Italy: Garante fines Luigi Bocconi University €200,000 for use of US proctoring software, citing third country assessment failures
The Italian data protection authority ('Garante') published, on 29 September 2021, a decision, issued on 16 September 2021, to fine Luigi Bocconi University €200,000 for using Respondus, a US proctoring app used to invigilate examinations remotely during the COVID-19 pandemic, for various violations of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In particular, the Garante outlined that students were not sufficiently informed of the processing of their personal data carried out through the proctoring software, including failing to mention the tracking of students' behaviour during the test (including face position and disconnections from the internet network, among other things), the subsequent processing by profiling, the audio-video recording of the test, and the photograph taken by the system at the beginning of the test, therefore violating Article 5(1)(a), 12 and 13 of the GDPR. In addition, in consideration of, among others things, the plethora of information collected on students during the examinations, which exceeded what was strictly necessary for the purposes of the examinations, both the principles of data minimisation under Article 5(1)(c) and of Data Protection by Design and by Default under Article 25 of the GDPR had been breached. Additionally, the Garante identified shortcomings in relation to University's obligation to conduct a Data Protection Impact Assessment ('DPIA'), notably in terms of the proportionality and necessity of the processing carried out by Respondus, in violation of Article 35 of the GDPR.
Furthermore, the Garante found that the processing of biometric data carried out through the Respondus application had been carried out without a suitable legal basis, in violation of Article 9 of the GDPR. More specifically, the Garante outlined that the University had identified consent as the appropriate legal basis, but in light of the imbalance of power between students and the University, consent could not be relied upon in these circumstances.
Notably, the Garante also identified violations with respect to the transfer of data to Respondus, a company established in the US, which processes the personal data in question as a data processor, on the basis of a processing agreement under Article 28 of the GDPR. Referencing the decision of the Court of Justice of the European Union ('CJEU') in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'), which requires that for data transfers taking place under Standard Contractual Clauses ('SCCs'), the data controller is obliged to verify, case by case, and possibly in collaboration with the recipient of the transfer, whether the law of the third country of destination guarantees adequate protection, in the light of European Union law, of the personal data which are transferred, providing, if necessary, additional guarantees with respect to those offered by the SCCs, the Garante outlined that the documentation provided by the University contained no evidence of such an assessment. The Garante further outlined that the same considerations were applicable to the transfer of data to the sub-processor, as identified in the University's SCCs, Amazon Web Services Inc., which is also established in the US. Consequently, the Garante found that the University had transferred personal data to a third country, the US, without having proved that it has verified and ensured that the transfer in question was carried out in compliance with the conditions referred to in Chapter V of the GDPR, in violation of Articles 44 and 46 of the GDPR.
In the calculation of the fine amount, the Garante notably outlined that it had favourably considered, firstly, that in the context of the COVID-19 pandemic, the University had to make choices and adopt technical and organisational measures quickly in order to ensure the continuity of the teaching activities and the conduct of exam sessions, and secondly, that the consequences of the principles of law from the Schrems II Case are complex to implement, and, more generally, that the legal framework on international transfers is still evolving.
You can read the decision, only available in Italian, here.