Is Online Exam Surveillance during COVID-19 Lawful, Effective & Desirable?
Cultural, GDPR & Contextual Perspectives on Student Privacy Concerns
First published: 5 May 2020
Updated: 26 May 2020
Revised and added text in blue
This article was first published on 5 May 2020, in response to the ongoing discussion around universities’ use of online proctoring during the COVID-19 pandemic measures in the Netherlands. The article was subsequently updated on 26 May 2020 to include updated information and new insights on i) data storage location as (a potential) part of the legitimate interests assessment and ii) opportunities and limitations for universities to invoke legitimate interests, depending on whether their proctoring is part of their public task. Revised and added text in blue.
“We only use those means that are strictly necessary. As a Professor, you need to make sure that it is Jan de Vries sitting opposite from you, so there must be some form of identification. You also want to make sure there is no-one else there helping Jan de Vries, nor that he is going through his materials, if the exam format doesn’t allow for this. That Jan de Vries is not secretly searching Google for answers, or e-mailing a fellow student. This is necessary to ensure that the student possesses the knowledge and skills to obtain a diploma. It’s what society expects from us (1) and what we are obliged by law to do (2). You might even say that regular on-campus exams pose a greater privacy infringement (3). The examiner might check your bag or remove your smartphone. And in the case of fraud, they may even verbalize a student in front of all others. Even in non-corona times, privacy is not absolute.”
– Sijtsma, Tilburg University Rector, 2020
The above statement was made by Tilburg University Rector Sijtsma in response to a recent petition launched by a Tilburg University Psychology student, calling for an alternative to online proctoring software Proctorio.1)Original quote in Dutch: “Zoals ik al zei gebruiken we alleen de hoogstnoodzakelijke instrumenten. Maar als docent wil je wel weten dat Jan de Vries aan de andere kant zit, je zult dus een vorm van identificatie moeten laten zien. Je wil ook weten dat er niemand bijzit die Jan de Vries helpt en dat hij niet tijdens een tentamens boeken naslaat als dat niet de bedoeling is. Dat Jan de Vries niet stiekem op internet zit of op google of mailt met een medestudent. Dat is nodig om vast te stellen dat die student ook daadwerkelijk de kennis en vaardigheden heeft voor een diploma. Daar moet de samenleving van op aankunnen en dat zijn we bovendien ook wettelijk verplicht. Bij een fysiek tentamen gaat de privacy-inbreuk misschien zelfs wel verder. Een surveillant kan dan in je tas willen kijken, of je smartphone weghalen. En als hij fraude vaststelt, kan die je zelfs verbaliseren waar iedereen bijzit. Ook in niet-corona tijden is privacy niet absoluut.” In: A. van den Eeerenbeemt (2020), ‘Rector Klaas Sijtsma: ‘Digitaal surveilleren onmisbaar om waarde diploma te behouden’, Univers: Tilburg University’s Independent News Source. Proctorio and similar online proctoring software are deployed by Tilburg University and other universities around the Netherlands to prevent cheating in the exams currently conducted online because of COVID-19. Features include access to a student’s webcam, microphone, location data, browsing history and details of which programmes they are using. In some cases, the software allows universities to track students’ eye movement, body movement and key strokes. The artificial intelligence software flags any irregularities to the responsible Professor or Board of Examination, who review and/or penalise the event. Students claim the software constitutes a severe privacy infringement and demand that alternative ways of examination are made available. The petition was signed by thousands of students from all over the Netherlands and received backing from the Dutch Students’ Union as well as various legal professionals.2)K. Schaps (2020), ‘Dutch students raise privacy concerns over online exam surveillance’, Reuters.
Whether or not one agrees with Rector Sijtsma on this matter, his quote contains three interesting anchor points for understanding student privacy concerns in the context of current online exam surveillance:
- ‘What society expects’: cultural norms
- ‘Obliged by law’: General Data Protection Regulation (GDPR) meets Higher Education and Research Act (WHW)
- ‘Regular exams are a greater privacy infringement’: context and interests
The Data Protection Authority and the Education Minister
On 23 April, it was announced that the Dutch Data Protection Authority is investigating the matter, stating that education institutions will be held accountable for their online proctoring and, in particular, for the measures taken by education institutions to ensure their students’ data is protected by software providers.3)Autoriteit Persoonsgegevens (2020), ‘Zorgen om dataverzameling bij thuisonderwijs’, Nieuwsbericht. Five days later on 28 April, Ingrid van Engelshoven, Dutch Minister of Education, Culture and Science, in a written response to questions asked by opposition parties, made three noteworthy remarks about universities’ online proctoring practices: “as long as all legal requirements are met, universities’ use of online proctoring software is GDPR-compliant”, “if students want [their special category data, such as medical information or information about race or religion] to not be collected, then they are free to, as much as possible, keep physical appearances that reveal such information away from the proctoring” and “also, students are free to not participate in this form of examination.”4)TK 2019-2020, 2619.
This article aims to elucidate the necessary cultural, legal and contextual perspectives in order to adequately address the challenges arising from universities’ online proctoring activities. Furthermore, it strives to help shape the direction of the discussion with the view of doing justice to all the interests at stake.
Although the 14 Dutch ‘WO’ universities (institutions for academic university education) differ in terms of scale and operability of online exam surveillance5)Please note that in this article, the terms ‘online exam surveillance’ and ‘online proctoring’ are used interchangeably. Technically, however, there are slight differences. ‘Online exam surveillance’ can entail three forms of control over online examination: 1) live proctoring by an online human proctor (comparable to the real-life human proctor in the exam room), 2) recording footage and logs, which are checked afterwards, 3) automated proctoring, whereby software signals moments of potential fraud to a proctor. Automated online proctoring is the form of online exam surveillance that is under scrutiny here, because of its potentially far-reaching effects on students’ privacy and personal data., none have principally rejected it. Some had started testing online proctoring well before COVID-19 ‘smart lockdown’ measures were taken by the government, particularly VU University and Erasmus University Rotterdam, which have taken the lead in the KA2 Strategic Partnership Erasmus+ project, that brings together higher education institutions throughout Europe for the purpose of furthering online proctoring.6)OP4RE (2019), ‘Online Proctoring for Remote Examination’. Other WO universities, such as Radboud University Nijmegen, have recently started online proctoring pilots and feasibility studies and have yet to decide whether to deploy it and if so, at what scale.7)Radboud University (2020), ‘Digitaal toetsen met Cirrus en online proctoring’. Further details about university characteristics and the proctoring software used, drawing from the information on their websites, are found below in Fig.1.
|Name||Profile||Establishment||Applicable law||Employees||Proctoring software|
|1||Leiden University||All academic disciplines||By government||Public law||Civil servants||ProctorExam|
|2||Groningen University||All academic disciplines||By government||Public law||Civil servants||Unknown|
|3||VU University||All academic disciplines||By private party (association)||Civil law||Employees||ProctorExam &
|4||Delft University of Technology||Technology||By government||Public law||Civil servants||RP Now (human) &
|5||Eindhoven University of Technology||Technology||By government||Public law||Civil servants||Cirrus (and possibly Proctorio)|
|6||Erasmus University Rotterdam||All academic disciplines (social sciences focus)||By government||Public law||Civil servants||ProctorExam|
|7||Maastricht University||All academic disciplines|
(social sciences focus)
|By government||Public law||Civil servants||Unknown|
|8||Utrecht University||All academic disciplines||By government||Public law||Civil servants||Educate IT|
|9||University of Amsterdam||All academic disciplines||By government||Public law||Civil servants||ProctorExam|
|10||Radboud University Nijmegen||All academic disciplines||By private party (association)||Civil law||Employees||Cirrus|
|11||Tilburg University||All academic disciplines (social sciences focus)||By private party (association)||Civil law||Employees||Proctorio|
|12||Twente University||Technology||By government||Public law||Civil servants||Unknown|
|13||Wageningen University & Research Centre||Technology||By government||Public law||Civil servants||Software Secure|
|14||Open University||n/a||By government||Public law||Civil servants||Unknown|
Fig. 1. List of Dutch WO universities & characteristics
Update 1 (26 May 2020): data storage location in the online proctoring discussion
In the initial publication of this article, Fig. 1 contained an extra column detailing the data storage location of each proctoring software provider. However, in conversations between the author and proctoring software company representatives, it became clear that the data storage location of at least one proctoring software company was in fact different than initially documented in Figure 1 (i.e. Proctorio stores data of its European clients in the EU, as opposed to initial mentioning of US storage). Given the fact that the geographical location in which the data are stored, is not a decisive factor in the initial discussion on the lawfulness, effectivity and desirability of online proctoring within the Dutch context, the column detailing this information was removed, so as to not create unnecessary discussion. It should be noted though, that the data storage location can play a role in a later stage of this discussion, as part of the legitimate interests assessment on the part of universities, when assessing the type of software used, the contractual caution taken by universities in relation with software providers and the technical and organisational measures taken by universities and software companies to protect the data in accordance with GDPR and UAVG requirements. As detailed in the second update to this article, however, it remains to be settled 1) whether universities are, under the GDPR and UAVG, allowed to invoke legitimate interests as a legal basis for data processing and, 2) if it is determined that they are: how the other considerations that should form part of the legitimate interests assessment, such as effectivity, equity etc., would play out, in order to assess what role data storage location might play in this deliberation. Hence, if the legitimate interests assessment turns out to be applicable and it comes so far as to assess data storage locations of software providers, then data storage locations of individual software providers would need to be assessed on a case-by-case basis, depending on software company practices, agreements between universities and software providers and other measures taken to ensure legal compliance – whereby local EU data storage and other GDPR compliance enhancing measures may be considered as a relevant measure on the part of universities.8)I. Kamara & P. De Hert (2018), Understanding the Balancing Act behind the Legitimate Interest of the Controller Ground. In E. Selinger, J. Polonetsky, & O. Tene (eds.), The Cambridge Handbook of Consumer Privacy, pp. 321-352.
Conversely, of the 36 ‘HBO’ universities (universities of applied sciences), two have already stated that they will not engage in online exam surveillance, because “it is too much of a privacy infringement, it is too challenging technically and, most importantly, it doesn’t fit our principles of trusting our students”.9)Ad Valvas (2020), ‘Al twee hogescholen passen voor online proctoring’. Instead, these HBO universities are concentrating on alternative examination, such as open-book exams, assignments and essays. In cases where this proves impossible, they intend to postpone exams until it is once again possible to organise them on campus. Other HBO universities are also reluctant, stating they would “rather schedule less than more of such exams”.10)Ibid. This fundamentally different approach to online exam surveillance between WO and HBO universities is worthy of a research project of its own, but one may assume that the more theoretical make-up of the WO university education, as well as differences in quality assurance programs, might have something to do with it.11)Centraal Bureau voor de Statistiek (Statistics Netherlands) (2010), ‘Wo bachelors require more time than hbo bachelors’. Below, the three anchor points derived from Rector Sijtsma’s statement are explored and suggestions are made on how to include them in cultural, legal and contextual analyses of universities’ online proctoring practices.
