US and International Privacy Laws
Data privacy laws exist within the US (federal and state) and in numerous other countries. Personal information collected and processed by GW in the course of university operations is protected by these national and international privacy laws.
In the US, data privacy is legislated by sector (or type of personal data), resulting in a series of laws that address the privacy and security of specific categories of data. Some of the main federal laws that provide for data protection include:
- Family Educational Rights and Privacy Act (FERPA)
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standards (PCI DSS)
US State laws also address data privacy and protection, and include, for example, legislation on data breaches and protection requirements for sensitive personal information such as social security numbers. Additionally, several US States have enacted consumer data privacy laws, such as the California Consumer Privacy Act (CCPA), the Virginia Consumer Data Protection Act (VCDPA), the Maryland Personal Information Protection Act (PIPA), the Colorado Privacy Act (CPA) and others.
For information on specific US State or Federal privacy laws and regulations, contact the GW Privacy Office.
Over 120 nations have enacted data privacy and protection laws. Some countries have sectoral privacy laws, meaning different industries or trades in the country have their own data privacy laws. Other countries have omnibus (comprehensive) data privacy laws.
- EU General Data Protection Regulation (GDPR)
The European Union’s General Data Protection Regulation (GDPR) is a regulation that went into effect on May 25, 2018. The regulation provides for the privacy protection of individuals residing in the European Economic Area (“EEA”). The EEA includes EU countries and also Iceland, Liechtenstein and Norway.
- UK General Data Protection Regulation (UK GDPR)
The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR).
- China’s Personal Information Protection Law (PIPL)
PIPL is the Personal Information Protection Law of the People’s Republic of China, effective November 1, 2021. China’s PIPL is similar to GDPR and other international privacy laws protecting the privacy and security of personal information of individuals residing in mainland China.
- Other Countries’ Data Privacy Laws
Many non-EU countries (e.g., Argentina, Canada) have followed the EU model and have created comprehensive laws regarding data privacy and security. Other countries have less stringent privacy regimes (e.g., Russia, Brazil, Saudi Arabia), but they may still have certain data privacy and security requirements that GW staff, faculty and researchers must be aware of before collecting, storing, transferring or disseminating personal information of individuals located in those countries.
For information on specific International privacy laws and regulations, contact the GW Privacy Office.