Student (K-12) Data Protection in The Digital Age: A Comparative Study
Student (K-12) Data Protection in The Digital Age: A Comparative Study
Student (K-12) Data Protection in The Digital Age: A Comparative Study
Abstract
Schools have traditionally aggregated student education records
themselves, in written formats and with relatively unsophisticated
systems. However, today the amount of record keeping has increased
and schools are ever more reliant on third-party operators, who compile
information and operate databases systematically and more efficiently.
These and other factors have opened opportunities for private vendors
to access student data and to share it with others. In addition, schools
now routinely incorporate various forms of digital technology in the form
of educational software, teaching aids, websites, and programmes that
provide connected devices to each student, allowing and encouraging
teachers to incorporate technology into their lessons. By its very nature,
the internet is a marketing information-sharing environment and the
potential for traceability exists whenever the students are engaged in
online activities. With these advances and developments, data security
and other concerns become of paramount importance. Among the
issues that have been raised are issues such as how can the legal system
engage in harm reduction? Which legal approach is appropriate? What
is the scope of student data that the law should protect? To what extent
should schools and operators be held accountable for compliance? How
do regulators maintain the balance between the need for student data
protection and other interests? To date, proponents of new technology
have given insufficient answers to these questions. This comparative study
aims to find common strengths in different approaches to these issues
relating to student data protection, while at the same time considering
cultural and legal differences that exist among the following jurisdictions:
the United States (US), the European Union (EU), China, and South Africa.
INTRODUCTION
Privacy is becoming the most pervasive issue on the internet worldwide.
Privacy and personal data protection are facing challenges in the digital era,
due to the universal proliferation of internet-based communications, which
are notoriously difficult to police; the rise of data-hungry applications
*
PhD LLM Bachelor of Law; Deputy Director and Associate Professor of America-
China Law Institute, China University of Political Science and Law.
†
BLC LLB LLM (cum laude) (UP); Senior Lecturer University of Pretoria and Chair of the
Law Schools Global League: New Technology and the Law Research Group.
261
1
(K-12) is a term used in education and educational technology in the United States, Canada,
and other countries, and is a shortened term for the school grades prior to college. These
grades are kindergarten (K) and the first through to the twelfth grade (1–12) of school. See
<http://whatis.techtarget.com/definition/K-12> accessed 12 January 2018.
2
A 2014 study released by the Sesame Workshop reported that seventy-four per cent of K-8
teachers use digital games for instructional purposes, with fifty-five per cent of teachers
reporting that they assign digital game playing to their students at least weekly. Lori M
Takeuchi and Sarah Vaala, ‘Level Up Learning: A National Survey on Teaching with Digital
Games’ (October 2014) <http://www.joanganzcooneycenter.org/publication/level-up-
learning-a-national-survey-on-teaching-withdigital-games/> accessed 12 November 2017.
3
A 2014 Politico article pointed out that students are tracked by education technology
companies as they play online games, watch videos, read books, take quizzes, and work on
assignments from home. The data recorded may include information about their locations,
homework schedules, internet browsing habits, and academic progress. Cf Stephanie
Simon, ‘Data Mining Your Children’ Politico (15 May 2014) <http://www.politico.com/
story/2014/05/data-mining-your-children-106676.html.> accessed 12 January 2018.
been raised are issues such as how can the legal systems engage in harm
reduction? Which legal approach is appropriate? What is the scope of
student data that the law should protect? To what extent should schools and
operators be held accountable for compliance? How do regulators maintain
the balance between the need for student data protection and other interests?
To date, proponents of new technology have given insufficient answers to
these questions. This comparative study hopes to find the common points
for better practice in relation to student data protection, while at the same
time taking into account cultural and legal differences that exist among
the following jurisdictions: the United States (US), the European Union
(EU), China and South Africa. The countries chosen represent different
approaches (Western, Eastern, and African approaches) to the question of
student data protection, and in a discussion of China’s position on the topic
it is hoped that the reader will gain some insight into a jurisdiction that is
largely inaccessible and unknown to many by virtue of language barriers.
4
FERPA 20 USC 1232 has played a key role in protecting educational records in the US for
more than forty years. cf Alex Molnar and Faith Boninger, ‘On the Block: Student Data and
Privacy in the Digital Age’ National Education Policy Centre, Annual Report on Schoolhouse
Commercialism Trends (May 2016) 15.
5
See Marc Rotenberg and Khaliah Barnes, ‘Amassing Student Data and Dissipating Privacy
Rights’ (28 January 2013) <http://www.educause.edu/ero/article/amassing-student-data-
and-dissipating-privacy-rights> accessed 15 January 2018.
6
20 USC 1232(b)(1)(D).
7
Molnar and Boninger (n 4).
8
The Secretary of Education designated the Family Policy Compliance Office (FPCO) of
US Department of Education to ‘investigate, process, and review complaints and violations
under [FERPA]’: 34 CFR s 99.60(b)(1).
9
Brandon Griggs, ‘Parents Help Kids Lie to Get on Facebook, Study Finds’ CNN.com.
(1 November 2011) <https://edition.cnn.com/2011/11/01/tech/social-media/underage-
facebook-parents-study/index.html?no-st=9999999999> accessed 12 January 2018.
