You are viewing an archived webpage. The information on this page may be out of date. Learn about EPIC's recent work at epic.org.

EPIC v. The U.S. Department of Education

Challenging the Department of Education's Family Educational Rights and Privacy Act (FERPA) 2011 Regulations

Top News

  • California Enacts Comprehensive Student Privacy Law: California has passed the "Student Online Personal Information Protection Act," a comprehensive student privacy law. Among other provisions, the new law: (1) prohibits K-12 mobile and online service operators from using student information to target advertisements to students; (2) prohibits online service providers from creating K-12 student profiles for commercial purposes; and (3) forbids companies from selling student information. The law also requires K-12 mobile and online service operators to establish security measures and to delete student information at the request of a school or district. California also passed a law requiring schools that outsource student records to include privacy in contracts, and a law governing school social media monitoring programs. The Student Online Personal Information Protection Act incorporates many proposals EPIC outlined in the Student Privacy Bill of Rights. For more information, see EPIC: Student Privacy, EPIC: EPIC v. Education Dept., and EPIC: Echometrix. (Oct. 2, 2014)
  • Education New York Urges Parents to Protect Student Privacy: Education New York, a leading student privacy rights organization, is urging students and parents to opt-out of the use of educational records for marketing purposes. The data typically includes name, address, telephone number, birth date, and other personal information in student records. Education New York’s founder Sheila Kaplan stated, "I'm thrilled that with greater awareness of the issues, more parents have been joining the fight for students’ privacy rights." EPIC has long supported stronger privacy protections for student records. In 2012, EPIC sued the Education Department concerning changes to the student privacy law. Earlier this year, EPIC a hosted panel in Washington DC with Senator Ed Markey, "Failing Grade: Education Records and Student Privacy." For more information, see EPIC v. the Department of Education and EPIC: Student Privacy. (Sep. 8, 2014)
  • Google Admits to Data-Mining Student Emails: In a sworn statement filed with a federal court, Google has admitted to scanning student emails to serve students targeted advertisements. Although Google does not display ads in Apps for Education, Google "does scan [student] email" to "compile keywords for advertising" on Google sites. Google has gained access to student emails pursuant to the Education Department's recently revised regulations, which significantly weakened the Family Educational Rights and Privacy Act, a federal student privacy law. Still, Google's practices appear to contravene the Education Department's "best practices" for online educational service providers. EPIC had earlier sued the Education Department for weakening the privacy law that protects student data. For more information, see: EPIC Student Privacy and EPIC: EPIC v. Dep't of Education. (Mar. 19, 2014)
  • After Weakening Privacy Law, Education Department Proposes "Best Practices" for Student Data: The Education Department has issued recommendations for schools that transfer student records to online educational service providers. Following the Department's changes to a federal student privacy law, private companies and government agencies have access to student records without obtaining student consent. In the recommendations, the agency explained that the current regulations do not require written agreements for schools to disclose student information to private companies. The Education Department recommended that schools establish policies for approving online educational services, create written contracts with private companies for the use of student data, and explain to parents and students how schools collect, use, and disclose student information. The agency warned that student data held by private companies may not be protected under federal privacy laws. EPIC had earlier sued the Education Department for weakening the privacy rule that prevented companies from getting access to student data. On March 13, 2014, the Education Department will hold a webinar on its student privacy best practices. For more information, see: EPIC: Student Privacy and EPIC: EPIC v. Dept. of Education. (Mar. 7, 2014)
  • EPIC FOIA - EPIC Uncovers Information About Debt Collector Practices from Education Dept.: Pursuant to a Freedom of Information Act lawsuit against the Education Department, EPIC has obtained documents which reveal that many private debt collection agencies maintain incomplete and insufficient quality control reports. As government contractors, debt collectors are required to follow the Privacy Act, a federal law that protects personal information. The Education Department also requires student debt collectors to submit quality control reports indicating whether the companies maintain accurate student loan information. The documents obtained by EPIC in this FOIA lawsuit reveal that many companies provide small sample sizes to conceal possible violations of the Act. The documents also show that many companies do not submit required information about Privacy Act compliance to the Education Department. EPIC has recently settled the case and obtained attorneys fees for making this information available to the public. For more information, see EPIC v. Education Department - Private Debt Collector Privacy Act Compliance. (Nov. 1, 2013)
