In less than three weeks, strict privacy regulations will go into effect for the European Union. And that’s forcing companies and colleges around the globe to reevaluate their data policies and practices.
For massive open online courses, which straddle colleges and universities and the private sector, expectations around compliance are murky.
The new law, known as the General Data Protection Regulation (GDPR), will require that any entity that processes personal data for E.U. residents honor the right of individuals to have their information removed. The law also requires that companies get explicit consent from users before sharing data, and includes many other data protections as well. Preparing for the regulation has been a dizzying experience for organizations across industries.
“The biggest challenge a lot [of entities] are facing is that they’re trying to implement for a law that isn't yet in effect, and is broadly written,” says Matthew Johnson, a lawyer with Cooley who focuses on higher education institutions and edtech companies.
Colleges and universities may fall subject to Europe’s strict privacy laws in a number of instances. For example, colleges will be governed by the rule when a faculty member working in the E.U. is interacting with a college’s learning management system, or when a prospective student in Europe applies for admission to a U.S. institution.
Many institutions are struggling to prepare for the upcoming regulations, Inside Higher Ed previously reported. And the issue gets even stickier for colleges hosting massive open online courses with outside learning platforms, which host free or low-cost digital courses for millions of learners around the globe.
MOOC provider Coursera, for example, claims to have 6.5 million learners in Europe. Across all geographies, Europe has one of the highest concentrations of MOOC users in the world. A study by Class Central, a review site for the free online courses, found that nearly 20 percent of its users were based in Europe. (U.S. users made up a third of survey respondents.)
“We have a significant number of European students in my course,” says Justin Dellinger, associate director of the LINK Research Lab at the University of Texas at Arlington, who teaches a MOOC on Learning Analytics Fundamentals on edX.
Both Dellinger and Johnson say that much of the responsibility for GDPR compliance will fall on the MOOC platforms, but that where that responsibility lies is still often unclear given the prevalence of student data-sharing with partnering institutions.
For their part, some MOOC providers have already taken steps toward compliance. A spokesperson for Coursera said in an email that the company is “overhauling its terms of use, privacy policies, and creating a new cookies policy to let learners know how we are using their data. This also meant introducing new product features including consent tracking, data portability, and the right to be forgotten.”
Coursera has already released updates to its terms of service addressing GDPR requirements. And when asked if the company plans to review instructor data-collection practices, the spokesperson said Coursera is “working closely with university partners to mutually take measures required for GDPR compliance.”
The GDPR will go into effect on May 25, and failure to comply could result in fines of 20 million euros or 4 percent of the entity’s global annual revenue, whichever is greater. But there’s a caveat: “Each supervisor authority that enforces this will determine what [consequence] should be applied,” explains Johnson. “A lot of provisions are open to interpretation.”
The question around interpretation has Dellinger wondering about the role of instructors like himself, who gather information on student support issues like technical challenges or grading in order to follow up later. And that kind of personal data, which the instructor gleans from his edX course, is stored locally on his personal device. It’s a common practice for online and in-person instructors, but the privacy regulations have Dellinger questioning what instructors in his position might need to do to comply.
Dellinger says he has reached out to edX, but as of May 1, the platform had not shared whether there were specific steps in place that the institution or instructor would need to follow in order to be compliant.
EdSurge also asked edX about its plans for data-sharing between institutions and instructors, and whether either has been notified about compliance plans or needs to take any steps. The nonprofit MOOC platform provided only broad plans for its privacy updates: “In preparation for GDPR, the privacy policy for the edX website is being updated to help ensure that learners understand the kinds of information that may be collected and how it may be used. The updates also clarify how learners can manage their data,” a spokesperson for edX wrote in an email.
The uncertainty raises another consideration around the GDPR’s “right to be forgotten” rule. If a student wishes to have their data removed from a MOOC platform, will the institution and instructor both be notified to have that information removed? At Coursera, it depends on the contract with the school. “Such requests are governed by data protection amendments we have signed with university partners,” the spokesperson said. “Removal of personal data will be handled in accordance with the data protection provisions and GDPR amendments, which specify the responsibilities of Coursera and the institutions.” Meanwhile, edX did not provide an answer to the particular question.
Some MOOC instructors are less concerned. “Basically this is up to Coursera, the company,” says Donald Patterson, an associate professor at UC Irvine who teaches a MOOC on Coursera. “I don’t manage any of the student’s info or progress.”
If you ask Johnson, some questions will only be answered in time. “We don't have an enforcement history to look back on,” he says. “A couple of years from now I think we will know a lot more.”