10
COPPA s 312.2 defines collects or collection as the gathering of any personal information
from a child by any means, including but not limited to: (1) Requesting, prompting, or
encouraging a child to submit personal information online; (2) Enabling a child to make
personal information publicly available in identifiable form. An operator shall not be
considered to have collected personal information under this paragraph if it takes reasonable
measures to delete all or virtually all personal information from a child’s postings before they
are made public and also to delete such information from its records; or (3) Passive tracking
of a child online.
11
See the related opinions in Katherine McGrath, ‘Developing a First Amendment Framework
for the Regulation of Online Educational Data: Examining California’s Student Online
Personal Information Protection Act’ (2016) 49 University of California Davis LR 1160.
12
Molnar and Boninger (n 4).
13
SOPIPA (the Senate Bill 1177) was approved on 29 September 2014 and is operative from 1
January 2016.
14
See USC 22584(d).
15
Duane Morris, ‘Student Data Protection in an Era of Education Technology Innovation’
(7 August 2015) <http://www.duanemorris.com/alerts/student_data_protection_education_
technology_innovation_0815.html?utm_source=Mondaq&utm_medium=syndication&
utm_campaign=View-Original> accessed 10 October 2018.
16
Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on
the protection of natural persons with regard to the processing of personal data and on the
free movement of such data, and repealing Directive 95/46/EC (General Data Protection
Regulation) (Text with EEA relevance) OJ L 119, 4.5.2016. The GDPR or Regulation
2016/679 heralds some of the most stringent data protection laws in the world and applies in
the EU from 25 May 2018.
17
See GDPR 2016/679 art 8(1) and the related Recital 38 relating to the special protection of
children’s personal information.
18
Tay Nguyen, ‘GDPR Matchup: The Children’s Online Privacy Protection Act’ (CIPP/
US 5 April 2017) <https://iapp.org/news/a/gdpr-matchup-the-childrens-online-privacy-
protection-act/> accessed 5 January 2018.
19
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on
the protection of individuals with regard to the processing of personal data and on the free
movement of such data (Data Protection Directive) OJ L 281, 23.11.1995.
20
Guo Yu, Study on the Personal Data Protection (CUPL Press 2012) 48–49.
21
Data Protection Working Party, Opinion 2/2009 on the Protection of Children’s Personal
Data (General Guidelines and the Special Case of Schools) 398/09/EN, WP 160, (adopted
11 February 2009) < http://www.redipd.org/actividades/seminario_2009/common/opinion_
2-2009_menores_colegios_en.pdf > accessed 16 January 2018.
22
A comprehensive approach on personal data protection in the European Union – EU
Communication COM (2010)609/3 <https://ec.europa.eu/info/policies/justice-and-
fundamental-rights_en> accessed 10 October 2018.
23
Ethan Williams, Online Privacy Laws, European Union & Select Foreign Countries (Nova
Science Publishers 2013) 15.
24
According to the GDPR Regulation 2016/679, art 8(1), where art 6(1)(a) applies, in relation
to the offer of information society services directly to a child, the processing of the personal
data of a child shall be lawful where the child is at least sixteen years old; where the child is
below the age of sixteen years, such processing shall be lawful only if and to the extent that
consent is given or authorised by the holder of parental responsibility over the child. Member
states may provide by law for a lower age for those purposes provided that such lower age is
not below thirteen years.
25
Recital 38 of the GDPR Regulation 2016/679.
26
The State Council entrusted some experts to study the legislative issues on the personal
data protection in 2003, and the expert’s advisory draft by the Chinese Academy of Social
Sciences was completed in 2006 and submitted to the State Council for consideration. And
more scholars, for example Qi Aimin, also made related drafts.
27
The National People’s Congress (NPC) is the national legislature of the People’s Republic of
China.
28
At least ten proposals are provided each year, involving hundreds of NPC deputies or
commissioners. See Ou Yangwu, To Strengthen the Legal Protection of Personal Data and
Improve its Legislation, Research on Front Issues of Personal Information Protection (Law
Press China 2006).
29
For example, as the result of the reform of the Chinese Ministry System in 2008, the former
information management authority was merged into the newly established Ministry of
Industry and Information Technology (MIIT). Just a couple of years later, the Cyberspace
Administration of China (CAC) was founded and is to some extent sharing part of the power
with MIIT.
30
The Provisions were issued by Ministry of Industry and Information Technology of the
People’s Republic of China on 28 June 2013 (effective on 1 September 2013).
data,31 regulating the principles and rules of data collection or use, agent
management, and the reasonable measures to maintain data security.
However, the Provisions only emphasise student data protection through
the traditional consent doctrine32 and it is the authors’ opinion that the
sanctions are too lenient.33
Two additional important laws in China are the Cyber Security Law
(CSL)34 and the General Provisions of the Civil Law (GPCL),35 which are
effective as from 2017. The CSL requires internet operators to follow the
principles of legality, justice, necessity, and openness when collecting and
using the personal data, clarifying the purpose, manner and scope, and
obtaining the consent of the owner of the data.36 This law imposes certain
duties upon operators, for example, forbidding them to disclose, alter, or
destroy the collected data of minor students.37 Given its notable legislative
importance in China,38 the CSL is widely praised for taking the first step
in building a line of legal protection.39 The GPCL does not provide for
separate protection for children40 but, for the first time, China has personal
data protection laws that will have an enormous impact in the future.