1. Cultural norms: EU-Asia focus differences & the American perspective
When it comes to Rector Sijtsma’s claims, firstly, it is no surprise that for the justification of their teaching and examination practices, universities – before citing the law – refer to societal expectations. Not only are institutions for higher education in most cases funded with public resources, they are moreover expected to play an important role in the intellectual development of young people, the creation and dissemination of scientific knowledge and its valorisation in society.12)B. Huber (2016), ‘The Role of Universities in Society’. In: Liu N.C., Cheng Y., Wang Q. (eds) ‘Matching Visibility and Performance. Global Perspectives on Higher Education’, pp. 91-99, SensePublishers, Rotterdam. As a result, cultural norms play an important role in the governance and functioning of higher education systems. Hence, it is important to understand just how these cultural norms shape the legal frameworks and impact student privacy.
1.1. EU-Asia focus differences
In order to fully grasp the impact of cultural norms on student privacy, it is crucial to understand the three main privacy frameworks and their influence on the various legal systems around the world. Hoel et al. analysed the three main privacy frameworks, which have inspired legal development in all parts of the world and put the frameworks and selected countries on a scale with values between a focus on the individual and a focus on the organisation (Fig. 2).13)T. Hoel, D. Griffiths & W. Chen, ‘The influence of data protection and privacy frameworks on the design of learning analytics systems’ (pp. 243–252). Presented at the Seventh International Learning Analytics & Knowledge Conference, New York. New York, USA: ACM Press; 2017.
Fig. 2. Individual vs. organisational focus, privacy frameworks and countries (Hoel et al., 2017).
In a variety of case studies on student privacy, it was found that concerns about the rights of the individual to data control are a predominantly western phenomenon. Whereas, in the east, the organisation is more prominent in the discourse, as the interests of the individual more often are projected against the interest of the group. This difference is echoed by the legal developments, ranging from the adoption of the individual-focused GDPR in Europe at one end of the spectrum, to the continued adoption of principles derived from the OECD Privacy Guidelines & the APEC Privacy Framework by Asian states.
In addition to the already varying normative bases for data protection policy, states’ diverging responses to major world events including the war on terror, trade promotion, digital economies, climate action and currently of course the COVID-19 pandemic response, have put data sharing at the forefront of nearly every policy debate, with greatly varying outcomes per state. In order to have the right perspective when navigating current challenges, it is of the utmost importance to understand the cultural foundation of the individual learner underlying our legal framework and to ensure that this is done justice to, amidst the haste and panic of COVID-19 remote measures adoption.
1.2. Lessons from the US
Furthermore, if one wishes to truly understand the intricacies of online student surveillance from cultural, legal and contextual perspectives, then developments in the United States cannot be overlooked. In a very recent article, American legal scholar Amy Cyphert writes: “when the [American Civil Liberties Union] and others decried the use of [sentencing algorithms and predictive policing] in the criminal justice sector, software companies shifted their focus to schools, [after which] the practice of schools using third parties to conduct online surveillance of their students became surprisingly widespread.”14)A.B. Cyphert (2020), ‘Tinker-ing with machine learning: the legality and consequences of online surveillance of students’, Nevada Law Journal, Vol. 20: 2, pp. 457-501. Developments have been so rapid, that the software deployed by even high schools across the US, goes as far as trawling students’ social media posts in search of “keywords or features that may be flagged and forwarded to school administrators, who can decide whether the post requires an intervention and whether the student requires discipline.”15)Ibid. Although the present-day Dutch higher education landscape is far removed from this reality, the legal and socio-economic questions that were unlocked by the US developments can serve as important input for the discussion at hand.
Legally, the US situation is complicated for three reasons, all of which are rooted in distinctive cultural norms. Firstly, although the Family Educational Rights and Privacy Act (FERPA) is a federal law which requires all states to ensure core privacy protection standards, additional rules vary per state, yielding very different levels of privacy protection across states. Secondly, as courts have not yet specifically ruled on the legality of schools entering into contracts for third-party surveillance, uncertainty remains and surveillance persists. Thirdly, the legality question is further complicated by the fact that every state has a cyberbullying law (‘to prevent school shootings’) that arguably requires schools to police their students’ online speech, which is cited as a justification for student online surveillance.16)Ibid. From this, we learn that diverging privacy norms and legal uncertainty can cause a void that is easily filled by elaborate student surveillance.
2. Legal framework: online proctoring and the GDPR
In Rector Sijtsma’s claims, we find an anchor point for evaluation of the lawfulness of online exam surveillance. Stating that ‘universities are obliged by law’ to engage in online exam surveillance indicates universities’ approach to the legal grounds for data processing under the European Union’s General Data Protection Regulation (GDPR). As compliance with a legal obligation can constitute a legal basis for lawful processing, provided that certain requirements are met. It is envisioned, however, that universities will invoke various legal grounds to justify their online exam surveillance under the GDPR. The GDPR and the respective national implementation acts (in the Netherlands, this is the UAVG), therefore, are the most important starting point for understanding and scrutinising the universities’ claims.
2.1. Roles: controller, processor & data subjects
In order to explore the legal aspects of online proctoring, the roles arising from its data processing under the GDPR, must be defined. As per Article 4(7) GDPR, the university is the controller, as they determine the purposes and means of the processing of personal data. The company providing the proctoring software is the processor, as defined in Article 4(8) GDPR, since they process the personal data on behalf of the controller. Article 28 GDPR obliges controller and processor to enter into a data processing agreement, that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. The agreement should also detail the controller’s instructions with regard to data transfers, confidentiality and technical and organisational measures that are to be taken. It must be noted, however, that if the software company also processes the data for its own purposes, then they are controller with respect to this processing of the data. The students are the data subjects, as it is their personal data (Article 4(1)) that is being processed. Recital 75 of the GDPR details in which cases processing is likely to result in high risk and therefore require additional safeguards. This includes situations where ‘data of vulnerable data subjects are processed’. The WP29 Guidelines have elucidated who qualifies as ‘vulnerable data subjects’. This includes children, employees, mentally ill persons, asylum seekers, or the elderly, patients and where there is an imbalance in the relationship between the position of the data subject and the controller.17)WP29 (2017), ‘Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679’, WP248. In the case of online proctoring, there can be two reasons for qualifying (certain) students as vulnerable data subjects. Firstly, because they might be asylum seekers, however, it is expected that these make up a small minority of students. Secondly, one may argue that all students are vulnerable data subjects because of the imbalance in the relationship between data subject and controller, particularly when during a crisis such as this one, when confronted with unprecedented measures, potentially affecting their studies.18)V. Bongers & S. van Loosbroek (2020), ‘Hoe gaan we toetsen (en mag Big Brother ook meekijken)?’, Mare, Leids Universitair Weekblad. The alleged imbalance in this relationship is further explored below, when discussing whether universities can invoke the legal basis of ‘consent’ to justify the data processing that comes with online proctoring.
2.2. Categories of data collected
The data collected and processed by online proctoring, need to be qualified under the GDPR. Any identifiable data of individuals – even if only indirectly identifiable, are considered personal data under the GDPR (Article 4 GDPR). Depending on the situation, proctoring can also generate ‘special categories of personal data’ (Article 9 GDPR), such as information about: racial or ethnic origin (visible in video), religious beliefs (e.g. through students’ features and decorations), political opinions (e.g. through students’ room decorations), sexual orientation (e.g. partner’s gender is revealed through visible/audible background), health information (e.g. through visible indications of handicap (wheelchair) or illness (coughing, nose-blowing, etc.), biometric information (in the case of voice recognition, keystroke analysis and/or eye-tracking).
2.2.1. Video footage exemption
The Dutch Data Protection Authority, however, has clarified that video footage is not considered to process special category personal data if: 1) the aim of the processing is not to process special category personal data or to discriminate on the basis of special category data, 2) to the controller, it is not reasonably foreseeable that processing of this video footage will lead to discrimination on the grounds of this special category data, and 3) the processing of this special category data is inevitable for this processing. Although the second requirement may pose a challenge – is it a stretch to consider that examination outcomes might be affected either negatively (because examiners’ disapproval of beliefs, opinions or orientation) or positively (through approval of the former or sympathy for health situations) as a result of the processing of special category data? – universities are likely to claim that these criteria are met, in order to avoid the additional requirements that apply to the processing of special category data. In any case, claiming that the exemption criteria are met, would be more credible than to claim that students can prevent their special category data being processed by “keeping it away from the proctoring process” – which might prove hard to do if a student has, let’s say: a surge of allergies, a religious ornament worn out of conviction or politically-inspired wall paper covering his or her room walls.
2.2.2. Distinct nature of (certain) biometric data
If one were to follow the anticipated claim of universities that special category data obtained through online proctoring video footage are exempt of Article 9 GDPR safeguards because the three requirements for exemption are met, this still leaves open the question of biometric data which is most likely processed through proctoring software. In the absence of detailed Dutch DPA guidance on this matter, one may look to the UK Information Commissioner’s Office’s deliberations. The ICO, in explanation of Article 9 GDPR, provides examples of what it considers biometric data, distinguishing between physical or physiological biometric identification techniques (e.g. facial recognition, fingerprint verification, iris scanning, retinal analysis, voice recognition, ear shape recognition) and behavioural biometric identification techniques (including keystroke analysis, handwritten signature analysis, gait analysis, gaze analysis (eye tracking)). In at least two of the stated examples that can be part of online proctoring – voice recognition and keystroke analysis – it is not the video footage that is generating the special category data, but rather other sensory or recording technologies. Hence, the special category data that are processed as a result, cannot fall under the video footage exemption and would have to count as special category data to which the safeguards of Article 9 GDPR unequivocally apply.19)Information Commissioner’s Office website (2020), ‘What is Special Category Data?. If universities wish to prevent this discussion, they would – aside from having to provide a detailed account of how the three requirements for video footage exemption are met, need to make sure that no special category data is obtained in a way other than through video footage.
2.3. Legal basis for data processing
One of the central principles of the GDPR, is that processing of personal data can only be lawful if based on one of the legal bases for processing mentioned in Article 6 GDPR: 1) the controller has obtained the data subject’s consent, 2) the processing is necessary for contract performance, 3) the processing is necessary for compliance with a legal obligation, 4) the processing is necessary to protect vital interests, 5) the processing is necessary for the performance of a task carried out in the public interest, or 6) the processing is necessary because of legitimate interest on the part of the controller. It is expected that universities, in defence of their online exam surveillance activities, will invoke multiple legal bases. Below, an evaluation is conducted of the GDPR legal bases for data processing and suggestions are made on which legal basis is most appropriate for universities’ online proctoring.
