I. Introduction

Privacy is the newest frontier in cybersecurity. The European Union sparked the movement when the General Data Protection Regulation, or GDPR, took effect in 2018. Many other countries have followed suit since then, some of the more prominent being the United Kingdom, Canada, Australia, and (more recently) China.

Though the United States Congress has remained silent, states are filling that void. California led the way with the California Consumer Privacy Act, which took effect in 2020. That wave then spread across the country. Twelve other states now have broad, generally applicable privacy laws: Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia. Moreover, similar bills are currently pending in many other state legislatures.

Unlike previous security laws, which apply to a relatively small pool of personally identifiable information, or PII (e.g. Social Security, government identification, and financial account numbers), privacy laws encompass an expansive scope of personal information. These laws govern any information that either identifies, or can be linked to, an individual. Even an individual's name, email address or physical address alone is personal information governed by privacy laws.

Additionally, privacy laws apply extra-territorially. Thus, under certain circumstances, a school in one state that educates students from other states and foreign countries will be subject to the privacy laws adopted in those other domestic and international jurisdictions. Indeed, many schools have recently become concerned about the potential extra-territorial application to them of China's privacy law, the Personal Information Protection Law or PIPL.

Question: What are schools to do? Answer: Adopt a practical strategy for compliance with all of the privacy laws that apply or might apply now and in the foreseeable future.

The swirling currents of domestic and international privacy law can be confusing to chart. Section II of this article therefore explains the jurisdictional reach of these statutes. Rather than attempting to navigate that route case by case, however, the wiser course for schools is to adopt a strategy that complies with both domestic and international privacy laws. Accordingly, section III summarizes the content of those laws, and section IV outlines a compliance strategy for schools.

II. Applicability of Privacy Laws

Though the language of domestic and international privacy laws is not uniform, all of them apply to schools located in the states and countries that enacted them (intra-territorial jurisdiction) and, in certain circumstances, to schools located outside of those places (extra-territorial jurisdiction). Also, domestic laws contain threshold requirements and exclusions that are not present in international laws.

A. Intra-Territorial Jurisdiction

Privacy laws apply to schools that conduct business or engage in certain activities in the locality that adopted the law.[1] Thus, schools with a permanent campus in a place that has adopted a privacy law will be subject to at least that law.

However, intra-territorial jurisdiction can also reach schools that lack a permanent campus in such locations. While the laws lack specificity about the particular activities sufficient to establish such a presence, and while most of the laws are too young to have regulatory or judicial interpretations of that issue, there are some circumstances that would almost certainly subject schools to intra-territorial jurisdiction.[2] Examples include the following.

  • Maintaining a temporary campus or classroom in the state or country.
  • Operating consistent academic, extra-curricular, summer or other types of courses or trips in or to the state or country.
  • Employing a person who resides in the state or country, as long as the employee or school processes personal information related to the employee's activities in that place (e.g. a resident employee-recruiter of foreign applicants).[3]

Whether a school is subject to intra-territorial jurisdiction depends on a mixture of the quantity and quality of its activities and presence in that state or country.[4] Thus, if a school conducts some activities in a locality with a privacy law, it should conduct a fact-specific analysis to determine whether intra-territorial jurisdiction applies to it.

B. Extra-Territorial Jurisdiction

Privacy laws also apply to schools extra-territorially if they engage in certain activities related to individuals in those places. For example, many domestic laws apply if a school provides products or services "targeted" to residents of those states.[5] Other domestic laws, however, apply extra-territorially if schools merely provide products or services to their residents, regardless of whether the schools target them.[6] Thus, if read literally, schools will be subject to the privacy laws in this latter category if they accept applications from, enroll, or provide any other services to students from those states.

The language of international laws falls between the two categories of domestic laws: foreign laws apply to schools that process personal information outside of those countries for the purpose of offering or providing products or services to individuals in them.[7]

While privacy laws, again, lack specificity about the quantum of products or services that an organization must provide to individuals within those localities, there are some situations that would likely subject schools to extra-territorial jurisdiction. Examples include the following:

  • Providing consistent remote education to students in other states or countries.
  • Conducting routine in-person or virtual recruiting events for prospective students and families in other states or countries.
  • Hosting repeated in-person or virtual events for parents, alumni, donors or other constituents in other states or countries.[8]

It is less clear, however, whether certain other activities more incidental to a school's operations would subject it to extra-territorial jurisdiction.[9] Examples include the following.