Furthermore, China also has a 2016 Draft of Minors’ Online Protection
Regulations (hereinafter the Draft). Due to the limited privacy-protection
approach and the advances of big data in China, the Draft was opened for
public comments in October 2016. The Draft is currently seen as the most
specialised law relating to a minor’s online protection, with its Articles 11,
31
Article 4 of the Provisions defines personal data through its core legal characteristics such as
‘personally identifiable’ and listing its varieties like the user’s name, date of birth, address
and identity number.
32
Article 9 of the Provisions.
33
It only sets a warning and imposes a fine of no more than thirty thousand yuan for the offenses.
cf ‘2013 Provisions for the Protection of Personal Information of Telecommunications and
Internet Users’ Articles 14 and 20.
34
The Cyber Security Law became effective on 1 June 2017.
35
The General Provisions of the Civil Law were issued on 5 March 2017 and became effective
on 1 October 2017.
36
Article 41 of CSL.
37
Article 42 of CSL.
38
As a law issued by the Standing Committee of NPC, the Cyber Security Law has raised a
professional requirement on the personal data protection and will be an important guide in
making further regulations and implementation rules.
39
Sai Di and Li Jianwu, ‘CSC has Built a Legal Defense for Personal Information Protection’
<http://www.cac.gov.cn/2016-11/10/c_1119889943.htm> accessed 15 January 2018.
40
Under Article 111: ‘The personal information of a natural person shall be protected by the
law. Any organization or individual needing to obtain the personal information of other
persons shall legally obtain and ensure the security of such information, and shall not
illegally collect, use, process or transmit the personal information of others, nor illegally
market, provide or disclose the personal information of other persons.’
41
Under the Draft of ‘Minors’ Online Protection Regulations’ art 11, the schools (together
with other public places as cultural centres or adolescent places) are required to install minor
online protection software; under art 15, the schools (from primary to high schools) shall
give a course for safe and reasonable use of the internet for educational purpose and art 16
imposes liabilities.
42
Dana van der Merwe and others, Information and Communications Technology Law (2 edn,
LexisNexis 2016) 189–191; Sylvia Papadopoulos and Sizwe Snail (eds), Cyberlaw at SA
III: The Law of the Internet in South Africa (Van Schaik 2012) 276; cf Johann Neethling and
others, Neethling’s Law of Personality (LexisNexis 2005) 221–252, 253, 267–280; Johann
Neethling and others, Neethling’s Law of Delict (LexisNexis 2015) 370–373.
43
Papadopoulos and Snail (eds) (n 42) 291.
44
Preamble to POPI Act.
45
Section 1 Part A of Ch 5, ss 112–113 of the POPI Act came into operation in accordance with
the provisions of Proclamation No R25 in GG 37544 (11 April 2014).
remainder of the provisions.46 To date, the president has not yet announced
the commencement of the remainder of the provisions of the POPI Act.47
The purpose of the POPI Act is to give effect to the constitutional
right to privacy by safeguarding personal information when processed
by a responsible party, subject to justifiable limitations that are aimed at
balancing the right to privacy against other rights, particularly the right of
access to information. It also has the purpose of establishing conditions that
prescribe the minimum threshold requirements for the lawful processing of
personal information, providing persons with rights and remedies to protect
their personal information from processing that is not in accordance with
the POPI Act. The Act establishes voluntary and compulsory measures,
including the establishment of an Information Regulator, to ensure respect
for and to promote, enforce and fulfil the rights protected by the POPI Act.48
Prior to the enactment of the POPI Act, children’s information or data
was not a specifically designated category of information to be protected.
The only direct mandate relating to children was found in section 28(2) of
the Constitution stipulating that a child’s best interests are of paramount
importance in every matter concerning the child. However, with the POPI
Act, children’s personal information is designated as a separate category
of personal information where the conditions related to processing of this
type of information are more stringent than the processing of other personal
information.49 As with the EU, the POPI Act also follows a competent
person, consent-based doctrine.50
REGULATORY APPROACHES
The US Regulatory Approach
The US prefers what it calls a ‘patchwork’ approach, or a sectoral approach
to data protection (as opposed to a unified overarching system of protection),
which relies on a combination of legislation and self-regulation for different
sectors of American society such as children and finance.51 Scholars
describe this kind of regulatory system as supplementing the existing law
(mainly privacy law) and combining it with self-regulation.52 That is, new
46
Section 43(1)(l) of POPI Act.
47
At the time of publication of this text, the Information Regulator’s office was in the process
of being set up and the indication is that the POPI Act is set to commence by the end of
2018. See also Pansy Tlakula, ‘Briefing on The Work of The Information Regulator’ (13
February 2017) <http://www.justice.gov.za/inforeg/docs/sp-20170213-InfoRegBriefing.
pdf> accessed 28 February 2017; and the website of the Information Regulator (South
Africa) <http://www.justice.gov.za/inforeg/index.html> accessed 28 January 2017.
