Educause Security Discussion mailing list archives

Re: GDPR Question - Part 2


From: Todd Watson <todd () USG EDU>
Date: Fri, 9 Feb 2018 13:54:19 +0000

I certainly appreciate the perspective, Steve. I think most of us would agree the Regulation seems to have varying 
degrees of ambiguity, at least from a U.S. point of view.

I wrote “without distinction” because of my interpretation reading the plain language of the foundational principles, 
which in part say, “…the protection of individuals with regard to the processing of their personal data should, 
whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms,” as well as 
Article 1(1) of the Regulation, which says, “Member States shall protect the fundamental rights and freedoms of natural 
persons…” On its face, citizenship or residency does not appear to be a significant criterion.

I agree with your pragmatic assessment, as well. Although the Regulation tries to have global reach, I expect intra- 
and extra-jurisdictional tests are on the horizon.

V/R,
Todd

----
Dr. W. Todd Watson, Sr., CISSP
Information Security Officer
University System of Georgia
Cybersecurity
706-583-2008

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Lovaas,Steven" 
<Steven.Lovaas () COLOSTATE EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Thursday, February 8, 2018 at 6:16 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] GDPR Question - Part 2


I'm certainly not a lawyer, but I've been listening to a lot of them over the past several months. It's my 
understanding that yes, the scope is formally defined as any resident of the EU (where 'resident' is anticipated to 
mean 'currently physically present'). But I'm not so sure about the "without distinction" clause.



Practically speaking, while a student on a study-abroad semester or even a university-supported vacation trip might 
fall within scope, that's not going to be the kind of thing that raises a lot of attention from enforcers, compared to 
a more permanent university presence like an ongoing partnership or EU facility or regular student exchange.



Steve


================================
Steven Lovaas
University Information Security Officer
Colorado State University
steven.lovaas () colostate edu
970-297-3707
Against stupidity the gods themselves contend in vain.
================================

________________________________
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Todd Watson 
<todd () USG EDU>
Sent: Thursday, February 8, 2018 3:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] GDPR Question - Part 2

I agree, Ken.

I think the scope includes all individuals located within physical EU territory. Thus, the regulation applies without 
distinction to residents, visitors, and citizens. It also appears to be in scope for persons outside the EU if their 
data is stored, processed, or maintained within the EU.

Regards,
Todd

----
Dr. W. Todd Watson, Sr., CISSP
Information Security Officer
Board of Regents of the University System of Georgia
Cybersecurity
706-583-2008

On 2/8/18, 5:04 PM, "The EDUCAUSE Security Constituent Group Listserv on behalf of Ken Connelly" <SECURITY () LISTSERV 
EDUCAUSE EDU on behalf of ken.connelly () UNI EDU> wrote:

    On 2/8/18 3:55 PM, Jim Cheetham wrote:
    > Excerpts from Penn, Blake C's message of February 9, 2018 10:09 am:
    >> From my understanding, GDPR protections apply solely to EU residents,
    >> not citizens – that is, anyone actually in the EU and only while they
    >> are in the EU.
    >
    > Is that a formally-defined "Resident", or anyone who happens to simply
    > be on EU soil as part of a short-term visit or trip?
    >
    > -jim

    My understanding is the latter, e.g., a student on a study abroad visit
    or a professor traveling and doing research.

    --
    - Ken
    =================================================================
    Ken Connelly                       Director, Information Security
    Information Security Officer          University of Northern Iowa
    email: Ken.Connelly () uni edu   p: (319) 273-5850 f: (319) 273-7373

    Any request to divulge your UNI password via e-mail is fraudulent!

