New European Union Privacy Regulations Require Changes in Policies and Operations

Higher education institutions active in the European Union should be aware that in 2018 new EU privacy regulations will require changes in policies and operations that affect applicants, students and faculty located in the EU.

The General Data Protection Regulation (Regulation (EU) 2016/279) replaces the EU Data Privacy Directive (Directive 95/46/EU) on May 6, 2018. It covers the personal information of persons located in the EU, which may mean U.S. students studying abroad or U.S. faculty or staff posted to or hired in the EU or EU residents applying for and then enrolling in a U.S. college or university. It regulates the actions of data “controllers” even if not headquartered or with a significant presence in the EU, so long as that controller offers goods or services to individuals in the EU or monitors such persons’ activities while in the EU. The new regulation will also govern the privacy rights of EU residents participating in research projects, as well as development and alumni relations activities in the EU.

The regulation provides persons in the EU with important new rights, which will impose compliance obligations on U.S. institutions active in the EU. For example, there are extensive disclosure obligations attached to notifying persons in the EU regarding how their data is to be processed and in connection with obtaining consent to using their personal data, strict time limits on providing access to data, and rights to have information corrected, removed and transferred. While data may be used by controllers for their “legitimate interests,” these interests must be balanced against such factors as the impact of that processing on the subjects and the proportionality of measures taken to protect data privacy rights.

An institution should now begin to assess which of its facilities or activities in the EU may be affected, determine its legal basis for processing EU resident data, review and, if necessary, revise existing policies and procedures, and address issues surrounding data transfers from the EU to the U.S. The significant changes effected by the new Regulation, and the significant potential penalties for non-compliance, should make this a priority effort for institutions active in the EU.


Shortsighted Tax Policy: Senate and House Tax Reform Bills Would Increase Burdens on Universities and Students

The New England Journal of Higher Education has published the article, “Shortsighted Tax Policy: Senate and House Tax Reform Bills Would Increase Burdens on Universities and Students” written by Matthew Morris. Below is an excerpt from the article: The House bill and, to a lesser extent, the Senate bill include a package of comprehensive revisions to the […]

Anti-Sexual Harassment Training: What Works and What Doesn’t

In mid-November, Saturday Night Live paid homage to beleaguered Human Resources professionals across the nation by introducing us to “Claire from HR” during Weekend Update. If you haven’t seen the sketch yet, click here. Claire (played by Cecily Strong) arrives to provide a brief anti-sexual harassment training – a “little HR quiz” just to “make sure […]

Current Issues for Higher Education Real Estate Lawyers

The 15th Annual Higher Education Real Estate Lawyers conference was held in San Francisco, where attendees listened to and learned from both in-house and outside counsel at colleges and universities on the following topics. Real Estate Tax Exemption – The Princeton Case. (Hannah Ross General Counsel [Middlebury College], formerly University Attorney at Princeton University).  Princeton University […]

Court Finds Computer Use Policy May Violate First Amendment

The United States District Court for the Northern District of Illinois recently decided that a university’s Computer Usage Policy may violate professors’ First Amendment right to free speech.  Objecting to a faculty-created blog that was often critical of university administration, Chicago State University sent a cease-and-desist letter to a faculty member, claiming that the blog lacked […]

Retroactive Leniency Not a Reasonable Accommodation under the ADA

On October 11, 2017, the 10th Circuit of the U.S. Court of Appeals affirmed the District Court’s ruling that retroactive leniency for past misconduct does not constitute a reasonable accommodation under the Americans with Disabilities Act (ADA).   In this case, Profita v. Regents of the University of Colorado, the Plaintiff was a former student of […]

Combating Opioid Abuse in the Workplace: A Proactive Approach For Employers

Imagine your employee “Bob” has recently missed a lot of work for unexplained reasons. Bob’s coworkers notice that he sometimes “nods off” while working, and his supervisor just reported to you that Bob became enraged while speaking with a client. Upon hearing about these serious performance issues, you diligently conduct an investigation and prepare to take […]