48
Section 2 POPI Act.
49
Sections 26, 27, 34 and 35 POPI Act.
50
ibid.
51
See Robert Schriver, ‘You Cheated, You Lied: The Safe Harbor Agreement and Its
Enforcement by the Federal Trade Commission’ (2002) 70 Fordham LR 2779.
52
See Zhang Xinbao, ‘From Privacy to Personal Information: Theory of Re-evaluation of
Interests and System Arrangement’ (2015) 3 China Legal Science 38, 39.
53
For example, COPPA s 1302(9) requires that, before collecting, using or disclosing personal
information from a child, an operator must obtain verifiable parental consent from the child’s
parent.
54
The FTC has many dealings with the operators while the Department of Education is
authorised to be in charge of the student businesses, so they are more likely to take the
efficient and timely measures.
55
Xinbao (n 52) 39.
56
Williams (n 23).
exception to the general rule that the circumstances of minor students and
their best interests should be taken into account. For example, the inaccurate
or incomplete student data must be erased or corrected and that the right of
access can be exercised either by the student based on his maturity level or
by the student’s representative.57
The GDPR eventually settled that should the processing of a child’s
personal data be based on consent, children under the age of sixteen could
not give that consent themselves. Instead, consent is required from a person
holding ‘parental responsibility’. However the GDPR does permit member
states to lower the age in law, so long as it is not below the age of thirteen.58
The member states of the EU have followed the legal principles of
Directives, while taking various measures to meet the new challenges
brought about by technology. In France, except for one clause specifically
mentioning minors, the 1978 law does not explicitly mention the privacy
rights of minors.59 However, it favours informing children about the
responsible use of the internet. It also provides a range of alternative methods
to achieve the goal of student data protection. These include organising
major communication campaigns for minors; investing in funding privacy
awareness programme; creating special websites for minors; requiring
schools to teach students how to develop a critical and reflective approach
to the use of online communications during civic education classes; and
informing the students of all their rights under the 1978 law.60 Similarly,
Germany has no age-specific privacy provisions either. However, many
states provide educational programmes to make young people aware of the
online attacks on privacy, including online privacy education in the school
curricula.61
57
Id 9.
58
Article 8(1) GDPR.
59
France’s data protection law dates back to 1978 with the enactment of Law 78-17 on
Information Technologies, Data Files and Civil Liberties. This law is said to have inspired
the drafting of European Union Directive 95/46/EC on personal data protection. The 1978
law has been amended on several occasions to comply with more recent European Union
Directives. Personal data must be collected and processed fairly and lawfully for specified,
explicit, and legitimate purposes, and with the consent of the data subject. In addition to the
right to consent, data subjects have been given the following rights: right to be informed, right
to object, right of access, right to correct and delete information, and right to be forgotten.
‘Loi 78-17 du 6 janvier 1978 relative à l’informatique, aux fichiers et aux libertés’ (version
consolidée au 27 août 2011) [Law 78-17 of 6 January 1978 on Information Technologies,
Data Files and Civil Liberties (consolidated version as of 27 August 27 2011)] <https://
www.loc.gov/law/help/online-privacy-law/2012/france.php> accessed 12 February 2018.
Unofficial English version available on CNIL <http://www.cnil.fr/fileadmin/documents/en/
Act78-17VA.pdf> accessed 12 February 2018.
60
Id and Williams (n 23) 59.
61
Id 73.
62
cf Zhou Hanhua, Personal Data Protection Law (Expert’s Advisory Draft) and Its Legislative
Research Report (Law Press China 2006).
63
Xinbao (n 52) 53.
64
Privacy and other personal data were covered by ‘Provisions of the Supreme People’s Court
on the application of laws concerning the use of information networks in the infringement
of personal rights and interests in civil disputes’ (art 12); in the GPCL, the right to privacy is
regulated in art 110, while the personal data protection is regulated in art 111.
65
Some scholars hold that art 111 of the GPCL just provides a remedy to solve personal data
issues by a tort liability approach. See Xue Jun, ‘No Conflicts Exist Between “right to
personal data” and “right to privacy”’, Role of Law Weekend Edition, 9 April 2017. On the
other hand, some scholars hold that an independent ‘right to personal data’ is established
by the GPCL. See Huang Chunlin, ‘The Brief Comment on the Personal Data Right under
GPCL’ <http://article.chinalawinfo.com/ArticleFullText.aspx?ArticleId=99179> accessed
10 October 2018.
66
See Guo Yu, Study on the Personal Data Protection (CUPL Press 2012) 90.
67
For example, Zhao Hong points out that the public law research on the information disclosure
should be turned to the information protection. cf Zhao Hong, ‘From the Information
Disclosure to the Information Protection the Wind Direction and Core Issue of Public Law
Research on Information Protection’ (2017) 2 Journal of Comparative Law 31.
68
See definition of child in s 1 read with ss 34–35 of POPI.
69
Article 8(1) GDPR.
70
Section 35(1)(e) of POPI.
71
Sections 8–25 of POPI.
72
Section 20 USC 1232f (a)(4)(A).
