housing Act, and Title VII, prohibit discrimination in both online and offline marketing, and the online ecosystem may in fact lend itself to better disparate impact analysis.

The FTC’s report will certainly not be the last word on the subject in the world of Big Data and privacy. Followers of the ongoing conversation around Big Data should look next to the upcoming White House report (following up on a 2015 Interim Report) exploring the implications for big data technologies for civil rights, including for broadening opportunities and preventing discrimination.

Parent’s Guide to Student Data Privacy Now Available in Spanish!

The Future of Privacy Forum (FPF), Connect Safely, and the National PTA are proud to announce that the Parent’s Guide to Student Data Privacy is now available in Spanish, both on-line and in hard copy formats.

Last year, FPF partnered with ConnectSafely and the National PTA to create the Parent’s Guide to Student Data Privacy. This guide offers information specifically designed to provide parents with easy-to-understand FAQs explaining student rights to their educational data under current law. With the many recent changes in the role of technology in schools, and the increase in student data collected by schools and districts, it’s important that parents and students have a clear understanding of their rights to access and control over that information. This guide has been distributed to, and accessed on-line by, parents from schools across the country. Thanks to a grant from Sheila Kaplan, we are now able to offer the Guide in Spanish as well. This will enable schools to reach an even wider audience and help educate more parents about their child’s data.

The guide is now available on FERPA|Sherpa here.

Future of Privacy Forum and Houston ISD Announce Winners for Student Privacy Video Competition

The Future of Privacy Forum (FPF), in partnership with Houston ISD’s Office of Educational Technology, has introduced a student-created video campaign to encourage public school students to engage with how to safeguard their privacy and personal data. In October, students from the Houston Independent School District (HISD) were offered the chance to create short videos to discuss pertinent privacy issues aimed at their peers, on topics which rotated monthly.

HISD elementary school students created videos on the importance of strong passwords as a key to responsible digital citizenship. Out of 8 submissions, 5 students from two schools demonstrated their mastery of this concept, winning the top prizes in the video production contest. Harvard Elementary School students won four of the five prizes (first and second, as well as two honorable mentions), while a student from Eastwood Academy took home the third-place prize.

The competition was created as a part of Houston ISD’s Digital Awareness program to increase students’ web savvy while also giving them an opportunity for creative expression.

“This has been such a great outlet for the students,” said Harvard Elementary School Instructional Technologist John Schaff. “We have been trying to create movies that fit into our curriculum, and we will be recommending other cyber safety and digital citizenship topics for future competitions.”

Students received gift cards of $150, $100, $50, and $25 for honorable mentions, provided by the Future of Privacy Forum. FPF has pledged to support the HISD program in the future.

For more information about Houston Independent School District please go here

For more information about the program please go here

 

In-Store Location Tracking: A Holiday Guide

In these final remaining days before Christmas, last-minute holiday shopping is in full swing. The window for online delivery is closing, and more shoppers this week will be doing their holiday shopping the old-fashioned way—in the store.

For those of us who prefer brick and mortar shopping, our smartphones have revolutionized the experience. Mobile devices can bring all sorts of good tidings: recommendations, discounts, and new abilities to find precisely the item we’re looking for, even down to the aisle. It’s safe to say that most major retailers have a mobile strategy these days—not to mention the proliferation of general retail shopping apps that offer discounts and deals at a range of partnered stores.

But hark! As you shop, you should understand that many of these services, in order to deliver on their promises, rely on location technology. Location tracking allows apps to provide helpful services (like finding an item in a store), and is also used for secondary purposes, such as marketing, advertising, and business analytics. This Holiday Guide explores how these location tracking technologies work, and how consumers who wish to do so can opt out.


 

There are many ways that your location can be assessed using the sensors on your phone. A few are precise enough to detect your movements inside a single store or a particular aisle, while others are more general or rely on aggregated data. Location data can be collected via cell towers, mobile Location Services, mobile location analytics, in-store Wi-Fi networks, beacon technologies, and emerging sensor technologies (lights and audio). Each method evokes different privacy issues and permits different consumer choices.

 

1. Location Services

Mobile operating systems use a variety of positioning systems within your phone—including the GPS, cellular triangulation, Wi-Fi, and Bluetooth—and combine them under an umbrella called Location Services. This service, which is controlled by the operating system, provides a more accurate location than any individual system.

Apps and websites must get your permission to access this source of data. Some of them need it to provide you with the service you want (think about car-sharing apps, or “find my phone” apps). Shopping apps might use it to help you locate a nearby store, or send you a location-based advertisement. But apps that have no location feature often ask you for your location anyway. Many of these apps, regardless of their purpose, may do this to create a behavioral profile of you as a shopper, and share this info with third party advertisers and online data companies.

The takeaway? When an app or a website asks you to enable Location Services, be aware of why it’s making the request; give a glance over its privacy policy; and know that you always have the option to limit collection by turning off access in the phone’s Settings.

2. Mobile Phone Carriers

When your phone is on, in order for it to receive (and make) phone calls, it must be identified by the nearest cell tower with reasonable accuracy. Cell towers collect the device’s Cell ID, location relative to the tower, and signal strength. The accuracy can be relatively low in rural areas with fewer cell towers (to within several miles) and is more accurate in cities.

Cell phone carriers offer location-based services on an individualized basis, to enable functions like tracking of minor children, locating a lost cell phone, or for apps that offer location-based marketing to users. These services are based on an “opt in” process by which the owner must provide clear consent.


 

3. Mobile Location Analytics (MLA)

Many retailers (and other facilities, like airports and hotels) use Mobile Location Analytics (MLA) technology to understand the traffic patterns of people in their stores. Most MLA technologies operate by detecting your phone’s Bluetooth signal, as well as the Wi-Fi MAC address, a 12-digit string of letters and numbers assigned to your device by the manufacturer. This information can provide useful insights, such as how long customers stand in line, and how they generally move around within an area.

Smartphones typically broadcast their MAC address whenever they are passively scanning for Wi-Fi—that is, whenever you have Wi-Fi turned on in Settings. This is how your phone automatically recognizes your home or work network when you arrive in those locations. Since most people carry their phones all the time and generally leave Wi-Fi turned on, a store can scan for MAC addresses and get a pretty accurate idea of how many people are in the store.

For iPhone users running iOS 8 or later (i.e., most of the newer phones, including the 4S and later models), the iPhone randomizes the MAC address being emitted every time the phone searches for a Wi-Fi network. This limits venues from tracking unique devices over time.

Nonetheless, if you’re running an older version of iOS or are simply uncomfortable with the practice, there are ways to opt out: users can enter their Wi-Fi and MAC addresses at smart-places.org to alert participating companies that they do not wish to be tracked. Alternatively, shoppers can turn off the Wi-Fi and Bluetooth on their devices when they’re out of the house or away from a trusted network.
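To make the effect of MAC randomization and the opt-out list concrete, the following added example (not code from this guide or from any MLA vendor) processes a constructed list of Wi-Fi sightings the way a privacy-respecting analytics pipeline could. The function names and sample addresses are hypothetical; the one fact it relies on from outside this guide is that randomized addresses set the "locally administered" bit in the first byte, while manufacturer-assigned addresses do not.

```python
import re

_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(raw):
    """Return a MAC as lowercase aa:bb:cc:dd:ee:ff, or raise ValueError."""
    digits = re.sub(r"[:\-.]", "", raw.strip()).lower()
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """True when bit 0x02 of the first byte is set.

    Manufacturer-assigned addresses leave this bit clear; addresses a
    phone makes up for itself while scanning have it set.
    """
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)


def summarize(observations, opt_out=()):
    """Summarize (timestamp_seconds, mac) sightings from one venue.

    - Sightings of opted-out addresses are dropped before anything is kept.
    - Randomized addresses are only counted; they cannot be linked to one
      device from scan to scan, so no dwell time is computed for them.
    - For stable addresses, dwell time is last sighting minus first.
    """
    blocked = {normalize_mac(m) for m in opt_out}
    first_last = {}
    randomized = set()
    dropped = 0
    for ts, raw in observations:
        mac = normalize_mac(raw)
        if mac in blocked:
            dropped += 1
            continue
        if is_locally_administered(mac):
            randomized.add(mac)
            continue
        lo, hi = first_last.get(mac, (ts, ts))
        first_last[mac] = (min(lo, ts), max(hi, ts))
    return {
        "dwell_seconds": {m: hi - lo for m, (lo, hi) in first_last.items()},
        "randomized_addresses": len(randomized),
        "opted_out_observations": dropped,
    }


# Constructed sample data: three phones walking through one store.
SAMPLE_OBSERVATIONS = [
    (0,   "00:11:22:33:44:55"),   # phone A, stable manufacturer address
    (10,  "00-11-22-AA-BB-CC"),   # phone B, stable address, on the opt-out list
    (30,  "da:a1:19:00:00:01"),   # phone C, randomized address, scan 1
    (120, "00:11:22:33:44:55"),
    (150, "92:3f:07:00:00:02"),   # phone C again, new random address
    (200, "0011.22AA.BBCC"),      # phone B, different notation
    (280, "6e:10:5c:00:00:03"),   # phone C again, new random address
    (300, "00:11:22:33:44:55"),
]
SAMPLE_OPT_OUT = ["00:11:22:aa:bb:cc"]

if __name__ == "__main__":
    print(summarize(SAMPLE_OBSERVATIONS, SAMPLE_OPT_OUT))
```

Only phone A yields a dwell time; phone C shows up as three unrelated addresses, and phone B leaves no record because its stable address is on the opt-out list. An opt-out entry can only match a stable address, which is why the list matters most for devices that do not randomize.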

4. Wi-Fi in the Store

Many retail stores are now offering free Wi-Fi to their customers as an added benefit to the shopping experience. This can certainly be convenient, especially for users with limited data plans, permitting easy access to the Internet while shopping.

In addition to the information collected by mobile location analytics (MLA), described above, stores offering free Wi-Fi can generally collect more information, including any web browsing you do in the store. If you are required to provide an email address or name to log in to the service, the retailer may be able to associate your location with other individualized information (purchasing habits, or other online activities, such as social media behavior).

5. Bluetooth Beacons

Increasingly, major retailers are installing beacons in their physical stores. Beacons are simple—essentially just small radio transmitters. They emit a low power, one-way Bluetooth signal that can be picked up by your mobile app or computer. Ranging in size from quarter-like to palm-sized, they all look a little different and are sometimes designed to blend into their environments.

Beacons only send signals one-way, so they don’t actually collect any data. Rather, it is the app that collects data, by detecting when a beacon is nearby. Thus, if a brick-and-mortar store chooses to deck the halls with beacons, a shopping app can pick up their signal as you walk in the aisles or browse for items.


Beacon-detecting apps can use this information to send you location-specific notifications. For example, when you walk up to a display of holiday sweaters in your favorite store, the app could pop up with a discount for sweaters. Shopping apps can provide loyalty programs that give points for walking into stores, often allowing linkage between location data and other consumer behavior information (such as social media activity) that can be collected and shared across ad networks and other third parties.

Generally, apps should provide notice to users when Bluetooth is being used to track location by detecting beacons. Although Bluetooth is frequently being used in conjunction with Location Services (which requires permission), some apps that use beacons may continue to collect data when Location Services is turned off. Thus, users should be aware of how beacons work, so that they may choose to limit this collection by turning off Bluetooth on their phone when it is not in use. Another option is to keep the app but turn off its ability to trigger notifications.

6. Sensor Data: Audio, Light

Holiday shoppers should also be aware of emerging methods of location tracking that make use of the phone’s array of other sensors to detect signals emitted from devices placed within physical stores.

For example, “audio beacons” may be used within a retail store to emit ultrasonic audio signals. In much the same way as Bluetooth beacons, described above, the devices emit audio signals outside the range of human hearing, and a mobile app can detect those signals using the device’s microphone. Similarly, LED signals can be emitted via lights installed in a store, and detected by an app that has received permission to access the phone’s camera.

Because of the requirements of mobile operating systems, users can control which apps are given permission to access the device’s microphone and camera. Nonetheless, apps requesting permission to access these sensors may not always be clear about why they are asking, or for what (sometimes unexpected) secondary purposes the data may be used. As a result, users should read carefully and be informed about why shopping apps request these permissions.

~~~~~~~~~~~~~~~

It’s clear that there is a range of benefits to location-based services. The blessings of saving time, price discounts, and overall convenience give the often weary world of last-minute holiday shoppers a reason to rejoice. However, as we increasingly turn to our smartphones to shop online or make our decisions in the physical world, it’s important for us to understand the scope of location data being collected about us, and the reasons for which that data is being collected, so that we can make informed choices.

Happy Holidays!

The struggle to balance surveillance and privacy in France

© Vincent Isore/IP3 Press; Paris, France, February 14, 2014 - Illustration of the facade of the Conseil d'État [Photo via MaxPPP]

In a historic decision last October, the European Court of Justice struck down Safe Harbor, one of the most relied-upon legal agreements for transferring data between Europe and the U.S. At stake were some of the surveillance programs put in place by the NSA to gather data about both U.S. and foreign individuals. According to the Court, the U.S. failed to provide an “adequate level of protection” to European data. In this context, Professor Peter Swire and the Future of Privacy Forum released last week a report titled “U.S. Surveillance Law, Safe Harbor, and Reforms Since 2013.” The report addresses serious misunderstandings of U.S. national security laws and covers three critical areas: (1) the fundamental equivalence of the United States and EU member States as constitutional democracies, (2) the Section 702 PRISM and Upstream programs are reasonable and lawful responses to changing technology, and (3) the U.S. Congress and executive branch have instituted over two dozen significant reforms to surveillance law and practice since 2013.

As leaders on both sides of the Atlantic debate the proportionate balance of privacy and intelligence surveillance, we thought it would be useful to study the relevant legal authorities in France. France and its powerful data protection agency have been fierce defenders of the privacy of its citizens. But government authorities have significant powers to conduct surveillance, powers that have been enhanced following the recent Charlie Hebdo and Paris terror attacks.

This new paper takes a deeper look at what is actually happening in France with a view to providing insights into how one leading democracy has structured its balance of the human right to security and to privacy.

EFI Blog | Student Privacy 101: The low down on the laws of the land

On December 14th, Education Framework announced it would begin a series of blog posts to explore the different factors affecting the world of student data. Their goal is to demystify the subject of student data privacy and help bring educators up to speed so they can address this serious topic in their school districts.
