New EU Data Protection Law to Impact US Institutions

In April 2016, the European Parliament adopted the General Data Protection Regulation (GDPR), which specifies how consumer data of citizens in the European Union (EU) should be used and protected. The regulation, effective May 2018, has been the source of much confusion for U.S. colleges and universities, particularly with regard to whether it applies to institutions outside of the EU, reported Inside Higher Ed.

The new law results from the need to protect the data and privacy rights of individuals as highly sensitive personal information about students, employees, and others becomes increasingly digitized. It applies to all institutions involved in processing data about citizens in the EU, regardless of whether the organization is located within the EU. As such, the GDPR would almost certainly apply to all U.S. higher education institutions. Failure to comply could lead to fines of up to 4 percent of global turnover or €20 million, whichever is higher.

The regulation represents a significant expansion of protection for the personal data of EU residents, explained Gian Franco Borio, a lawyer who spoke last week at an Educause session on the new law. Unlike the previous EU Data Protection Directive, the GDPR will apply not only to organizations with a physical presence in the EU, but also to any organization worldwide that processes the personal information of EU residents.

Many U.S. institutions have physical outposts in Europe, but even those that do not will need to look carefully at the new rules because they interact with faculty, students or prospective students based in the EU, said Borio. Any institution that receives admissions applications from residents of the EU will need to process their data according to the stipulations of the GDPR. Additionally, European study abroad programs will certainly be affected. So too will information on alumni or donors based in the EU, Borio continued.

The definition of data protected under the GDPR is broader than that of U.S. federal data protection law under the Family Educational Rights and Privacy Act (FERPA), said speakers at the session, Inside Higher Ed reported. In addition to protecting students' names and addresses, institutions will now also need to protect individuals' IP addresses. Under the GDPR, any unique identifiers assigned to students or their electronic devices by institutions, such as in the admissions process, will also need to be protected.

Additionally, among other requirements, the law requires that data breaches be reported to the relevant European national authorities within 72 hours.

AACRAO is hosting a series of webinars on the GDPR. The first webinar, Building Awareness of the EU's General Data Protection Regulation (GDPR), provides an overview of the regulation and discusses a range of implementation concerns. The second in the series, GDPR: A Legal Interpretation for Higher Education, will take place on Tuesday, November 14 from 2-3 p.m. ET. It will examine various legal interpretations of the regulation and provide insight into the affected university systems relevant to AACRAO members.

For additional information on the GDPR and its implementation, see the related coverage at Inside Higher Ed.