The European Union set an effective date of May 25, 2018, for the General Data Protection Regulation, which replaces its Data Protection Directive of 1995 and significantly expands personal privacy rights for EU residents.
Not only is the GDPR more enforceable compared to the DPD, it applies to entities with no physical EU presence if they control or process covered personal information of EU residents.
US institutions with EU-based operations or significant numbers of EU residents as students — particularly those delivering distance education programs to such students within the EU — should be in the final stages of implementing GDPR-compliant practices now.
In April 2016, the European Union (EU) formally adopted the General Data Protection Regulation (GDPR) with an effective date of May 25, 2018. The GDPR, which replaced the EU's Data Protection Directive of 1995, represents a significant expansion of personal privacy rights for EU residents. EU regulations are akin to federal law in the United States and are legally binding across all 28 member states, whereas EU directives are broad consensus frameworks that must be individually legislated by member states.
The politically challenging task of escalating privacy protection from a directive to a binding regulation began in 2009 and involved protracted negotiations among the European Commission (the EU executive body) and its two legislative chambers, the Council of the European Union and the European Parliament. This arduous effort was partially motivated by the desire for uniform protections for all EU residents and partially necessitated by the needs of regulated entities for consistent compliance requirements across the EU.
Why Should US Institutions Pay Attention to GDPR?
Not only does the GDPR have a more enforceable legal status in comparison to the Data Protection Directive, it is also substantively more robust in a number of important ways. The most notable of these for US entities is that, unlike the Data Protection Directive (which mandated compliance by entities with a physical EU presence, such as a processing center or even a server), the GDPR's coverage extends to entities with no physical EU footprint if they "control" or "process" covered personal information of EU data subjects residing in the EU. This limited extraterritoriality, while a significant expansion of the reach of EU law to entities outside the EU, does not attach to EU citizens abroad. A US entity involved in a data transaction with an EU resident in the US, for example, would not be subject to the GDPR; the same entity engaging in significant and intentional cyber-transactions with EU residents would be.1
In terms of its likely effects on non-EU institutions of higher education, the GDPR clearly applies to EU-based operations of foreign institutions, including semester-abroad programs, even if they primarily enroll US residents who may only be temporarily attending programs in one of the member states.2 Arguably, given their physical presence in the EU and their familiarity with local implementations of the Data Protection Directive, affected institutions would have sufficient awareness of EU privacy mandates to already have engaged in changes to their systems and processes to be in compliance with GDPR. (It is worth noting that in a recent survey of privacy professionals within the EU, 61 percent of corporate respondents indicated that they had not started GDPR implementation as of mid-2017.)
The tier of US institutions newly affected by the extraterritorial reach of GDPR are those that target distance education programs to EU residents who are physically located in one of the member states. Such programs were generally not subject to EU privacy law under the Data Protection Directive if they did not have infrastructure within the EU, but will be covered under the black letter of the GDPR, even if they have no physical presence within the EU at all. However, Article 3 of the GDPR strongly suggests that incidental transactions, such as the mere availability of goods or services via a website, are not automatic grounds for subjecting non-EU entities to the GDPR.
It is tempting to believe that American institutions that enroll EU residents in the US are entirely exempt from compliance with the GDPR. This would certainly be true for EU residents who initiate their admission application process from outside the EU, but most EU applicants start the admissions process from their home countries and obtain visas to enter the US after gaining admission to eligible programs. In theory, active student recruitment campaigns targeting EU residents could subject the data collected from such students, whether via automated or non-automated means, to compliance requirements under the GDPR.3
It will take a few years for a more precise understanding of how the GDPR will be further defined, interpreted, and enforced by the EU and national data protection authorities of its member states. It seems unlikely that the most expansive interpretation of the regulation's extraterritorial application would be immediately enforced against non-EU entities. Clearly, institutions with significant engagement with the EU, either in the form of physical presence or of distance-delivered services, should take immediate steps to engage in good-faith compliance. Others should be paying close attention to the evolution of the law's compliance requirements over the coming years. These requirements, while not conceptually dissimilar to the existing array of US privacy and data safeguarding statutes and regulations, are decidedly both more rigorous and more high-stakes.
Whose Data Does the GDPR Protect?
Personal information of all natural persons — i.e, people, but not legal entities like corporations or nonprofits — physically within the EU ("EU data subjects") are covered by the GDPR. The regulation makes no distinctions based on individuals' permanent places of residence or nationality. The GDPR applies to all such individuals' personal data, defined as any information that can be used to, directly or indirectly, identify a person. These include not only such obvious information as educational, financial, employment-related, and health data, but also photographs, personal phone numbers, and IP addresses. This definition is virtually identical to the one used in US educational privacy law, i.e., "personally identifiable information" as defined in regulations (34 CFR 99.3) issued under the Family Educational Rights and Privacy Act (FERPA) [https://www2.ed.gov/policy/gen/guid/fpco/pdf/ferparegs.pdf]. However, FERPA treats directory information as public by default, while giving individuals the right to opt out. GDPR, in contrast, subjects all personally identifiable data to its core requirements and provides additional protections for "sensitive personal data" that include racial and ethnic origin, religion, sexual orientation, political views, etc. It also recognizes the improved security of anonymized and encrypted or fragmented (pseudonymous) data, which it subjects to less stringent requirements.
Whose Data Practices Does the GDPR Regulate?
