Addressing GDPR Uncertainties for U.S. Universities

GDPR goes into effect tomorrow, and while universities across the country have been working diligently to prepare for the regulation, there are still significant uncertainties surrounding compliance.

This post, our second of three regarding GDPR, will discuss some of the ambiguity in the regulation as it pertains to universities.  This includes broad language used in the regulation and the uncertainties around enforcement.  This post is meant for Data Privacy Officers (for the compliant universities out there), CISOs, and Chief Privacy Officers that would like to quickly identify areas where universities have had difficulty interpreting the law.

The information for this post has been compiled through research on Data Privacy Directive enforcement (predecessor to GDPR), JISC and Educause discussions, published opinions from law firms, universities and data processors, and conference content.  Also, please note that this guide is for informational purposes only and should not be relied upon as legal advice. We encourage you to work with legal and other professional counsel to determine precisely how the GDPR might apply to your organization.

Compliance

There are several Articles within the regulation that contain broad legal language, leaving the implications for Higher Ed open to interpretation and subject to future case law.  I have identified three areas in particular that universities should focus on:

Article 3 – Territorial Scope

The first question regarding GDPR compliance should be “does it apply to my institution”?  I touched on the topic in our last post, and I’ll mention it again here since I’ve read several opinions.

“2.   This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

 (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or” [1]

Strict interpretation: Every US institution.  Since almost every university will either have a student, faculty, alumni or applicant from the EU who’s data they have stored, this should apply to basically every US institution.

Looser interpretation: “The offering of goods or services” can be interpreted to focus on institutions marketing in the EU.  The main focus of GDPR is creating a concept of privacy rights to protect EU citizens from invasive sales and marketing campaigns, potentially unethical algorithms, and data security risks (among other things).  Universities in the US with little or no EU footprint (or marketing focus), an altruistic mission, and a general sense of data protection will not be targeted.  Blackboard agrees with this interpretation, stating “Just having students from the EU enrolled is not enough for GDPR to apply. The GDPR generally applies to institutions that are established in the EU. It also applies to universities outside the EU, but only if they offer goods and services to individuals in the EU or monitor the behaviour of individuals in the EU. To be considered “offering services” requires some degree of targeting”. [2]

Analysis: Every US institution should be prepared for GDPR, whether or not they believe they are at-risk of prosecution.  It encourages controllers and processors of data to treat data security and data privacy more seriously, and this can have numerous benefits for the organization.

Article 6: Lawfulness of Processing

Potentially the most critical concept for universities is the “Lawfulness of processing”, which describes what data you may store and process.  The implications for this article are far reaching:

“1.   Processing shall be lawful only if and to the extent that at least one of the following applies: 

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”[3]

Strict Interpretation: US institutions will primarily consider (a), (b), and (f) when determining whether data processing for its EU subjects is lawful. The hardest of these three conditions to achieve is (a), explicit consent, but it is also the least ambiguous.  Universities could get consent to store all personal information for EU citizens from their application to their interactions with their digital properties (website, applications, HR systems, LMS, calendar, ID cards, email), assignments and grades, payment and financial information, etc.  However, doing so will have downstream consequences.  Using (b) and (f) will be more appropriate for mission-critical data.

Looser Interpretation: There may be a significant amount of cases where (b) and (f) apply, removing the need for the university to get explicit consent at all of these touchpoints.  It may be possible to consider a student’s enrollment in the university or in a class as a contract (thus removing the need to get consent to store academic data, or potentially more personal data that could be relevant for academic outcomes).  It may also be possible to argue that data processing is in the “legitimate interest” of the university and is not overridden by the rights of the student, thus removing the need for consent.  More information on “legitimate interest” is provided here by the EU.[4]

Analysis: Universities should approach the question of “lawful processing” differently depending on the type of data they are processing and the way they use it.  Consider factors proposed in the regulation like how necessary is data to the function of the university and to a student’s genuine interest before using (b) and (f).  Requiring students to consent for grades or assignment data will not be viable options for the university, and using data for things like campus and system security should fall outside of the scope of consent (the EU uses an example of “fraud detection” for a legitimate interest).[5]  Data for student success analytics (SIS, LMS, card-swipe, CRM, WIFI, app, etc.) has not been meaningfully addressed in guidance or existing case law, but European universities seem to be seeking consent, at the very least, for any data they intend to use for interventions.[6]

Article 17: Right to erasure (right to be forgotten)

The “Right to Erasure” article has been another point of contention among university administrators due to its relatively broad terms.