As per Recital 40 and Article 6 (1)(a) GDPR, processing of personal data is lawful if the data subject has consented to it. Conditions apply as to what constitutes valid consent. Recitals 41 and 42 demand that consent be ‘informed’, whereby the data subject is made aware of the controller’s identity and the purposes for which the data are processed, the information is provided in a manner that is appropriate and accessible for an average member of the target group. Most importantly for the question of online proctoring, consent must be ‘freely given’. Kostic & Vargas Penagos show that “under the GDPR, the term ‘freely given’ is not explicitly defined. From Recital 42, it can be inferred that freedom of choice and the ability to withdraw consent could be regarded as the main elements. Furthermore, Article 7(4) provides a circumstance that may affect ‘freely given’ consent: the performance of a contract, including the provision of a service that is made dependent on the consent to data processing, which is not necessary for the performance of said contract.”20)B. Kostic & E. Vargas Penagos (2017), ‘The freely given consent and the bundling provision under the GDPR’, Computerrecht, Vol. 4:153, pp. 217-222.
220.127.116.11. ‘Freely given consent’ and significant imbalance
Recital 43 holds that consent cannot be considered ‘freely given’ if there is a clearly significant imbalance between the data subject and the controller. As clarified in various WP29 Opinions, consent can only be valid if the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences (e.g. substantial extra costs or other disadvantages) if he/she does not consent. Consent will not be free in cases where there is any element of compulsion, pressure or inability to exercise free will.21)WP29 Opinion 15/2011 on the definition of consent (WP 187), pp. 12-14 , WP29 Opinion 8/2001 on the processing of personal data in the employment context (WP 48), Chapter 10, WP29 Working document on the surveillance of electronic communications in the workplace (WP 55), paragraph 4.2 and WP29 Opinion 2/2017 on data processing at work (WP 249), paragraph 6.2. Particularly, if the controller is a public authority, the data subject will most likely have no realistic alternatives to accepting the processing (terms) of this controller.22)WP29 Guidelines on consent under Regulation 2016/679, WP259. Hence, public authorities cannot rely on consent as a legal basis for data processing. So, for the 11 Dutch universities that are public organisations, consent cannot be invoked for online proctoring data processing (see also Fig. 1). Also in other situations, where the controller is not a public authority, but when there is a clearly significant imbalance between data subject and controller, consent as a legal basis for data processing cannot apply. Hence, for the three privately-established universities, it is also unlikely that consent can be relied upon. In the case of online exam surveillance, it will most likely be very hard for universities to provide students with realistic alternatives. In absence of Dutch precedents, a Swedish case may provide relevant input. In August 2019, the Swedish DPA ‘Datainspektionen’ fined a municipality 200 000 Swedish Kroner (approximately 20 000 euros) for using facial recognition technology to monitor the attendance of students in school. This was done as a pilot in one class on the basis of consent, but the Swedish DPA ruled that this consent was invalid in view of the clear imbalance between the students and the school. In such cases, other legal bases may be invoked to justify the data processing, which would each need to be judged on its own merit.23)European Data Protection Board (2020), ‘Facial recognition in schools renders Sweden’s first GDPR fine’.
18.104.22.168. Consent-based data processing
Although consent as a legal basis is not feasible for online exam surveillance and although there are ongoing discussions about whether GDPR’s concept of consent is – in practice – successful at strengthening individual data control over personal data24)S.Y. Soh (2019), ‘Privacy Nudges: An Alternative Regulatory Mechanism to ‘Informed Consent’ for Online Data Protection Behaviour’, 5:1, European Data Protection Law Review, 65-74., it can still be useful to further conceptualise consent in order to choose and substantiate the appropriate legal basis to scrutinise online proctoring. As consent was chosen by GDPR lawmakers as a central instrument to strengthen individual control over personal data, the GDPR promotes consent throughout its legal provisions.25)In addition to consent being its cornerstone legal basis for data processing, the GDPR affords data subjects elaborate control-rights, including rights to information and access to personal data, rectification and erasure, and the right to object to automated individual decision-making. Please see also:.S. Ramírez López (2018), ‘Informing Consent: Giving Control Back to the Data Subject from a Behavioral Economics Perspective’, 9 (1), Journal of Intellectual Property, Information Technology and Electronic Commerce Law, 35-50. Ooijen & Vrabec demonstrate how consent-based data processing is characterised by three consecutive stages that together allow for ‘informed consent’ under the GDPR (Fig. 3). “In the first stage, the right to information is a key source of control, preparing a data subject for the data processing and its consequences. The right to information is closely tied to consent, since consent is only valid if it is informed, i.e., if the individual receives all the necessary information to approve or disapprove data processing. Consent facilitates control in the second stage of data processing, as it means yes or no for subsequent data processing. In the third stage, “control rights” are of particular importance, because they can ensure control over personal data also in the later stages of data processing (for instance, when data is reused by third parties).” 26)I. van Ooijen & H.U. Vrabec (2018), ‘Does the GDPR Enhance Consumers’ Control over Personal Data? An Analysis from a Behavioural Perspective’, 42, Journal of Consumer Policy (2018), 91-107.
Fig. 3. Graphical representation of the typical consent-based data processing timeline (Ooijen & Vrabec, 2018).
GDPR legal bases & the concept of consent
Hoel et al. in 2017 developed a scaled depiction of the GDPR legal bases’ relation with the concept of consent (Fig. 4).27)Hoel et al. (2017). This shows that besides consent itself, three other GDPR legal bases – contract, legitimate interests and public interest – have, in one way or another, a relationship with the concept of consent. In the case of contract as a legal basis, the concept of consent plays a role, as the data subject’s initial consent to the contract, although data processing might not have been explicitly mentioned in the contract, may imply consent to other – related – activities that are necessary to reach the goals set out by the contract, including (certain types of) data processing. In the case of legitimate interests as a legal basis, the concept of consent plays an implicit role in the balancing of interests, because the GDPR requires the processor in the legitimate interest assessment, to account for ‘reasonable expectations’ of data subjects. Might the data subject reasonably expect data processing (of this kind) in this situation, then this is an indication that the controller’s interests may be legitimate. This implies that data processing that is perceived as natural and logically expected, does not pose a too great violation of data subject’s rights and freedoms, and might even be an intuitive counterpart of consent. In the case of public interest as a legal basis, consent plays a role, albeit to a lesser extent, as the data subject’s interests are presumed to be included in the public interest and – although it might appear somewhat far-fetched – the data subject is expected to consent to activities that serve their interests. By contrast, the remaining two GDPR legal bases – legal obligation and vital interests – the concept of consent does not come into play, as the basis for data processing is one of ‘pressing nature’, leaving little to no room for consideration of data subjects’ desires and inclinations. These observations may prove helpful for choosing the appropriate legal basis for online proctoring.
Fig. 4. Legal basis for data processing & the question of consent (Hoel et al., 2017).
As per Article 6(1)(b) GDPR, processing is lawful if it is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. What constitutes a valid contract, is to be determined by member state national law. In the Netherlands, as well as in many other countries, there is much debate on how to characterise the student-university relationship: is it purely contractual, or mostly a public service? In Dutch case-law, the accepted view is that the student-education institution relationship is governed by public law. Government-funded schools and education institutions, in particular, are considered to primarily perform a public task, and therefore any ‘education contract’ – which students are sometimes obliged to sign in order to partake in their studies – are not governed by civil contract law. Even the relationship between students and privately-funded education institutions cannot logically be considered to be governed (solely) by contract law, as higher education contracts contain standard ‘take-it-or-leave-it’ provisions from which students cannot deviate or renegotiate. Contract can therefore not be invoked as a legal basis for data processing in the case of online proctoring.
2.3.3. Legal obligation
As per Article 6(1)(b) GDPR, processing is lawful if it is necessary for compliance with a legal obligation to which the controller is subject. The GDPR, in Recitals 41 & 46, requires that ‘such a legal basis or legislative measure should be clear and precise and its application should be foreseeable to persons subject to it’. To determine if Dutch law contains such a legal obligation, that justifies universities processing data on this legal basis, it is important to distinguish between public and private universities.
22.214.171.124. Universities governed by public law
For the 11 Dutch universities that are, by virtue of their establishment and legal form, governed by public law (see Fig. 1), the starting point is Article 1.3 of the Dutch Higher Education and Research Act (WHW). Under Article 1.3 WHW, universities are, amongst other things, tasked with ‘providing academic education for the benefit of society’. Furthermore, under Article 7(10) WHW, universities have broadly defined responsibilities with regard to examination, i.e. that examination should comprise of an investigation of examinees’ knowledge, insights and skills. Paragraph 3 of this Article states that the institution’s board is responsible for the practical organisation of examination. Given the fact that, in Dutch law, there are no legal provisions specifying this further, it is unlikely that universities will be able to rely on WHW provisions for their online proctoring data processing. Finally, if one were to interpret the WHW provisions as legal obligations under the GDPR, then new challenges might arise with regard to the adoption of online proctoring in Teaching and Examination Regulations (‘OER’), given that universities have policies that require amendments to the OER cannot be made without receiving advice from the representative advisory board (‘medezeggenschapsraad’).28)Studenten Overleg Medezeggenschap (2020), Handleiding Online Proctoring, Student en Politiek. It may be such, that in current circumstances, this type of advice cannot be timely provided, or would advise against online proctoring, after which the claim of online proctoring as part of a legal obligation, would be even more difficult to uphold.
126.96.36.199. Universities governed by civil law
For the 3 Dutch universities that are governed by civil law, the first hurdle is the fact that they are not automatically included in laws specifying public tasks of universities. However, as per Article 1.1(i), universities that, because of their different legal personality, are governed by civil law, are still subject to the provisions of the WHW. Consequently, the same logic applies, the WHW provisions will likely not contain a sufficient basis to justify the data processing of online exam surveillance and, if it did, would raise other questions around adoption in Teaching and Examination Regulations (‘OER’).
2.3.4. Vital interests
As per Article 6 (1)(d), processing is lawful if it is necessary in order to protect the vital interests of the data subject or of another natural person. This legal basis is most often associated with protecting life in life-and-death situations, which is hardly the case in online proctoring and hence cannot apply.
