As we head into the fifth year of EEA General Data Protection Regulation (GDPR) enforcement, XL Law & Consulting has tracked a total of 45 GDPR enforcement actions against educational institutions, producing some valuable takeaways for higher education institutions in the U.S. and worldwide.
Education Industry vs. Other Industries
Educational institutions remain a relatively small target of GDPR enforcement actions. The 45 actions against educational institutions represent just under 3% of the total GDPR enforcement actions tracked. Furthermore, enforcement actions against educational institutions have generally resulted in lower fines as compared to actions against organizations in other industries, with average fines of $32.6K and $1.8M, respectively. In some cases, penalties against educational institutions were significantly reduced expressly in consideration of the institutions’ non-profit educational missions.
While actions against educational institutions appear to be infrequent and, on average, result in relatively small penalties, some educational institutions have incurred substantial fines. The largest was a fine of $300,589 issued to a Norwegian K-12 public school district that self-reported a data breach stemming from an inadequately secured third-party software application.
Additionally, a private university in Italy incurred the second largest fine, $236,262, following a student’s complaint regarding the university’s requirement for students to use remote proctoring software in order to take exams remotely during the COVID-19 pandemic. The Italian data protection authority held the university accountable for multiple violations, including failure to fully and transparently inform students of how their personal data was being collected and processed; failure to obtain the students’ freely given consent; retention of personal data for longer than necessary; and unauthorized transfer of personal data to the United States.
Higher Education Institutions vs. Other Educational Institutions
Higher education and continuing education institutions appear to be at greater risk of enforcement compared to educational institutions below the post-secondary level. The number of actions against higher education and continuing education institutions alone is almost equal to the total number of actions against K-12 schools/districts, primary schools, junior high schools, and secondary schools combined.
Common Violations by Educational Institutions
Almost three-quarters of enforcement actions against educational institutions involved violations where the institution processed personal data without a sufficient legal basis or failed to implement adequate technical and organizational measures to ensure information security.
Insufficient Legal Basis Violations
Insufficient legal basis violations were most commonly incurred by institutions that published students’ or employees’ personal data for non-journalistic/expressive purposes without obtaining any consent. For example, a Spanish continuing education institution was fined $11,757 after it published online, for convenience purposes, the results of an application process, including applicants’ full names and application scores.
Such enforcement actions typically ensued after students or employees discovered that their personal data had been published online without their consent and exercised their rights to complain directly to supervisory authorities, or they demanded the institution to unpublish their personal data and did not have their demands fulfilled. While theoretically consent is not required to publish personal data if there is another applicable legal basis, in practice consent is usually required because there are very few situations where any other legal basis would allow an educational institution to publish students’ or employees’ personal data for purposes other than journalism or academic, artistic, or literary expression.
Insufficient IT Security Violations
Enforcement actions based on failure to implement adequate technical and organizational information security measures typically occurred after educational institutions experienced data breaches. Some data breaches were reported to supervisory authorities by affected individuals or third parties, but many data breaches were self-reported by educational institutions. Institutions that self-reported data breaches in a timely manner may have avoided additional penalties for failure to report in accordance with the GDPR, but the act of self-reporting did not shield them from substantial fines, some of which exceeded fines imposed on institutions that did not self-report.
Data breaches subject to enforcement actions varied widely in terms of the types of parties responsible and the types of systems affected. Such enforcement actions included external breaches where third-party bad actors gained unauthorized access to personal data held by educational institutions, as well as internal breaches where institutions inadvertently granted employees access to personal data that the employees should have been restricted from accessing. And while some data breach enforcement actions were brought against educational institutions whose own internal systems were breached, others were brought against institutions using third-party software applications that were breached, highlighting the importance of conducting thorough vendor due diligence in accordance with the GDPR.
Countries of Frequent Enforcement Against Educational Institutions
Of the 30 EEA countries that enforce the GDPR, just five countries are responsible for over 80% of the tracked enforcement actions against all types of educational institutions: Italy, Spain, Poland, Norway, and Greece.
When focusing exclusively on GDPR enforcement actions brought against higher education and continuing education institutions, Spain, Italy, and Poland remain the top three enforcement countries, responsible for over 65% of such enforcement actions.
Extraterritorial Enforcement Actions
So far, 100% of tracked GDPR enforcement actions against educational institutions have involved institutions that have one or more physical campuses or offices within the EEA country of enforcement. Furthermore, every such enforcement action has stemmed from violations that occurred in the context of activities that took place within the EEA country of enforcement.
Even though the GDPR also applies to institutions located exclusively outside the EEA insofar as they offer goods or services to people located within the EEA or monitor the behavior of people located in the EEA, we have not yet tracked any GDPR enforcement actions against educational institutions that have no physical campuses or offices within the EEA. However, one action was brought against a college in Greece that is owned and operated by a U.S. nonprofit corporation and accredited by the New England Commission of Higher Education. And a separate action was brought against a college located, owned, and operated in Greece, which has a longstanding cooperative education program with a U.S.-based university system.
Recommendations for U.S. Higher Education Institutions
Based on the trends we have identified from tracking GDPR enforcement actions against educational institutions, U.S. higher education institutions can significantly reduce their GDPR compliance risks by taking the following actions:
Document an appropriate legal basis for each of the institution’s processing activities that are subject to the GDPR, paying special attention to activities that usually require consent as a legal basis (e.g., publishing personal data).
Create or refine the institution’s processes for responding to individuals demanding to exercise GDPR rights, and fulfill each demand as quickly and completely as possible.
Implement globally recognized IT security standards, and regularly review the institution’s data privacy and security policies, procedures, and practices.
Conduct thorough vendor due diligence to ensure that vendors will provide adequate protection of any personal data the institution entrusts to them.
Before a data breach occurs, draft or refine the institution’s data breach policies and procedures to ensure that they appropriately address GDPR requirements and account for the risks associated with self-reporting a data breach or failing to self-report a data breach.
Prioritize compliance efforts by first focusing on personal data processing activities at the institution’s campuses or offices located within the EEA.