By Janell Johnson
On May 25, 2018, the European Union’s (“EU”) General Data Protection Regulation (“GDPR”) went into effect. The privacy law is designed to protect the personal data[1] of individuals located in the EU (also known as “data subjects”).[2] It aims to do so through regulation of the processing of data by entities classified, under the law, as “data controllers” and “data processors.” As explained further below, many U.S. institutions of higher education may meet the definition of “data controllers,” and those universities’ servicers may meet the definition of “data processors.”
Applicability of the GDPR to Your U.S. Institution
As the GDPR is a European Union law, you may have incorrectly assumed that it is only applicable to institutions located within the countries comprising the member states of the EU. However, in addition to applying to EU institutions, the GDPR also reaches those higher education institutions within other countries, including the United States, which (1) process personal data (2) of natural persons who are in the EU (3) when the processing is related to the offering of goods or services, regardless of whether the goods or services are provided free of charge.[3]
Processing is defined very broadly within the GDPR as:
any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Article 4(2), GDPR.
Therefore, entities within the scope of the GDPR’s territorial jurisdiction, described further below, that so much as “use” individuals’ personal data must comply with the law. This essentially means that if a university, college, or career school located within the United States directly communicates with an individual located in the EU in connection with any of the services that it provides, it likely is subject to the GDPR.
For example, routine activities of institutions such as: (1) communicating with former students located in the EU; (2) direct marketing to students located in the EU; (3) accepting applications from students located in the EU; (4) provision of distance education programs to students located in the EU; or (5) partnering with higher education institutions located in the EU to provide services to individuals located in the EU would involve the “processing” of personal data and subject U.S. institutions to the GDPR.
In the examples provided above, the U.S. institutions would likely be classified as “data controllers,” or entities that determine the purposes and means of the processing of personal data.[4] In addition to regulating the data processing activities of data controllers, the GDPR also regulates the data processing activities of “data processors,” or entities that process personal data on behalf of controllers.[5] As explained in more detail below, under the GDPR, data controllers must take certain measures to ensure that their relationships with data processors are in compliance with the requirements of the GDPR.
Steps to Potential Compliance
Because of the GDPR’s broad jurisdiction, many U.S. institutions may be subject to its mandates. If you believe that your institution falls under the law’s jurisdiction, you may want to consider taking the following steps to begin to come into compliance with the law.[6]
Under the GDPR, when a data controller (i.e., a higher education institution) collects personal data from a data subject, the data controller must provide the data subject with specific pieces of information including, but not limited to: (1) the purpose for which the data is being processed; (2) the legal basis of the processing including, if applicable, the legitimate interests of the controller in processing the data; (3) the categories of personal data concerned; and (4) if applicable, the recipients of the data.[7]
Additionally, at the time of collection of the personal data, the institution must inform the data subject of: (1) the period of time for which personal data will be stored; (2) his or her rights as a data subject;[8] (3) the right to withdraw consent (if the lawful basis of the data processing is consent provided by the data subject); and (4) the right to lodge a complaint with a supervisory authority.[9]
- Ensure that Your Institution Has Implemented Appropriate Security Measures To Protect Personal Data
Data controllers must implement appropriate security measures and protect personal data against accidental or unlawful destruction, loss, alteration, or disclosure. Your institution’s data security measures should include mechanisms for detecting personal data breaches.
- Update Your Institution’s Agreements with its Data Processors
When an institution engages another party to process personal data on its behalf, the parties must enter into a contractual relationship to ensure that the data processor complies with the requirements of the GDPR. Article 28 of the GDPR outlines specific content that should be included within these data controller/data processor contracts. Consequently, if a university’s vendor will process personal data within the scope of the GDPR, the applicable contract likely needs to be updated.