2.3.5. Public interest
Pursuant to Article 6(1)(e) GDPR, processing is lawful if it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Similar to ‘legal obligation’, Article 6(3) and Recitals 41 & 45 hold that data processing because of public interest, should be based on a legal basis or legislative measure that is clear and precise and its application should be foreseeable to persons subject to it. For this reason, universities cannot base their data processing on public interest. Also, as mentioned before in paragraph 188.8.131.52., the legal basis of public interest is one that hardly references the broad concept of consent. If one were to invoke the legal basis of public interest, there is likely to not be a balancing of interests, expectations and context, like one would have if the legal basis of legitimate interests were invoked. Given the fact that online proctoring – particularly during the current COVID-19 crisis, and most likely, far beyond – it is appropriate and desirable for universities to invoke legitimate interests as a legal basis, because then all relevant interests and circumstances need to be weighed, and any abcences or inconsistencies can efficiently be addressed.
Update 2 (26 May 2020): are universities public authorities & may they invoke legitimate interests?
Following the initial publication of this article, the author engaged in fruitful Twitter discussions with fellow privacy professionals Sarah Eskens, Joost Gerritsen and Walter van Holst around the legal bases available to universities for their online proctoring activities.29)For a detailed account of the viewpoints discussed, please also see: S. Eskens (2020), ‘Online proctoring en de Algemene Verordening Gegevensbescherming’, accessed through: <https://www.saraheskens.eu/blog/online-proctoring.html>. Most importantly, the question whether universities can invoke legitimate interests as a legal basis, was asked and discussed. A persuasive argument was made that universities are restricted to rely upon either one of two legal bases for data processing:
- ‘legal obligation’ (Article 6 (1)(c) GDPR); or
- ‘public interest’ (Article 6 (1)(e) GDPR).
The rationale for this argument is found in the final sentence of Article 6 (1) GDPR, which states that “[Article 6 (1) (f)] shall not apply to processing carried out by public authorities in the performance of their tasks.” As discussed by Eskens, in absence of a GDPR definition of ‘public authority’, the decision whether universities are public authorities within the meaning of GDPR provisions, is determined by national law.30)Ibid. In essence, there are two main reasons to believe that universities fall within the ‘public authorities’ category of Art. 6 (1) final sentence GDPR – preventing them from invoking legitimate interests as a legal basis for data processing – being their legal status and their funding structure – both of which are discussed in more detail below.
Universities’ online proctoring: public authorities carrying out a public or non-public task?
The below discussion of legal status and funding structure demonstrates that (public) universities are likely to be viewed as public authorities in the sense of Art. 6 (1) final sentence GDPR. Even if this is the case, however, invocation of legitimate interests as a legal basis may still be possible, if it can be established that online proctoring was carried out as part of a non-public task – given the fact that the inhibition for public authorities to rely on legitimate interests for data processing, applies only to ‘processing carried out in the performance of their tasks’. An example of a ‘non-public task’ carried out by public authorities for which they may rely on legitimate interests when processing data, discussed in the authoritative Tekst & Commentaar Privacyrecht handbook, is access security of government buildings.31)“Omdat het op grond van de verordening aan de wetgever wordt overgelaten om de rechtsgrond voor gegevensverwerking door over heids instanties te creëren, mogen over heids in stan ties in het kader van de uitvoering van hun taken verwerking van persoonsgegevens niet baseren op de rechtsgrond gerechtvaardigd belang. Overheidsinstanties kunnen andere verwerkingen, bijvoorbeeld in het kader van de toegangsbeveiliging van overheidsgebouwen wel baseren op de grondslag gerechtvaardigd belang.” In: G.J. Zwenne (Ed. 2018), ‘Algemene verordening gegevensbescherming (AVG): inclusief Uitvoeringswet AVG (UAVG)’. Tekst & Commentaar Deventer: Wolters Kluwer. The access security of government buildings being a situation in which public authorities can invoke legitimate interests32)It should be noted, of course, that – as per Article 6(1)(f) and Recital 47 of the GDPR – the legitimate interests of the public authority to process data for the purpose of securing access to its buildings needs to be weighed against the rights and freedoms of data subjects in a LIA, so as to determine whether the legitimate interests of the public authority as the controller outweigh the rights and freedoms of data subjects in the given situation, as it would in the case of any other controller invoking legitimate interests as their basis for data processing., may serve as an interesting point of departure to consider universities’ options and limitations to rely on legitimate interests as a legal basis for the data processing that takes place during their online proctoring activities. As such, the below discussion of legal status and funding structure of universities sheds further light on the specific nature and circumstances of universities and their online proctoring, in order to determine how this task on the part of the universities should be understood and what this means for their eligibility to rely on legitimate interests as a legal basis. Illustratively, one may ask the question: is universities’ online proctoring similar to a mayor’s public task of issuing identity documents (for which they must base their data processing on a legal obligation or public interest)33)This legal obligation is laid down in the Paspoortwet and the Paspoortuitvoeringsregeling. or is it similar to a mayor’s (or municipality’s) non-public task of access security of their government building (for which they may base their data processing on legitimate interests)?
Legal status, funding structure & lessons from the UK
With national law being the decisive factor for determining whether universities are public authorities under the GDPR, below is an evaluation of universities’ status under Dutch administrative law.
I. Legal status of universities
The Netherlands has many “organisations that play a role in the pursuit of public interests, as a result of which they are somehow connected to the government. This may be the case if the organisation 1) was instituted by law, 2) was founded by the government, 3) if the government holds shares in it, 4) if the government has some other type of statutory or contractual decision-making power in it and/or 5) if it is subsidised or regulated by the government. The role that these organisations play in the pursuit of public interests is not determined by the form or intensity of their relationship with the government: rather, this relationship is the result of a variety of factors, including the way in which the concerned public interest is guaranteed by the government (for instance through market functioning or representative consultation of stakeholders), but also political and historical developments.”34)The Dutch text reads: “Er bestaan in ons land talloze organisaties en instellingen die een rol spelen bij de behartiging van publieke belangen, en om die reden op de een of andere manier met de overheid zijn verbonden. Dat kan zijn doordat ze bij of krachtens de wet zijn ingesteld, of door de overheid zijn opgericht, de overheid aandeelhouder is of op een andere manier statutair of contractueel zeggenschap heeft, die door de overheid worden gesubsidieerd of door overheidswet- en regelgeving worden gereguleerd. De betekenis die deze organisaties hebben voor een goede behartiging van het publieke belang heeft geen relatie met de vorm of de intensiteit van de relatie met de overheid: die relatie is de resultante van een veelheid van factoren, zoals de wijze waarop het betrokken publieke belang overigens is geborgd (bijvoorbeeld door marktwerking, of zeggenschap van andere stakeholders), maar ook politieke en historische ontwikkelingen.” In: S.E. Zijlstra (2019a), ‘Onafhankelijke ondergeschikten: Zbo’s, rijksinspecties, planbureaus, privacy-officers, het WODC: tijd voor chaos in de orde!, Nederlands Tijdschrift voor Bestuursrecht, Vol. 2019: 2, pp. 39-47. Historically, debates on how to characterise and legally structure these government-connected organisations have been fierce, as this goes back all the way to constitutionally-ordained parliamentary control over government functioning.35)Ibid. In the Netherlands, the relationship between government and parliament is laid down in Article 42, paragraph 2 of the Constitution.36)Article 42, paragraph 2 Grondwet. The principle of ‘ministerial accountability’ is central to the parliamentary control on the exercise of public authority by the government: ministers and secretaries of state are accountable to parliament for government functioning, both collectively and individually. However, ministers and state secretaries are not accountable for the execution of public tasks and competences that have by law been assigned to bodies which are not hierarchical subordinates of (one of) those Ministers. Most of these bodies are referred to as ‘semi-autonomous public bodies’ (zelfstandige bestuursorganen, in short: ‘zbo’s’).37)Kamerstukken I 2013/14, Q.C.
The relationship between government and government-connected organisations was discussed in more detail, in 2019, in a ‘scientific reflection lecture’ of Dutch constitutional and administrative law professor Zijlstra. “When it comes to the administrative authority of the government, legally, there are three options. The first and most frequently observed one: the authority is assigned, by law, to the Minister who delegates it further onto her department by mandate (such as the case with the Dutch Immigration and Naturalisation Service IND). The Minister is in charge, parliament has full control over how the authority is carried out. The second: the authority is assigned, by law, directly to a subordinate institution, such as the Dutch Food and Drug Administration or the Tax Authorities. The Minister remains in charge, parliament has full control over how the authority is carried out. The third option: a zbo. The Minister does not have the power to issue specific instructions and, hence, parliament does not have full control over how the authority is carried out.”38)The Dutch text reads: “Als het gaat om bestuursbevoegdheid bij het Rijk, zijn er juridisch drie smaken. De eerste en eigenlijk meest gebruikelijke: de wet kent de bevoegdheid toe aan een minister, die haar via mandaat binnen het departement spreidt. Denk aan de IND. Minister is de baas, parlement kan de taakuitoefenig volledig controleren. Dan de tweede: de wet kent de bevoegdheid rechtstreeks toe aan een ondergeschikte dienst. Denk aan Nederlandse Voedsel en Warenautrteit, of de belastingdienst. Minister blijft de baas, parlement kan de taakuitoefening voleldig controleren. Derde variant: een zbo. Minister kan individuele beslissingen niet bepalen, parlement kan dus ook niet volledig controleren.” In: S.E. Zijlstra (2019b), ‘Het drama van de zbo’s: geschiedenis, analyse, oplossing’, Wetenschappelijke Reflectie, Ministerie BZK: Den Haag.
