General Data Protection Regulation (GDPR) and Career Education

By Michelle Donovan, Partner and Diane Byun, Diversity Fellow, Duane Morris LLP

In a world of daily digital interactions, the General Data Protection Regulation (GDPR) offers individuals in the European Union (EU) more control on the collection, disclosure, and use of their personal data, both within and beyond EU borders. Any career education institution in the United States (US) that processes or collects personal data relating to covered individuals may be subject to GDPR compliance, regardless of physical EU presence. With penalties ranging from €10 – 20 million ($11.79 to $23.58 million under current exchange rates), career education institutions in the US (Schools) that collect and maintain EU personal data should review policies and practices to ensure compliance with this law.

Understanding the GDPR

Adopted in April 2016, the GDPR provides a fundamental right of privacy for all natural persons located in the EU by regulating the processing of personal data. The new regulation became effective on May 25, 2018, repealing and replacing the EU’s 1995 Data Protection Directive 95/46/EC (DPD). Although the DPD also covered data privacy, its reach was limited to the geographic boundaries of the EU. Due to its extraterritorial scope, the GDPR can be applied against US entities, even without a physical presence in the EU.

The Articles of the GDPR state the requirements necessary for the processing of personal data.

For the purposes of the GDPR, ‘personal data’ means any information that can be used to directly or indirectly identify a natural person located in the EU, known as ‘data subjects.’

Examples of personal data subject to the GDPR include names, addresses, email addresses, telephone numbers, and IP addresses. The GDPR does not just apply to customers but can cover suppliers and professional contacts.

Key roles in data transactions

The GDPR introduces a new nomenclature to define the parties to whom this law applies: (i) data subject, (ii) data controller, and (iii) data processor.

A ‘data subject’ refers to an identified or identifiable natural person (i.e., people, not legal entities) located within the EU. Notably, a data subject does not need to be a citizen of an EU member state to be protected under the GDPR. The data subject need only be physically located in the EU at the time the data is collected. This also means that the GDPR does not apply to data that is collected from EU residents when they are not located in the EU. Data subjects with whom Schools interact may include applicants, students, faculty, staff, alumni, and business contacts.

The ‘data controller’ determines the purpose and means of processing personal data. An organization is considered a data controller if it controls why and how personal data is collected and used. If there is more than one organization that determines why and how personal data should be processed, each would be a ‘joint controller.’ In such cases, each joint controller must have an agreement on upholding respective responsibilities in regard to GDPR compliance. Individuals whose data is being processed must be notified of the essential aspects of this agreement.

The ‘data processor’ processes the personal data on behalf of the controller. The ‘processing’ of personal data includes data collection, maintenance, use, and retention. Examples of processing include sending promotional emails or posting a photo of an EU data subject onto a website. A School may become a data controller, a data processor, or even both.

A School could be a data controller in relation to determining the purpose and means of processing personal data of students or staff if either are EU data subjects.

It could be a data processor if there is in-house processed data such as storing and maintaining student records for EU data subjects.

Where the data processor is an external third-party (e.g., IT company), the processor’s duties must be specified in a contract documenting what information processors have access to and what the processor is doing with the information. The contract must also address what happens to the data upon termination of the contract. Examples of third-party processors may include cloud-based student and learning management system providers, lead generators, email campaign service providers, and advertising agencies. If the GDPR applies, Schools must ensure that third-party processors are also compliant. Any noncompliance on the provider’s part means that the School will be subject to penalties.

Applicability determined by intent and nature of operations

The GDPR does not apply in all instances where personal data from the EU is collected or processed. For example, mere accessibility of a non-EU hosted data controller’s or data processor’s website by an EU data subject does not by itself mean that the GDPR applies. That is a big help for “non-purposeful” gathering of EU personal data.

Non-EU institutions processing EU data subjects’ personal data in connection with offering goods and services in the EU must analyze their intent to target EU data subjects as customers. Do not try and game the system by avoiding these specific pitfalls; instead, have a business plan that identifies which programs will be made accessible to EU data subjects. The following GDPR factors will help institutions make this assessment:

1. Whether the institution offers goods or services in an EU language or currency.
2. Whether the institution allows EU data subjects to make a purchase in the local language.
3. Whether the institution refers to EU customers when marketing its goods and services.

Case examples

General intent

Linda, based in the UK, surfs the net and finds a school in the US offering goods and services. Just because she makes a purchase from an English language website, uses her Visa to pay for the products in USD ($), and puts her postcode in a ZIP code box, does not mean the company is caught by the GDPR. However, if the website offers her a choice of paying in Pounds or Euros and has a drop-down box to select the EU country where she is a resident, then there is a clear intent to target EU data subjects and the school must be GDPR compliant.

Traditional enrollment

For most Schools enrolling EU data subjects, it is likely the GDPR applies. However, there may be situations where the GDPR may not apply for an EU data subject studying in the US in the context of traditional enrollment (i.e., non-digital means). For example, a UK resident passport holder who is living in the US under an appropriate visa and decides to apply for a program in the US. If the School does not target EU data subjects and does not have a common practice of interacting with EU data subjects, the GDPR likely does not apply.

Online lead forms

If an EU data subject fills out an online lead form requesting information and a School responds by phone, email or text, the GDPR may apply.

It is not the act of responding that triggers the GDPR, but the content and motivation of the response.