- In the Event of a Security Breach, Notify the Relevant Supervisory Authority
In the event of a security breach, controllers must notify the relevant supervisory authority if the breach is likely to result in a risk to the rights and freedoms of natural persons. This notification must be given within 72 hours of the controller’s discovery of the breach.[11] Additionally, under certain circumstances, the data controller will also be required to report the data breach to affected data subjects.[12]
- Obtain Students’ Consents to Send Unsolicited, Direct Marketing Communications
GDPR guidance provides that if an entity plans to send direct email marketing communications to particular individuals located in the EU with whom it does not have a prior relationship, the entity must obtain the consent of the individual before doing so.[13]
This obligation to obtain consent applies to “direct” marketing—meaning the advertisement is directed to a particular individual. Indiscriminate blanket marketing (e.g., advertisements appearing on a website) generally does not meet the definition of direct marketing. The guidance further provides that the clearest way of obtaining consent is to invite customers to check an opt-in box confirming that they wish to receive marketing messages.
Institutions should also be aware that they may be subject to certain liabilities and penalties under the GDPR should they be found in violation of the law. For example, data subjects have the right to submit complaints to the relevant supervisory authority should they feel their data has been processed in violation of the law.[14] Data subjects also have the right to an effective judicial remedy against data controllers and processors when their rights have been violated as a result of noncompliance with the GDPR, as well as the right to compensation if they have suffered damages.[15] Supervisory authorities may also impose administrative fines based on infringements of the law of up to 20,000,000 euro or 4% of the total worldwide annual turnover of an institution for the preceding financial year, whichever is higher.[16] The head of the newly created European Data Protection Board has indicated that the EU will take a “good faith” effort approach to GDPR compliance at present. In addition, the EU has not yet provided guidance regarding how European data protection authorities will establish jurisdiction over American companies with no physical presence in the EU for enforcement purposes.
In conclusion, if your institution processes the data of individuals located in the EU in connection with offering its goods and services, your institution may be subject to the GDPR and should consider taking appropriate steps to ensure its compliance.
[1] “Personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Article 4(1), GDPR.
[2] A “data subject” is an identified or identifiable natural person. Article 4(1), GDPR.
[3] Article 3(1), (2)(a), GDPR. The GDPR also applies to entities outside of the EU that monitor the behavior of individuals in the EU. While some higher education institutions’ activities may bring them within the scope of the jurisdiction of the GDPR due to this provision, it is more likely that a higher education institution’s provision of goods and services to persons located in the EU subjects it to the jurisdiction of the GDPR.
[4] Article 4(7), GDPR.
[5] Article 4(8), GDPR.
[6] This article does not constitute legal advice. The appropriate steps to be taken by an individual institution will vary depending upon the institution’s particular circumstances. Institutions should review their practices and consult with their advisors to ensure they take appropriate steps regarding compliance.
[7] Article 13(1), GDPR.
[8] The individual rights of data subjects under the GDPR include the: right to be informed; right of access; right to rectification; right to erasure (right to be forgotten); right to restrict processing; right to data portability; right to object; rights relating to automated individual decision-making, including profiling; and right to withdraw consent. Articles 15-22, GDPR.
[9] A supervisory authority is an independent public authority which is established by a Member State of the EU to monitor the application of the GDPR. Article 4(21), GDPR.
[10] Institutions may also be subject to, and need to account for, other federal and state privacy laws, such as the Family Educational Rights and Privacy Act (“FERPA”), within such policies.
[11] Article 33(1), GDPR.
[12] Article 34, GDPR.
[13] Information Commissioner’s Office, Privacy & Electronic Communications Regulations: Direct Marketing (Mar. 6, 2018), https://ico.org.uk/media/for-organisations/documents/1555/direct-marketing-guidance.pdf. The guidance also provides that organizations may not send an initial, unsolicited email in order to obtain required consent. (“…organisations cannot email or text an individual to ask for consent to future marketing messages. That email or text is in itself sent for the purposes of direct marketing, and so is subject to the same rules as other marketing texts and emails. And calls asking for consent are subject to the same rules as other marketing calls.”)
[14] Article 77, GDPR.
[15] Articles 79 and 82, GDPR.
[16] Article 83, GDPR.