Given the proliferation of zbo’s, in 2006, the Semi-autonomous Bodies Framework Act (Kaderwet zelfstandige bestuursorganen) was adopted39)Kaderwet zelfstandige bestuursorganen (27.426); publicatie wet (Staatsblad 2006, nr. 587). with the view of 1) restoring political control over zbo’s exercise of public authority and their finances, and 2) harmonisation of procedures for the zbo’s that were to be established in the future.40)Zijlstra (2019b). However, it was immediately clear that not all zbo’s would fall under its scope, as certain zbo’s were considered to be subject to complex regulatory standards of their own that should take precedence over the general rules of the Framework Act. Universities are considered to fall within this category. In the 2019 Evaluation of the Semi-autonomous Bodies Framework Act, the Secretary of State for the Ministry of Interior and Kingdom Relations reiterated that – in spite of the Framework Act’s harmonization efforts – certain clusters of zbo’s are not suited to be included under the Framework Act, “because they are regulated by sector-specific laws and would, for their functioning, not benefit from inclusion under the Framework Act, for example notaries and universities.”41)The (more elaborate) Dutch text reads: “Het aantal (clusters van) zbo’s dat onder de Kaderwet valt, bedraagt, uitgaande van het zbo-register, thans 88. In totaal zijn er thans 151 (clusters van) zbo’s. Zelfstandige organisaties die niet onder de Kaderwet vallen, betreffen voor het grootste gedeelte keuringsinstanties, zogenoemde conformiteitsbeoordelingsinstanties, zoals bijvoorbeeld de keuringsinstanties die producten keuren op grond van de Warenwet. Er kunnen goede redenen zijn om deze niet onder de Kaderwet te brengen. Zo kan bij keuringsinstanties de tucht van de markt de marktprijs en kwaliteit ook waarborgen. Daarnaast betreft het privaatrechtelijke rechtspersonen, waarvoor geldt dat de Minister in de regel geen benoemingsrecht heeft. Verder zijn er andere clusters te identificeren waarvoor specifieke wet- en regelgeving is ontworpen, bijvoorbeeld notarissen en universiteiten. De consequenties zijn daarom beperkt, omdat deze groepen op een andere manier zijn gereguleerd. Het is voor deze groepen ongewenst geoordeeld deze onder de Kaderwet te brengen, omdat de wet- en regelgeving het toezicht op deze groepen onnodig complex maakt en dit het functioneren van de organisaties niet verbetert.” In: Kamerstukken II 2019/20, 33147, nr. 8, verslag van schriftelijk overleg. Hence, although they are not expressly mentioned in the Dutch zbo register42)The register is said to be an illustrative, rather than exhaustive, overview of the Dutch zbo’s: Overheid.nl, ‘Zelfstandige bestuursorganen’, accessed through <https://almanak.overheid.nl/Zelfstandige_bestuursorganen/>., the 10 public universities are considered to be zbo’s with a public legal personality43)Inspectie Overheidsinformatie en Erfgoed, ‘Publiekrechtelijke zelfstandige bestuursorganen’, accessed through: <https://www.inspectie-oe.nl/toezichtvelden/overheidsinformatie/geinspecteerde-instellingen/publiekrechtelijke-zelfstandige-bestuursorganen>. and the 3 special universities are considered to be ‘part-time’ or ‘hybrid’ zbo’s with a private legal personality.44)Dutch text reads: “[…] er zijn ook instellingen die maar voor een deel van hun werkzaamheden een publieke taak uitoefenen, en daarnaast ook andere, vaak commerciële activiteiten verrichten: de ‘deeltijd-’ of ‘hybride zbo’s’ (zoals de APK-keurders, bepaalde certificerende instellingen, maar ook de bijzondere universiteiten).” S.E. Zijlstra (2019c), ‘Zelfstandige bestuursorganen: een volledig gejuridiseerde organisatievorm’. In S. Riezebos, & T. van Rijn (Eds.), ‘Zbo’s tussen droom en werkelijkheid: Over het verleden, heden en de toekomst van zelfstandige bestuursorganen’, Ministerie van BZK: Den Haag, pp. 122-123. For the carrying out of their public authority, they are not governed by the Framework Act, but by the sector-specific WHW.
Furthermore, the public nature of the 10 public universities may be indicated by the fact that:
- public university staff are civil servants, as opposed to the staff of ‘special’ universities, who are employees under labour law);
- legal action against the decisions of public universities is taken in administrative court – after having followed the applicable objection procedure with the institution. This is opposed to ‘special’ universities whose (ultimate) decisions are appealable in civil court – except where their decisions involve conferring the of certain legal rights and competences, such as the right to pursue doctoral studies or the granting of ‘civiel effect’ (which is required to pursue a career as a lawyer, judge or prosecutor in the Netherlands);45)J. Peters (2017), ‘Onderwijs aan de Radboud Universiteit; een niet vanzelfsprekende vanzelfsprekendheid!’, Bulletineke Justitia. and
- the Freedom of Information Act (Wet Openbaarheid Bestuur, WOB), which allows persons to request government information from an administrative body through a WOB request (freedom of information, FOI), applies to public universities. NB. A few years ago, there was discussion on whether the WOB should also apply to special universities46)F. Bardoel (2012), ‘‘WOB-procedure geldt ook voor bijzondere universiteiten’’, Univers., however, given their establishment under private law, this is currently not the case.47)C.N. van der Sluis (2017), ‘Commentaar op Wet openbaarheid van bestuur art. 3 (WOB)’, SDU Uitgevers.
As per the above, there are convincing reasons to hold that public universities are public authorities in the sense of Article 6 (1) final sentence GDPR, because there are various indications under national law that lead to this conclusion. It should be noted, however, that universities because of their semi-autonomous public bodies status with corresponding highly specified competences and regulations, are very different from general public authorities under administrative law.
II. Funding structure of universities
Further indication of the nature of universities is found through examination of funding structures. Rather detailed information about the funding of Dutch universities is found on the website of the VSNU (Vereniging Samenwerkende Nederlandse Universiteiten, in English: the Association of Universities in the Netherlands) – the trade group of the fourteen Dutch universities which acts a consultative body for its members and which represents universities in the national media and in the Dutch political system and the European Union.48)VSNU, ‘About VSNU’, accessed on 20 May 2020: < https://www.vsnu.nl/en_GB/about-vsnu.html>.
The revenue of the Dutch universities can be roughly divided into three flows of funds. In addition to state funding (direct government funding or ‘first flow of funds’), universities also receive funds from the Dutch Organisation for Scientific Research (NWO) and the Royal Netherlands Academy of Arts and Sciences (KNAW) for specific research projects (indirect government funding or ‘second flow of funds’). The ‘third flow of funds’ (contract research funding) consists of other revenue, such as contract education or research, and ‘collecting box’ funds. Lastly, student fees are a source of revenue. Universities are allowed to charge a government-set tuition fee for the programmes that they offer. Some of the students that are not eligible for funding pay student fees set by the institutions (the so-called ‘instellingscollegegeld’), an amount that in many cases is higher than the normal government-set tuition fee.
The first flow of funds
Universities receive a financial contribution from the government in order to perform their statutory obligations in the field of education, research and knowledge valorisation. This forms the basis of the universities’ financing for its educational and research tasks. The amount of this state funding is set by the Cabinet and its distribution is based on legislation (a student-based part and a non student-based part). The universities receive these funds directly, in the form of a lump sum. A university therefore makes its own decisions about how the money is distributed among its faculties. Over the past forty years the government has been investing less and less (a smaller percentage of GDP) in the higher education sector. Given that the number of students is growing, this means that state funding per student is continuing to fall.
The second flow of funds
The second flow of funds encompasses grants from the Dutch Organisation for Scientific Research (NWO) and the Royal Netherlands Academy of Arts and Sciences (KNAW). This research funding is often distributed among researchers and research institutions on the basis of competition. A lot of grants have specific target groups, such as the Veni, Vidi, Vici grants for up-and-coming scientific talent. Much of the second flow of funds is given to researchers in the form of grants linked to individuals or projects.
The third flow of funds
The third flow of funds relates to the universities’ other revenues. For example, universities receive funds for the implementation of contract education and contract research. In addition, ‘collecting box’ funds and specific targeted subsidies from Dutch ministries and the European Union, such as the European Framework Programmes (FP7 and Horizon 2020), represent a significant part of the third flow of funds. Furthermore, a large part comes from business revenue, e.g. from the student union, leasing and copying/reproduction. The third flow of funds has seen a massive increase over the past few years, in contrast to the first flow of funds.
Fig. A shows “that the Netherlands receives relatively little public funding compared to other EU countries. Dutch universities obtain a relatively large amount of supplementary funding.”49)VSNU (2016), ‘Funding’, accessed on 20 May 2020: < https://www.vsnu.nl/en_GB/funding-of-universities.html>. Although the relative amount of public funding in the UK is approximately 40% (less than half public) compared to 60% in the Netherlands, similarities in UK and Dutch additional funding levels (in purple), may be an interesting bridge to the final part of the legal status discussion, namely the lessons to be learned from the UK in this regard.
Fig. A. International Comparison Funding of Universities
III. Lessons from the UK
As discussed above, even if it is found that Dutch universities are public authorities under the GDPR, there may still be a chance of them invoking legitimate interests as a legal basis for data processing (Article 6 (1)(f) GDPR), if it can be established that the activities carried out were not part of the universities’ public task, but rather were similar to the access security of government buildings. In absence of detailed guidance on this point, it may prove useful to engage in comparative law review of how this GDPR provision was implemented and interpreted in the UK.
Although the UK officially left the EU on 31 January 2020, there is currently a transition period in which EU rules and regulations continue to apply to the UK.50)Government of the Netherlands, ‘Brexit: where do we stand?’, accessed through: < https://www.government.nl/topics/brexit/brexit-where-do-we-stand>. And so, understanding UK legal dynamics with regard to the invocation of legitimate interests by universities, seems to still be a valuable exercise.
“When the GDPR was announced, it restricted public authorities from relying upon legitimate interests as a legal basis for processing in cases where processing is carried out by a public authority in “the performance of its tasks”. The restriction caused concern for public authorities, particularly large organisations and universities who operate a portfolio of processing activities (public and non-public), outside of the usual performance of its tasks. In these circumstances organisations rely on the legitimate interests exception as the legal basis for its processing activities and being unable to rely on it would have been problematic. […] The amendment to the Data Protection Bill adopted by the House of Lords on 11 December 2017 makes it clear that all public sector bodies will only be treated as public authorities for data protection purposes (and therefore subject to the restriction on legitimate interests in the GDPR) “when performing a task carried out in the public interest or in the exercise of official authority vested in it” […] The amendment is particularly useful for universities, schools and colleges who, prior to the amendment, were concerned that they could not process the personal data of alumni for fundraising purposes. The amendment changes this and permits use of the legitimate interests’ exception for processing of personal data in these circumstances.”