73
Id 1232f (a)(4)(B).
74
Id 1232g (a)(5).
educational agency, despite the fact that the students also create marketable
profiles when they take surveys or standardised tests in school.75
When compared to FERPA, Californian laws have interpreted the concepts
in different ways and further expanded the scope of protected student data.
On the one hand, the definition of operators is expanded. Under SOPIPA,
the ‘operator’ means the operator of an internet website, online service,
online application, or mobile application with actual knowledge that the site,
service, or application is used primarily for K-12 school purposes and was
designed and marketed for K-12 school purposes.76 On the other hand, the
student data included in its scope constitutes a wide array of information and
includes so-called ‘covered information’ and persistent unique identifiers.77
FERPA excludes such items as data collected by education technology
websites and applications and ‘pupil-generated content’ (essays and so on),
while the Californian interpretations include almost all the possible student
data available.
Unfortunately, the operators can maintain and use de-identified or
anonymous student data to develop or improve their own educational products
and services, which means that only PII (Personal Identifiable Information)
is covered by the law. Yet, it has been shown that in many circumstances
de-identified information (non-PII) can be linked to individuals; that it can
be re-identified; and that there is a risk that information deemed non-PII at
one point in time could be transformed into PII at a later juncture.78 Thus,
75
Molnar and Boninger (n 4) 9.
76
SOPIPA, 22584(a). ‘K-12 school purposes’ means purposes that customarily take place
at the direction of the K-12 school, teacher, or school district or aid in the administration
of school activities, including, but not limited to, instruction in the classroom or at home,
administrative activities, and collaboration between students, school personnel, or parents,
or are for the use and benefit of the school (SOPIPA, 22584(k)).
77
SOPIPA, 22584(i). ‘Covered information’ means personally identifiable information or
materials, in any media or format that meets any of the following: (1) is created or provided
by a student, or the student’s parent or legal guardian, to an operator in the course of the
student’s, parent’s, or legal guardian’s use of the operator’s site, service, or application for
K-12 school purposes; (2) is created or provided by an employee or agent of the K-12 school,
school district, local education agency, or county office of education, to an operator; (3) is
gathered by an operator through the operation of a site, service, or application described in
subdivision (a) and is descriptive of a student or otherwise identifies a student, including,
but not limited to, information in the student’s educational record or email, first and last
name, home address, telephone number, email address, or other information that allows
physical or online contact, discipline records, test results, special education data, juvenile
dependency records, grades, evaluations, criminal records, medical records, health records,
social security number, biometric information, disabilities, socioeconomic information, food
purchases, political affiliations, religious information, text messages, documents, student
identifiers, search activity, photos, voice recordings, or geolocation information.
78
See Paul Schwartz and Daniel Solove, ‘The PII Problem: Privacy and a New Concept of
Personally Identifiable Information’ (2011) 86 New York University LR 1814.
79
Some scholars suggest abandoning PII as a central concept in information privacy law, for
example, Paul Ohm argues that the concept of PII is unworkable and unfixable, and the
attempt to define PII is as futile as the classic carnival game of ‘whack-a-mole’. See Paul
Ohm, ‘Broken Promises of Privacy’ (2010) 57 UCLA LR 1702–1704; considering PII’s
crucial function to have established the boundaries of privacy regulation, Paul Schwartz
and Daniel Solove hold that abandoning PII is problematic and that we should opt for a
reconceptualisation of a standard for PII, cf Schwartz and Solove (n 78) 1871.
80
‘An identifiable’ person is defined as ‘one who can be identified, directly, or indirectly, in
particular by reference to an identification number or to one or more factors specific to his
physical, physiological, mental, economic, cultural, or social identity’, Council Directive
95/46, on the Protection of Individuals with regard to the Processing of Personal Data and on
the Free Movement of Such Data, art 2(a) 1995 O.J. (L 281) 31, 38.
81
cf Durant v Financial Services Authority [2003] EWCA Civ. 1746.
82
Recital 26 Directive 95/46/EU.
83
Article 2(a) Directive 95/46/EU.
84
Article 4 Definitions in GDPR Regulation 2016/679.
85
Schwartz and Solove (n 78) 1875.
86
Guo Yu, Legal Protection of Personal Data (Peking University Press 2012) 123–125.
87
Article 4 of the Provisions.
88
Article 76(5) of the CSL.
89
Article 35(3) of the Draft of Minors Online Protection Regulations.
90
Section 1 of POPI defines personal information as meaning information relating to an
identifiable, living, natural person, and where it is applicable, an identifiable, existing
juristic person, including, but not limited to—(a) information relating to the race, gender,
sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation,
age, physical or mental health, well-being, disability, religion, conscience, belief, culture,
language and birth of the person; (b) information relating to the education or the medical,
financial, criminal or employment history of the person; (c) any identifying number, symbol,
e-mail address, physical address, telephone number, location information, online identifier or
other particular assignment to the person; (d) the biometric information of the person; (e) the
personal opinions, views or preferences of the person; (f) correspondence sent by the person
that is implicitly or explicitly of a private or confidential nature or further correspondence
that would reveal the contents of the original correspondence; (g) the views or opinions of
another individual about the person; and (h) the name of the person if it appears with other
personal information relating to the person or if the disclosure of the name itself would reveal
information about the person.