  • Providing updates to parents in other states or countries about the performance of their students while at school.
  • Providing tuition, financial aid, billing, payment and other financial services to parents in other states or countries.
  • Soliciting donations and other support from parents, alumni, donors or other constituents in other states or countries.[10]

The jurisdictional contours of privacy laws are certainly subtle, arguably ambiguous, and potentially conflicting. Thus, instead of risking such uncertainty, the wiser decision for schools is to adopt a strategy that complies with these laws.

C. Thresholds and Exclusions of Domestic Laws

While a few domestic privacy laws have no threshold requirements,[11] most apply only to schools that process personal information about a certain number of residents of that state. The threshold amounts differ, from 35,000 to 175,000, with the most common being 100,000.[12] Each threshold counts only residents of that state, but every such resident about whom a school holds personal information counts. Since schools typically collect personal information about a broad spectrum of constituents (e.g. students, parents, siblings, other family members, alumni, donors, and trustees), and since schools typically have collected such information for many years and still retain it, schools can find that they satisfy these thresholds without expecting to.

In addition to threshold requirements, domestic privacy laws provide exclusions for certain organizations. One exclusion in most (though not all) domestic privacy laws that is potentially applicable to schools is for nonprofit organizations.[13]

However, schools seeking shelter in threshold requirements or exclusions should consider that other factors may justify or mandate compliance. For example, threshold requirements are inapplicable if intra-territorial jurisdiction exists, and will be unavailing if the state in which the school is located adopts a privacy law. Moreover, international laws lack threshold requirements and exclusions for nonprofits. Finally, and perhaps most importantly, influential constituents (particularly some parents, alumni, donors, and trustees) may care little for jurisdictional technicalities and insist that the school comply with privacy laws.


Footnotes

1. Domestic privacy laws typically apply to organizations that "conduct business" in the state. See Colo. Rev. Stat. § 6-1-1304(1)(a); Conn. Gen. Stat. § 42-516; Del. Code § 6-12D-103(a); Fla. Stat. § 501.703(1)(a); Ind. Code § 24-15-1(a); Iowa Code § 715D.2(1); Or. Rev. Stat. § 180.095-2(1); Mont. Code Ann. § 30-14-3; Tenn. Code Ann. § 47-18-3202; Tex. Bus. & Com. § 541.002(a)(1); Utah Code Ann. § 13-61-102(1)(a)(i); Va. Code Ann. § 59.1-576(A). See also Cal. Civ. Code § 1798.140(d)(1) (applies to entity that "does business" in California). European Union (EU or Union) and United Kingdom (UK) laws apply to "processing of personal data in the context of the activities of an establishment of a controller or processor in the [EU and UK]," and China's law applies to "processing of the personal information ... within ... China."

2. There is, however, one such guidance document adopted under GDPR, and judicial interpretations of GDPR and its predecessor. See Guidelines 3/2018 on the Territorial Scope of the GDPR (Article 3), Version 2.1 (Nov. 12, 2019) (Guideline). While regulations have been adopted under California law and proposed under Colorado law, those regulations do not address intra- or extra-territorial jurisdiction.

3. See Guideline, p. 6 ("in some circumstances, the presence of one single employee or agent of a non-EU entity in the Union may be sufficient to constitute a stable arrangement .... Conversely, when an employee is based in the EU but the processing is not being carried out in the context of the activities of the EU-based employee in the Union (i.e. processing related to activities of the controller outside the EU), the mere presence of an employee in the EU will not result in that processing falling within the scope of the GDPR. In other words, the mere presence of an employee in the EU is not as such sufficient to trigger the application of the GDPR, since for the processing in question to fall within the scope of the GDPR, it must also be carried out in the context of the activities of the EU-based employee.").

4. See Guideline, p. 6 ("to determine whether an entity based outside the Union has an establishment in a Member State, both the degree of stability of the arrangements and the effective exercise of activities in that Member State must be considered in light of the specific nature of the economic activities and the provision of services concerned.")

5. See Colo. Rev. Stat. § 6-1-1304(1)(a); Conn. Gen. Stat. § 42-516; Del. Code § 6-12D-103(a); Ind. Code § 24-15-1(a); Iowa Code § 715D.2(1); Mont. Code Ann. § 30-14-3; Utah Code Ann. § 13-61-102(1)(a)(ii); Va. Code Ann. § 59.1-576(A). But see Tenn. Code Ann. § 47-18-3202 (applies to organizations that "conduct business in [Tennessee] producing products or services that target [its] residents").