In a way, the amendment to the UK Data Protection Bill ‘codifies’ what can already be derived from close reading of art. 6 (1) final sentence GDPR: public sector bodies are only considered public authorities for data protection purposes (and therefore subject to the restriction on legitimate interests in the GDPR) ‘when performing a task carried out in the public interest or in the exercise of official authority vested in it’.51)A. Deighton (2018), ‘UK public sector will be able to rely on legitimate interests ground in some circumstances’, Lexology, accessed through: < https://www.lexology.com/library/detail.aspx?g=b8d1e0fd-9114-4968-b0f4-2f23db252f84>. UK lawyer Martin Sloan called the 13 December 2017 UK amendment “an early Christmas present for universities and public authorities with hybrid activities”52)M. Sloan (2017), ‘DP Bill amended to provide clarity on legitimate interests and public authorities’’, Lexology, accessed through: < https://www.lexology.com/library/detail.aspx?g=07a48396-b2ae-4c77-8cd7-06855acb7859>., which is said to include universities’ ability to invoke the legitimate interest of fundraising for the processing of alumni personal data. Now, the Dutch DPA is generally known to hold ‘stricter’ views than other member state DPA’s when it comes to GDPR interpretation. Illustratively, also in the area of legitimate interests, the Dutch DPA in its 2020 ‘Explanation of norms ‘legitimate interests’ excluded purely commercial interests and profit maximisation from qualifying as legitimate interests under Article 6(1)(f) GDPR.53)Autoriteit Persoonsgegevens (2020), ‘Normuitleg grondslag ‘gerechtvaardigd belang’’, accessed through < https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/normuitleg_gerechtvaardigd_belang.pdf>. This was criticised by various industry practitioners for two reasons. Firstly, it was considered to be a deviation from the broad interpretation put forth by the 06/2014 Opinion of the WP29 (the predecessor of the EDPB: European advisory body on data protection and privacy, which is still considered authoritative in areas where the GDPR doesn’t differ from its predecessor, the European Data Protection Directive), which held that “the notion of legitimate interest could include a broad range of interests, whether trivial or very compelling, straightforward or more controversial. It will then be in a second step, when it comes to balancing these interests against the interests and fundamental rights of the data subjects, that a more restricted approach and more substantive analysis should be taken.”54)Working Party, Opinion 06/2014 on the notion of legitimate interest of the controller pursuant to Article 7 of Directive 95/46/EC, WP 217. Following this, the UK ICO’s viewpoint is quoted by practitioners to challenge the Dutch DPA’s stance, as “[the ICO] stands by the Working Party’s opinion, explicitly stating on its website that the legitimate interests ground is a flexible one and that the commercial interest of a company can constitute a legitimate interest. The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.”55)C. Hermes (2020), ‘The Dutch Data Protection Authority explains the “legitimate interests” ground’, AKD Benelux Lawyers, accessed through: < https://www.akd.eu/insights/the-dutch-data-protection-authority-explains-the-legitimate-interests-ground>.
It is from interpretational differences such as this one that we conclude the evolving nature of EU data protection law and the importance of using cases such as universities’ online proctoring to test and try the available definitions and viewpoints.
IV. Definitions, political realities & the significance of a broad interest assessment
Following the above, there are three aspects that beg special scrutiny when interpreting Article 6 (1) final sentence in the case of online proctoring by Dutch universities:
- the semi-autonomous legal status of Dutch universities (following the hybrid nature of their activities)
- the funding structure of Dutch universities (with relatively little public funding);
- the UK amendment (expressly stating that universities can rely on legitimate interests for non-public activities).
Hence, the question of how to characterise online proctoring in the light of universities’ public education task under the WHW, is not a straightforward one. One may argue that online proctoring is inherent to the way scientific education is (currently) structured and, for this reason, universities may rely only on the data processing that is allowed for them under the WHW. Another viewpoint may be however, as pointed out by Gerritsen, is that online proctoring is more like universities’ use of anti-plagiarism software, ‘it’s related to education, but doesn’t belong to the core of the public education task’ – which would potentially make it similar to access security of government buildings. Answering this question will be important and likely challenging. The municipality’s non-public task of access security of its government building is somehow linked to the mayor’s public task of (amongst other things) issuing identity documents and yet it is sufficiently distinguishable to assume that one should be based on a legal obligation or public authority vested in the controller, whereas for the other, the controller may invoke legitimate interests. One view is that, when it comes to access security of buildings, public authorities act in a capacity that is similar to a private party, and thus do not require a legal obligation or public interest to rely on for their data processing.56)Centrum voor Informatiebeveiliging en Privacybescherming (2019), ‘Grip op privacy: de privacy baseline, de Algemene Verorderning Gegevensbescherming ontrafeld voor toepassing in organisaties’, CIP. So, whilst there is some link between public tasks such issuing identity documents and the non-public task of access security of government buildings (the latter would most likely not be necessary (in the same way) without the former, since there would be fewer people visiting the municipality government building if there were no identity documents issued), it is believed that they are sufficiently distinguishable to assume different legal bases for data processing. The question whether universities’ online proctoring activities may be viewed as a non-public task (for the purpose of ensuring information security, fraud prevention or scientific integrity) rather than related to its WHW-mandated public task (education provision), is yet to be answered.
In any event, it remains important to understand the political realities of GDPR classifications such as ‘public authority’, before such an answer is formulated. Hereby, it is noteworthy that classifying universities as public authorities that may, for their data processing rely only on a clear foreseeable public task laid down in the WHW, may fail to appreciate the assumptions underlying the ‘public authorities’ notion. In the Dutch DPA’s explanation on the primacy of the weighing of interests being done by the (national) legislator, it states that “general and specific laws can directly allow and necessitate certain types of data processing. [In this], the legislator has autonomously weighed the general interests and (fundamental) rights (of third parties) against the fundamental right to data protection. This conflict of interests – in which the legislator believes that both sets of interests deserve legal protection – has been foreseen, weighed and decided upon by the legislator.”57)Dutch text reads: “[Algemene] en specifieke wetgeving. Wetgeving die als het ware rechtstreeks verwerkingen mogelijk en noodzakelijk maakt. En waarin de wetgever zelf algemene belangen en (grond)rechten (van derden) afweegt tegen het grondrecht op bescherming van persoonsgegevens. Deze botsing van belangen – waarbij de wetgever vindt dat beide belangen wettelijke bescherming verdienen – heeft de wetgever dan voorzien, gewogen en daarin keuzes gemaakt”. In: Autoriteit Persoonsgegevens (2020). When one holds this rationale against the legal and political reality of zbo’s under Dutch law, one may want to remember that “zbo’s do not have a general, unspecified public task, they have a very specific one. They only have those competences that are necessary to perform their tasks. They have a closed housekeeping. There is little to no democratic legitimation.”58)Zijlstra (2019c). Therefore, the ‘public authority’ question to ask is not just whether universities should, for their online proctoring activities, only be allowed to rely on their WHW-mandated public task, but also: whether the WHW contains provisions that can reasonably be expected to be the outcome of the legislator’s weighing of interests that is assumed by these GDPR provisions.
In sum, the decision of whether universities’ online proctoring qualifies as public authorities carrying out a public task – preventing them from invoking legitimate interests for their data processing – may be based on a variety of factors, including but not limited to: the legal status of universities as zbo’s (supported and controlled by the government and, yet, at a distance from it), their funding structure, their distinct relationship with the democratically elected legislator and comparative review of GDPR implementation and interpretation by other states, such as the UK. Finally, the choice on whether or not universities may rely on legitimate interests for data processing will determine the nature and scope of the interest assessment that is expected of the universities engaged in it. It is not inconceivable that a broad discussion involving all relevant aspects of the digital and automated era (which would follow from the Art. 6 (1) (f) LIA), may be required and desirable to have in the context of the university – given the role it is expected to play in intellectual, societal and moral debates because of its very tasks and responsibilities. If it is found that universities are not excluded from relying on legitimate interests for their online proctoring activities, then the below suggestions for the legitimate interests assessment may prove to be useful starting points.
2.3.6. Legitimate interests
Following Article 6(1)(f) GDPR, processing is lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Whether or not the controller has legitimate interests that outweigh the rights and freedoms of the data subject, allowing it to process personal data without consent, is established through a legitimate interests assessment. If it is found that the controller has such legitimate interests, then this needs to be set out in relevant information notices, in accordance with Article 13(1)(d) and 14(2)(b) GDPR. It is also required to have in place a specific, enhanced objection procedure in which individuals are able to object to processing based on legitimate interests, after which the burden to prove they have compelling grounds to continue processing the data, is on the controller. Below, suggestions are made on how to construct the legitimate interests assessment for universities’ online proctoring activities.59)E. Ustaran (2018), ‘European Data Protection: Law and Practice’, International Association of Privacy Professionals.
184.108.40.206. Legitimate interests assessment (LIA)
Universities’ online proctoring is conducted for the broad purpose of maintaining academic teaching and examination during the COVID-19 crisis. If academic teaching and examination are preserved, as much as possible, it is possible for: students to continue progressing with their studies, education institutions to continue their activities and receive funding for them, and society at large to continue benefiting from the knowledge dissemination and valorisation that takes place at universities. Oppositely, if academic teaching and examination are not preserved, students’ study progress will greatly suffer, as will universities’ core activities and corresponding funding options, as well as societal benefits from the education of new generations of academics and uninterrupted dissemination and valorisation of knowledge. To reach these goals, sub-goals of the data processing are expected to include: 1) authentication, 2) fraud prevention, 3) time-frame control, 4) implementation and legislation. Incorporation of other (sub)goals are also plausible, as universities are likely to hold themselves (and, expectantly, their software providers) to a purpose limitation, whereby the LIA can be so concrete as to weigh the controller’s interest against the methods used (including their features and capacities to reach the pursued goals) against the rights and freedoms of data subjects.
Fraud prevention and diploma value
The broad theme of fraud prevention (which may include authentication and time-frame control) is considered to be at the heart of universities’ interests to engage in online proctoring, as (large-scale) fraud with academic examination compromises the value, integrity and reputation of diplomas, study programmes, universities and academic education an sich60)M.A. Eckstein (2003), ‘Combating academic fraud: towards a culture of intergrity, International Institute for Educational Planning, UNESCO., The GDPR, in Recital 47, provides an indication for fraud prevention to be weighed as a controller’s justified interest in the LIA. It should be noted, however:
“A processing operation which supports [the purpose of the prevention of fraud (Recital 47 GDPR)], is unlikely to be based on one of the other grounds of art. 6 GDPR [other than legitimate interests of the controller]. […] The legitimate interest of the controller would qualify for the prevention of fraud, on the condition that the requirements are met and the principles of art. 5 GDPR are respected. A generic ‘prevention of fraud’ purpose is not a legitimate interest prevailing over the data subject’s interests. Specific circumstances that justify the processing for the prevention of fraud in each case as the proportionate measure are necessary.”
– Kamara & De Hert, 2018
Hence, the invocation of fraud prevention as a pressing interest on the part of the controller, must be tested, particularly for proportionality, as only the specific circumstances can justify this data processing for the purpose of fraud prevention. In the proportionality test, attention needs to be paid to the principles laid out in Article 5 GDPR, especially principles of accuracy, data minimisation, storage limitation and confidentiality, which are addressed at the proportionality test (paragraph 220.127.116.11.) and the measures taken to protect data subjects’ rights (paragraph 18.104.22.168).
After having demonstrated universities’ interests, the requirement of ‘necessity’ must be met. For the necessity criterium to be fulfilled, ‘proportionality’ and ‘subsidiarity’ tests must be conducted.