91
Section 20 USC 1232f (a)(2)(A).
92
Assembly Bill No 1442 Chapter 799, An Act to add Section 49073.6 to the Education Code,
relating to pupil records, approved 29 September 2014. To some extent aiming to play a joint
role with SOPIPA.
93
Id S49073.6(2)(b) and (3)(A).
94
Id S49073.6(c)(3)(B).
95
Id S49073.6(c).
96
For example, the school district shall destroy data gathered from social media and maintained
in its records within one year after a pupil turns eighteen years of age or within one year after
the pupil is no longer enrolled and shall provide notice to the third party about it. See Id
S49073.6(c)(3)(A).
97
FTC, ‘Complying with COPPA: Frequently Asked Questions’ (FTC Business Center,
Federal Trade Commission, 20 March 2015) <https://www.ftc.gov/tips-advice/business-
center/guidance/complying-coppa-frequently-asked-questions> accessed 12 January 2018.
98
For example, FTC, ‘Two App Developers Settle FTC Charges They Violated Children’s
Online Privacy Protection Act, Companies’ Apps Shared Kids’ Information with Ad
Networks; Will Pay $360K In Civil Penalties’, 17 December 2015 <https://www.ftc.gov/
news-events/press-releases/2015/12/two-app-developers-settle-ftc-charges-they-violated-
childrens> accessed 12 January 2018.
99
Anna Wade, ‘The Children’s Online Privacy Protection Act: Can Website Regulations be
Applied to Mobile Phone Apps?’ 8 (2014–2015) Federal Courts Law Review 197, 213.
100
Among the changes are several expanded definitions closing loopholes that previously
allowed third parties to collect personal information from children via ‘plug-ins’.
101
For example, the operators must post a clear and comprehensive online privacy policy
describing their information practices for personal information collected online from persons
under the age of thirteen; make reasonable efforts to provide direct notice to parents; establish
and maintain reasonable procedures to protect the confidentiality, security, and integrity of
the personal information.
102
It is expected to become a model for other states around the country, and the technology
companies spearheaded a voluntary pledge to protect the student privacy. Future of
Privacy Forum and the Software & Information Industry Association (2014) <http://
studentprivacypledge.org> accessed 10 October 2018.
103
USC 22584.(b).
104
USC 22584.(d).
105
Article 4(7)–(8) describe a ‘controller’ as the natural or legal person, public authority,
agency or other body which, alone or jointly with others, determines the purposes and
means of the processing of personal data; where the purposes and means of such processing
are determined by union or member state law, the controller or the specific criteria for its
nomination may be provided for by union or member state law and a ‘processor’ as a natural
or legal person, public authority, agency or other body which processes personal data on
behalf of the controller.
106
Article 4(7) and 4(8).
107
Recital 43 Regulation 2016/679.
In contrast to the very clear operator-duty approach taken by the US, the
GDPR provides a strong rights-based system instead of directly imposing
duties on the operators. Under this system, the data subject has rights of
access, rights to rectification and erasure, restriction of processing, data
portability, objection and control over automated decision-making, and
so on.108 However, rights and duties go hand in hand, and the more rights
data subjects have, the more the duties are imposed on the operators. In
comparison to the former Directive, the GDPR also imposes stricter
duties on the data controller and processor. For example, under its recital
(64) it is stated that the controller should use all reasonable measures to
verify the identity of a data subject who requests access, in particular in
the context of online services and identifiers.109 In addition, the controller
shall maintain a record of processing activities under its responsibility;
implement appropriate technical and organisational measures to ensure that
only the personal data necessary for each specific purpose of the processing
are processed; maintain a level of security appropriate to the risk; and carry
out an assessment of the impact of the envisaged processing operations
on the protection of (student-data-included) personal data.110 The GDPR
provides new requirements for data processors and expands the liabilities of
controllers to the processors (who mainly acquire duties through contract).111
108
Articles 15–18, 20–22 Regulation 2016/679.
109
Recital 64 Regulation (EU) 2016/679.
110
Articles 25, 30, 32, 35 Regulation 2016/679.
111
Articles 3, 28–31 and Recitals 22–25, 81–82 Regulation 2016/679.
112
Article 111 GPCL.
113
Articles 11–12 of the 2016 Draft of Minors Online Protection Regulations.
114
Id art 31.
The Provisions forbid telecom operators and ISPs from collecting and
using the student data without consent.115 The purpose, mode, and scope
of the collection and use of data, the channels for inquiring and correcting
data, and the consequences of refusing to provide data should be clearly
communicated to the users.116 Further, operators or ISPs are not allowed
to collect or use the user’s personal data outside of the necessary scope or
purpose of their service. In addition, operators and ISPs should not deceive,
mislead or use coercion in violation of laws or administrative regulations
or the agreements.117 They should maintain the secrecy of the collected
or used data and take reasonable measures to prevent the data from being
disclosed, destroyed, altered, or lost.118 Once the duty is breached, the
telecom administration should order the wrongdoer to correct it within a
given timeframe and, together with the warnings given, they could face
possible fines of between ten and thirty-thousand RMB.119 The provisions
put these agencies under the supervision and administration of the operators
and made operators responsible for their agency’s behaviours relating to
student data collection or use.120 This is in accordance with the principle of
‘he who operates is responsible’ or ‘he who entrusts is responsible’, and is
based on the agency system in the Chinese civil law.
