Due to its extraterritorial scope, the GDPR applies to U.S. entities, even if they have no physical presence in the EU.
Any higher education institution in the United States that processes personal data relating to individuals in the European Union may be subject to the EU’s comprehensive privacy rules, regardless of physical EU presence. With penalties ranging from $11.79 million to $23.58 million (at current euro to dollar conversion rates), it is important to establish whether the General Data Protection Regulation (GDPR) applies to your U.S. institution.
What Is the GDPR?
The GDPR became effective on May 25, 2018. It provides a fundamental right of privacy for all natural persons located in the EU, known as “data subjects,” by regulating the processing of personally identifiable information. It is essential to remember that a data subject is entitled to GDPR protection whether or not they are a citizen of an EU member state.
Due to its extraterritorial scope, the GDPR applies to U.S. entities, even if they have no physical presence in the EU. However, the GDPR’s extraterritoriality does not attach to EU residents or citizens abroad. For example, if a U.S. entity is involved in a data transaction with an EU resident living within the United States, the GDPR does not apply.
Maximum penalties of up to 4 percent of annual global turnover (gross revenue) or €20 million ($23.58 million at current conversion rates), whichever is greater, can be imposed for severe violations. Penalties of up to 2 percent of gross revenue or €10 million ($11.79 million at current conversion rates) can be imposed for other offenses, such as improper recordkeeping or failure to notify authorities and customers affected by a data breach. In addition, data subjects may also bring actions for damages or compensation against an entity for GDPR violations.
Whose Data Is Protected by the GDPR?
The GDPR applies to all EU data subjects’ “personal data,” defined as any information that can be used to identify an individual directly or indirectly. Examples of personal data include not only educational, financial, employment-related and health data, but also email addresses, names, photographs, personal phone numbers and IP addresses.
Should the GDPR apply to your institution, any information that falls under the scope of personal data as defined by the GDPR must be handled in accordance with the new regulation.
Does This Apply to My School?
The GDPR does not apply in all instances where personal data from the EU is collected or processed. For example, the mere accessibility of a U.S. website by an EU data subject or access to the email address or other contact details of the non-EU established data controller or data processor does not by itself mean that the GDPR applies. That is a big help for “nonpurposeful” gathering of EU personal data. Rather, a business must show intent to draw EU data subjects as its customers.
In order to avoid risk of having the GDPR apply, schools can choose to block access to their website so that consumers with IP addresses associated with any EU country will no longer have access. Minimally, schools should revisit their privacy policies to clearly state that the website is directed solely to U.S. residents.
The GDPR may apply if your institution engages in the following activities:
- Participate in EU study abroad programs
- Recruit and/or accept applications from individuals located in the EU
- Offer distance learning to individuals located in the EU
- Possess a campus in any of the 28 EU countries
- Hold personal data on students, alumni, professors or donors who live in the EU
- Receive information from and distribute information to students, alumni, professors or donors who live in the EU (e.g. online donations, e-newsletters, emails)
What schools must do to comply will be very fact-specific. Even within the education community, a slightly different approach by different schools may require different responses to the GDPR. Each school needs to first determine whether it will have personal data (as defined by the GDPR) in relation to EU data subjects. If yes, then the school needs to go through a fact-specific assessment to determine whether the collection of this data subjects them to compliance with the GDPR.
Although the regulation took effect on May 25, 2018, not all institutions are fully compliant with the GDPR’s requirements. In addition to recruitment and admissions operations, schools must review all policies and practices relating to personal data to work towards compliance. GDPR compliance is not a one-off project. It requires continual monitoring and engagement by all relevant business functions.
For Further Information
Duane Morris recently hosted a webinar series on GDPR strategic planning and compliance. If you have any questions about the GDPR and your educational institution, please contact Michelle Hon Donovan, any member of the Higher Education Practice Group or the attorney in the firm with whom you are regularly in contact.
Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.