Educause Security Discussion mailing list archives
Re: GDPR Question - Part 2
From: Todd Watson <todd () USG EDU>
Date: Fri, 9 Feb 2018 13:54:19 +0000
I certainly appreciate the perspective, Steve. I think most of us would agree the Regulation seems to have varying degrees of ambiguity, at least from a U.S. point of view. I wrote “without distinction” because of my interpretation reading the plain language of the foundational principles, which in part say, “…the protection of individuals with regard to the processing of their personal data should, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms,” as well as Article 1(1) of the Regulation, which says, “Member States shall protect the fundamental rights and freedoms of natural persons…” On its face, citizenship or residency does not appear to be a significant criterion.

I agree with your pragmatic assessment, as well. Although the Regulation tries to have global reach, I expect intra- and extra-jurisdictional tests are on the horizon.

V/R,
Todd
----
Dr. W. Todd Watson, Sr., CISSP
Information Security Officer
University System of Georgia
Cybersecurity
706-583-2008

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Lovaas,Steven" <Steven.Lovaas () COLOSTATE EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Thursday, February 8, 2018 at 6:16 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] GDPR Question - Part 2

I'm certainly not a lawyer, but I've been listening to a lot of them over the past several months. It's my understanding that yes, the scope is formally defined as any resident of the EU (where 'resident' is anticipated to mean 'currently physically present'). But I'm not so sure about the "without distinction" clause.

Practically speaking, while a student on a study-abroad semester or even a university-supported vacation trip might fall within scope, that's not going to be the kind of thing that raises a lot of attention from enforcers, compared to a more permanent university presence like an ongoing partnership or EU facility or regular student exchange.

Steve

================================
Steven Lovaas
University Information Security Officer
Colorado State University
steven.lovaas () colostate edu
970-297-3707

Against stupidity the gods themselves contend in vain.
================================

________________________________
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Todd Watson <todd () USG EDU>
Sent: Thursday, February 8, 2018 3:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] GDPR Question - Part 2

I agree, Ken. I think the scope includes all individuals located within physical EU territory. Thus, the regulation applies without distinction to residents, visitors, and citizens. It also appears to be in scope for persons outside the EU if their data is stored, processed, or maintained within the EU.

Regards,
Todd
----
Dr. W. Todd Watson, Sr., CISSP
Information Security Officer
Board of Regents of the University System of Georgia
Cybersecurity
706-583-2008

On 2/8/18, 5:04 PM, "The EDUCAUSE Security Constituent Group Listserv on behalf of Ken Connelly" <SECURITY () LISTSERV EDUCAUSE EDU on behalf of ken.connelly () UNI EDU> wrote:

On 2/8/18 3:55 PM, Jim Cheetham wrote:
> Excerpts from Penn, Blake C's message of February 9, 2018 10:09 am:
>> From my understanding, GDPR protections apply solely to EU residents,
>> not citizens – that is, anyone actually in the EU and only while they
>> are in the EU.
>
> Is that a formally-defined "Resident", or anyone who happens to simply
> be on EU soil as part of a short-term visit or trip?
>
> -jim

My understanding is the latter, e.g., a student on a study abroad visit or a professor traveling and doing research.

--
- Ken
=================================================================
Ken Connelly
Director, Information Security
Information Security Officer
University of Northern Iowa
email: Ken.Connelly () uni edu
p: (319) 273-5850
f: (319) 273-7373

Any request to divulge your UNI password via e-mail is fraudulent!