The internet operators are required by CSL to follow the principles of
legality, justice, necessity, and openness when collecting and using student
data, clarifying the purpose, manner and scope, and obtaining the consent
of the owner of the data.121 They are forbidden from disclosing, altering,
or destroying the collected data.122 They should also not collect data that
is irrelevant to the service provided.123 In this respect, China takes a very
similar view to that of the Assembly Bill 1442 of California, aiming to form
a boundary for data collectors. Moreover, under the Draft of Minors Online
Protection Regulations, those who collect and use student data online are
required to mark warning signs in an eye-catching position, indicating the
source, content, and use of the collected information and obtaining the
consent of the minor or his/her guardian.124 The minor student or his/her
guardian also has the right to request an ISP to delete data or shield the
network space relating to the data.125
115
See art 9(1) of ‘Provisions for the Protection of Personal Information of Telecommunications
and Internet Users’.
116
Id art 9(2).
117
Id art 9(3).
118
Id arts 10 and 13.
119
Id arts 23.
120
Id art 11.
121
Article 41(1) CSL.
122
Id arts 42 and 43.
123
Id art 41(2).
124
Article 16 Draft of Minors Online Protection Regulations 2016.
125
Id art 18.
BALANCING-OF-INTERESTS POLICIES
The US Balancing-of-Interests Policies
The US has been struggling to follow a balancing-of-interests legal policy.
The struggle has significantly intensified with the prevalence of big-data
and data-mining technology.130 In summary, the competing factors that
restrict the protection of student data include the rights and freedoms under
the First Amendment, national security, and innovations in technology.
Among them, the conflict between national security and student privacy is
especially prevalent. One camp holds the view that national security takes
priority and persistently fixes the gaps that exist in law. The other camp holds
126
Sections 9 and 1 definition of responsible party in POPI.
127
cf s 1 definitions for ‘competent person’ and ‘child’, ss 34–35 in POPI.
128
cf ss 23, 24, 25, 15 and 71 in POPI.
129
cf ss 17, 10, 13–14 and 19–22 in POPI.
130
Big data analytics and artificial intelligence systems have made it possible to gather,
combine, analyse and indefinitely store massive volumes of data. ‘Big data’ refers to the
practice of combining huge volumes of diversely sourced information and analysing them,
often using self-learning algorithms to inform decisions. cf EDPS Opinion 3/2018 EDPS
Opinion on Online Manipulation and Personal Data <https://edps.europa.eu/sites/edp/files/
publication/18-03-19_online_manipulation_en.pdf> accessed 10 October 2018.
the view that information privacy is a top priority and they sharply criticise
the government’s unwelcome invasion of privacy.131 As for the difficulty of
maintaining the balance between public interest and data protection, Hoang
suggests examining whether the government’s use of data is acceptable
to the community, especially when the personal data collection is large-
scale, and the degree of harm caused to the public may lead to greater data
protection interest than the government’s security concerns.132
An additional concern is how to protect student data while leaving enough
space to educate the students in technology and innovation. Current detailed
regulations have partly achieved this. The most important aspect of the legal
developments in California signal that educators and legislators must work
together to strike a balance with student privacy, technological innovation,
and student data needs. The final legislation, SODPPA, does include some
key accommodations to industry concerns, such as specifying that operators
be allowed to maintain and use de-identified or anonymous student data
to develop and improve their own educational products and services. For
example, it explains that this balancing of interests’ policy is achieved by
allowing limited exceptions133 and thus leaves room for new technological
developments.
EU Balancing-of-Interests Policies
To achieve the goal of balancing rights, it clearly requires a reconciliation
of competing fundamental rights with the student privacy interests. The EU
courts are frequently called upon to weigh these competing interests and
as a result, they do not always decide in favour of personal data or privacy.
For example, the European Court of Justice (CJEU) held in the case of
Volker und Markus Schecke v Land Hessen that the right to protection of
personal data is not an absolute right, but must be viewed in relation to
its function in society and be balanced with any other fundamental human
rights based on the principle of proportion.134 It allows limitations on the
exercise of fundamental rights. However, limitations are only allowed if
they are necessary and genuinely meet the objectives of general public
131
See Daniel Solove and Paul Schwartz, Information Privacy Law (4 edn, Wolters Kluwer:
Law and Business 2011) 247–248.
132
Carolyn Hoang, ‘In the Middle: Creating a Middle Road between U.S. and EU Data
Protection Policies’ (2012) 32 J National Association of Admin L Judiciary 811, 853–854.
133
SODPPA claims that: the law itself does not limit the ability of an operator to use student data
for adaptive learning or customised student learning purposes; does not limit internet service
providers from providing internet connectivity to schools or students and their families; shall
not be construed to prohibit an operator from marketing educational products directly to
parents so long as the marketing did not result from the use of covered information obtained
by the operator through the provision of services covered under this section. USC s 22584
(k)–(p).
