
Guidance Regarding International Data Privacy Laws

Overview

Data privacy and security laws exist at the federal and state level in the U.S. and in numerous other countries. When the University conducts activities abroad, those activities may be subject to foreign data protection laws. As of this writing, over 100 countries have enacted some form of data privacy regulation. The purpose of this guidance is to provide a brief overview of the privacy and security laws and regulations that may apply to the University’s activities outside of the United States, and to identify resources the University community can consult for further guidance.

U.S. Privacy and Security Laws:

Currently, the U.S. does not have a comprehensive federal data privacy law. Data privacy and security regulation is legislated by industry sector or by the type of data involved. One of the main federal data protection laws that affects the University is the Health Insurance Portability and Accountability Act (HIPAA), which protects the privacy and security of protected health information (PHI). In addition, the Family Educational Rights and Privacy Act (FERPA) protects the privacy of certain student education records.

If you are a researcher conducting activities in a foreign country, U.S. data privacy law may apply to identified information once it is brought into the U.S. and (in the case of health information) held by a HIPAA Covered Entity. For example, HIPAA will likely apply to identified health information in overseas treatment/intervention studies conducted by URMC or by other HIPAA-covered entities with which URMC collaborates, and to URMC studies that collect medical record information about non-U.S. subjects. Your RSRB Specialist will consult with the Privacy Office as needed to determine the applicability of U.S. law.

State laws also provide for data protection. The University is subject to the New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), which requires businesses to implement safeguards for the private information of New York residents and broadens New York’s security breach notification requirements. A compilation of state privacy laws can be found here.

EU General Data Protection Regulation (GDPR)

The European Union’s General Data Protection Regulation (GDPR) went into effect on May 25, 2018, and has broad application. The GDPR applies not only to organizations in the European Economic Area (EEA) that “process” the “personal data” of individuals, but also to the processing of personal data by an organization that offers goods or services to, or monitors the behavior of, individuals located in the EEA, even if that organization is located in the U.S. GDPR compliance may also be relevant where the University collaborates in research with an institution located in the EEA.

The University has made available several resources regarding the GDPR on its GDPR Resources webpage. As described in the GDPR Resources webpage, the GDPR may apply to numerous University activities, including through education abroad, employment, admissions, alumni activities, and research.

It is common for research collaborators and research sponsors located in the EEA to present contracts to the University that include GDPR compliance provisions. All such contracts should be reviewed by the Office of Counsel prior to execution by a University authorized signatory.

China Personal Information Protection Law

The Personal Information Protection Law (PIPL) enacted by China may also apply to the University’s activities in certain circumstances. Like the GDPR, PIPL has both domestic and extraterritorial application. PIPL protects “personal information” processed within the borders of China. PIPL may also apply to the University’s processing activities outside of China if the data relates to one or more individuals within China and the processing is either for the purpose of providing products or services to those individuals, or for analyzing or assessing their activities. PIPL also contains stringent requirements regarding the transfer of data out of China.

As with the GDPR, PIPL may apply to the University’s regular business activities as well as to its research activities.

Other Data Privacy and Security Regulations:

As stated above, well over 100 countries have adopted privacy regulations. University faculty and personnel conducting business, educational, or research activities outside of the U.S. should understand the applicability of local privacy or security laws in the country where the work is located. These laws may govern the collection, storage, transfer, and dissemination of data, as well as the reporting of data breaches.

Best Practices:

Regardless of the specific jurisdiction you are operating in or which data protection laws may apply to your activities, it is recommended that you follow certain principles for protecting personal data held by the University.

  1. Plan ahead.
  2. Know what data you will collect.
  3. Collect and store the minimum necessary information.
  4. Where possible, substitute codes for identifiers, and maintain the matching key separate from the data (known as “pseudonymization” under the GDPR). Note that pseudonymized data is still personal data under the GDPR as long as the key exists; only data that can no longer be linked to an individual by any reasonably likely means falls outside the regulation.
  5. Comply with University Research Data Classification guidance regarding access, use, storage and transmission of high-risk data. Follow RSRB and local IRB procedures for all human subject research and keep in mind that local (host-country) IRB requirements may differ from U.S. regulations.

Rely on local partners. The University encourages researchers to work with established partner organizations located in countries where projects will take place. Local partners are better positioned to meet the requirements of local laws, including local privacy laws.

Request assistance. Contact the Office of Counsel to inquire whether University attorneys are able to provide you with privacy law advice regarding your particular project. Although the Office of Counsel may not be able to advise you on each international privacy law, it may be able to identify whether a data privacy law applies to your activities. If your activities involve research, you may also contact the HIPAA Privacy Office.

If you are presented a contract or agreement that contains requirements that you or the University must comply with GDPR, PIPL or other data protection laws, contact the Office of Counsel for assistance in reviewing the contract.

Consult the University’s Data Security Classification Policy and Research Data Security Classifications, each of which contains requirements for the handling of certain data. Visit University IT’s Information Security website for more information security tools.

Follow University and local requirements for human subjects research.
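The pseudonymization recommended in best practice 4 above, as an added illustration (not University code): direct identifiers are replaced with random subject codes, and the code-to-identity key is written to a separate file that stays with the principal investigator or the local partner, while the working dataset can be shared with analysts. Random codes are used rather than a hash of the name or e-mail, because a hash of a short, guessable identifier can be reversed by brute force without any key. The roster, column names, and code format are constructed for the example; in a real study the set of identifier columns, and whether fields such as date of birth or site are quasi-identifiers that also need handling, follows the RSRB-approved protocol and the University’s Research Data Classification guidance.

```python
"""Pseudonymise a subject roster: swap direct identifiers for random codes
and keep the matching key in a separate store.

Added illustration, not University code.  The roster, column names and
code format below are constructed for the example.
"""
import csv
import io
import secrets

# Constructed sample export: direct identifiers plus study measurements.
RAW_ROSTER = """subject_name,email,dob,site,hba1c
Alice Example,alice@example.org,1981-04-02,Nairobi,6.9
Bob Example,bob@example.org,1975-11-19,Nairobi,7.4
Carol Example,carol@example.org,1990-01-30,Lyon,5.8
"""

# Columns that directly identify a person; they leave the working dataset.
# (Assumed for this example; the real list comes from the study protocol.)
DIRECT_IDENTIFIERS = ("subject_name", "email", "dob")


def new_code(issued, prefix="SUBJ-"):
    """Random, non-derivable subject code; retries on the unlikely collision."""
    while True:
        code = prefix + secrets.token_hex(4).upper()
        if code not in issued:
            return code


def pseudonymise(raw_csv, identifiers=DIRECT_IDENTIFIERS):
    """Split a roster into (working_rows, key_rows).

    working_rows: study data keyed only by the subject code.
    key_rows:     code -> direct identifiers, stored apart from the data
                  with restricted access.
    """
    reader = csv.DictReader(io.StringIO(raw_csv))
    working, key, issued = [], [], set()
    for row in reader:
        code = new_code(issued)
        issued.add(code)
        key.append({"code": code, **{f: row[f] for f in identifiers}})
        working.append({"code": code,
                        **{f: v for f, v in row.items() if f not in identifiers}})
    return working, key


def reidentify(code, key_rows):
    """Resolve a code back to the person; only the key holder can do this."""
    for entry in key_rows:
        if entry["code"] == code:
            return {f: v for f, v in entry.items() if f != "code"}
    return None


def to_csv(rows):
    """Serialise a list of dicts to CSV text (column order as in the dicts)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    working, key = pseudonymise(RAW_ROSTER)
    print("working dataset (shareable with analysts):\n" + to_csv(working))
    print("key file (restricted, stored separately from the data):\n" + to_csv(key))
```

The two outputs should never travel together: the key file belongs in the most restricted storage tier available under the University’s data classification, and the working dataset is what crosses borders or goes to collaborators. Deleting the key is what turns this pseudonymized dataset into one that is no longer personal data, assuming no remaining columns can identify a subject on their own.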

Questions and Additional Support

If you have questions about international privacy and security laws, contact the Office of Counsel, Global Engagement, or the other contacts noted above.