A main point of difference between the GDPR and American privacy laws is the former's consumer-oriented approach, which regulates virtually all data transactions with people in a non-industry-specific manner. Various US privacy laws, in contrast, address privacy and data practices by sector (FERPA for education, COPPA for children, the Privacy Act vis-à-vis federal data, HIPAA with regard to health data, the FTC privacy and data safeguarding rules in connection with commercial and credit transaction, to name a few). With the notable exceptions of certain foreign policy, national security, and law enforcement data practices, the GDPR applies to all commercial and professional transactions of "controllers" and "processors" of data. Controllers are the principal entities and the main counterparties to transactions with individuals. They are the entities that govern the purposes, uses, and methods related to the "processing" of personally identifiable information. "Processors" are organizations — typically IT firms — that actually carry out the processing activities. The GDPR does not apply to personal or household interactions among individuals, for example on social networks, but it does cover data practices of any commercial or professional platforms that they may use.
What Is "Processing" Under the GDPR?
Another unique feature of the GDPR is that it covers all facets of information management including the collection, retention, deletion, breaches, and disclosures of personal data. No single US privacy or data security law currently governs all of these related issues. The expanded definition of processing under the GDPR has important consequences for privacy practices of covered US institutions for which FERPA has been the primary privacy mandate for over four decades.
Because FERPA only addresses post-collection disclosure practices, American institutions have been generally free to define their own data collection and data retention practices. With minor exceptions, FERPA takes no position on what data institutions may collect or how long they may keep them, focusing instead on who within the institution and which third parties outside it may gain nonconsensual access to the information in question. GDPR, however, subjects the entire lifecycle of all personal information, including the collection of specific data elements, to its strictures and generally mandates the data subject's consent as a precondition for processing activities.
GDPR Article 6 asserts personal consent as a fundamental requirement for most processing activities. Most collections, storage, uses, matching, and disclosures — including subcontracting of processing functions — of personally identifiable information must be based on the data subjects' consent, either directly, or indirectly through a contract to which the data subject is a party.4 That consent, furthermore, must be freely given and specific to the transaction. General waivers of privacy, mandatory consent as a condition of providing services not directly requiring the personal information in question, blanket check-the-box agreements, and automatic opt-ins with optional withdrawals do not satisfy the consent requirement. The consent mandate lies at the heart of the GDPR and includes the right of withdrawal — "the right to be forgotten" — in connection with deletion of personal data that are no longer necessary in relation to the purpose for which they were collected.5 The specificity of the GDPR consent requirement therefore serves the additional purpose of creating a strong incentive for data minimization as a basic privacy principle.
Articles 13 and 14 of the GDPR specify a series of required disclosures to data subjects in cases where data are collected directly from them or would be obtained from other sources. These include the identity and contact information of controllers and their agents, the legal basis and purpose of the data collection, the category of recipients of the data being collected, data retention and deletion policies of the controller, and whether any of the data being collected would be maintained in a third country.
Supervisory Authorities and Fines
The GDPR requires EU member states to designate qualified supervisory authorities with specified oversight, investigatory, and enforcement powers to implement its requirements.6 These authorities will oversee compliance, provide consultation and prior approvals, and receive and administratively adjudicate complaints against controllers and processors. They can also impose fines of up to two percent of a violator's global revenues for some violations, and up to four percent of such revenues for more serious ones. These enormous fines have captured the attention of multinationals, which will drive compliance through contractual indemnification requirements with clients and subcontractors.
Just as important as the supervisory authorities' power to impose penalties is the consultative role they are assigned in reviewing mandatory data protection impact assessments that data controllers and processors must regularly perform in connection with high-risk processing activities prior to implementing them. In addition, GDPR Articles 37–39 describe activities and responsibilities that a subset of controllers and processors, including all non-judicial EU public-sector entities, will have to assign to designated internal data protection officers.
With some exceptions, the GDPR codifies a mandate for controllers and processors to notify their supervisory authorities of any breaches within 72 hours of their discovery and to provide information on the remedial steps they have taken in response. It also requires breach notification to data subjects themselves "without undue delay."7
The restrictions that the EU imposed on transfers of personal data to countries outside the union under the Data Protection Directive will remain in effect under the GDPR. US institutions that are subject to the GDPR should pay particular attention to this issue because legal privacy protections in the US generally do not satisfy EU standards.8 Before October 2015, cross-border transfers were governed by the Safe Harbor agreement between the US and the EU. That agreement, however, was invalidated by a ruling of the Court of Justice of the EU and has been replaced by the Privacy Shield framework, which is thought to be a stopgap agreement pending the negotiation of a new (presumably more robust) safe harbor.
The GDPR took years to be adopted, and it is safe to assume that it will take years before its real impact and practical compliance requirements become fully settled. The core principles that undergird the GDPR are generally similar to the Fair Information Practice principles in the US, but their specific EU implementation is decidedly different than how they have been adopted in American law.
US institutions with EU-based operations and those with significant numbers of EU residents as students — particularly those delivering distance education programs to such students within the EU — should be in the final stages of implementing GDPR-compliant practices now. For those who, like many affected entities inside and outside the EU, haven't even started to map out a strategy, now really would be a good time to start.
- GDPR Article 3 addresses the territorial scope of GDPR application.
- GDPR Recitation item 14: "The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data."
- GDPR Article 2 indicates that any information that is or is intended to be part of a "filing system" would be covered, regardless of how it is processed.
- The regulation does provide for limited exceptions to the consent rule, such as legal requirements or protection of vital interests of the data subject.
- GDPR Article 17.
- GDPR Articles 54–58.
- GDPR Articles 33 and 34.
- This is partially due to greater legal leeway afforded to data controllers and processors in the US, and partially due to the ability of the US government to gain nonconsensual legal access to data in ways that violate EU data protection mandates.
Barmak Nassirian is director of Federal Relations, American Association of State Colleges and Universities.
© 2017 Barmak Nassirian. The text of this article is licensed under Creative Commons BY-NC-ND 4.0.