134
cf Williams (n 23) 13.
interest recognised by the EU.135 In the different member states of the EU,
law might restrict the rights relating to student data in order to strike a
balance with the freedoms and rights of others and with the general public
interest, subject to the principle of proportionality and the legal systems of
the member states.136
The last ground for processing of personal data under the Directive 95/46/
EC requires a balancing act between the interests of the data subject and
those of the controller or third parties to whom the data has been disclosed.137
Not surprising, both Directive 95/46/EC and the GDPR have made efforts
to achieve a proportionate balancing of interests through the imposition of
restrictions. Under the Directive 95/46/EC, the member states may adopt
the legislative measures to restrict the scope of the obligations and rights
(in Articles 6(1), 10, 11(1), 12, 21) when such a restriction constitutes a
necessary measure that should be safeguarded.138 The GDPR reinforces this
and adds a few more restrictive factors, such as social security pertaining
to important economic or financial interests, the protection of judicial
independence and judicial proceedings and the enforcement of civil law
claims.139
Generally speaking, the EU adopts a pragmatic approach to meet the data
protection requirements by balancing these protection requirements with
their feasibility, while scholars would favour clearer statutory rules for the
purpose of balance.140
135
ibid.
136
Id 3.
137
Directive 95/46/EC had provided six legal grounds for processing, including ‘to pursue
legitimate interests by the controller or third parties who have become privy to such data,
unless the protected interests of the data subject override those of the controller or third
parties.’ See also Senate Committee Report (April 2011) 21–22.
138
A restriction can be: national security; defense; public security; the prevention, investigation,
detection and prosecution of criminal offences, or of breaches of ethics for regulated
professions; an important economic or financial interest of a member state or of the European
Union, including monetary, budgetary and taxation matters; a monitoring, inspection or
regulatory function connected, even occasionally, with the exercise of official authority in
cases referred to in (c), (d) and (e); the protection of the data subject or of the rights and
freedoms of others. Directive 95/46/EC, art 13(1).
139
Article 23(1) Regulation (EU) 2016/679.
140
cf Williams (n 23) 78.
141
cf Han Dayuan, ‘The Concurrence and Conflict of Fundamental Rights’ (1996) 4 Translation
Review of Foreign Law 80.
142
The principle of proportionality has not been written into the Chinese law yet, but many
Chinese scholars accept it as a tool to balance the personal data protection and its conflicting
interests. Opinions can be found in articles provided by Li Chengliang, ‘Boundary
of the Personal Data Protection’ (2016) 4 J of Philosophy and Social Science; Pei Wei,
‘Construction of Procedural Rules for Electronic Investigation and Evidence Collection:
From the Perspective of Proportionality Principle’ (2017) 1 Global LR.
143
cf Xinbao (n 52) 53.
144
Qi Aimin, To Save the Personality in the Information Society (Peking University Press 2009)
100.
145
Section 35(1)(b)–(d) of POPI.
CONCLUSION
This article analyses the legal policies and arguments on K-12 student
data protection from a comparative perspective, focused upon the legal
developments in the US, EU, China and South Africa. It examines key issues
such as the legislative framework, legal pathways, the scope of protected
student data, duties imposed on either the schools or operators, and how to
achieve an equitable balance of interests. Based on the analysis, it identifies
the similarities while considering cultural and legal differences that exist
among the jurisdictions compared. It finds that, despite the differences in
language, legal traditions, and cultural and social values, there has been a
broad measure of agreement on the common topic of student data protection.
The US, EU, and China remain consistent on the key issues of student data
protection, providing the possibilities to learn from each other. It shows
that, with the public concerns increasing, there is a common trend that all
the states in this study are following by pursuing further legislative efforts or
legal reforms, which are necessary to face the new challenges in the context
of the internet and big-data related technology. As the response, the scope
of student data protected by law has been (or is being) largely expanded and
multiple duties have been imposed in the states mentioned above. It is also
widely accepted that technology should facilitate the free flow of data while
ensuring a high level of protection for personal data. Thus, it is inevitable
that to maintain a balancing-of-interests policy, the issue remains on the
extent that this policy should be implemented which has to be weighed
within the respective contexts. In the meanwhile, each country preserves its
specificities deeply rooted in their distinct cultures and historical, political
and economic contexts. This has and will continue to result in the relative
legal policies best suited to meet the different requirements. For example,
as for the legal framework and pathway, the US produces more specialised
regulations and flexible policies on K-12 student data protection, while
the EU insists on a general pathway, uniform but with less efficiency and
specificity. As the representative of a third newly developed and hybrid law
style, China is trying to find a middle course, following the EU in structure,
while also mixed with US practical characteristics of making more
specialised laws. South Africa has adopted an approach that is arguably
a more restrictive one than that of the EU, by following a policy of more
generalised, wide ambits of scope, omnibus type of legislation, relying on
constitutional rights to fulfil the balancing of interests requirements, such
as freedom of expression or access to information. Policymakers could take
note of the benefits of specialised focused legislation and the flexibility to
adapt to new technology.