GDPR and Higher Education in the US: An Overview
Welcome to the first in HMBR’s series of FAQs developed to inform colleges and universities in the United States (US) about the GDPR and how various activities may bring them under the jurisdiction of European Union (EU) data protection authorities, even when they have no established presence in the EU.
What is the GDPR?
The General Data Protection Regulation (“GDPR”) is the omnibus data protection law for the EU. The GDPR establishes protections for the privacy and security of the “personal data” of individuals located in the EU, known as “data subjects” under the GDPR. It is important to note that data subjects enjoy this protection regardless of whether or not they are citizens of any EU member state; what matters is that they are located in the EU. The GDPR applies to the “processing” of a data subject’s personal data, a term broadly defined to include collecting, organizing, structuring, storing, altering, retrieving, using, disclosing, transmitting, erasing or destroying that data.
The GDPR will be the law in all 28 EU member states. In the United Kingdom (UK), which has voted to leave the EU, the GDPR will apply until the UK’s scheduled departure in March 2019; after that, whatever domestic version of the GDPR the UK enacts in the interim will govern.
The GDPR is EU law, so it can’t possibly apply to colleges and universities in the US that have no established presence in the EU, such as a study-abroad site, right?
Wrong. Importantly, for non-EU based colleges and universities, including those in the US, the GDPR applies to the processing of data subjects’ personal data even if the controller or processor has no establishment in the EU, when that processing relates to the offering of goods or services to data subjects located in the EU (including free goods and services) or to the monitoring of those data subjects’ behavior within the EU. This expansion of territorial scope is significant and means, for example, that US colleges and universities that collect personal data when recruiting students located in the EU will be subject to the GDPR, even if they have no established presence in any EU member state.
Well, if a college or university in the US already protects personally-identifiable information in compliance with FERPA, does that mean it is in compliance with GDPR?
Unfortunately, no, and it’s not even a close call, for a number of reasons. First, FERPA only applies to students, while the GDPR’s definition of data subjects covers all individuals located in the EU, so faculty and staff located in the EU are protected along with students located in the EU.
Second, the type of information protected by FERPA, “education records,” expressly excludes categories of information that are personal data under the GDPR, such as the employment records of non-student individuals, the application records of individuals who are not enrolled and alumni records that are not related to student attendance. Moreover, the GDPR’s definition of personal data reaches further than FERPA’s, covering, for example, online identifiers such as IP addresses and location data.
Third, the GDPR imposes affirmative information management and transparency obligations on those US colleges and universities to which it applies. Broadly speaking, these obligations include:
- Implementation of a comprehensive set of data protection safeguards, including a privacy notice, in some instances the designation of a data protection officer and, for institutions with no establishment in the EU, in many cases the appointment of a representative located in the EU;
- Allowing data subjects to exercise their individual rights to control their personal data, including the “right to be forgotten” (the right to erasure), which has no general counterpart in US law, at least not yet; and
- Complying with GDPR’s data breach notification requirements.
That seems like a lot of work. When does the GDPR go into effect?
For most US colleges and universities, it will be a lot of work to comply with the GDPR. The GDPR becomes effective May 25, 2018, and EU data protection authorities have reiterated on numerous occasions that there will be no “grace period.”
OK, what are the penalties and risks associated with non-compliance?
Regulators enforcing the GDPR have a range of enforcement tools, from the ability to issue warnings to the imposition of monetary fines. The maximum fine for the most serious violations of the GDPR is the greater of 20 million euros or 4 percent of total worldwide annual turnover (revenue) for the preceding financial year. In addition, data subjects may bring their own actions for damages or compensation against an entity that violates its obligations under the GDPR.
That got my attention. If a college or university in the US has not already begun to address its compliance with GDPR, where should they start?
First, consider whether it is possible to avoid coming under the jurisdiction of the GDPR at all. A US college or university that has no presence in the EU and does not process the personal data of, or monitor the behavior of, any individuals located in the EU would not be subject to the GDPR. However, among other things, this would likely require that the US college or university not:
- Recruit and accept applications from students who are located in the EU;
- Allow its students, faculty or staff to participate in study-abroad programs located in the EU;
- Offer distance learning to individuals located in the EU;
- Conduct research utilizing personal data sets from the EU; or
- Provide newsletters or networking opportunities to its alumni located in the EU.
In addition, it may be necessary to revise the website of the US college or university in order to effectively avoid the jurisdiction of the GDPR, a topic that will be addressed in a subsequent set of FAQs.
Alternatively, if the activities of a US college or university do implicate the GDPR, the college or university should immediately begin to take steps toward compliance. The UK Information Commissioner’s Office, among others, has a useful introductory guide to complying with the GDPR, Preparing for the General Data Protection Regulation (GDPR): 12 Steps to Take Now. It may also be beneficial to focus initial compliance steps on those requirements of the GDPR where the enforcement risk is greatest, i.e., areas where non-compliance is, or is likely to become, visible to regulators and data subjects. Depending on the particular college or university, such visible non-compliance could include:
- Lack of a compliant, up-to-date privacy notice;
- Failure to obtain a data subject’s valid consent to the collection of their personal data where consent is the legal basis relied upon; and
- Failure to notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach, where notification is required.
Lastly, it is important to recognize that the GDPR is new, and many of the data protection issues that US colleges and universities confront in complying with it would undoubtedly benefit from further clarification and guidance from regulators. Therefore, it is incumbent upon US colleges and universities to continue to monitor developments as the GDPR matures, while expeditiously taking reasonable steps to comply with its requirements.