Data Privacy Laws

Data privacy and security laws exist at the federal and state level in the U.S and in numerous other countries. When the University conducts activities abroad, those activities may be subject to foreign data protection laws. As of this writing, over 100 countries have enacted some form of data privacy regulation.

The purpose of this guidance is to provide a brief overview of the privacy and security laws and regulations that may apply to the University’s activities outside of the United States, as well as to identify resources for the University community consult for further guidance.

U.S privacy and security laws

Currently, the U.S. does not have a comprehensive federal data privacy law. Data privacy and security regulation is legislated by industry sector or type of data involved. One of the main federal laws addressing data protection at the federal level and which impacts the University is the Health Insurance Portability and Accountability (HIPAA), which protects the privacy and security of protected health information (PHI). In addition, the Family Educational Rights and Privacy Act (FERPA) protects the privacy of certain student educational records.

If you are a researcher conducting activities in a foreign country, U.S. data privacy law may be applicable to identified information when it is brought into the U.S. and (in the case of health information) held by a HIPAA Covered Entity. For example, HIPAA likely will apply to identified health information in overseas treatment/intervention studies conducted by URMC or other HIPAA-covered entities with which URMC collaborates, and to URMC studies that collect medical record information about non-U.S. subjects. Your RSRB Specialist will consult with the Privacy Office as needed to determine applicability of U.S. law.

State laws also provide for data protection. The University is subject to the New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) that requires businesses to implement safeguards for the private information of New York residents and broadens New York’s security breach notification requirements. Review a compilation of state privacy laws.

EU General Data Protection Regulation (GDPR)

The European Union’s General Data Protection Regulation (GDPR) went into effect on May 25, 2018, and has broad application. The GDPR applies not only to organizations in the European Economic Area (EEA) that “process” “personal data” of individuals, but also applies to the processing of personal data by an organization that offers goods or services to, or monitors the behavior of, individuals located in the EEA, even if that organization is located in the U.S. GDPR compliance may also be relevant where the University is collaborating in research with an institution located in the EEA.

The University has made available several resources regarding the GDPR on its GDPR Resources webpage. As described in the GDPR Resources webpage, the GDPR may apply to numerous University activities, including through education abroad, employment, admissions, alumni activities, and research.

It is common for research collaborators and research sponsors located in the EEA to present contracts to the University that include GDPR compliance provisions. All such contracts should be reviewed by the Office of Counsel prior to execution by a University authorized signatory.

China Personal Information Protection Law (PIPL)

The Personal Information Protection Law (PIPL) enacted by China may also apply to the University’s activities in certain circumstances. Like GDPR, PIPL has both domestic and extraterritorial application. PIPL protects “personal information” processed within the borders of China. PIPL may also apply to the University’s processing activities outside of China if the data relates to one or more individuals within China, and is either for the purpose of providing products or services to one or more individuals located within China, or analyzing or assessing activities of one or more individuals located within China. PIPL also contains stringent requirements regarding the transfer of data out of China.

As with the GDPR, PIPL may apply the University’s regular business activities, as well as research activities.

Other data privacy and security regulations

As stated above, well over 100 countries have adopted privacy regulations. University faculty and personnel conducting business, educational, or research activities outside of the U.S. should understand the applicability of local privacy or security laws in the country where the work is located. These laws may apply to the collecting, storing, transferring, disseminating or breach of data.