“1.   The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:  

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

(d) the personal data have been unlawfully processed;

(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).”[7]

The ICO’s Guidance explicitly lists some times that individuals would not have this right, most notably when processing the data is in line with a legal obligation or the public interest.[8]

Strict Interpretation: The letter of the law allows for the individual to request that their data to be erased if “consent” was used to lawfully process the data.  Therefore, any data gathered through consent must be erased upon request.  Data processed to comply with contracts, for the public interest, or for legitimate interest (sometimes) may be exempt. Universities need to carefully consider what justification they use to process data, since that has many downstream effects.  Grades, assignments, and other key enrollment information should be exempt from the “Right to erasure”, but the university should be cognizant of the need to use the appropriate justification.

Looser Interpretation: The ICO uses flexible language around the legitimate interest clause “you are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing.” When universities use “Legitimate interest”, they may be exempt from erasing certain types of personal data, but this could certainly be a point of contention in certain cases.

Analysis: When in doubt, ask for consent.  But be prepared – when asking for consent, individual’s have the right to erase their data.

Enforcement:

In addition to the uncertainties around the requirements of GDPR in Higher Ed, there are also uncertainties regarding the enforcement of its policies.

At the most basic level, GDPR will be enforced by the Data Protection Authority (DPA) for each member nation in the EU.[9]  These organizations function similar to consumer protection authorities in the US like the CFPB or FTC, enforcing consumer protection laws and monitoring compliance.

To date, these national authorities have been enforcing the Data Privacy Directive, and now they will be enforcing GDPR.  However, US institutions without EU operations (or data processing equipment within the EU) were not included in the Directive’s territorial scope.

While it is difficult to predict how EU DPAs will respond to the rapid increase of their scope or the new extraterritorial enforcement issues[10], we can still review the case history of DPAs, such as the UK’s Information Commissioner’s Office.[11]  Of the 191 enforcements delivered by the ICO, only one was associated with a university, which was the fine levied on the University of Greenwich on Monday for a significant data breach. [12]

A vast majority of the fines levied by the ICO have been for four primary areas of violations: email spam, SMS spam, nuisance calls, and data breaches.[13]  While the velocity of these fines has increased, the scope remains relatively focused on those types of abuses.

If we use history as a guide, US institutions would seemingly be at a low risk of enforcement unless they suffered a data breach.  This has led several data processors, like Blackboard, to state that the legislation was designed to target “social media and internet companies” that monetize user data.

Existing evidence supports this claim, but given the rapid expansion of DPA resources, the increase in the maximum fines, and the substantial growth in DPA jurisdiction, there are plenty of signals that GDPR enforcement could make a significant departure from what we’ve seen in the past.  My recommendation is that universities diligently pursue GDPR compliance with a particular focus on data breaches.

 Sources

[1] GDPR Article 3

[2] Blackboard white paper (http://www.blackboard.com/images/223/Blackboard_GDPR_WhitePaper_tcm223-71351.pdf)

[3] GDPR Article 6

[4] EU Explanation on Legitimate Interest (https://www.gdpreu.org/the-regulation/key-concepts/legitimate-interest/)

[5] EU Explanation on Legitimate Interest (https://www.gdpreu.org/the-regulation/key-concepts/legitimate-interest/)

[6] JISC post on Learning Analytics and GDPR (https://analytics.jiscinvolve.org/wp/2017/02/16/consent-for-learning-analytics-some-practical-guidance-for-institutions/)

[7] GDPR Article 17

[8] ICO Guidance on Right to erasure (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/)

[9] List of DPAs (http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm)

[10] Symposium on extraterritorial issues with GDPR (https://academic.oup.com/idpl/article/5/4/221/2404465)

[11] Information Commissioner’s Office, the UK Data Protection Authority (https://ico.org.uk/)

[12] Media coverage of the University of Greenwich breach (https://academic.oup.com/idpl/article/5/4/221/2404465)

[13] Media coverage on existing fines levied by ICO (https://www.itproportal.com/features/ico-signals-crackdown-with-58-per-cent-rise-in-fines/)

Gary Garofalo / About the Author

Gary is the co-founder and Chief Revenue Officer at Degree Analytics, where he focuses on developing new business relationships and partner success.  He has spent his entire career using data and analytics to improve business operations and strategy. Gary believes the concept of the “Smart Campus” will be pivotal for universities adapt to the future of education, and is passionate about delivering products to enhance the student experience.