  • Senator Markey Investigates Student Data Disclosures: Senator Edward Markey has sent a letter to the Education Department, requesting information on the "impact of increased collection and distribution of student data" on student privacy rights. Among other questions, Senator Markey asks why the Department made changes to the Family Educational Rights and Privacy Act, a federal student privacy law; whether the Department "performed an assessment of the types of information" that schools disclose to third party vendors; and whether students and their families can obtain their information held by private companies. The letter states, "By collecting detailed personal information about students' test results and learning abilities, educators may find better ways to educate their students. However, putting the sensitive information of students in private hands raises a number of important questions about the privacy rights of parents and their children." EPIC has sent a letter to the Senate and House Committees on Education, urging Congress to restore privacy protections for student data. For more information, see EPIC: Student Privacy and EPIC: EPIC v. The Deptartment of Education. (Oct. 24, 2013)
  • Judge Rules that EPIC Lacks Standing to Challenge Education Department's Unlawful Regulations: A federal court dismissed EPIC's lawsuit against the Education Department. EPIC has challenged the agency's 2011 changes to the Family Educational Rights and Privacy Act (FERPA) which allow the release of student records for non-academic purposes and undercut parental and student consent provisions. The court held that neither EPIC nor any of its Board of Director co-plaintiffs "have standing to bring the claims asserted in the complaint." The judge did not reach EPIC's substantive claims asserted in the complaint. EPIC argued that the Education Department exceeded its authority with the changes and that the revised regulations violate the federal student privacy law. Before initiating the lawsuit, EPIC submitted extensive comments to the Education Department, opposing the unlawful regulations. EPIC intends to take further steps to safeguard student privacy. For more information, see EPIC: EPIC v. The U.S. Department of Education and EPIC: Student Privacy. (Oct. 1, 2013)
  • EPIC to Defend Student Privacy Rights in Federal Court: On July 24, EPIC President Marc Rotenberg and EPIC Administrative Law Counsel Khaliah Barnes will present arguments in federal district court in Washington, DC in support of student privacy. In EPIC v. Dept. of Education, No. 12-327, EPIC is challenging recent changes to the Family Educational Rights and Privacy Act (FERPA) that allow the release of student records for non-academic purposes and undercut parental consent provisions. In 2011, EPIC submitted extensive comments to the agency opposing the changes. After the Education Department failed to modify the proposed regulation, EPIC filed a lawsuit and argued that the agency exceeded its authority with the changes, and also that the revised regulations are not in accordance with the 1974 privacy law. EPIC is joined in the lawsuit by members of the EPIC Board of Directors Grayson Barber, Pablo Garcia Molina, Peter Neumann, and Deborah Peel. For more information, see EPIC: EPIC v. The U.S. Department of Education and EPIC: Student Privacy. (Jul. 23, 2013)
  • EPIC Testifies Before Colorado Board on Student Privacy: EPIC Administrative Law Counsel Khaliah Barnes testified before the Colorado State Board of Education on privacy issues concerning inBloom and other companies that acquire student information. In response to public outcry over a pilot program which grants these companies access to sensitive student data, the Colorado Board of Education hosted a public session. Representatives from inBloom, the Colorado Attorney General's Office, a local school district, and EPIC participated. EPIC recommended that Colorado ensure that students and parents have access to education records maintained by third party providers, and that students and their parents should be able to limit disclosure to third parties. In 2012, EPIC sued the Education Department for issuing regulations that failed to safeguard student privacy. For more information, see EPIC: EPIC v. The U.S. Department of Education and EPIC: Student Privacy. (May. 21, 2013)
  • In Federal Court EPIC Defends Student Privacy: In documents filed with a federal court in Washington, DC, EPIC is challenging changes to the Family Educational Rights and Privacy Act (FERPA). The revised regulations, issued by the Education Department, allow the release of student records for non-academic purposes and undercut parental consent provisions. The rule change also promotes the public use of student IDs that enable access to private educational records. In 2011, EPIC submitted extensive comments to the agency, opposing the changes and arguing for the need to safeguard privacy. After the Education Department failed to make necessary changes, EPIC filed a lawsuit and argued that the agency exceeded its authority with the changes, and also that the revised regulations are not in accordance with the 1974 privacy law. EPIC is joined in the lawsuit by members of the EPIC Board of Directors and Advisory Board Grayson Barber, Pablo Garcia Molina, Peter Neumann, and Deborah Peel. For more information, see EPIC: EPIC v. The U.S. Department of Education and EPIC: Student Privacy. (Jan. 22, 2013)