In terms of proportionality, the purpose of data processing should outweigh the (possible) disadvantages for data subjects. It should be noted, that online exam surveillance will presumably not have only negative effects for students. When it comes to transparency of examination and grading practices, having video or other footage to look into, if necessary, might actually serve the students’ interests if students feel they can demonstrate that a) they did not cheat, if they are accused of it, b) they are deserving of a higher grade. In spite of these potential advantages for students, disadvantages are also very conceivable. If the footage and information through online exam surveillance obtained (special category data, in particular), were to be leaked – either through a human error in archiving or more major events such as system hacks, the risks of severe consequences for the student are high, including but not limited to: prolonged negative assessment (if their witnessed performance was bad or fraud was (potentially) committed), fewer study or career opportunities, racial, age or health status discrimination, or reputation damage. In addition to these generally anticipated risks, the current crisis situation is shedding light on other possible risks, including risks on mental and emotional levels, such as the one documented by online student newspaper, the Leids Universitair Blad, of 19-year-old technical physics student Xander Dangerman who claims he was so distraught by the many interventions of online proctoring that he struggled to focus on the exam questions and, as a result, scored a 2,5 grade (out of 10).61)V. Bongers & S. van Loosbroek (2020), ‘Hoe gaan we toetsen (en mag Big Brother ook meekijken)?, Mare, Leids Universitair Blad. Although Xander’s objections were honored by the Board of Examination, the alternative he was offered, entails not taking part in exams until it possible to do so on campus again, which he considered to not be a useful alternative.62)Ibid. Obviously, this is merely ‘anecdotal evidence’, however, it is not unthinkable that online proctoring can negatively impact students’ focus, anxiety, wellbeing and overall study success. A 2019 American study, assessing the effect of online proctored exams on student test anxiety and exam performance, found that “high trait test anxiety results in lower exam scores and that this is especially true for those students with high text anxiety taking exams in an online proctored setting.”63)D. Woldaeb & T. Brothen (2019), ‘21st Century Assessment: Online Proctoring, Test Anxiety, and Student Performance’, International Journal of E-learning & Distance Education, Vol. 34:1. It is of the utmost importance that in its legitimate interests assessment of online exam surveillance, universities take account of these potentially grievous effects and document how they will 1) foster research into these effects in the context of Dutch academic education, 2) design a robust objection procedure that does justice to the real risks that students face and provides genuine alternatives.
Proportionality: effectivity & equity
Another pressing issue for the proportionality test, is the question of effectivity. It should be demonstrated whether the means chosen to achieve the desired goals are actually capable to do so. The use of software and (semi-)automated processes for decision-making poses clear effectivity questions. Firstly, there is the question of whether such software is actually capable of detecting fraud, particularly as the students under surveillance are probably (highly) tech-savvy. Or, as Twente University of Technology put it, “There are various ICT solutions for supervised remote examination. We are convinced that our students are smart enough to bypass these systems. Rather than trying to optimize in this direction, we are presently convinced that it is better to develop a way of working where we check the originality of the work afterwards. Based on the knowledge we have now, using an online proctoring system may lead to more problems than that it solves.”64)L. Bergmans et al. (2020), ‘UT Framework for Remote Assessment During the COVID-19 Crisis’, Twente University of Technology. Legitimate interests assessments should include a joint effort of universities and software providers to demonstrate how the software used is actually capable of achieving the desired goals. Particularly where the online proctoring results obtained (through pilots) deviate from the results in regular exams, or from the results benchmarked by other universities, this is reason for concern and documentation. Prof. Noordzij, Head of Social Sciences at Erasmus University College, remarked: “we expected unusual activity in about ten percent of the exams [.] But in the end it was only four percent. And those irregularities happened mostly because of bad wifi. The internet connection has to be strong enough to follow the screen and to let the webcam film. It’s more about things like that, than about students doing anything weird.”65)Bongers & van Loosbroek (2020). Along with a positive spirit, such surprising percentages should give rise to questions about effectivity. Are fewer students committing fraud, or is the software not picking it up? And if not, is it worth the privacy infringement to maintain a (potentially false) sense of security? In addition to ‘underachieving’ online proctoring software, there might also be ‘overachieving’ proctoring software, whereby false positives, in particular, are important to address. As indicated by SURF, the cooperative IT facilities association of Dutch educational and research institutions, in its recently updated White Paper Online Proctoring, “incorrect fraud detection occurs with every form of online proctoring. This is because some software providers flag every type of gaze change. The Chronicle of Higher Education wrote in 2013 about Software Secure: ‘the company’s subcontractor in India, Sameva Global, said it notes ‘minor suspicions’ in 50 percent of exams; ‘intermediate’ suspicions in 20 to 30 percent; and ‘major’ incidents in 2 to 5 percent.’”66)SURF (2020), White Paper Online Proctoring. These are technical specifications that should be explored and explained by universities, as they may affect students’ learning outcomes, reputation etc. Detailed investigation of this is also necessary with view of GDPR’s foundational principle of data accuracy (Article 5 (1)(d)), as inaccurate fraud qualification (as well as other inaccuracies) pose serious risks for students. Secondly, there are highly topical, wider ethical questions of bias in machines, robots, algorithms and other types of artificial intelligence systems, which may end up copying and propagating negative human behaviour (both consciously and subconsciously). Amazon’s recruitment algorithm that unjustly discriminates against women and the US COMPASS-system that incorrectly attributes higher recidivism rates to African-Americans compared to white Americans with an identical criminal history, are two main present-day examples of how software can copy and magnify social disparities.67)S.J. Bellens (2018), ‘Neuro-informaticus Sennay Ghebreab strijdt tegen racistische machines’, filosofie.nl. In the Netherlands, there was the example of Eritrean-Dutch Neuro-Informatics Professor Sennay Ghebreab who was, because of his darker skin color, not recognized by automated revolving door software deployed by his employer, the University of Amsterdam, at the entrances of new buildings in 2005.68)Ibid. Universities’ legitimate interest assessment of online exam surveillance should therefore address questions of fairness and equity, such as: a) how does eye-tracking software function on students with glasses, squint, ‘lazy eyes’? b) (how) does keystroke analysis work for students with twitches or spasms? (how) does the software register differences in students’ gender, skin color, facial hair and clothing, and can this – in any way – affect the outcomes of the surveillance? Universities’ legitimate interests assessments should go into detail answering these questions, in order to have a real balancing of interests.
Finally, the proportionality test should address the question of ‘reasonable expectations’ of the data subject based on the relationship with the controller. Recital 47 asks from the controller to assess whether the data subject reasonably expects the collection of the personal data at the time and the context of the collection for the specific purpose. More concretely, “a reasonable expectation relates strongly to the circumstances before the processing takes place, including the provision of clear and timely information to the data subject. A reasonable expectation of processing therefore relates to the foreseeability and acceptance from the side of the data subject of the processing operation. While the foreseeability needs to be articulated objectively (clear, timely, and transparent information notice, justified for the purposes it serves, etc.) by the data controller, the acceptance of the data subject can also be implied (otherwise, we would refer to ‘consent’).”69)Kamara & De Hert (2018). There is a multitude of challenges surrounding the concept of reasonable expectations. On the one hand – if timely informed and justified for the purposes – one may argue that students might expect online proctoring in times like these and they may consent, as it is also in their benefit to continue their studies and exams. On the other hand, as discussed, it is debatable whether transparent information notices can be given at all for data processing activities that may potentially affect students in ways that are hardly known nor debated. Hence, the underlying concept of consent discussed in paragraph 22.214.171.124. and illustrated in Fig. 4, which needs to be ‘freely given’ in order to be valid, might become the center of the legitimate interests assessment. Also, “scholars raise a flag of overlying on reasonable expectations; what is reasonable might be influenced by previous (not necessarily fair) practices of dominant players in a field.”70)Ibid. Hence, it is important that a standard set by one or more universities should not lead to inferred acceptance or consent by students at other universities – or even for a different study programme at the same university. All relevant factors should be taken into consideration: e.g. university and student characteristics, physical and psychological context, availability of hardware and software, budgetary situations of the university and students, as well as characteristics of the software used and the university’s history of information security and privacy (e.g. the hack at Maastricht University71)W. Bos (2020), ‘Cyberhack: Maastricht University pays ransom’, Observant Online.).
The subsidiarity test should address the question of whether the pursued aims cannot be achieved with different, less privacy pervasive means. Once again, the answer to this question is highly contextual, but should in any case address: class size, nature of the course, characteristics and maturity of students, availability, effectivity and consequences of other methods and risks of postponement. Other methods to be considered may be take-home exams, essay assignments, online oral exams or postponement. When dismissing methods that are considered suitable by peers, such as HBO universities or other universities, it should be detailed, why – in the case of this specific university and study programme – they cannot achieve the goals.72)Ustaran, 2018
126.96.36.199. Compelling legitimate interests
Depending on the outcome of proportionality and subsidiarity tests, case-by-case decisions need to be made about whether or not universities have compelling legitimate interests that outweigh the privacy rights and freedoms of students, to engage in online exam surveillance. Most importantly, LIA outcomes may vary per university, depending on differences in types of data collected, type of software used, contractual caution taken in relation with software providers, technical and organisational measures taken, etc.
188.8.131.52. Technical and organisational measures
Any online proctoring (effort) should put at its forefront the adoption of organisational and technical measures to protect data subjects’ rights. WP29 argues that (proposed) technical and organisational measures, such as pseudonymisation techniques and privacy enhancing technologies (PETs), should be included in the legitimate interests assessment balancing, as inclusion contributes to representation of the actual expected impact of the processing to the data subjects’ rights.73)WP29 Opinion (2014), Overview of results of public consultation on Opinion on legitimate interests of the data controller, 06/2014. By including the measures in the balancing test, controllers are encouraged to take serious measures, both internally in their own IT and organisational situation, as well as in agreements with software providers. Measures that facilitate data minimization, as set out in Article 5 (1)(c) GDPR, deserve specific attention and encouragement, as they are instrumental at safeguarding students’ rights. For instance, although passports, ID cards and drivers’ licenses can serve as extra identifiers along with student cards, it should be noted that these documents make mention of social security (‘BSN’) numbers, which is why collecting pictures of them, poses risks of a.o. identity theft. Measures that prohibit or limit the collection of such information should, in any event, be part of the measures. In sum, mitigation measures and safeguards therefore should be considered, but not play a significant role in determining to which side the scale leans.74)Kamara & De Hert, 2018.
