How to edit a page on GDPRhub
DATA SECURITY UNDER QUESTION IN THE UNIVERSITY, SPAIN.-
Complaints have been filed along 2020 and January 2021 with the public Spanish University Carlos III in Madrid, Spain, for presumably not taking into account the data protection rights of their employees, while possibly exporting them to a non EES country through the platform Google Entreprise for Education. Concerns about data security of these transfers are a recurring reason for such complaints.
Most of these complaints take as a basis the landmark Case C-311/18, known as the Schrems II case, which invalidated the EU-US Privacy Shield on July 16, 2020. Details:
• In September 2020, a first complaint was filed with the University DPO for the holding of Academic Department Conferences through the medium of the Google Meet application, as a part of the Apps Enterprise for Education platform. DPO response laid mainly in the conventional guarantees offered by the standard clauses, or SCCs.
• In October 2020, a second complaint was filed with the University DPO, asking for transparence about the contracts signed between the University and Google Inc./LLC. This complaint is presently under study by the Spanish Council for Transparency.
• In January 2021, a new complaint was filed with the University DPO asking for the guarantees of “equivalent data security” in the framework of likely data transfers to non UE countries.
Up to this date, no satisfactory response has been given by the University’s DPO, which has defended the current use of the Standard Contractual Clauses (SCCs), routinely included in some Educational contracts with the Google trillion dollar monopoly.
It is hoped, however, that the Spanish Data Protection Agency, Agencia Española de Protección de Datos, will soon launch a thorough assessment of the data transfers in the University, on account of the presumable lack of guarantees evidenced by US surveillance practices (i.e., UPSTREAM, PRISM) and relevant US laws (principally Section 702 of Foreign Intelligence Surveillance Act, or FISA 702, and Executive Order 12333).
Given the reluctance of the Spanish University Carlos III de Madrid to introduce supplementary measures, the judgement by the Spanish DPA will be crucial in determining whether the present tools are sufficient or additional tools will be required. It is expected that a careful mapping of the international data flows and the existing transfer mechanisms via Google LLC will result in a deep revision of present practices in the University.