New European Union Privacy Regulations Require Changes in Policies and Operations
Higher education institutions active in the European Union should be aware that in 2018 new EU privacy regulations will require changes in policies and operations that affect applicants, students and faculty located in the EU.
The General Data Protection Regulation (Regulation (EU) 2016/679) replaces the EU Data Protection Directive (Directive 95/46/EC) on May 25, 2018. It covers the personal data of persons located in the EU, which may include U.S. students studying abroad, U.S. faculty or staff posted to or hired in the EU, and EU residents applying to and then enrolling in a U.S. college or university. It regulates the actions of data “controllers” even if they are not headquartered in the EU and have no significant presence there, so long as the controller offers goods or services to individuals in the EU or monitors such persons’ behavior while they are in the EU. The new regulation will also govern the privacy rights of EU residents participating in research projects, as well as development and alumni relations activities in the EU.
The regulation provides persons in the EU with important new rights, which will impose compliance obligations on U.S. institutions active in the EU. For example, there are extensive disclosure obligations attached to notifying persons in the EU about how their data will be processed and to obtaining their consent to the use of their personal data, strict time limits on providing individuals with access to their data, and rights to have information corrected, erased and transferred. While a controller may process data on the basis of its “legitimate interests,” those interests must be balanced against such factors as the impact of the processing on the individuals concerned and the proportionality of the measures taken to protect their data privacy rights.
An institution should now begin to assess which of its facilities or activities in the EU may be affected; determine its legal basis for processing the data of persons in the EU; review and, if necessary, revise existing policies and procedures; and address the issues surrounding transfers of personal data from the EU to the U.S. The significant changes effected by the new Regulation, and the significant potential penalties for non-compliance (administrative fines of up to 4% of worldwide annual turnover or EUR 20 million, whichever is higher), should make this a priority effort for institutions active in the EU.