GDPR International Regulations: What Do We Know After One Year?

Presented by:
• Julia Funaki, AACRAO
• Richard Levin, University of Toronto
• Mark McConahay, Indiana University
Tuesday, 4/2/19, 3:45pm
Session ID: 1982

Session Rules of Etiquette

• Please silence your electronic devices.
• Please complete the session evaluation using the AACRAO mobile app.
• If you must leave the session early, please do so as discreetly as possible.
• Please avoid side conversations during the session.

Thank you for your cooperation!

Learning Outcomes of this session:

• First Learning Outcome: GDPR compliance practices
• Second Learning Outcome: How to coordinate compliance among many campus entities
• Third Learning Outcome: Project management

Disclaimer

• The information contained in this presentation is not legal advice and reflects only the opinions of the presenters.

• If you have a legal issue related to EU Privacy or Data Protection, please contact a licensed attorney for guidance specific to your situation.

General Data Protection Regulation: implemented May 25, 2018

• Data privacy is a fundamental right, and cannot easily be bargained away

• There must be a lawful basis for all data processing (e.g., consent, necessity to perform a contract, a legal obligation, or "legitimate interests" balanced against the impact on individuals)
• All processing is subject to the GDPR principles (lawfulness, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality)

Since Implementation…

• In various surveys/self-reports, full compliance with GDPR is still not widespread. A TrustArc survey of 600 companies in the EU, UK, and US found that 20% believed they were GDPR compliant, 53% were in the implementation phase, and 27% had not yet started.
• Unexpected consequences: in the UK, the Royal Mail saw its revenues from addressed letters drop 7% as unsolicited (junk) mail was reduced in order to meet GDPR requirements.
• Expected consequences: GDPR has inspired a push toward adoption of data protection regulations elsewhere: China's Internet Security Law, the California Consumer Privacy Act of 2018, Brazil's Data Protection Bill of Law…
• Source: https://www.endpointprotector.com/blog/two-months-later-living-in-a-post-gdpr-world/

Enforcement
• The largest fines (up to €20 million or 4% of worldwide annual turnover, whichever is higher) have yet to be imposed on any company.
• Supervisory authorities have a range of corrective measures/powers that may be utilized, e.g., ordering a cessation of processing (a temporary or definitive ban on processing).

Europe: Reactive Priority
• Getting right with data subjects' rights
• Breach notification
• Transparency

Max Schrems and noyb.eu: "Forced Consent"
• Complaints filed against Google (Android), Facebook, WhatsApp and Instagram

Enforcement and Fine-Tracking

GDPR Enforcement Actions since October 2018

October 2018 – Austria – small, local business – €4,800
• A local business operated a CCTV camera.
• Why: the camera captured too much public space.

November 2018 – Germany – Knuddels.de (social media/chat platform) – €20,000
• Knuddels reported a data breach; the local data protection authority determined that the site had been storing user passwords in plaintext, without hashing.
• Why: the fine was issued over the data storage practices, not the breach itself.

Enforcement and Fine-Tracking

December 2018 – Portugal – hospital near Lisbon – €400,000
• Three violations (findings of the country's supervisory authority): allowing indiscriminate access to an excessive number of users; non-application of technical and organizational measures to prevent unlawful access to personal data; inability to ensure the continued confidentiality, integrity, availability and resilience of its processing systems.
• Why: violation of the data minimization principle; violation of the basic principles of processing; failure of the defendant to ensure the continued confidentiality, integrity, availability and resilience of its systems.
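The Knuddels fine turned on how credentials were stored, not on the breach itself. The following is an added example, not code from the presentation or from Knuddels.de: the plaintext pattern that was fined, beside a hardened store that keeps only a per-user random salt and an scrypt digest (from Python's standard library) and verifies with a constant-time comparison. The account names, passwords, record layout and scrypt work factors are constructed for the example.

```python
"""Added example (not from the presentation or from Knuddels.de): the
plaintext credential store that drew the Knuddels fine, beside a hardened
store using a per-user random salt and scrypt from Python's standard library.
User names, passwords, record layout and scrypt work factors below are
constructed for the example."""
import hashlib
import hmac
import os

# Work factors are an assumption for the example; tune n upward per server.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN, SALT_LEN = 2 ** 14, 8, 1, 32, 16
MAXMEM = 64 * 1024 * 1024  # 128*n*r*p bytes = 16 MiB needed; leave headroom


class PlaintextStore:
    """The practice that was fined: passwords kept verbatim, so any copy of
    the table (backup, insider, SQL injection) yields every password."""

    def __init__(self):
        self._users = {}

    def register(self, username, password):
        self._users[username] = password  # stored exactly as typed

    def verify(self, username, password):
        return self._users.get(username) == password

    def dump(self):
        return dict(self._users)  # what a leaked copy of the table reveals


class HashedStore:
    """Hardened version: one record per user holding the parameters, the
    salt and the scrypt digest, so a leaked table gives only digests."""

    def __init__(self):
        self._users = {}

    @staticmethod
    def _derive(password, salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P):
        return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                              n=n, r=r, p=p, maxmem=MAXMEM, dklen=DKLEN)

    def register(self, username, password):
        salt = os.urandom(SALT_LEN)  # fresh salt: equal passwords differ
        digest = self._derive(password, salt)
        # Record layout (assumption): scrypt$n$r$p$salt_hex$digest_hex
        self._users[username] = "$".join(
            ["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
             salt.hex(), digest.hex()])

    def verify(self, username, password):
        record = self._users.get(username)
        if record is None:
            # Burn the same cost for unknown users so response time does
            # not reveal which user names exist.
            self._derive(password, b"\x00" * SALT_LEN)
            return False
        _scheme, n, r, p, salt_hex, digest_hex = record.split("$")
        expected = self._derive(password, bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p))
        # Constant-time comparison of the two digests.
        return hmac.compare_digest(expected, bytes.fromhex(digest_hex))

    def dump(self):
        return dict(self._users)


def compare_leaks():
    """Register the same constructed accounts in both stores and report what
    a leaked copy of each table reveals, plus verification results."""
    plain, hashed = PlaintextStore(), HashedStore()
    accounts = [("alice", "correct horse battery staple"),
                ("carol", "hunter2"), ("dave", "hunter2")]
    for user, pw in accounts:
        plain.register(user, pw)
        hashed.register(user, pw)
    leak_plain, leak_hashed = plain.dump(), hashed.dump()
    return {
        "plain_leak_shows_password": leak_plain["alice"] == accounts[0][1],
        "hashed_leak_shows_password": accounts[0][1] in leak_hashed["alice"],
        "same_password_distinct_records": leak_hashed["carol"] != leak_hashed["dave"],
        "hashed_verify_correct": hashed.verify("alice", accounts[0][1]),
        "hashed_verify_wrong": hashed.verify("alice", "wrong password"),
        "hashed_verify_unknown_user": hashed.verify("mallory", "anything"),
    }


if __name__ == "__main__":
    for check, result in compare_leaks().items():
        print(f"{check}: {result}")
```

The salt is stored next to the digest on purpose: it is not a secret, its job is to make two users with the same password produce different records so that a precomputed table cannot be reused across the whole leaked file. The work factors are what make an offline guess expensive; they are stored in the record so they can be raised later without invalidating existing accounts.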

January 2019 – France – Google – €50,000,000
• Google was fined by France's data protection regulator (CNIL).
• Why: lack of transparency and valid consent in advertising personalization, including a pre-checked option to personalize ads.

Higher Education

• Awareness of GDPR – although there is a wide range of GDPR readiness and compliance, as in many other industries
• Enforcement and fines – to date there has been no enforcement action or fine against any higher education institution
• Government enforcement officials are still in the phase of organizing and managing
• Roles and scenarios – institutions need to consider the roles of Controller and Processor and the GDPR scenarios that apply to them
• Data, Data, Data – importance of a data audit; the data and purpose limitation principles of GDPR

Institutional First Steps

Form an EU-GDPR Working Group
• University Counsel
• University Security Office
• University Information Technology Services
• University Data Administration Officials (Stewards)
• Functional unit representatives

Working Group Charge
• GDPR in the context of your institution
• Identify populations affected
• Identify functional/business areas
• Examine processes and scenarios to measure scope of impact
• Analyze/identify common elements
• Recommend practices/strategies to comply with GDPR
• Identify implementation costs and strategies

IU Student Records and the EU GDPR

IUB Undergraduate EU students/potential students
• ~3,000 students in recruiting cycle
• ~500+ applicants / ~500 admits
• ~75 enrollments per academic year
• ~500 EU enrolled students

Undergraduate EU Students for All Campuses
• ~4,000 students in recruiting cycle (estimated)
• ~600+ applicants / ~500 admits
• ~100 enrollments per academic year
• ~700 EU enrolled students

IU Student Records and the EU GDPR
• Discussions regarding campus response to the GDPR
• Led by University Counsel
• IU Chief Privacy Officer
• Operational/functional officers, e.g., Registrar, Office of Online Education, etc.
• Primary operational categories for student records: Admissions and Recruitment; Enrolled Students; Post Enrollment

IU Student Records and the EU GDPR: Admissions and Recruitment

• A person is a GDPR data subject if their home address is within the EU
• Recruited using digital technologies (tracking behavior)
• Privacy notice upon first contact describing: data subject (DS) rights under GDPR and how to invoke them; IU's collection, rationale and use of the data
• DS given the opportunity to end all contact
• Privacy notice nearly complete
• Developing a Privacy Notice Template

IU Student Records and the EU GDPR: Admissions and Recruitment – Privacy Notice Template

Right to Object

You may object to the processing of your personal data where:
[option] the legal basis for processing is based on: public interest, exercise of official authority, or legitimate interests.
[option] personal data is processed for direct marketing purposes (including profiling to the extent that it is related to such direct marketing).
[option] personal data is processed for scientific or historical research purposes or statistical purposes, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
[option] (Not applicable)

See also Harvard's privacy statement and separate EEA privacy disclosures (https://www.harvard.edu/privacy-statement).

PRIVACY NOTICE for ______ ("APPLICATION" / "SITE") located at ______ ("URL"), provided by Indiana University on behalf of The Office of International Services ("OIS") ("We")

Effective: 2018-07-26

Applicability and Scope
Indiana University and the Office of International Services believe in the protection of your personal data. We collect, retain, process, use, disclose and dispose of your personal data exclusively in compliance with the principles described below, applicable data protection legislation and Indiana University (IU) policies. This privacy notice only applies to the privacy practices of the Office of International Services and other supporting internal offices and contracted service providers relative to data collected via our interactions concerning your interest in Indiana University.

IU Student Records and the EU GDPR: Admissions and Recruitment

• IU is refining its practice for deleting EU DS data if requested.
• IU is formalizing admissions data retention cycles.
• IU has documented its interpretation of GDPR and its practices.
• IU is reviewing/obtaining agreements with operational "processors" (CRM vendors, others) to ensure GDPR compliance.

IU Student Records and the EU GDPR: Admissions and Recruitment

• Upon admission, the student is no longer considered a GDPR data subject:
• the student is consuming educational services within the US
• IU must comply with federal (SEVIS) documentary practices

IU Student Records and the EU GDPR: Enrolled Students

• A student who enrolls in IU and resides within the US will be considered subject to US privacy laws and, by default, not subject to the provisions of the GDPR.

• If an enrolled student is participating in an online course and resides within the EU, their data may need to be treated as if they were a GDPR data subject.
• Note – numbers are small enough to handle by exception.

IU Student Records and the EU GDPR: Enrolled Students – Overseas Study

Consortia
• Partner institution is within the EU
• EU institution performs instructional services
• EU institution performs data collection activities supporting instruction
• EU institution complies with GDPR

IU Program
• IU must comply with GDPR

IU Student Records and the EU GDPR: Post Enrollment

• Domestically enrolled students will not be viewed as GDPR data subjects. Thus, processes to transfer information between IU and its affiliates (e.g., Alumni, etc.) should remain unchanged.

• More analysis needs to be performed to determine how to administer data for those students who may return to the EU.

IU Student Records and the EU GDPR: General Tools

• GDPR Website (https://protect.iu.edu/online-safety/protect-data/gdpr.html)
• Erasure Requests – guidance for handling/routing requests
• GDPR Checklist – scope assessment

EU General Data Protection Regulation: Canadian context

• Canadian privacy law is not extraterritorial – it applies only to Canadian entities
• PIPEDA – federal, relatively recent; covers 1) the private sector, 2) personal health information and 3) commercial transactions
• Every province also has privacy legislation
• Ontario: Freedom of Information and Protection of Privacy Act (FIPPA)

FIPPA – Ontario

• Regulates collection, use, disclosure, retention and destruction of personal information
• FIPPA has no concept similar to directory information; only "public information" can be disclosed without consent
• Enforced by the Privacy Commissioner; breach notifications required
• Universities have FIPPA offices and liaisons (FOILs)

Collection

• Must have legal authority

• Must collect directly from individual (with some exceptions, e.g., law enforcement or with consent to indirect collection)

• Must provide notice of collection

GDPR Principles

• Lawfulness – consistent with law, the purposes of the organization and the program/activity
• Purpose limitation – use data only for the purpose for which it was collected
• Data minimization – collect only what is necessary
• Accuracy – keep data up to date
• Storage limitation – appropriate retention
• Integrity & confidentiality – including security and training
• Canada is "white-listed" (has an EU adequacy decision) on these principles, but only on the basis of federal law (PIPEDA)

Areas of applicability

• Recruitment of EU residents ("data subjects")
• Applications from EU residents
• Research involving the EU
• Alumni data collection
• Study abroad
• Only applicable to data collected in the EU

Requirements – consent

• Active consent – similar to FIPPA but more extensive and specific:
• Clear language
• Ability to withdraw consent at any time
• Children under 16 cannot give consent on their own (parental consent is required; member states may lower this age to as low as 13)
• Opt-out is not sufficient

• Processing does not require consent where it is "necessary for the performance of a contract to which the data subject is party."

Consent/Notice of Collection Requirements

FIPPA                          | GDPR
-------------------------------|------------------------------------------
Legal authority                | Legal basis for collection
Purpose of collection          | Purpose/use of 'processing'
Contact information            | Contact information
                               | Right to withdraw consent
                               | Retention information
                               | Right to request correction/erasure
                               | Right to file complaint
                               | Recipients of data
                               | If information is required for contract
                               | Rules of automated decision-making

U of T sample notice of collection

The University of Toronto respects your privacy. Personal information that you provide to the University is collected pursuant to section 2(14) of the University of Toronto Act, 1971.

It is collected for the purpose of administering admissions, registration, academic programs, university-related student activities, activities of student societies, safety, financial assistance and awards, graduation and university advancement, and reporting to government.

In addition, the Ministry of Advanced Education and Skills Development has asked that we notify you of the following: The University of Toronto is required to disclose personal information such as Ontario Education Numbers, student characteristics and educational outcomes to the Minister of Advanced Education and Skills Development under s. 15 of the Ministry of Training, Colleges and Universities Act, R.S.O. 1990, Chapter M.19, as amended. The ministry collects this data for purposes such as planning, allocating and administering public funding to colleges, universities and other post-secondary educational and training institutions and to conduct research and analysis, including longitudinal studies, and statistical activities conducted by or on behalf of the ministry for purposes that relate to post-secondary education and training. Further information on how the Minister of Advanced Education and Skills Development uses this personal information is available on the ministry's website.

At all times it will be protected in accordance with the Freedom of Information and Protection of Privacy Act. If you have questions, please refer to www.utoronto.ca/privacy or contact the University Freedom of Information and Protection of Privacy Coordinator at McMurrich Building, room 104, 12 Queen's Park Crescent West, Toronto, ON, M5S 1A8.
Source: http://www.acorn.utoronto.ca/fippa.php

Current status

• Lawyers from Ontario/Canadian universities continue to discuss

• We have not yet amended our collection notices; under discussion

• Received first Request to be Forgotten in March 2019

Questions to resolve

• Is expanded consent necessary for admission applications and other "contracts"?
• Should we have different consent for EU persons or expand consent for all?
• Do we need a Data Protection Officer?
• How will the apply?

Resources
• Implications of the General Data Protection Regulation: An Interassociational Guide – https://www.aacrao.org/signature-initiatives/trending-topics/gdpr/gdpr-interassociational-guide
• Link to GDPR – neatly arranged, easy quick links: https://gdpr-info.eu/
• Great guidance by topic from the UK ICO (UK Data Protection Authority): https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
• International Association of Privacy Professionals: https://iapp.org/
• EDUCAUSE: https://www.educause.edu/
• https://www.insidehighered.com/news/2018/11/01/eu-slow-enforce-new-data-privacy-rules-colleges-told-not-panic-about-lack-compliance

Thank You!

Please complete the session evaluation using the AACRAO mobile app.

Session ID 1982