IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

What Does the GDPR Mean for Education Privacy in the U.S.?

Typically, CDE sticks to what happens in the U.S., but the European Union is working to address privacy in a unique way, that will have an impact on higher education.

What Is the GDPR?

Adopted in April 2016 and effective May 2018, the European Union released the General Data Protection Regulation (GDPR), which, according to its website, “replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy. The key articles of the GDPR, as well as information on its business impact, can be found throughout this site.”

How Is the GDPR Different from the Data Protection Directive 95/46/EC?

The EU is looking to harmonize data privacy laws across Europe by implementing key changes between the Data Protection Directive 95/46/EC and the GDPR.

First, the jurisdiction on the law expands vastly. According to the EU, the GDPR, “extends jurisdiction as it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location. Previously, territorial applicability of the directive was ambiguous and referred to data process ‘in context of an establishment’.” This topic has arisen in a number of high-profile court cases. GPDR makes its applicability very clear that it will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not.

An article published by Forbes clarifies what this means for processing data, stating, “To quickly summarize: Article 3 of the GDPR says that if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR. Two points of clarification. First, the law only applies if the data subjects, as the GDPR refers to consumers, are in the EU when the data is collected. This makes sense: EU laws apply in the EU. For EU citizens outside the EU when the data is collected, the GDPR would not apply.” The second point is that a financial transaction doesn’t have to take place for the extended scope of the law to kick in. If the organization just collects “personal data” — EU-speak for what we in the U.S. call personally identifiable information (PII) — as part of a marketing survey, then the data would have to be protected GDPR-style.

The GDPR also ups the ante on penalties. According to the national EU website on GDPR, “Under GDPR, organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements e.g.not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors -- meaning clouds’ will not be exempt from GDPR enforcement.” 

GDPR also updates and strengthens consent and points out that “companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form.” This would mean an end to the use of the long forms we now see online and typically accept without really reading or understanding what we are consenting to.

The GDPR also speaks to other changes in breach notification, right to access, right to be forgotten, data portability, privacy by design and data protection officers.

Who Will Enforce the GDPR?

The law will be enforced by supervisory authorities. According to the European Commission, “a ‘lead supervisory authority’ is the authority with the primary responsibility for dealing with a cross-border data processing activity, for example when a data subject makes a complaint about the processing of his or her personal data. The lead supervisory authority will coordinate any investigation, involving other ‘concerned’ supervisory authorities. Identifying the lead supervisory authority depends on determining the location of the controller’s ‘main establishment’ or ‘single establishment’ in the EU.”

What Does the GDPR Mean for Education?

Institutions of higher education will likely be more impacted than K-12, but that’s not to say that districts couldn’t ever engage with the EU and be subject to the newly updated law.

The GDPR makes clear that residents of the EU should not be denied any privacy protection regardless of where a business is physically located. This is big for anyone who has a website that solicits business globally, and also has implications for research. As higher education institutions look to do global studies, they must ensure that all practices are in compliance with the GDPR.

According to Educause, “The GDPR will most likely apply to U.S.-based organizations due to the broad language contained in the GDPR that focuses on where the data subject resides rather than where the organization is incorporated.”

The consent piece is also something universities that plan to conduct work on subjects residing in the EU must consider. Often, privacy wrap agreements are a boiler-plate used no matter where the user is engaging with a product. If a product or service is being used or subscribed to in the EU, a university must ensure that all the legalese is changed to common terms the user can easily understand.


We do have federal laws that govern privacy as a whole for this country. The Family Educational Rights and Privacy Act (FERPA) and the Education Sciences Reform Act (ESRA) are the two main governing laws we use. FERPA speaks more to use of data in the classroom while ESRA governs more of the research uses for data. Both of these laws have not been reauthorized for many years, and the field is mostly in agreement that they are out of date for the technologies and access to data we now have. We will continue to watch what happens in the EU with GDPR, as it may spur Congress to act on the laws we have, especially when data privacy applications are forced in the United States due to the changes in the EU.

What do you think about the GDPR? How might it impact your university, and how are you preparing for changes! Let us know what you think.