If there is no intent to enroll EU data subjects, and the School notifies the individual that the program is not open to EU data subjects, the GDPR should not apply. Ideally, a School website will state this clearly to avoid opening itself up to liability. Should the School respond to the inquiry with the intent to enroll the individual, the GDPR likely applies because the response is an active effort to recruit an EU data subject.

Online education programs

A) Actively recruiting EU data subjects as students.

If an institution has an online or distance education program for which it advertises online in the EU and accepts applications from EU data subjects, there is clear intent, triggering GDPR compliance.

B) Does not actively recruit but accepts applications and enrolls students located in the EU.

Even in a situation where the same institution does not actively solicit but accepts applications from EU data subjects, the GDPR may still be relevant. The consensus is that institutions outside of the European Economic Area (EEA) should not accept applications for online or distance education programs from EU data subjects as the accessibility of such programs puts them at risk of being held to be showing an intention to attract EU data subjects.

C) Actively recruits military personnel who may be assigned an EU duty station.

While the GDPR does not apply to certain foreign policy, national security, and law enforcement data practices, it does apply to commercial and professional transactions such as online education programs.

Due to the GDPR’s coverage of any natural persons located in the EU regardless of nationality or citizenship, military personnel may be considered EU data subjects.

Although a US military base is unlikely to be within the reach of the GDPR, service members and their families may live and work outside of their duty stations. Additionally, even if a service member is not yet in the EU, if a School’s website mentions customers based in the EU, this can be interpreted as intent. Therefore, if a School actively recruits military personnel who may be assigned an EU duty station, the GDPR may apply. It is worth noting that the GDPR would likely not apply if a service member remained in the US military base at all times.

Study abroad programs

A) When EU students study abroad in the US.

If an EU data subject applies for a study abroad program from the EU and then travels to the US to attend, the GDPR likely applies. Typical study abroad arrangements require a formal agreement between institutions. A formal agreement with an EU institution shows clear intent to draw EU data subjects. Even if there is no formal agreement with a particular institution, a School’s conduct of routine interactions with EU data subjects will likely trigger GDPR compliance.

B) When US students study abroad in an EU country.

If a US student studies abroad in an EU country, it would be difficult to avoid the GDPR. Whether it is students or faculty that engage in a study abroad program in the EU, the School will be collecting personal data on EU data subjects in a purposeful way. Study abroad programs necessarily involve obtaining personal data of the student whose educational records must be transmitted to the School in order to ensure proper credit. However, it likely also involves obtaining personal data from the employees of EU host institutions and EU providers of accommodation.

Alumni relations

Schools are required to comply with the GDPR if newsletters are sent to alumni located in the EU. Sending newsletters to alumni is a form of direct marketing – it is nothing to do with the fulfilment of the original contract with those alumni. Any School partaking in this behavior would need to comply with the GDPR.

Note that an institution cannot send direct marketing to a data subject unless there is express and unambiguous consent from the data subject.

This has been the subject of much debate. Where only an “opt out” option was provided for the initial capture of personal data and its use for marketing purposes, the consensus is that you need to obtain express consent before you send out such materials. Indeed, there is an argument that if you have not already obtained such consent, then reaching to obtain this may in itself be a breach of the GDPR (as you are using the personal data without consent).

Penalties

Maximum penalties of up to four percent of annual global turnover (gross revenue) or €20 million ($23.58 million), whichever is greater, can be imposed for severe violations. Penalties of up to two percent of gross revenue or €10 million ($11.79 million) can be imposed for other offenses, such as improper recordkeeping or failure to notify authorities and customers affected by a data breach. In addition, data subjects may also bring actions for damages or compensation against an entity for GDPR violations.

Compliance

What institutions must do to comply will be very fact-specific. Even within the career education community, a slightly different approach by different Schools may require different responses to the GDPR. Each School needs to first determine whether it will have personal data (as defined by the GDPR) in relation to EU data subjects. If yes, then the school needs to go through a fact-specific assessment to determine whether the collection of this data subjects them to compliance with the GDPR.

Conclusion

Although the regulation took effect on May 25, 2018, not all institutions are fully compliant with the GDPR’s requirements. In addition to recruitment and admissions operations, Schools must review all policies and practices relating to personal data to work towards compliance. GDPR compliance is not a one-off project. It requires continual monitoring and engagement by all relevant business functions.

It is important to keep in mind that this article is meant to provide an overview of the GDPR in relation to Schools. It is not intended to be taken as legal advice, and Schools looking to ensure that they are fully compliant with the GDPR should seek the advice of qualified legal professionals.

References

Directive 95/46/EC of the European Parliament and of the Council of (October 1995). Retrieved from http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 (April 2016). Retrieved from http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf

MICHELLE DONOVAN is a Partner at Duane Morris, LLP. She serves on the firm’s Diversity and Inclusion committee and chairs the San Diego Diversity and Inclusion Initiative. Ms. Donovan’s practice is largely focused on the career college sector and the specialized legal issues that arise for schools in the sector, including issues related to the protection of student records, privacy, online marketing, lead generation, trademarks, copyrights, and domain names. Duane Morris serves all sectors of postsecondary education and the businesses that support postsecondary education, providing deep experience and guidance in all legal aspects of this complex industry, as well as strategy, operations, finance and policy.

Diane Byun is working as a Diversity Fellow in the San Diego office of Duane Morris LLP. Ms. Byun holds a B.A. in English Literature from the University of California, Santa Barbara and is currently pursuing her Juris Doctor at the University of San Diego, School of Law.