If you manage learner data, ensuring privacy is a major concern. You’ve probably implemented physical protections, like backup systems and passcodes to enter data storage areas. You likely also use encryption, user authentication, and VPN access. But these protections are not enough if you’re storing your data in the wrong place. The best technical and physical security features only go so far to protect learner data.
Different parts of the world have regional data privacy guideline. Your choice of data storage location could have a profound impact on learner privacy, so you need to choose the right region, country, or province. Whether you’re deciding the location for hosting your own data or you are evaluating a technology vendor, it’s important to understand what privacy laws will protect it. Ultimately, it’s your reputation on the line if inadequate security measures compromise user data.
Storing data in the European Union is the obvious option for anyone who wants the most stringent data privacy protections. The General Data Protection Regulation (GDPR) is the current gold standard of data privacy. Every member state of the union is subject to these guidelines, which went into effect in 2018.
At the time of their drafting, the new privacy guidelines were several degrees of magnitude stronger than everything that came before. They still represent the most stringent data privacy laws in the world today.
The GDPR includes the following rights:
- Right to consent – users must give explicit permission for their data to be stored
- Right to portability – users can transport or move their data
- Right to disclosure – organizations must tell users how data is being used
- Right to erasure – organizations must erase data if the user requests them to
- Right of access – users can see the data related to them
- Right to rectification – users can correct incorrect information
- Right to restrict processing – users can ask that the data be stored but not used
- Right to object – users can prevent their data from being used for specific purposes, including direct marketing
In addition to this extensive list of rights, GDPR created guidelines about how data could be used in automated decision-making. For example, online pre-approval of a loan where no human is involved. Using data for this process requires specific consent and a way for the individual to challenge the result of the automated process.
The Broad Scope of GDPR
Previous privacy laws applied only to businesses based in the EU. GDPR changed that. Under its guidelines, any organization that processes the personal data of EU citizens is subject to its regulations. That includes non-profits, individual users, and international companies. In short, if you process any kind of data you are subject to GDPR, it doesn’t matter what type of entity you are.
Not only does GDPR apply to the broadest range of entities, but it also protects the widest range of data. Everything from marital status and race to political opinions and health and genetic data is covered. Both Canada and parts of the United States have crafted regulations that reach toward, but don’t quite achieve the scope of GDPR.
If you plan to do any sort of business in the EU, storing your data there makes sense. Data storage providers in that region have the most practice with GDPR compliance, so you’re less likely to run afoul of those guidelines. Plus, your data will be protected by the world’s most comprehensive privacy laws.
Even if you’re not doing business in the EU, it might still make sense to store your data with a service provider there. Having the strongest protection is always a good idea.
US Data Privacy Guidelines
At first glance, you might think it makes sense to store your data in the United States. The U.S. is a technology hub with many well-known hosting companies and tech industry leaders. Price and service-level considerations might make the U.S. seem like an attractive place to store data. However, a deeper look may reveal some uncomfortable truths about U.S. data privacy regulations.
First, the United States has not yet passed a national data privacy law. Instead, privacy guidelines vary by state. So if some of your data is stored in California and some in Virginia, you might get two different levels of protection.
And it gets worse. So far, only three states have signed comprehensive data privacy laws: California, Nevada, and Maine. An additional nine states are reviewing proposed legislation in committee. Meanwhile, Texas, Louisiana, and Hawaii have chosen not to create a comprehensive bill. Instead, they’ve assigned task forces to investigate privacy concerns on a case-by-case basis.
U.S. firms are increasingly aware of these privacy issues and may allow non-US clients to store their data outside the U.S.
California Consumer Privacy Act
Among the three states that have comprehensive consumer privacy regulations, California’s are the strongest. They most closely resemble the standard set by the European GDPR.
The California Consumer Privacy Act passed in 2018 and went into effect in January 2020. It included the following rights:
- Right of access
- Right of deletion
- Right of portability
- Right of opt-Out
Under CCPA, businesses must provide notice of how they’ll collect and use data. Similar to the GDPR guidelines, California’s privacy regulations apply to any business that stores the data of California residents, even if the business is located outside of California.
