New digital privacy regulations will go into effect in Europe on May 25, and in order to avoid fines and protect students, Penn will be taking steps to comply with these changes. The University will join many United States-based companies and schools by complying with the new General Data Protection Regulation.
The change that will be going into effect in May is the expansion of these pre-existing rules to apply to entities outside of the European Union. "Unlike the previous E.U. Data Protection Directive, the GDPR will apply not only to organizations with a physical presence in the E.U., but also to any organization worldwide that processes the personal information of E.U. residents," Inside Higher Ed reported.
The GDPR requires all data hosted in the E.U. to be regulated by the law's protections, which aim "to protect all E.U. citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established."
This 1995 directive was adopted by the E.U. in order to protect and regulate the processing of personal information and is focused on making personal information more secure and increasing accountability when it comes to processing information.
While Penn students who neither live in nor travel to Europe may not be impacted by these policies, Penn is required to implement them because it is liable for the data used by students who will travel to those places. American businesses and schools that do not comply could be fined up to $23 million.
According to Penn Law School professor Christopher Yoo, all data stored by Penn students or faculty in the E.U. after the GDPR is enacted will be subject to its policies.
“If Penn students are traveling in Europe and generate data about personal information about themselves, it will probably be subject to the GDPR,” Yoo said.
This means that any time a student sends an email through their Penn email account or logs onto Canvas or Penn InTouch while in Europe, Penn will be responsible for making sure this data transfer complies with the GDPR.
Engineering and College junior Ming Zhang, who is studying in France this semester, said he uses both his email and Penn InTouch while abroad. Zhang said he hadn’t been made aware of these changes, which will come into effect after he leaves.
Scott Schafer, the University privacy and institutional compliance officer, wrote in an email to The Daily Pennsylvanian that Penn will be “developing a strategy for compliance that involves appropriate stakeholders from across different sectors of the University.”
“Data mapping, documenting data processing activities, and review of privacy notices and policies are key components to identifying what processes will be implemented as part of Penn’s GDPR compliance strategy,” Schafer wrote.
The GDPR creates protections around several types of digital information. The requirement that all digital data of residents of the E.U. is processed in compliance with the GDPR, no matter where the information is being processed, is one of the more substantial changes the new regulations will bring. Another new policy makes it possible for organizations not in compliance with these regulations to be fined "up to 4 [percent] of annual global turnover or €20 Million (whichever is greater)."
These policies also require greater conditions for consent, which make it more difficult for companies to manipulate users with confusing language. In addition, all data will be subject to greater protections, and those who have personal data hosted in the E.U. will have greater rights to any digitally stored data about them.
Director of Penn Global Nigel Cossar wrote in an email to the DP that Penn Global will “comply with any regulations as we are advised by the Office of General Counsel, Privacy, or any other authoritative entity at Penn as it relates to our global programs.”
“Where we have study abroad and exchange agreements in place for our students in Europe, these will continue to be reviewed and amended on the advice of these entities to ensure that we are in compliance with [U.S.] and international laws,” Cossar wrote.