Category Archives: Privacy Law

Minimizing the Risks of GDPR for U.S. Academic Institutions

Contributed by Jacqueline Lentini McCullough, December 10, 2019


After the implementation of the General Data Protection Regulation (GDPR) in May 2018, U.S. academic institutions continue to grapple with compliance issues. Institutions must address areas where there is exposure to risk and train their employees to minimize that exposure.

One area of risk is the flow of data. Who on campus is the gatekeeper for the data? Many universities will have appointed a Data Protection Officer (DPO), which Article 37 of the GDPR requires of a controller or processor whose core activities involve large-scale monitoring of data subjects or large-scale processing of special categories of data. Other campus GDPR actors may include University Counsel, Information Technology Officers, Information Security Officers, Human Resources, Admissions, Financial Aid, Research, International Programs, Online Education and others specific to an institution. All of these employees must therefore be well versed in the rules and consequences of the GDPR.

A second area of risk is third-party vendors processing data. With more than one entity touching personal data, it may be difficult to ascertain which is the controller responsible for the processing and which is merely a processor acting on the controller's instructions. For example, a foreign national consents to personal data being processed in the U.S. However, some of the data processed by the U.S. institution may be transferred to and stored in another non-EU country, an onward transfer that the original consent may not cover. Vendor negotiations, contracts and agreements are critical in this regard: Article 28 of the GDPR requires a written contract with each processor, and that contract should spell out where the data may be stored, when it must be deleted, and how the vendor reports a breach to the institution.

The GDPR's territorial scope reaches U.S. institutions, and not only those with campuses in the European Union (EU) for study abroad: an institution is covered when it has an establishment in the EU, and also, under the Regulation's extraterritorial provisions, when it offers services to or monitors the behavior of individuals who are in the EU. Additional documentation is required for student travel to the EU depending on where the personal data is stored, and separate acknowledgements are necessary for photos and video recording. A U.S. institution with EU students within the EU must also comply with the GDPR.

Yet another area of risk is the GDPR's Article 17, which gives EU data subjects the “right to be forgotten.” In other words, they can request erasure of stored personal data “without undue delay,” which may be problematic for institutions. Relevant U.S. federal or state laws may require records to be retained and so prohibit immediate deletion of such data; for universities, those domestic retention obligations take precedence, and the institution should document the legal basis for any refusal or delay when it answers the request. There is also a growing threat from fraudulent data requestors. Suspicious GDPR data requests often use a generic template and must be evaluated individually to determine whether the inquiry is legitimate; Article 12 of the GDPR permits a controller with reasonable doubts about the requester's identity to ask for additional information before acting. In the end, making sure your institution has the right structure in place to respond to data requests is critical. Disclosing a person's records to an impostor who submitted a convincing request is itself a data breach (unauthorized access that you allowed), so an institution may suffer a compromise simply by not having the requisite protocols in place to verify that an inquiry is legitimate.

Substantial GDPR fines have been assessed against EU companies across a wide range of industries, but few as of the date of this publication in the area of higher education. Enforcement highlights include: Google (France, about $57 million), British Airways (the U.K. regulator's announced intention, before Brexit, to fine roughly $230 million), Unicredit Bank S.A. (Romania, over $143,000), and a medical-sector controller (Austria, over $60,000).

The GDPR and other privacy laws are still evolving. On January 1, 2020, the California Consumer Privacy Act (CCPA), coined “GDPR Lite” and detailed in a recent article by my colleagues, takes effect. It will be one of the most sweeping data collection regulations in the U.S., reaching businesses nationwide that collect California residents' personal information and meet the statute's size or volume thresholds.

Illinois Employer Faces Class Action for Using Fingerprints to Track Attendance

Contributed by Suzanne Newcomb, October 5, 2017


Technology allowing employers to use biometric data tools to track attendance and maintain worksite security abounds. Purveyors hype the advanced technology’s ability to accurately validate time entries, eliminate fraud, and better control access to the workplace or to sensitive areas within the workplace. If these systems are so readily available, it must be legal for employers to use them, right? As with seemingly everything involving HR and the workplace, it depends.

Last week, a group of Chicago-area employees filed a class action suit, alleging their employer’s use of worker fingerprints for time-tracking purposes violates the state’s biometric information privacy law. Specifically, the employees claimed that their employer failed to:

  • Properly inform them in writing of the specific purpose for which their fingerprints were being collected and the length of time their fingerprints would be stored and used;
  • Provide a publicly available retention schedule and guidelines for permanently destroying their fingerprints; and
  • Obtain their written consent before obtaining fingerprints.

In 2008, Illinois became the first state to explicitly regulate the use of “biometric identifiers” which it defines as a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry and their derivatives, regardless of how that information is captured, converted, stored, or shared. 740 ILCS 14/10. The Illinois Biometric Information Privacy Act (BIPA) applies broadly to any individual or entity other than the government, and therefore encompasses all private-sector employers operating within the state.

Illinois Biometrics Legislation Sets Trend

Until recently, Illinois and Texas were the only states with laws addressing biometrics. However, a new wave of high-exposure litigation under BIPA has had an impact on other states’ decisions to introduce legislation on the matter. Many states, including Illinois, have data breach notification laws that cover biometric information, as well as other sensitive personal information.

Employers operating exclusively in jurisdictions that have not specifically regulated the use of biometric information could still face breach-of-privacy or negligence claims if their employees' biometric information is compromised.

Tips for Employers

Due to the growing number of data breaches, employers are encouraged to ensure they have protocols in place to safeguard all of the personal information they possess, particularly biometric information.

Whether you are thinking about adopting and using biometric data or have already implemented this technology, it is vital that employers take the following steps before collecting any biometric data to ensure their use complies with the growing regulation in this area:

  1. Assemble a team of experienced legal, cyber-security, and data-breach experts prior to selecting or implementing any technology that uses biometrics. Involve this team in vetting potential vendors, negotiating the terms of vendor contracts, and developing protocols.
  2. Carefully draft policies and procedures to safeguard and properly destroy biometric information, as well as protocols in case of a breach. Ensure those policies, procedures, and protocols (and those of your outside vendors) comply with all applicable laws, including notice and disclosure requirements.
  3. Clearly disclose to your employees, in writing, your intent to collect and use biometric information, the ways the information will be used, the means by which the information will be collected, maintained, and eventually destroyed, as well as the safeguards the company has put in place to secure this information.
  4. Obtain each employee’s informed written consent prior to collecting any biometric information. Consider good-faith objections and requests for accommodation, and analyze and address those requests in accordance with all applicable laws.
  5. Continue to monitor changing federal, state and local regulations in this area.