Edtech and the EU General Data Protection Regulation

If you’ve opened your inbox recently, you likely already know about the EU’s General Data Protection Regulation, which came into effect on May 25, 2018.  Under the legislation, both EU companies and those located abroad that do business in the EU will become obligated to disclose how they are handling individual’s private data. For edtech companies, the impact of the EU’s new General Data Protection Regulation may have far-reaching consequences, but ultimately, data protection falls on those institutions that contract edtech companies and not the edtech companies themselves. This article offers an overview of edtech and the EU General Data Protection Regulation.

The EU General Data Protection Regulation (GDPR)

In a nutshell, the EU General Data Protection Regulation replaces the existing Data Protection Directive that was already in place in Europe. As stated in the EU’s GDPR information portal, there are three key changes that hold the potential to impact educators and the edtech sector.

First, the GDPR strengthens the existing regulation’s language concerning consent. Second, the GDPR introduces specific language protecting the data subject’s “right to be forgotten.” In other words, the legislation makes it easier to request that information that is no longer relevant be reindexed. Finally, the GDPR recognizes that children and even adolescents may require special protections.

The GDPR’s Impact on Edtech

For edtech companies, the EU General Data Protection regulations may have implications, but a recently issued report by Emily G. Cramer published by the International Association of Privacy Professional concludes that the impact of the GDPR’s new guidelines will, in fact, depend a great deal on whether or not the company in question is identified as a controller or processor. As Cramer observes, “Any offer of ISS directly to a child must obtain parental consent.” Notably, ISS refers to “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.” However, as Cramer further observes, it is the “sole responsibility of the controller to make reasonable efforts to verify consent” so, “This means that an EdTech company that provides an ISS as a service for an educational institution may not be held responsible for obtaining consent under Article 8; the key issue is whether the ISS is a controller or a processor.”

So, what’s the difference? By definition, the controller is a natural or legal person, public authority, agency or any other other body that alone or with others makes decisions about the purposes and means of the processing of personal data. In short, this refers to any entity that holds personal information about someone (e.g., a school). The processor is also a natural or legal person, public authority, agency or any other body that processes personal data on behalf of the controller. In short, this refers to any entity that processes personal data on behalf of a controller (e.g., the company that a school is sharing information with in order to carry out a specific task).  So, let’s say X Middle School contracts with Y Solutions to help it track student attendance. In this fictional scenario, X Middle School is the controller but Y Solutions is the processor, so X Middle School, the controller, would be obligated to make a reasonable effort to verify consent, but Y Solutions would not.

Edtech and the EU General Data Protection Regulation may not be foes, but there is cause for concern.  First, data is a key part of edtech, especially on a research and development level. If institutional subscribers are able to provide less data on users, there may be a risk that the evolution of edtech platforms, which are frequently fueled by access to large data sets, slows down. Second, there is a risk that the edtech sector may experience a market slump as schools and universities choose not to renew subscriptions or pursue new ones at the same pace they have in the past simply because the process of obtaining consent is too onerous. While only time will tell if either research and development and/or the market itself are impacted by the GDPR’s new regulations, given the increased focus on consent, data erasure and children’s specific privacy rights, it does seem likely that especially in EU countries, edtech may experience at least a temporary bump in the road as the new regulations are implemented.