Also in 2020, California passed Proposition 24, which expanded and amended the CCPA. The new guidelines gave consumers the right to:
- Prevent businesses from sharing their personal information for marketing or advertising purposes
- Limit the use of their sensitive personal information
- Correct inaccuracies in the personal information
It also prohibited businesses from retaining information for “longer than reasonably necessary” and changed some of the enforcement criteria for the law. These expanded regulations will go into effect in 2023. If you do want to store your data in the United States, California might be your best option for now.
The Patriot Act and Data Privacy
The data privacy laws of individual states protect data from misuse by businesses. Yet they don’t apply to the federal government. Passed in response to the terrorist attacks of September 11, 2001, the Patriot Act included some provisions that worry privacy advocates.
Under the Patriot Act, the guidelines around when and how the federal government could access email and browsing data were fairly broad. Subpoenas could have allowed the government to access credit card and bank account numbers. Internet service providers were empowered to disclose private customer information to assist in criminal investigations.
Parts of the Patriot Act expired in 2005, but most were reauthorized the same year. It expired again in 2020. After a series of deliberations, the House of Representatives postponed their vote. For now, the Patriot Act has expired. However, lawmakers could still resurrect it, or draft something similar. Anyone storing their data in the United States should continue to monitor the situation.
Canadian Data Privacy Laws
Unlike the United States, Canada does have consumer data privacy laws at the federal level. That means data stored in Canada is equally protected regardless of the province where it is stored.
While some provinces have their own data privacy laws, these must be “substantially similar” to the national Personal Information Protection and Electronic Documents Act (PIPEDA) regulations. PIPEDA went into effect in April 2000.
It applies to any private sector organization that collects, uses, or discloses data related to any kind of commercial activity. So if you buy, sell, or lease products or services, collect dues for membership or raise funds, you are likely subject to PIPEDA.
The law details 10 fair information principles to guide the collection, storage, use, and destruction of personally identifiable information. A few of these are:
- Identifying how the data being collected will be used
- Limiting data collection to the essentials necessary for that purpose
- Retaining data only as long as it is needed
- Protecting data with appropriate safeguards
Consumer Privacy Protect Act Under Consideration
Although PIPEDA already goes a long way toward protecting user privacy, Canada is considering an updated privacy act. The Consumer Privacy Protection Act (CPPA) will come up for a vote sometime in 2021. If it passes, Canada’s privacy laws will be among the strongest in the world, rivaling GDPR.
CPPA includes the following rights:
- Right to erasure
- Right to transfer
- Right of action – individuals can bring suit for privacy violations
It also introduces enhanced enforcement and oversight, increases monetary penalties for non-compliance, and requires organizations to maintain a privacy management program.
Whether the CPPA bill passes or not, it seems clear that Canada is taking privacy protection seriously. These regulations are good news for all organizations that store data because they hold service providers responsible for providing adequate protection.
Who Bears Responsibility for compliance?
You do. Under all privacy guidelines, the responsibility for ensuring that privacy guidelines are met rests on both the data controller and the data processor. Whether you collect learner data directly or hire a training or testing firm to do so on your behalf, privacy is your responsibility. Fail to protect learner privacy and you could be subject to fines and other penalties.
Maximum fines under regional privacy guidelines:
- GDPR – €10 million or up to 2% of the firms worldwide annual revenue for less serious infringements, the more serious infringements carry a penalty of up to €20 million or 4% of worldwide revenue
- California Consumer Privacy Act – $2,500 USD for each violation and $7,500 for violations after notice. Plus up to $750 per consumer, per incident or actual damages.
- Canadian CPPA – up to $25 million CAD and 5% of annual gross global revenue
- PIPEDA – Up to $10,000 CAD for summary conviction and up to $100,000 for indictable offences
Perhaps more importantly, your reputation could be at stake. A PWC survey found that 72% of consumers believe companies are better equipped than governments to protect their data and 92% said companies must be proactive about data protection. In short, users put the responsibility squarely on your shoulders.
Where should you store your data?
Data privacy protections are constantly evolving. For organizations that want to protect their reputations and their data, keeping up with these evolving guidelines is essential. For now, storing data in the European Union seems to be the best bet. If you contract with a learning service provider or test administration service, find out where they store their data so you can make informed decisions about your risk exposure.
At Oliver, although we are based in Canada, we choose data storage locations based on where data will be best protected. That means we store all of our data in regions subject to GDPR. Before you partner with any digital learning provider, ask yourself: Can this organization protect my data?