Data Protection Laws
Data Protection in the European Union
Using and sharing personal information for research and other purposes is even more challenging when the data is collected in the European Union, where statutory protections for personal data generally exceed those that the United States imposes. While in the U.S. only certain types of personal data are subject to data privacy and security regulations, the European Union Data Protection Directive (the “Directive”) is comprehensive and covers any type of personal information. The Directive requires each EU member state to enact its own data protection law implementing the framework of the Directive. As a result, EU member state data privacy laws vary somewhat from country to country.
The Directive sets strict guidelines regarding what types of personal information may be gathered and under what circumstances personal information can be collected, and not all research activities may qualify. Furthermore, because the European Union believes that the United States has inadequate privacy protections, personal information cannot be transferred from the EU to the U.S. unless the data subject unambiguously consents to the transfer, Yale signs an EU-approved data transfer agreement with the EU entity transferring the data that grants certain protections to the data, or one of a few other limited exceptions applies.
Yale researchers collecting personal information in the EU or collaborating with EU institutions should be prepared to provide assurances to local regulators, research subjects, collaborating institutions, and other third parties as to compliance with the Directive’s provisions. For additional guidance, view this fact sheet.
Use the “Contact Us” link on the upper right to request assistance or obtain additional information about navigating non-U.S. data protection laws with respect to Yale activities abroad or on campus.