University System of Maryland and co-editor of the International Journal of Innovations in Online Education,
State-by-state legislation following the European Union's General Data Protection Regulation (GDPR) is creating an impossible compliance environment for online education.
KEY WORDS: privacy, legislation
In an Editor's Note to IJOIE (vol. 2, issue 1, 2018) I asked, “What Is GDPR and Why Should You Care?” The focus of that note was the then near arrival of the European Union's General Data Protection Regulation (GDPR). The message for the online education community was that if one has European residents in online courses or European faculty teaching online courses, then this regulation will apply to you after May 25, 2018. From my experience with online courses offered by University System of Maryland institutions, where I am the system CIO, some institutions had substantial risk exposure and many did not. Those with GDPR exposure undertook serious policymaking and implementation to comply with GDPR, and the others took a watch-and-wait attitude.
The main difference between the GDPR perspective and the traditional Personal Data Privacy Protection common in the United States was that enterprises in the US typically had responsibilities to protect personally identifiable information (PII) and to inform individuals if that protection is breached. GDPR, however, is based on the European view that control over PII is a personal right, and individuals have a wide range of legal expectations regarding the collection, processing, maintenance, sharing, and protection of PII held by enterprises.
This Editor's Note is an update on legislation in the US based on the GDPR perspective. Since GDPR has now been in force for over two years, this note will not try to reiterate all of the terms of that regulation. That said, with the continuing cases of misuse of PII by enterprises large and small in the US, there has been a plethora of legislative initiatives with GDPR-like underpinnings. While there have been discussions at the federal level, there seems to be little confidence that federal personal privacy legislation will occur in the near future. Given this legal vacuum, states have taken the initiative to develop state-level personal privacy protections—most with the GDPR orientation. As of October 15, 2019, seventeen states had introduced such legislation, three had signed it into law, and six had postponed further consideration.† There has been wide variation in applicability as well as components of consumer rights and enterprise obligations. For example, the California Consumer Privacy Act applies to relatively large businesses and exempts public and nonprofit entities. However, in the 2020 legislative session, Maryland passed the Maryland Higher Education Data Privacy Act, which specifically introduces GDPR-like expectations for public higher education in the state. The article referenced in the footnote gives a synopsis of the rights and obligations articulated in the various state bills.
The intent of this Editor's Note is not to delve into personal privacy law but to alert the online learning community of the patchwork of state-by-state laws that is emerging and the absence of any overarching federal law that will make sense of the obligations of those who provide services. To reiterate—these laws give rights to individual citizens of a state and obligations to those, such as online education providers, who hold personal information of such citizens.
Thus, if an institution has a course with students from multiple states, each of those students has a legal expectation that the personal information related to that course will be managed according to the personal privacy law of his/her state. Additionally, this expectation will continue for as long as the institution continues to hold that information. If one thought that the confusion related to interstate certification of postsecondary distance education, which resulted in the State Authorization Reciprocity Agreement (SARA) framework, was challenging, this is potentially many times more difficult and is only getting worse as states introduce additional personal privacy consumer protection legislation.
Unfortunately, this Editor's Note can only describe the problem and not offer any solutions. That said, online education is not the only activity with this problem. One thing that institutions can do is to educate government relations staff and have them join the chorus for a national solution to this emerging chaos.