The General Data Protection Regulation (GDPR) and its impact on U of T (PDAD&C #12)

This memo provides initial information regarding the potential application of the GDPR to various University of Toronto activities. Experts from around the world continue to assess this legislation, and various interpretations, with varying impact on the University, are being put forward. As such, views expressed in this memo are preliminary, and further information regarding the application of the law to the University community will be distributed as it becomes available.

What is the GDPR?

The GDPR, a regulation approved by the European Parliament, came into effect on May 25, 2018. The regulation’s stated purpose is “to protect and empower all European Union (EU) citizens’ data privacy and to re-shape the way organizations across the region approach data privacy.” While it is primarily directed at entities operating within the EU, the GDPR can potentially have broader territorial reach, as discussed below.

Conceptually, it is reasonable to view the GDPR as a rough EU analogue of Ontario’s Freedom of Information and Protection of Privacy Act (FIPPA) and the Canadian legislation applying to commercial entities (PIPEDA), albeit with a broader scope of covered activities and a more current approach towards data processing concerns, such as those raised in relation to the collection of personal data by Cambridge Analytica.

What is the territorial Scope of the GDPR?

The GDPR applies to entities which, unlike U of T, have physical operations within the EU. However, the regulation also applies to all entities, regardless of location, that:

• engage in data processing activities relating to the offering of “goods and services” to residents of the EU, or
• monitor the behaviour of EU residents.

An example of the monitoring of behaviour of EU residents would be the data profiling of people within the EU that is derived from internet data sources and that pertains to their personal preferences, behaviours and attitudes.
What kinds of University activities might be covered by the legislation?

The key questions pertaining to application of the legislation are whether activities relate to the offering of goods and services to EU residents, or involve the monitoring of behaviour of EU residents. If either is the case, the GDPR may apply. Some examples pertaining to the University will help illustrate the possible application of the GDPR.

• Student recruitment: The soliciting of applications from residents of the EU to enrol in and become students at the University of Toronto likely falls under the GDPR.
• Research involving EU data: Research involving EU data subjects that seeks to collect and use personal information will likely fall within the GDPR’s scope. It is recommended that if you or your division are conducting such research, you scrutinize the data collection and processing components immediately for potential GDPR compliance. This examination should be done at the REB stage for new research projects involving human subjects, but it will also need to be done for existing research projects. Please ensure that faculty whose research might fall within this category review this memo carefully. Those with questions should consult the Research Oversight and Compliance Office (ethics.review@utoronto.ca).

Situations where U of T is dealing with an EU entity and receiving data back from that entity may also be covered by the legislation.

• Marketing of inventions or other IP to EU residents: The marketing of inventions or other IP to EU residents may also be covered by the GDPR.
• Websites: The University’s initial view is that the hosting of a website designed to solicit interest and engagement in a broad range of the division/unit’s activities would not, by itself, constitute the offering goods or services to EU residents , and any data processing related to the website would not, therefore, fall under the GDPR.
• Alumni relations: Alumni relations matters are not likely to be found within the scope of the GDPR. The initial view is that alumni initiatives wherein no “goods or services” are being offered, but rather where the focus is on maintaining a community of graduates, would not be considered involvement in “offering… services”.

These are just illustrations. It is recommended that in the coming weeks Divisions begin to identify any activities that they think might involve the offering of goods and services to EU residents, or the monitoring of behaviour of EU residents, and that they then seek further guidance, as outlined below.

If a University activity is covered by the GDPR, what will this mean?

Where it is ultimately concluded that a particular activity likely falls within the ambit of the GDPR, there are a number of potential implications. These may include:

• Consent in relation to personal information requires an active opt-in rather than opt-out, and must be free, informed, specific and unambiguous.
• Where the processing of personal information is required for contractual purposes, consent should be built in at the outset.
• The nature of the required consent depends on the kind of information that is being processed, and special rules exist for some situations, with sensitive information requiring specific consent.
• Requirements around the kind of notice that is mandated where consent is necessary.
• Duties related to the protection of data integrity and privacy.
• Appointment of a Data Protection Officer by some institutions (it is not yet clear whether universities fall within this category).
• Mandated notification in cases of a personal data breach.
• Requirement of enabling access to personal data.
• The right of erasure of data in certain circumstances.
• Penalties for non-compliance.

Next steps for divisions, offices, and researchers

The University will continue to monitor interpretations of the legislation as further guidance becomes available from experts and the GDPR regulator, and updates will be provided to the University community as this information becomes available.
In the interim, three steps are recommended:

1. All divisions should assess whether they are undertaking activities involving EU data subjects (basically anyone living in the EU). These activities might involve the processing of data in the course of offering “goods or services” to EU data subjects (including recruitment of future students located in the EU); the monitoring of behaviour of EU data subjects; or the processing of personal information of EU data subjects. This assessment should be made whether it is the University itself doing the data processing, whether the University is having another entity do the processing on its behalf, or whether the University is receiving data regarding EU data subjects from another entity. If any such activities are being undertaken, further guidance regarding the GDPR’s application should be sought first from Dean’s offices; the latter may then direct inquiries to the Provost’s Office (specifically Andrea Russell at andrea.russell@utoronto.ca).
2. If you are currently engaged as a researcher in a human subjects study involving EU data subjects, you must consult the Research Oversight and Compliance Office (ethics.review@utoronto.ca) for guidance on how the GDPR may impact your existing research. Researchers planning future research projects involving EU data subjects should also consult that office to assess how the regulation might impact pending research projects.
3. And finally, because there is such uncertainty regarding the interpretation and scope of the GDPR, the advice is to continue to be vigilant about privacy compliance generally. FIPPA, and the privacy principles derived from such legislation, go a long way, practically speaking, towards satisfying many of the key GDPR requirements. If you have detailed questions about FIPPA compliance and the application of privacy principles, please contact your unit/office’s Freedom of Information Liaison, or Rafael Eskenazi, the Director of the University’s Freedom of Information and Protection of Privacy Office at rafael.eskenazi@utoronto.ca.