Online collaboration tools and data protection – Are universities allowed to use such services?

Online collaboration tools and data protection – Are universities allowed to use such services?

Sustaining teaching is one of the great challenges universities face in times of no-contact laws. The digital collaboration tools from various providers could help – if the universities manage to dispel the concerns of the data protection authorities. Many universities are currently turning to the experts at KPMG with this task.

Empty lecture halls, closed libraries – the Corona crisis poses major challenges for university teaching. In times when all personal contact is to be avoided or even forbidden, universities must offer their students alternatives to regular university life in order to maintain teaching.

Digital learning offers an opportunity to do just that. However, many universities lack the nationwide infrastructure to enable learning from home. Whereas universities previously had unlimited time to test the digitization of learning processes and gradually integrate it into everyday study, things now have to move quickly in view of the current situation.

Many universities see a contribution to this digital teaching in the services of large, primarily U.S. providers. The applications offer a wide range for both sharing materials and networking with fellow students and faculty, as well as centralized storage of shared content. However, the introduction of these applications is still meeting with concerns, especially from data protection officers and supervisory authorities.

High data protection requirements

When using such services, personal data is collected at various points, for example through the use of user accounts. Data protection law – both the GDPR and state data protection laws – place high demands on the protection of this data. Strict standards are applied in particular to the international transfer of data, as here from German universities to the respective U.S. company. In order for a transfer of data to the U.S. to take place, the receiving companies in the U.S. must ensure an appropriate adequate level of data protection. Many of the major U.S. providers are already certified as data-processing service providers through their participation in the so-called “EU-US Privacy Shield,” which is intended to ensure precisely this appropriate level of protection.

Nevertheless, data protection supervisory authorities sometimes take a critical view of the use of such products, especially in universities. Due to a lack of transparency on the part of many companies, there is a risk that data protection regulations will be disregarded and that personal data will be processed unlawfully.

Central points of criticism by data protectionists

The data protection authorities have criticized the non-transparent handling of user data in particular. A review commissioned by the Dutch Ministry of Justice had revealed that at least one provider, for example, collects telemetry data, transmits it to its U.S. servers and processes it there without adequately informing the clients or users.

There is also criticism of the lack of or unclear demarcation between the respective responsibilities of the university as the client and the service provider as the processor. In the view of the data protection experts, the service providers do not sufficiently disclose to the universities or the users which data are collected in detail and for which purposes they are processed. For example, there is a fear of profiling with the habits of the users of the services. Such potentially unlawful data processing by the service provider could also be imputed to the universities. As the client, they remain responsible for the time being and must monitor the contracted company with regard to compliance with data protection.

Data protection experts also have concerns about the CLOUD Act. This allows U.S. authorities to request user data from companies, for example for law enforcement purposes, without consulting German authorities.

However, some companies have already reacted to this criticism and improved their services in terms of data protection. Responsibilities were redefined and greater transparency was created with regard to data storage locations and access options. Some service providers now also see themselves as strong defenders of civil liberties against unauthorized requests by U.S. authorities for European citizens’ data.

These examples clearly show that although there is a need for further action from a data protection perspective when using online services from U.S. providers, many companies are nevertheless showing a willingness to cooperate and adapt to regulatory requirements. One reason for this is likely to be that both the European and German markets, including the education sector, continue to be seen as commercially very important.

A question of concrete implementation

In our view, the legality of the use of such online services by universities ultimately depends only on the design of the specific usage scenario in line with data protection requirements.

The experts at KPMG AG Wirtschaftsprüfungsgesellschaft and KPMG Law are increasingly receiving requests from universities and other educational institutions to use online collaboration platforms and similar services in the wake of current developments and the urgency to provide learners with alternative learning options. Although educational institutions are usually confronted with the reservations of supervisory authorities and official data protection officers right from the start and are therefore very familiar with the argumentation structures, we were able to gain good experience in the dialog with the supervisory authorities and the data protection officers of the universities and identify more far-reaching options for action that enable the universities to implement their set goals. In many cases, concerns are raised that are not based on a general illegality of use, but on risks that arise only from the inadequate design of the contractual documents and processes of the providers’ standard offerings (according to the supervisory authority’s assessment). It is therefore possible to take legal precautions and technical measures in the specific design of the use that minimize these risks and thus adequately protect the rights and freedoms of students and employees of the University.

Through interdisciplinary collaboration between attorneys and technical consultants, we develop comprehensive and multidisciplinary coordinated packages of measures that can be used by educational institutions as part of a data protection impact assessment.
This includes technical concepts adapted to the specific situation, which serve, for example, to minimize the amount of personal data and the associated risk of retraceability to a specific person. KPMG Law also draws up lines of argument and opinions as part of its legal support for projects. In these, the concerns raised are compared with the concrete planned use, taking into account all the legal bases and legal design options that come into question. In a large number of cases, the remaining legal risks ultimately turn out to be manageable and the concerns of data protection officers – with the application of appropriate measures – can be eliminated.

Conclusion

The use of online collaboration tools at universities was widely discussed even before the current situation due to the Corona pandemic began. The steady change in the perception of digital concepts and the efforts of providers have led to more favorable conditions for the use of such online services, according to our data protection experts. Universities can use these developments now to master the times of crisis and drive forward the digitization of teaching in Germany, taking into account measures that are necessary in the specific case.