This paper is part of the e-conference on « Data protection Issues and Covid-19: Comparative Perspectives » which consist in a daily publication at 12 p.m. (GMT+1) except on Sundays until the Summer break. A new session will start again at the beginning of the academic year 2020-21. Please subscribe to blogdroiteuropeen, so you don’t miss a publication. This e-conference was organised by Dr. Yseult Marique, Senior Lecturer at the University of Essex and FÖV Speyer and Dr. Olivia Tambou, Associate Professor at the University of Paris-Dauphine, External Scientific Fellow at the Max Planck Institute of Luxembourg, and Founder- Editor of Blogdroiteuropeen. If you are interested to contribute for our September session feel free to contact us at email@example.com
Italy claims the sad record of having been the first European epicentre of SARS-CoV-2. After the identification of epidemic outbreaks in several municipalities in the regions of Lombardy and Veneto on 21 February, the situation worsened rapidly, leading the Italian government to take unprecedented measures to fight the spread of the contagion (as known, such efforts will culminate in the lockdown of the whole country on 9 March).
One of the first measures enacted was the blocking of all in person activities run by educational institutions, i.e. schools, universities, institutes for high artistic and musical education (see, Law decree of the 23rd of February 2020, no. 6 and, in particular, the implementing decree of the President of the Council of Ministers of the 4th of March 2020). On 5 March the whole Italian system of education had to migrate online to ensure the continuity of teaching. A drastic measure that was later followed by other European countries.
An unexpected teleportation to Ludus
The shift toward distance learning (promptly labelled “Emergency Remote Teaching” or ERT) had the undoubted merit to make the provision of education possible when schools and universities were physically inaccessible.
However, such a paradigmatic change was far from being a silver bullet and raised several issues in terms of pedagogy, digital divide and inequalities, students’ and teachers’ well-being.
Major concerns also arose regarding the legal implications attached to the adoption of specific online instruments, tools, and platforms used for ERT, but not necessarily “educational native”.
Few recent scandals had unveiled how the technological choices made for ERT can affect privacy (see, here, here, and here) security (here and here), and creativity (see here) of the actors involved, thus leading scholars and policymakers to investigate these aspects further.
The Italian Data Protection Authority instructions
In Italy, the ERT phenomenon has been primarily scrutinised under the data protection lens. With the decision of the 26th of March 2020, the national Data Protection Authority (hereinafter “DPA”) released the first set of instructions for the sector. Such act, issued on the basis of Article 57(1)(b) and (d) GDPR, aimed at enhancing the awareness of educational institutions and their members about the risks, principles, guarantees and rights involved in the processing of personal data commenced when teaching activities migrated online. The instructions were also addressed to the Ministries of Education, University and Research, and Family and Equal Opportunities, in order to foster a transparent and proactive collaboration with the concerned institutional actors.
From a comparative point of view, the Italian case is a relevant model to consider for two main reasons: the DPA has been the first supervisor in Europe to intervene on the matter; and, the instructions resolve some practical issues, which, given the harmonised framework provided by the GDPR, can represent a baseline for other national systems.
The DPA’s decision titles “Distant teaching: preliminary instructions” and touches upon five core data protection aspects which universities and schools shall take into account before adopting an online service for ERT and during its use. These are:
1) the bases for the lawful processing;
2) the implementation of the principles of data protection by design and by default;
3) the data protection roles and the allocation of responsibilities among the actors involved;
4) the establishment of limitations to the processing;
5) the respect of the principles of lawfulness, fairness, and transparency in the processing by school and universities.
- With reference to the lawful bases, i.e. the legal grounds enlisted in the GDPR to legitimise the processing of personal data, the DPA clarifies that, even if teaching is performed with new and innovative services, ERT falls within the institutional functions of schools and universities. As a consequence, ERT processing can be grounded on the necessity to perform a task carried out in the public interest (Article 6(1)(e) and, for the case of sensitive data, Article 9(2)(g) GDPR. See, also Articles 2-ter and 2-sexies of the Italian Data Protection Code). On the practical side, this means that there is no need to require the specific consent from the data subjects in the ERT context.
- The primary organisational duties in ERT lie with schools and universities. By deciding the purpose and the means of the processing, educational institutions act as data controllers (Articles 4(7) and 24 GDPR). Therefore, the DPA recalls the importance for universities and schools to choose the most appropriate ERT service provider, taking into account not only the functionalities and pedagogical features of the tool but also its guarantees in terms of data protection. The principles of data protection must guide such a choice by design and by default (Article 25 GDPR). As controllers, universities and schools shall also verify whether the processing entails “high risks” for the rights and freedoms of individuals. High risk is likely to occur when the processing concerns vulnerable subjects, or a new technology is introduced (see, in particular, the WP29 Guidelines on DPIA). That might be the case for some innovative tools adopted for ERT (e.g. proctoring software), and this will oblige the controllers to perform a data protection impact assessment (Article 35 GDPR). In this regard, the DPA clarifies that educational institutions will not be subject to such obligation as long as the processing does not entail additional risks for students and teachers. For example, the adoption of a videoconferencing tool that is not privacy-invasive (e.g. it does not allow the systematic monitoring of users) might not require an impact assessment.
