Legal Compliance

On paper, it would seem that a technology infrastructure ought to comply with relevant laws. In practice, this is rarely the case, since most laws are unenforceable, and even for those which are, there is little enforcement. In most countries, ed-tech takes a don’t-ask-don’t-tell approach to compliance.

In the US, where I live, the relevant laws include:

• PPRA, which grants familes a right to see all curriculum.
• FERPA, which grants familes a right to see their students’ data, privacy protections for that data, and a right to correct errors in that data
• COPPA grants extensive rights to privacy and to receive copies of data for parents of kids under 13
• The Common Rule provides further protections if students are also research subjects (a common use-case for our a research-focused technology infrastructure)

In addition, many states have local laws granting rights beyond that. For example, in California, CCPA is modeled on the European GDPR.

In practice, for most ed-tech systems, it is impossible for parents to:

1. Get access to curricula on commercial servers
2. Gain meaningful access to student data (e.g. estimates of skills in an ICT)
3. Gain access to detailed student data (e.g. click-log level data)
4. Correct errors (e.g if a friend pranks a student by typing in racist content, that stays in that student’s log forever).

Since all of those live on proprietary servers. Data is also widely distributed (click on the “cookie” link on any web page!), and there is no way to effectuate something like a right-to-be-forgotten request if data isn’t track. This is doubly true of research data living on graduate student (and employee) laptops. A request to be forgotten ought to cascade everywhere data went, and this isn’t currently tracked.

Of course, laws vary across the ≈200 jurisdictions in the world.

For 15 minutes, discuss:

• What are the relevant laws to data governance in Poland? Cultural norms? How do those compare to the US-based ones above?
• How would a technology infrastructure need to be structured to be compliant with those laws?