Background

In April 2011, the U.S. Department of Education(ED) issued a notice of proposed rulemaking (NPRM), inviting public comments on its proposed regulations amending the Family and Educational Rights and Privacy Act of 1974 (FERPA). The proposed regulations removed limitations prohibiting educational institutions and agencies from disclosing student personally identifiable information, without first obtaining student or parental consent. For example, the proposed FERPA regulations reinterpreted FERPA statutory terms "authorized representative," "education program," and "directory information." This reinterpretation gives non-governmental actors increased access to student personal data.

On May 23, 2011, EPIC filed comments with the ED, noting the illegality of the agency's amendments, including the illegality of the agency's reinterpretation of the statutory terms "authorized representative," "education program," and "directory information." EPIC's comments stated that "the ED's proposals expand a number of FERPA's exemptions, reinterpreting the statutory terms 'authorized representative,' 'education program,' and 'directory information.' These proposals remove affirmative legal duties for state and local educational facilities to protect private student data." EPIC also noted that the proposed regulations ignored the FERPA's purpose and relied on a "fundamental misreading of appropriations legislation." EPIC's comments stated that by designating non-governmental actors as "authorized representatives" of state educational institutions, the ED would perform an "unauthorized, unlawful sub-delegation of its own authority." EPIC's comments further stated that by expanding the definition of "educational programs," the ED would expose "troves of sensitive, non-academic data." EPIC's comments stated that the proposed regulations permitting schools to "disclose publicly student ID numbers that are displayed on individuals cards or badges . . . insufficiently safeguard[] students from the risks of re-identification." EPIC recommended to the ED that the proposed regulations should be withdrawn because they were contrary to law and exceeded the scope of the agency's rulemaking authority.

On December 2, 2011, the ED issued final regulations implementing its proposed amendments, despite the agency's admission that "numerous commenters . . . stated that they believe the Department lacks the statutory authority to promulgate the proposed regulations contained in the NPRM." The final regulations' definitions for statutory terms "authorized representative," "education program," and "directory information" did not differ from the proposed regulations.

On February 29, 2012, EPIC filed a lawsuit under the Administrative Procedure Act against the ED. EPIC's lawsuit argues that the agency's December 2011 regulations amending the Family Educational Rights and Privacy Act exceed the agency's statutory authority, and are contrary to law. EPIC is joined in the lawsuit by co-plaintiffs Grayson Barber, Pablo Garcia Molina, Peter G. Neumann, and Dr. Deborah Peel. The Education Department filed its answer to EPIC's complaint on May 4, 2012, requesting that the Court dismiss EPIC's complaint.

On July 23, 2012, EPIC filed a Motion to Supplement the Administrative Record and Consider Extra-record evidence with the Court. In its motion, EPIC requested the Court to order the Education Department to supplement the administrative record to include four document sets that were before the Education Department at the time of its decision, and were considered by the agency when it issued its NPRM and subsequent final regulations. Additionally, EPIC requested that the Court consider extra-record evidence that is highly relevant to the final regulations and necessary for effective judicial review. For example, at the time that the agency issued the final regulations, it had not offered guidelines on student data and cloud computing. After the Education Department issued its regulations, the agency created a document which provided cloud computing guidance. Importantly, this document explains that even though "outsourcing information technology (IT) functions" would not "traditionally be considered and audit or evaluation," the Education Department will consider outsourcing IT functions as "auditing" or "evaluating" under FERPA regulations. FERPA permits nonconsensual disclosure of education records to "authorized representatives" for audits and evaluation of federal and state education programs.

