The Impact of the GDPR on Higher Education in the United States Blog Series

Colleges, universities, institutions of higher education – however you want to frame it – are organizations devoted to the development of academic subjects. They create environments ripe for intellectual exploration and the exchange of information. They provide a platform for individuals from across the globe to collaborate on ideas and develop the innovations of tomorrow. These institutions are a treasure trove of data. Inherent in the functioning of any higher-education organization is the free flow of ideas (i.e., data): data related to individual students, data related to studies conducted by these institutions, data related to research and development. Basically, they are institutions of data.

And with that data come responsibility, liability, and costs. Never are these facts more evident than with the introduction of the European Union’s forthcoming General Data Protection Regulation (“GDPR”). These institutions will need to review their internal data systems and make significant changes to comply with the GDPR’s many technological, administrative, and legal requirements. For further discussion on the GDPR, please see our prior post, “Sticking Your Head in the Sand: How NOT to Approach the GDPR”.

Lest you think this is solely a concern for Europeans, US-based institutions are just as susceptible (i.e., liable) to the requirements of the GDPR. More and more, US-based universities are offering their students opportunities to travel and study abroad, while also opening their doors to international students to study and connect with the US academic community. And this makes sense: exposing students, both abroad and in the US, to a wider, more diverse group of people creates a more dynamic environment in which to share knowledge and learn.

But opening up these global opportunities (which we at XPAN fully support and encourage) brings these institutions under the purview of the GDPR. The GDPR applies to “the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services . . . to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.” Personal data is defined as “any information relating to an identified or identifiable natural person (‘data subject’).” Art. 4(1). By opening locations within Europe, and offering educational services and academic opportunities to students located in the EU, US-based universities are directly subject to the GDPR.

Additionally, the GDPR is not a regulation to be taken lightly: it empowers supervisory authorities to assess fines that are “effective, proportionate and dissuasive.” Art. 83. There are two “tiers” of fines established under the GDPR: the lower fine threshold is 2% of an “undertaking’s” worldwide annual turnover or 10 million euros, whichever is higher; and the higher fine threshold is 4% of an “undertaking’s” worldwide annual turnover or 20 million euros, whichever is higher. Art. 83(4)-(5).

The GDPR is voluminous, and so is its impact on US-based universities; there are many provisions that should be discussed in a broader GDPR assessment, including individual rights, special categories of data, and data security. Over the next few weeks, we will be posting a series of blog posts on the GDPR’s impact on higher education. Tune in as this series develops!

* * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.