- The DPA underlines the relevance of clearly identifying roles and responsibilities of all the actors involved in an ERT processing. When schools and universities (controllers) rely on external online services to guarantee teaching at a distance, such a relationship – also in terms of data protection – shall be regulated by contract (see Article 28 GDPR). Considering the emergency scenario, the DPA suggests checking first the services which are already in the institutions’ portfolio (e.g. the electronic school record), as the online teaching features might be covered in the contract between the parties.
When appointing an online service or platform as a data processor, school and universities shall ensure that the provider will process the data only for the educational purposes. To this end, educational institutions will have to clearly instruct the platform about the processing, in particular regarding the storage and deletion policy.
The DPA contemplates however the possibility that in some cases it might be sufficient to use services available to the public which allow videoconferences restricted to a number of users. In this scenario, the appointment of the service as processor might not be necessary (or viable, we might add).
Furthermore, where it is not possible to use a service specifically designed for education, the processing of data shall be minimised activating by default only the services necessary to the provision of teaching (i.e. geolocalisation or social login systems shall be avoided).
- In principle, when the ERT platform acts as a processor, it shall not carry out autonomous processing on the personal data received from schools and universities. Nevertheless, the DPA contemplates the hypothesis that the platform might legitimately pursue further purposes with those data in some circumstances. In such cases, however, the access to educational services shall not depend on the obtainment of the consent or the conclusion of a contract implying the processing of personal data unnecessary for distance learning. For instance, if the platform would oblige students to either consent to the processing (e.g. for advertising purposes) or interrupt the use of the service, this would have to be considered illegitimate.
- Finally, universities and schools must fulfil their transparency obligations towards teachers, students, and parents. The principle of transparency (Article 12 GDPR) entails the duty to communicate the relevant information about the processing, the actors involved and corresponding responsibilities, in a clear and intelligible language, especially for minors (on this point, see the WP29 Guidelines on transparency). Particularly with reference to the processing of teachers’ data, the DPA recalls the importance of applying the specific provisions in the employment context (see Articles 113 and 114 Italian Data Protection Code, and Article 4 Law of the 20th of May 1970, no. 300), warning against the surveillance risks potentially arising in ERT and their chilling effects on freedom of teaching.
Finally, the Authority reassured it will monitor the services offered by the leading distance learning platforms and their level of compliance with the data protection framework.
The first intervention of the Italian DPA on ERT is certainly welcome. Albeit succinct, it is a plain and reasoned application of data protection principles to a sector that, due to urgency dictated by the situation, had to find the means and solutions for a massive digital transition in a matter of days. The latter was an unprecedented challenge for the majority of institutions in Italy, which are not conceived for the provision of long-distance education. Hence, it is not surprising that, in the absence of tools and services developed internally, many schools and universities looked elsewhere, checking for what was available on the market. The DPA recognised the need to ensure the fundamental right to education, even recurring to less traditional methods (like “generic services” or platforms). Still, it had not envisaged exceptions to data protection rules nor limitations to data subjects’ rights. On the contrary, the DPA’s illustrated the way on how to apply data privacy principles during the hectic period of emergency.
In a recent audition before the Parliamentary Committee on Childhood and Adolescence, the DPA stressed the principles of its March’s decision again. More interestingly, the Authority called for infrastructural, cultural, and regulatory interventions in the field and argued in favour of setting up a public cloud infrastructure, possibly within a context of European cooperation (see here from minute 34).
What digital infrastructures do we want for the future of remote teaching? Time for a critical discussion
If anything, the pandemic revealed the digital lag of our educational infrastructures. The majority of schools and universities had to rely on external hosts and providers simply because there were no internal resources. The involvement of external subjects into the “circle of trust” of the actors processing data for educational purposes is a decision that might entail relevant consequences for the control of information by the universities, schools, and data subjects (even when the solution is formally GDPR-compliant). It also raises serious concerns in terms of technological dependency from providers who are often extra-EU and subject to additional rules (as the controversial U.S. CLOUD Act).
In the emergency’s aftermath, the educational community will have to ponder the results and consequences of the ERT (forced) experiment. Whether remote teaching will remain as it is or in a different form, the discussion over the digital educational infrastructure we need in the long run cannot be further postponed. Encouragingly, the sparks of the debate have already begun in Italy and elsewhere.
Rossana Ducato is Lecturer in IT Law & Regulation at University of Aberdeen. She is also affiliated to the UCLouvain CRIDES, where she runs the Erasmus+ Jean Monnet module “European IT Law by Design”.
Previously she was postdoctoral researcher at UCLouvain and Université Saint-Louis – Bruxelles (with a project on consumer protection in the platform economy) and at the University of Trento (working on data protection and ehealth).
Rossana’s interests range from privacy and data protection, to intellectual property, consumer protection, law and behavioural science, and legal design, with a specific focus on the problems related to new technology and their impact on society.
She holds a Ph.D. in European and Comparative Legal Studies from the University of Trento. She loves windsurf, taekwondo, and sci-fi. She is from Palermo.