In response to EPIC's motion, the Education Department filed a Consent Motion for Extension of Time Regarding the Dispositive Motion Briefing Schedule that was previously issued by the Court. On July 24, 2012, the Court vacated the briefing schedule and announced that a new briefing schedule would be re-established upon the Court's resolution of EPIC's motion.

On October 26, 2012, the Court issued a Memorandum Opinion and Order granting in part and denying in part EPIC's Motion to Supplement the Administrative Record and Consider Extra-record evidence. The Court granted EPIC's motion to supplement the record with two documents concerning "directory information" that were before the agency at the time of the final regulations. The Court denied EPIC's motion to supplement the record with documents that support the agency's definition of "education program," because the agency admitted that it did not rely on concrete, factual knowledge to support the new definition, and therefore the requested documents do not exist. Finally, the Court denied EPIC's motion requesting that the Court consider extra-record evidence.

Following the resolution of EPIC's Motion to Supplement the Administrative Record and Consider Extra-record evidence, the Court established the following briefing schedule: the Education Department's Dispositive Motion is due by November 30, 2012; EPIC's Opposition and Cross Motion is due by January 18, 2013; the Education Department's Reply and Cross Opposition is due by February 1, 2013; and EPIC's Reply to the Cross Motion is due by February 15, 2013.

On November 30, 2012, the Education Department filed a Motion to Dismiss or, in the alternative, a Motion for Summary Judgment, arguing that: (1) EPIC and its individual co-plaintiffs lack standing to challenge the final regulations; (2) the final rule is entitled to Chevron Deference; (3) none of the challenged definitions ("directory information", "authorized representatives", and "education programs") exceed statutory authority; and (4) the challenged definitions are in accordance with law because they are the product of reasoned decision-making.

On December 19, 2012, EPIC filed a consent motion seeking additional time to coordinate each plaintiff's declaration to support standing.

On January 18, 2013, EPIC filed its Cross-Motion for Summary Judgment and Memorandum Opposing Defendant's Motion to Dismiss and Motion for Summary Judgment. EPIC's motion argued that the individual plaintiffs have standing because there is an imminent risk that their private education records will be disclosed. EPIC also argued that EPIC has standing on its own because EPIC has suffered a concrete and demonstrable injury to its activities, and that EPIC has standing to bring suit on behalf of the members of the Advisory Board and Board of Directors. Concerning the merits, EPIC argued that that: (1) each of the challenged definitions exceeds statutory authority and is therefore not entitled to Chevron deference; and (2) the disputed definitions are not in accordance with law because they are contrary to the FERPA's plain meaning and are not a permissible construction of the statute. EPIC also argued that the definitions are arbitrary and capricious because they are not the product of reasoned decisionmaking. Finally, EPIC requested that the Court hear oral argument on the motion.

On February 1, 2013, the Education Department filed its Opposition to Plaintiffs' Cross-Motion for Summary Judgment and Reply in Support of its Motion to Dismiss or, in the Alternative, for Summary Judgment, reiterating its initial arguments and responding to EPIC's Cross-Motion for Summary Judgment and Opposition to Defendant's Motion to Dismiss.

The Court held oral arguments on July 24, 2013.

On September 26, 2013, the Court dismissed EPIC's lawsuit, holding that neither EPIC nor any of its Board of Director co-plaintiffs "have standing to bring the claims asserted in the complaint." The Court did not reach EPIC's substantive claims asserted in the complaint. The Court further held that its order was a "final appealable order."

Resources

Legal Documents

EPIC v. U.S. Department of Education, Civ. Action No. 12-00327(ABJ) (D.D.C.)

News Items

Share this page:

Defend Privacy. Support EPIC.
US Needs a Data Protection Agency
2020 Election Security