Personal Data Protection Authority's stance against distance learning platforms
08 April 2020
The PDPA's public announcement is accessible online here in Turkish.
New measures are being taken each day by the governments across the globe to cope with the ongoing crisis the Covid-19 pandemic has evolved into.
While isolation is argued to be one of the most effective ways to prevent further spread of the coronavirus, it has resulted in changes in the rooted habits of the society. Education is one of the main impacted areas in several countries,since educational institutions are closed down to minimize human contact. Turkey is one of the countries in which the educational institutions have been physically closed down for weeks now. In this respect, distance learning was offered to prevent prospective disruptions on accessing education while staying at home.
Although the implementation of distance learning is considered as an effective way of keeping students isolated, it has raised eyebrows in terms of the extent to which the personal data of the students are being protected. As a response to this concern, the Turkish Data Protection Authority (PDPA) issued a public announcement on 7 April 2020 (Announcement), emphasizing the importance of protection of personal data during the process of using the distance learning platforms. The Announcement points out the data processing issues that may arise during the use of the distance learning platforms as follows:
- most of the distance learning platforms provide services through cloud servers;
- data processing centres of the cloud servers are often located abroad;
- in case of use of such cloud servers for provision of online educational services, personal data of the users are transferred abroad;
- as a result of the foregoing, lack of compliance with the data transfer provisions under the Law on Protection of Personal Data No. 6698 (Law) when transferring personal data outside Turkey may result in a breach of the Law.
A great amount of personal data belonging to the students are indeed being processed while accessing such platforms. For instance, processing of personal data starts with requiring the user to enter his/her Turkish identification number while logging into the distance learning platform initiated by the Turkish Ministry of Education. Then, based on the user's identification number, the system associates the student with the relevant classes to take adequate lectures. Such association is only an example of how students' personal data is being processed.
With the above being taken into account, the PDPA reiterates that the conditions of lawful processing of personal data are set forth under the Law, and personal data of students are required to be processed and/or transferred in compliance with the relevant provisions of the Law.
What about the EU and the US?
In Italy, the European country hit first by the pandemic, educational institutions have been closed down since the beginning of March. This decision was soon followed by the rest of the European countries as the disease spreads. Sweden has been the only country left that has not closed the educational institutions completely. Elsewhere in Europe, education is provided in different ways, mostly by distance learning methods. Some countries announced a break period to make a smooth transition from physical educational institutions to distance learning platforms, but now nearly all European countries are implementing distance learning at some level, to say the least.
In the U.S., while a nationwide shut down has not occurred, the educational institutions are closed down in every state by separate executive orders. The U.S. Department of Education declared that it will provide broad approval to the distance learning platforms without going through the standard approval process, even if the platform would normally be required to seek approval from the Department of Education to offer such services.
Although there is no collaborative approach from the European Union as to distance learning platforms' compliance with the General Data Protection Regulation (GDPR), GDPR calls for appropriate technical and organisational measures to safeguard personal data at all times. Determining the appropriate technical and organisational measures requires a regular risk assessment to properly assess the impact and likelihood of risks of using distance learning platforms.
Norway has been, on the other hand, the first European country to offer data protection guidance relating to distance learning platforms. Accordingly, students are encouraged to use the distance learning platforms that are previously approved by their educational institutions and are reminded to delete all unnecessary information once they stop actively using the platforms. Although this statement is a rather general one compared to the PDPA's statement explained above, it provides a good start for a discussion on this matter. Moreover, the similarities between Norway's statement above and the PDPA's statement illustrates the closeness of the PDPA's operations and mechanisms to the international standards.
No announcement has been provided from the U.S. authorities targeted at the protection of personal data while using the distance learning platforms. However, the provisions under the Federal Educational Rights and Privacy Act (FERPA) may give an idea about the way this process is being handled. The FERPA is enacted to initiate the collaboration between school workers and healthcare workers during the COVID-19 outbreak, and to set standards for sharing of personal data of students, such as exam grades, with healthcare professionals and/or third parties in the meantime. Accordingly, it is not possible to access students' exam grades without explicit consent. It is noted that, processing of personal data belonging to students without their explicit consent while using the distance learning platforms may constitute a breach as well. In this respect, allowance for the distance learning platforms to operate without procedural approval may be considered as a method that is highly open for exploitation. In conclusion, regardless of the fragile nature of the use of distance learning platforms as their tendency for data processing, the U.S. is similar to Turkey in the sense that it refrained from enacting a legal regulation directed at personal data protection law while using such platforms, for the time being.
In the light of the above, the statement of the PDPA is solely for emphasizing the one and only framework for personal data protection in Turkey that is the Law. Accordingly, the Law will remain applicable even though during the extraordinary conditions that are being experienced throughout the pandemic. PDPA's announcement leaves room for further discussions and practice that will take its shape over time. The best would be to keep an eye for the further announcements of the PDPA to accommodate the ever-changing environment of the outbreak