Law, Policy -- and IT?

Tracy Mitrano explores the intersection where higher education, the Internet and the world meet (and sometimes collide).


Implications of 'Schrems' Decision

A key privacy ruling.

October 24, 2015

The EU Court of Justice recently issued a landmark ruling in Maximillian Schrems v. Data Protection Commissioner. The decision invalidated the Safe Harbor agreement that had allowed the U.S. to handle personally identifiable information (PII) of EU citizens under less robust rules and practices than the EU requires. Now, any entity that holds PII of EU citizens must treat that information according to EU data protection law or face legal action in the EU that would jeopardize the EU assets of US companies. As the Yahoo v. France case demonstrated almost 20 years ago, even Internet giants take notice when faced with the potential loss of assets or a reduction in the size of their markets. The implications of this decision do not rest with US industry alone, however. It affects higher education, and higher education should embrace the Schrems decision with enthusiasm. The decision presents an opportunity to demonstrate the importance of privacy principles and practices to higher education's missions. It provides higher education leaders a mantle upon which they can demonstrate how those missions uphold citizenship and democracy in the United States.

As a general matter, the EU has "comprehensive" privacy laws that protect PII across categories of data sets. For example, protected PII includes medical and education records, subscriber services, and transactional websites that collect personal information. By contrast, the United States has "sectoral" privacy laws that protect whole data sets about an individual, such as medical or education records, but do not protect personally identifiable information as a data set in its own right. PII in the US is minimally protected. There is no federal law. At the latest count, 42 states have data breach notification laws. All of these states define PII very narrowly: a name plus very specific data elements such as a credit card number. None of these laws requires the proactive management of PII through fair information practices (notice, relevance, informed consent and security; see below), although many do allow encryption as a defense. There are some commonalities among those laws, but none is identical to any other. In some cases, Massachusetts and California for example, the laws contradict each other.

As a result of the Schrems decision and Safe Harbor's invalidation, entities holding PII of EU citizens are now required to treat that information according to EU law. The EU has a broader definition of PII. For example, it includes information that tracks people, such as Internet Protocol addresses. The entity must also adhere to fair information practices. These practices include:

  • Notice: Giving notice to the individual of the retention of that information.
  • Relevance: Describing the business purpose for which that information is used.
  • Informed Consent: Allowing the individual to consent actively and purposefully to the entity's retention and use of that information, as well as allowing the individual to correct any mistakes in the record.
  • Security: Detailing the administrative, technical and physical security used to protect the record, as well as providing the schedule for retention and destruction of the record.

Having worked with FERPA over the years, we are at least familiar with, if not already equipped to handle, the basics of these principles. Here is my prayer: since colleges and universities are required to do so for citizens of the EU, it would be beneficial if they handled the data of everyone in our community in the same manner.

As a practical matter, academic leadership, legal counsel and information privacy and security specialists should work together to determine how institutions should manage the PII of at least their EU constituents, particularly at institutions that identify as "international" and have campuses abroad. This management approach should cover applications, admissions and education records, in addition to PII from institutional research and data analytics, that is, information about individuals that is data-mined and recombined into economic, social, regional, geographic and academic (per SAT, GRE or other scores and grade point averages) determiners for any variety of advertising, marketing or evaluative study.

What are the public policy implications of the Schrems decision? In the wake of Safe Harbor's invalidation, now more than ever, there is a need for a new, consistent and harmonized manner in which U.S. entities treat personally identifiable information, not merely that of EU citizens, but that of people of all countries. New harmonized standards would enhance business processes and improve efficiency, which would ultimately help U.S. companies, as well as higher education institutions, be more competitive in the global marketplace.

Higher education institutions compete intensely for international talent: students, faculty and staff. If the United States wants to remain the global academic leader, it must also learn to play nicely with others. As the Snowden disclosures showed, the United States has much to learn about the meaning of fundamental human rights from nation-states that have been through the refiner's fire of malevolent regimes, regimes that used otherwise "benign" PII to hunt people down, confiscate their property, arrest them because of their ethnicity or religion, and send them to work and death camps. In this century, information has become more valuable, not less, than it was in the twentieth century. It is worth our while to understand that background without the assumption that "it could never happen here" or the notion that the US is so exceptional that it transcends both history and human nature.

U.S. constitutional law and the U.N. Declaration of Human Rights deem privacy a fundamental human right. These statements act in concert with our foundational notions of democracy and citizenship. Similarly, privacy is an essential component of higher education institutions' missions, central to the critical thinking, free speech and expansive inquiry which, in turn, inform teaching, research and public service. The invalidation of the Safe Harbor agreement presents an opportunity to put privacy first and strengthen the protections afforded to individuals in the EU, the U.S. and across the world. Higher education institutions should embrace this decision and its implications, not only as a matter of compliance for EU citizens and their own EU assets, but for all constituents and, most important, to take our turn holding up an essential principle of human rights.
