The requirements of the European Union (“EU”) General Data Protection Regulation (“GDPR”) come into effect on May 25, 2018. These regulations promise to usher in sweeping changes to the way institutions, companies, and other organizations collect and handle the personal data of EU residents.
The GDPR is a holistic set of data privacy requirements that address the entire life cycle of collection, use, and disclosure of the “personal data” of EU residents. While we anticipate jurisdictional challenges that may someday limit the GDPR’s reach outside of the EU, the law as currently drafted purports to affect institutions of higher education, companies, and other organizations, such as boarding schools, worldwide. This means that the GDPR will affect not only institutions that do business with or operate inside of the EU, but will also affect institutions in the United States that processes the personal data of persons residing in the EU.[1]
Colleges, universities, and boarding schools may be impacted by the GDPR in numerous ways. For example, educational institutions that receive applications from EU residents or enroll students from the EU should consider if and how the institution should modify its current data privacy program to comply with GDPR’s requirements. It is unclear, however, who constitutes an EU resident and at what point students who move from the EU to the United States cease being EU residents within the meaning of the regulation.
The following provides an overview of several key features and requirements of the new law, including:
- An expansive the definition of “Personal Data.” The GDPR defines “personal data” more broadly than U.S. federal statutes such as the Family Education Rights and Privacy Act (FERPA), as any information that can directly or indirectly identify a person, including photographs, social media posts, medical information, or even an IP address.[2] This definition may also be much broader than how an institution’s current data privacy policies define personal or student data.
- Transparency and Consent. The GDPR will require organizations to obtain an EU resident’s prior written consent in order to process such EU resident’s personal data. When the processing has multiple purposes, the processor or controller must obtain consent for each purpose.[3]
- Right of Access. Higher education institutions subject to the law may need to provide copies of personal data upon request and free of charge to EU residents. [4]
- Right to be Forgotten. Institutions must erase personal data of EU residents, and ensure that third-party processors of such data (e.g. vendors) erase it, when certain conditions are met.[5]
- Data Portability. EU residents have the right to receive their personal data and transfer it to other institutions.[6]
- Privacy by Design and Default. Institutions subject to the law must design new data processing systems with a focus on the protection of personal data, such as employing “pseudonymisation,” a process by which data can no longer be attributed to a specific person without possessing some piece of additional information that is stored separately. Further, they must ensure that, from their inception, they collect only that personal information which is necessary for a specific purpose.[7]
- Prohibition on Automated Decision-Making. Subject to specific exemptions, EU residents have the right to object to automated decision making, such as the automatic refusal of an online credit application or e-recruiting practice without any human intervention.[8] This would include applications to educational institutions.
- Data Protection Officers. Institutions subject to the law that engage in large scale systematic monitoring of EU residents’ personal data or that engage in large scale processing of such personal data must appoint data protection officers (DPOs).[9] However, groups of institutions can appoint a single DPO. The GDPR defines neither “systematic monitoring” nor “large scale processing.”
- Breach Notification. When an institution subject to the law becomes aware of a data breach, it must notify the data privacy supervisory authority in the EU member states of which the affected individuals are residents within 72 hours, unless it can demonstrate that the data breach is “unlikely to result in a risk to the rights and freedoms of natural persons.”[10] Such institution must also report the breach to affected EU residents “without undue delay” where the personal data breach “is likely to result in a high risk to the rights and freedoms of the natural person.”[11]
Further, institutions not located in the EU, but that are nevertheless subject to it, are required to designate in writing a representative in the EU in each EU member state where the EU residents live.[12]
Moreover, institutions that out-source various data processing functions, must ensure that they have contracts in place with those processors and that the processors provide sufficient guarantees that they are able to implement “appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR.”[13] The GDPR contains a wide range of requirements for data processors, such as the prohibition on a processor hiring yet another processor without the consent of the institution controlling the data, and the maintenance of records regarding data processing activities.[14]
It should be noted that, while the GDPR contains many general requirements regarding the handling and protection of personal data, it does not specify the technical procedures or technologies institutions must use to carry them out. While the GDPR does encourage EU member states to draw up codes of conduct, and to establish “data protection certification mechanisms,” it does not, currently, enforce a particular set of technical standards.[15]
In determining whether and how the law may affect them higher education institutions should consider the following.
Does your institution have an establishment in the EU?
The GDPR applies to the control or processing of data by institutions with “establishments” within the EU. The GDPR does not define what an “establishment” is, other than to say that the term “establishment” “implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.”[16] In determining whether they have “establishments” in the EU, within the meaning of the GDPR, higher education institutions and boarding schools may want to consider factors such as: whether they operate a satellite campus in an EU state, whether they employ staff in an EU state, whether they rent office or other space in an EU state, whether they have relationships with other colleges, universities, or boarding schools in EU states, whether they have partnerships with corporations in the EU, and whether they send study abroad students to EU states.
Whose data does the GDPR affect?
For entities that do not have establishments in the EU, the law affects the control and processing of data of EU residents only. Higher education institutions should consider which categories of individuals may constitute EU residents. These categories may include: applicants from EU states, students who live in the EU and attend an American education institution for a study abroad program, visiting professors or researchers, contributing scientists or researchers stationed in EU states, and individuals performing a residency rotation in the United States. They should also consider whether they solicit information from alumni or donors living in EU states and whether they engage in recruitment activities in the EU.
Does your institution have a “critical mass?”
Some institutions may find that they have such a high number of individuals affected by the GDPR, that trying to implement procedures to handle their data in compliance with the GDPR (separately from the data of non-EU residents) carries such a high burden that applying the GDPR across the board to the handling of all personal data makes more sense. As discussed above, institutions should consider carefully whether they have an establishment within the EU and should take careful inventory of the individuals whose data may be affected, keeping in mind that the GDPR applies to the personal data of any individual, not just students.
Is compliance feasible?
Some institutions may have no clear establishment in the EU and may have few if any individuals who are clearly EU residents within the meaning of the GDPR. Given that the EU’s ability to enforce the GDPR in other jurisdictions is unclear at this time, such institutions will have to weigh the burden of complying with the GDPR against the risk that the EU will take enforcement action against them and successfully impose a penalty of some type.
Ultimately, institutions will need to make the determination as to whether the GDPR applies to them, and, if so, how to address it, on an individual basis. For more information, you can visit the European Commission’s website. You may also contact members of our Privacy and Data Protection Team.
[1] Article 3, Section 2(a)
[2] Article 4, Section 1; see also Article 9 (discussing special categories of personal data); see also Whereas clauses 26, 30 (digital identifiers), 34 (genetic data), 35 (health data), 51 (particularly sensitive data)
[3] Articles 6, 7, and 12;
[4] Articles 13-15; see also Whereas clauses 59 and 63
[5] Article 17; see also Whereas clauses 65 and 66
[6] Articles 20-22; see also Whereas clauses 68, 111, 116
[7] Article 25; see also Whereas clauses 49 and 78
[8] Article 21; see also Articles 18 and 19 (right to restriction of data processing); see also Whereas clause 71
[9] Article 37; see also Whereas clause 80
[10] Article 33; see also Whereas clause 85
[11] Article 34
[12] Article 27.
[13] Article 28
[14] Article 30
[15] See Articles 40-43
[16] Whereas clause 22