Edtech and the EU General Data Protection Regulation
May 28, 2018
If you’ve opened your inbox recently, you likely already know about the EU’s General Data Protection Regulation, which came into effect on May 25, 2018. Under the legislation, companies in the EU and those located elsewhere that do business in the region are now obligated to offer full disclosure about how they are handling your data. For edtech companies, the new regulation may have far-reaching consequences, but the real onus to protect data will ultimately be on the institutions that contract with these service providers rather than on the edtech companies themselves. This article offers an overview of edtech and the EU General Data Protection Regulation.
The EU General Data Protection Regulation (GDPR)
In a nutshell, the EU General Data Protection Regulation replaces the existing Data Protection Directive that was already in place in Europe. As stated in the EU’s GDPR information portal, “The new legislation was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.” There are three key changes that hold the potential to impact educators and the edtech sector.
First, the GDPR strengthens the existing regulation’s language concerning consent. As stated in the EU’s GDPR summary, “The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent.”
Second, the GDPR introduces specific language protecting the data subject’s “right to be forgotten.” Also known as Data Erasure, the “right to be forgotten” entitles the data subject to “have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.” While there are some limits (e.g., a politician can’t ask that negative press be deleted from online publications because such data is of interest to the public), in general, if the data is not of public interest, people can request that it be deleted.
Finally, the GDPR recognizes that children and even adolescents may require special protections. The rationale is that because they may be less aware of the risks and consequences of sharing their data, they should be granted greater protections. Indeed, the GDPR maintains that children, especially those under 16, should be understood as particularly vulnerable in this respect. Article 8 of the GDPR explicitly states: “In relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.”
The GDPR’s Impact on Edtech
For edtech companies, the GDPR may have implications, but a recently issued report by Emily G. Cramer, published by the International Association of Privacy Professionals, concludes that the impact of the GDPR’s new guidelines will, in fact, depend a great deal on whether the company in question is identified as a controller or a processor. As Cramer observes, “Any offer of ISS directly to a child must obtain parental consent.” Notably, ISS (information society service) refers to “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.” However, as Cramer further observes, it is the “sole responsibility of the controller to make reasonable efforts to verify consent,” so “This means that an EdTech company that provides an ISS as a service for an educational institution may not be held responsible for obtaining consent under Article 8; the key issue is whether the ISS is a controller or a processor.”
So, what’s the difference? By definition, the controller is a natural or legal person, public authority, agency or any other body that alone or with others makes decisions about the purposes and means of the processing of personal data. In short, this refers to any entity that holds personal information about someone (e.g., a school). The processor is also a natural or legal person, public authority, agency or any other body, but one that processes personal data on behalf of the controller (e.g., the company that a school is sharing information with in order to carry out a specific task). So, let’s say X Middle School contracts with Y Solutions to help it track student attendance. In this fictional scenario, X Middle School is the controller and Y Solutions is the processor. X Middle School, as the controller, would be obligated to make a reasonable effort to verify consent, but Y Solutions would not.
Edtech and the EU General Data Protection Regulation may not be foes, but there is cause for concern. First, data is a key part of edtech, especially at the research and development level. If institutional subscribers are able to provide less data on users, there may be a risk that the evolution of edtech platforms, which is frequently fueled by access to large data sets, slows down. Second, there is a risk that the edtech sector may experience a market slump as schools and universities choose not to renew subscriptions or pursue new ones at the same pace they have in the past, simply because the process of obtaining consent is too onerous. Only time will tell whether research and development, the market itself, or both are impacted by the GDPR’s new regulations. Given the increased focus on consent, data erasure and children’s specific privacy rights, however, it does seem likely that, especially in EU countries, edtech may experience at least a temporary bump in the road as the new regulations are implemented.