Key Takeaways: Chapter 24 — Sector-Specific Governance: Finance, Health, Education
Core Takeaways
- Sector-specific governance exists because some data creates disproportionate harm. Financial data can bankrupt a family. Health data can determine treatment and insurance coverage. Education data creates a permanent record shaping a child's future. General-purpose data protection law provides a baseline, but these sectors demand governance calibrated to their specific consequences.
- Sector-specific governance layers on top of general-purpose law — it does not replace it. A European health-tech company must comply with both the GDPR and sector-specific health data rules. A US financial institution must comply with federal banking regulations, state privacy laws, and industry standards like PCI-DSS. This layering creates complexity but also depth.
- HIPAA protects health data within the traditional healthcare system but leaves vast gaps. HIPAA applies to covered entities and business associates — not to fitness apps, mental health apps, genetic testing services, or consumer health technology. As health data increasingly originates outside the clinical setting, HIPAA's scope limitation becomes a critical governance gap.
- HIPAA's three rules — Privacy, Security, and Breach Notification — create a comprehensive framework for covered entities. The Privacy Rule restricts use and disclosure of PHI with the "minimum necessary" standard. The Security Rule mandates administrative, physical, and technical safeguards for ePHI. The Breach Notification Rule requires timely disclosure when unsecured PHI is compromised.
- Open banking demonstrates that regulation can create markets and redistribute power. PSD2 and equivalent frameworks break banks' data monopoly by requiring API-based data sharing with customer consent. This has enabled innovation, competition, and financial inclusion — while creating new governance challenges around consent complexity, data security, and aggregator concentration.
- PCI-DSS illustrates effective industry self-regulation backed by market enforcement. As a private standard enforced through contractual relationships (rather than government authority), PCI-DSS demonstrates that non-governmental governance can be highly effective — particularly when non-compliance carries immediate and severe market consequences.
- FERPA provides important but limited student privacy protections. FERPA grants students (and parents) the right to access and challenge education records, and restricts disclosure without consent. But it lacks a private right of action, has never been enforced through funding withdrawal, and its "school official exception" has been stretched to accommodate data-intensive ed-tech platforms far beyond the exception's original intent.
- The pandemic exposed the inadequacy of educational data governance. Emergency ed-tech adoption occurred without privacy assessments, governance frameworks, or meaningful consent. Online proctoring tools collected biometric and environmental data. Engagement trackers monitored students in their homes. The aftermath has driven reforms — privacy impact assessments, approved vendor lists, standardized contracts — but structural gaps remain.
- Regulatory arbitrage is a persistent challenge in sector-specific governance. Companies can structure their operations to fall outside sector-specific frameworks — health apps avoiding HIPAA by not being "covered entities," fintech avoiding banking regulation by not being "banks," ed-tech relying on consent exceptions designed for school employees. Addressing this requires either expanding scope definitions or enacting comprehensive baseline protections.
- Cross-sector patterns reveal universal governance principles. Despite their differences, financial, health, and education data governance share common principles: fiduciary duty (act in the subject's interest), confidentiality (restrict access to authorized parties), minimum necessary access (share only what is needed), informed consent (ensure subjects understand and agree), accountability (maintain audit trails and enforcement mechanisms), and purpose limitation (use data only for its stated purpose).
Key Concepts
| Term | Definition |
|---|---|
| Sector-specific regulation | Data governance frameworks tailored to the unique characteristics and risks of a particular industry (finance, health, education). |
| HIPAA | The Health Insurance Portability and Accountability Act — US federal law governing the privacy and security of protected health information. |
| HIPAA Privacy Rule | Establishes standards for the use and disclosure of PHI, including the "minimum necessary" standard. |
| HIPAA Security Rule | Requires administrative, physical, and technical safeguards for electronic PHI. |
| PCI-DSS | Payment Card Industry Data Security Standard — an industry standard for organizations processing payment card data. |
| PSD2 | The EU Payment Services Directive 2 — regulation requiring banks to provide API access to customer data, enabling open banking. |
| Open banking | The regulatory and technical framework enabling customers to share their financial data with authorized third-party providers. |
| FERPA | The Family Educational Rights and Privacy Act — US federal law protecting the privacy of student education records. |
| School official exception | A FERPA provision allowing disclosure of education records to parties performing institutional services without student consent. |
| Regulatory arbitrage | Structuring operations to fall outside the scope of sector-specific governance frameworks. |
| Layered governance | The interaction of general-purpose and sector-specific regulation, with sector-specific frameworks adding obligations beyond the general baseline. |
Key Debates
- Should HIPAA's scope be expanded to cover all health data, regardless of who collects it? The current scope (covered entities and business associates) leaves consumer health technology unregulated. Expanding scope would close the gap but impose compliance costs on a broad range of companies. Is targeted expansion (covering health apps above certain thresholds) preferable to universal expansion?
- Is the school official exception still justified? The exception was designed for narrow, well-defined services performed under direct institutional oversight. Its application to data-intensive ed-tech platforms that collect far more data than necessary for educational purposes strains the exception beyond recognition. Should the exception be narrowed, or should alternative consent mechanisms be developed?
- Can consent work in complex data ecosystems? Open banking's consent model is sophisticated, but users struggle to manage multiple consent relationships. HIPAA's consent model is limited by the power asymmetry between patients and providers. FERPA's consent is largely delegated to institutions. Is meaningful consent possible in sectors where the data subject has limited bargaining power?
- Should financial data aggregators be regulated as financial institutions? As companies like Plaid accumulate financial data from millions of users, they become systemically important without being subject to prudential regulation. Should the governance framework evolve to address new concentrations of data power within regulated sectors?
Looking Ahead
Part 4 concludes with Chapter 25: Enforcement, Compliance, and the Limits of Law. Having surveyed the regulatory landscape (Chapter 20), examined the AI Act (Chapter 21), explored organizational governance (Chapter 22), navigated cross-border flows (Chapter 23), and dissected sector-specific frameworks (this chapter), we now turn to the critical question: Do these laws actually work? Chapter 25 examines enforcement patterns, regulatory capture, the gap between compliance and ethics, and the fundamental limits of what law can achieve. Eli testifies before the Detroit city council, and Sofia Reyes brings the DataRights Alliance's enforcement advocacy to the foreground.
Use this summary as a study reference and quick-access card. The sector-specific governance principles introduced here will be applied in Part 5's examination of corporate responsibility and in Part 6's discussion of society, justice, and emerging frontiers.