6. See Or. Rev. Stat. § 180.095-2(1); Fla. Stat. § 501.703(1); Tex. Bus. & Com. § 541.002(a)(1).

7. See GDPR Art. 3 § 2(a); PIPL Art. 3 § (I). These laws also apply to extra-territorial processing of personal information to monitor or analyze the behaviors or activities of individuals in those countries, but schools rarely if ever do so. See GDPR Art. 3 § 2(b); PIPL Art. 3 § (II). China's law also will apply extra-territorially to "other circumstances provided by laws and administrative regulations," though none exist to date. See PIPL Art. 3 § (III).

8. For example, the Guideline discusses a hypothetical Swiss university operating an online application process open to any individual proficient in German or English, without targeting residents of the EU or making distinctions for applications or acceptance of EU residents. See Guideline, Ex. 16 p. 19. In that situation, "without other factors to indicate the specific targeting of students in EU member states, it ... cannot be established that the processing in question relates to the offering of an educational service to data subjects in the Union, and such processing will therefore not be subject to" the extra-territorial application of GDPR. Id. By contrast, if that same university "also offers summer courses ... and specifically advertises this offer in German and Austrian universities in order to maximise [sic] the courses' attendance, ... there is a clear intention ... to offer such services to data subjects who are in the Union, and the GDPR will apply to the related processing activities." Id. (emphasis added).

9. See Guideline, p. 18 ("when goods or services are inadvertently or incidentally provided to a person on the territory of the Union, the related processing of personal data would not fall within the [extra-]territorial scope of the GDPR.")

10. For example, the Guideline discusses a hypothetical "private company based in Monaco [that] processes personal data of its employees [in France and Italy] for the purposes of salary payment." Guideline, Ex. 15, p. 18. Such activities would not subject that company to GDPR because, even though "the processing ... relates to data subjects in France and Italy, ... [it] does not relate to the offer of goods or services to data subjects in the Union ...." Id.

11. See Tex. Bus. & Com. § 541.002(a); Fla. Stat. § 501.703(1)(a).

12. See Cal. Civ. Code § 1798.140(d)(1)(B) (100,000 residents); Colo. Rev. Stat. § 6-1-1304(1)(a) (100,000 residents); Conn. Gen. Stat. § 42-516 (100,000 residents); Del. Code § 6-12D-103(a)(1) (35,000 residents); Ind. Code § 24-15-1(a) (100,000 residents); Iowa Code § 715D.2(1)(a) (100,000 residents); Or. Rev. Stat. § 180.095-2(1) (100,000 residents); Mont. Code Ann. § 30-14-3 (50,000 residents); Tenn. Code Ann. § 47-18-3202 (175,000 residents); Utah Code Ann. § 13-61-102(1)(c)(i) (100,000 residents); Va. Code Ann. § 59.1-576(A) (100,000 residents). California's privacy law also applies to any organization that does business in that state and generates at least $25,000,000 in annual revenue irrespective of the threshold, whereas Utah's law only applies to an organization if it meets the threshold and generates at least that amount in annual revenue. See Cal. Civ. Code § 1798.140(d)(1)(A); Utah Code Ann. § 13-61-102(1)(b).

13. See Cal. Civ. Code § 1798.140(d); Conn. Gen. Stat. § 42-517(a)(3); Fla. Stat. § 501.703(2)(d); Ind. Code § 24-15-1(b)(4); Iowa Code § 715D.2(2); Mont. Code Ann. § 30-14-4(b); Tenn. Code Ann. § 47-18-3210(a)(5); Tex. Bus. & Com. § 541.002(b)(4); Utah Code Ann. § 13-61-102(2)(d); Va. Code Ann. § 59.1-576(B)(iv). But see Colo. Rev. Stat. § 6-1-1304(1)(a) (contains no exclusion for nonprofits); Del. Code § 6-12D-103(a) (only excludes nonprofits' engagement in activities related to child abuse, domestic violence, human trafficking, sexual assault, violent felony, and insurance crimes); Or. Rev. Stat. § 180.095-2(2)(r) and (s)(C) (only excludes certain nonprofit activity related to radio or television broadcasting and preventing insurance crime).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.