The European Union’s General Data Protection Regulation (GDPR): Overview and Guidance SUNY Office of General Counsel Spring 2019.


EU GDPR
The General Data Protection Regulation (GDPR) was adopted by the European Commission in order to strengthen and unify data protection for all individuals within the European Economic Area. The UK passed the new UK Data Protection Act 2018, which effectively mirrors the GDPR for the purposes of our discussion.
The GDPR:
- Primarily deals with the processing of personal data;
- Extends jurisdiction with extra-territorial applicability;
- Provides for penalties for non-compliance;
- Establishes stronger conditions for seeking informed, explicit consent;
- Provides additional rights for data subjects, including mandatory data breach notification and data erasure ("right to be forgotten").

EU GDPR
It came into effect on May 25, 2018 and applies in the European Economic Area ("EEA"), which includes the EU member states plus Iceland, Liechtenstein and Norway.

EU GDPR
Generally, two types of personal information:
- Personal Data: personally identifiable information, which mirrors that covered under FERPA
- Special Category Personal Data (Sensitive): race, ethnicity, political affiliation, religious beliefs, sexual orientation, sexual activities, genetic or biometric data processed to uniquely identify a person

General Personal Data
Entities must have at least one of six legal bases for processing personal data:
- Consent
- Contract
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
(Article 6(1) of the GDPR)

Special Category Personal Data
Entities must have a valid legal basis and an approved specific justification for processing this data, including, without limitation:
- Explicit consent of the individual
- Necessary for archiving in the public interest, or for scientific, historical or statistical purposes
- Data made public by the individual (e.g., social media)
- Public interest in the area of public health
(Article 9(2) of the GDPR)

EU GDPR
GDPR applies distinct requirements to two groups of entities:
- A controller is an entity that, alone or jointly with others, determines the purposes and means of processing personal data.
- A processor is an entity that processes personal data on behalf of the controller.

When is GDPR Triggered
Three primary ways personal data is gathered:
1. Information transmitted from the EU to the US institution (e.g., an application for admission)
2. Information gathered from an EU resident while at SUNY (student or employee)
3. Information transmitted from the EU to the US institution after termination of association with the US institution (e.g., alumni data)
Generally, buckets 1 and 3 are covered by GDPR but bucket 2 is not (unless data bleeds over into bucket 3).

When is GDPR Triggered
It also applies if the institution is monitoring behavior occurring within the EEA:
- Study abroad by SUNY students
- Employees that do research, etc.
SUNY created a waiver for students to sign when they study abroad so that program directors and/or faculty members can share information with the campus.

EU GDPR
GDPR only applies to those in the EU and to data we collect from those individuals while they are within the EU. That narrows the field to applicants and applicant data (students and employees), our students who study abroad in the EU, and SUNY employees who work in the EU. For student applicants in the EU, we have a legitimate basis to ask for most of the data and therefore do not need their affirmative consent to collect it. However, there is certain data we ask for on the student application that is considered sensitive information where we do need consent: race and ethnicity. Ask for affirmative consent. If they don't give us consent, we will not collect that data.

Withdrawal/Right to be Forgotten
For the right to be forgotten, if there is a legitimate EU business purpose to keep the data, campuses do not have to honor the request. For sensitive information, we must honor a withdrawal of consent, with limited exceptions.

Penalties for Non-Compliance
Maximum: 20 million euros or 4% of annual turnover, whichever is greater ($22.46 million US dollars). For example, Hilton was fined $700,000 for a data breach that exposed the information of 350,000 cardholders. Hilton's annual global turnover for the previous year was $10.5 billion, so under the harshest fine the company could have been fined a maximum of $420 million for the breach, or $1,200 per person affected.

Penalties for Non-Compliance
Maximum: 20 million euros or 4% of annual turnover, whichever is greater ($22.46 million US dollars). Google was fined 50 million euros, or about $57 million, for not properly disclosing to users how data is collected across its services, including its search engine, Google Maps and YouTube, to present personalized advertisements.

GDPR & RESEARCH
The GDPR may be applicable to a range of research activities:
- Acting as a sponsor of research occurring in EEA member states;
- Serving as the core data facility or lead site for a multi-national research study with EEA-based sites;
- Conducting research in the US in which participant data are transmitted to sponsors, servers, or data core facilities in the EEA; and
- Research studies that collect data online from EEA residents.

GDPR & RESEARCH
Pseudonymized Data
Definition: de-identified data where a data key is also created that could be used to re-identify the data.
- Under the GDPR, this data is considered identifiable personal data and therefore remains subject to GDPR protections.
- This is true even if the data holder does not have access to the key needed to link the data to the subject's identity.
- This contradicts the position under many US research and privacy laws, such as the Common Rule and HIPAA.

GDPR & RESEARCH
GDPR does not apply in the following instances:
- No collection of personal data from individuals within the EEA;
- Studies that do not collect information that is linked to a subject's identity, such as anonymous survey-based studies in which the identities of participants cannot be traced to the individual;
- Data that has been completely anonymized, with no key to re-identify the data (traditional de-identification is not enough).
*Note: the Research slides are taken from a presentation by AAHRPP in October 2019; reproduction is prohibited.

SUNY and GDPR
Already Occurred:
- Consent for sharing of information by SUNY students participating in Study Abroad
- GDPR-compliant Privacy Notice for campus adaptation
Coming Soon:
- Expansion of GDPR coverage in data breach insurance
- Joint SUNY/RF OGC guidance for researchers
- Additional contract terms for GDPR obligations between parties
For contracts, we are working to find standard contract language. Many vendors are trying to push GDPR obligations on us, but we are pushing back for the time being. Our position is that we have security programs in place which protect all information we store, and we will comply with GDPR as applicable.

Questions?