3. Context weighing: circumstances and interests
If we have learned anything in recent years, then it would be that the GDPR, as well as Member State’s GDPR implementation acts, leave much space for the deliberation of circumstances and interests in individual cases. Hence, in a case like this one, there are bound to be many questions that can only be understood by critically reflecting on the specific characteristics of the various contexts in which (proposed) online exam surveillance operates. Two main perspectives of contextual analysis, are that of 1) data protection’s historic relation to privacy and 2) questions around equal opportunity in academic education. The below analysis might therefore serve as extra input for the GDPR legitimate interests assessment balancing test, or as general background understanding of which factors are at stake with online proctoring going forward.
3.1. Fundamental rights definitions
“In the EU, a fundamental right to data protection sits alongside the right to privacy. The Charter of Fundamental Rights of the EU (the Charter) contains a right to the protection of personal data in Article 8 (the right to data protection), in addition to a right to respect for private life in Article 7 (the right to privacy). After its separate recognition in the EU Charter of Fundamental Rights, the right to data protection acquired a prominent position in the EU General Data Protection Regulation.”75)M. Mostert, A.L. Bredenoord, B. van der Sloot and J.J.M. van Delden (2017), ‘From Privacy to Data Protection in the EU: Implications for Big Data Health Research’, European Journal of Health Law, Vol. 24, pp. 1-13. Ongoing scholarly discussion on the degree of overlap and shared objectives between the two rights, have allowed confusion over the distinctness of the two rights to persist. Some clarity on the difference in scope is provided in CJEU cases such as “the Rundfunk judgement, in which the Court held that ‘(…) the mere recording by an employer of data by name relating to the remuneration paid to his employees cannot as such constitute an interference with private life.’ Furthermore, in the Digital Rights Ireland case, the CJEU confirmed that the retention of personal data also directly and specifically affects the right to privacy, when the “(…) data, taken as a whole, may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them.”76)Cases: CJEU, Case C-139/01, Österreichischer Rundfunk and Others, ECLI:EU:C:2003:294, para. 74 and 64 & CJEU, Case C-293/12, Digital Rights Ireland, ECLI:EU:C:2014:238 Finally, there is a clear difference in scope, as the substantive protection offered by both rights differs, since the right to privacy does not guarantee a general right of access to ones data.77)Mostert et al., 2017
3.1.1. Online exam surveillance and both fundamental rights
Given the overlap and distinction between the right to privacy and the right to data protection, one may conclude that online exam surveillance is located at the exact injunction of their overlap. This is because online proctoring is, at its core, the collection of (special category) data and using it to make automated decisions affecting people’s lives. At the other hand, the data generated by online proctoring provides exactly that information on surroundings and habits of everyday life, that they infringe on students’ privacy. This is important as students’ – just like everyone else – currently spend the majority of their time at home and can, therefore, not be expected to make special arrangements for online proctored exams.
3.1.2. Comparison to regular, on-campus exams
As a result, Rector Sijtsma’s third claim, is difficult to uphold. Not only does online exam surveillance generate tremendously more personal data than on-campus exams, it is also data that can potentially be stored longer than intended, or leaked – as opposed to impressions of an on-campus proctor, which potentially infringes their rights to data protection. More importantly, the data that is generated provides insights into the intimate lives of students, infringing on their right to privacy.
3.2. Type of data subject & universities’ responsibility of equal opportunity
The final contextual analysis that is needed to fully grasp the challenges of online surveillance, is the ongoing debate of universities’ role in equal opportunity. Education as an emancipatory tool remains to be a popular mantra. And albeit discussions around accessibility, there is a common consensus that universities have at least some level of responsibility in providing young people with equal opportunities to a bright future.78)Huber, 2016. Below, Linnet Taylor’s response to Rector Sijtsma’s statement, from a culture studies perspective, demonstrates how other contextual factors may even play a role in the legitimate interests assessment and beyond.
Who is ‘our student’ & what does ‘equal opportunity’ mean? Meet Jan & Farhana
[…] We can question whether Jan is the student we should be looking to serve. Jan is the ‘Gewoone Nederlander’ – the Dutch norm. A local student, who grew up in a neighbouring town and has gone home to his parents’ house to weather the lockdown. His parents are middle-class with a spare bedroom in which he can work, and broadband internet access. He was able to retrieve his books before the lockdown and has been able to continue with his coursework and receive answers to his questions. If he can’t graduate on time he may – even if the crisis eases – have to wait months before he can get a job, which he finds unacceptable, given that the world is plunging into recession and the chances of employment are dwindling. Jan is highly motivated to take his final exams.
Also in Jan’s course is Farhana. She is from a lower-income country in the global South. She travelled home to be with her family when the emergency began, before her country restricted incoming travel. Her mother is ill and is self-isolating, so Farhana is looking after her siblings and grandparents. She has no desk and could not bring all the books she needs with her on the plane due to luggage restrictions. She has internet on her smartphone, which she is using for her studies in the evenings, but she cannot access Canvas or library materials due to account authentication problems. Her neighbourhood is noisy and there is no private room in the house where she can work undisturbed. Her laptop is old and needs to be replaced: she was hoping to do that when she got a job in the Netherlands after graduating. If she cannot take her exams she will have a half-year delay and will have to pay her flight back to the Netherlands, her rent for those six months, and her living costs out of a budget that will not stretch that far. The recession is going to hit her country much harder than the Netherlands – people are already hungry and are rioting for the end of lockdown. Farhana is highly motivated to take her final exams.
What is equality of opportunity in this situation? Not all students are in Jan’s position, but neither are they all in Farhana’s. Most are somewhere in-between. While Farhana will score high on the risk index, and Jan low, there will be a huge variance in people’s circumstances, and the level of doubt for authorities about who to check, and for what, will be high.
– Taylor, 2020.
In a passionate plea, Taylor argues that “if we wish to be fair, we must accept that this situation is full of doubt. Instead of jamming it into a technical solution that will artificially reduce doubt by establishing a standard and penalising anyone whose situation deviates, it might be better to behave flexibly and use the resources we have to reduce doubt. Jan de Vries is no longer the only norm, but the systems we are offered, are still built in his image. For that to change, universities have to adopt less technical, more human approaches that allow us to at least claim that we are offering students equal opportunities to succeed.”79)L. Taylor (2020), ‘Online proctoring: how the corona crisis makes some students more equal than others’, Diggit Magazine is a community-driven academic news and information platform (ISSN: 2589-6741) connected to the bachelor ‘Online Culture: Art, Media and Society’ and the Masters in Culture Studies of Tilburg University.
Taylor’s passionate plea is one way of looking at universities’ online proctoring activities and it remains to be decided whether this view, particularly in terms of the nature and level of universities’ responsibility to ensure equal opportunity for all conceivable types of students will be a decisive factor in this discussion. If it is firstly found that universities may, for their data processing that takes place during their online proctoring activities rely on legitimate interests, then the current GDPR legal framework may very well allow the inclusion of all relevant circumstances and interests in the deliberation, in order to come to a balanced weighing of circumstances and interests.
Summary and recommendations
In conclusion, the present day legal frameworks of privacy and data protection allow for such flexible deliberation and even actively call for the weighing of all circumstances and interests at stake. When investigating the lawfulness, effectivity and desirability of online proctoring, it is therefore highly advised that any evaluation pays critical attention to the following circumstances and interests:
- There is a variety of cultural norms on student privacy and the Europe’s focus has always been the individual learner;
- Learning from American developments: diverging privacy norms and legal uncertainty can cause a void that is easily filled by elaborate student surveillance;
- ‘Vulnerable data subjects’:
- may include some students, if they are refugees, ethnic minorities or mentally ill persons (which is not always clear) – making their data processing high-risks; and/or
- may apply to all students, if one finds there to be ‘an imbalance in the relationship between the position of the data subject and the controller’ – making their data processing high-risk;
- Special category video exemption does not apply to certain types of biometric data;
- Legal bases for lawful processing
- ‘Consent’ cannot apply, but is nevertheless an important concept for choosing from the other legal bases;
- ‘Legal obligation’ is not likely to apply, because of broadly defined national law provisions;
- ‘Public interest’ is not likely to apply, because of broadly-defined national law and also, does not provide a sufficient balancing of interests;
- ‘Legitimate interests’: if it is found that universities are not excluded from relying on legitimate interests for online proctoring, then the following viewpoints may be taken into consideration:
- ‘Legitimate interests’ should be applied as it allows for weighing of consent, expectations and context;
- Legitimate interests assessment poses challenges when proportionality and subsidiarity tests are applied to online proctoring (in terms of necessity, effectivity and alternatives, etc.);
- Legitimate interest assessment outcomes may vary per university (because of differences in types of data collected, type of software used, contractual caution taken, etc.)
- ‘Vulnerable data subjects’:
- The implications of the situation’s resemblance to the historical meaning of privacy (personal life behind closed doors);
- accounting for the type of data subject & universities’ responsibility of equal opportunity.
Author: Rosalie Salameh
APEC: Asia-Pacific Economic Cooperation
APEC Privacy Framework: promotes electronic commerce throughout the Asia Pacific region, consistent with the core values of the OECD Guidelines
CJEU: Court of Justice of the European Union
DPA: Data Protection Authority
EDPB: European Data Protection Board
GDPR: General Data Protection Regulation, of the European Union
ICO: Information Commissioner’s Office
OECD: Organisation for Economic Co-operation and Development
OECD Guidelines: OECD Guidelines on the Protection of Privacy and Trans-Border Flows of Personal Data
OER: Onderwijs- en Examenreglement (Teaching and Examination Regulations)
UVAG: Uitvoeringswet Algemene Verordening Gegevensbescherming (Dutch GDPR Execution Act)
WHW: Wet op het hoger onderwijs en wetenschappelijk onderzoek (Dutch Higher Education and Research Act)
WP29: Article 29 Working Party that publishes guidelines explaining European data protection law
References [ + ]
|1.||↑||Original quote in Dutch: “Zoals ik al zei gebruiken we alleen de hoogstnoodzakelijke instrumenten. Maar als docent wil je wel weten dat Jan de Vries aan de andere kant zit, je zult dus een vorm van identificatie moeten laten zien. Je wil ook weten dat er niemand bijzit die Jan de Vries helpt en dat hij niet tijdens een tentamens boeken naslaat als dat niet de bedoeling is. Dat Jan de Vries niet stiekem op internet zit of op google of mailt met een medestudent. Dat is nodig om vast te stellen dat die student ook daadwerkelijk de kennis en vaardigheden heeft voor een diploma. Daar moet de samenleving van op aankunnen en dat zijn we bovendien ook wettelijk verplicht. Bij een fysiek tentamen gaat de privacy-inbreuk misschien zelfs wel verder. Een surveillant kan dan in je tas willen kijken, of je smartphone weghalen. En als hij fraude vaststelt, kan die je zelfs verbaliseren waar iedereen bijzit. Ook in niet-corona tijden is privacy niet absoluut.” In: A. van den Eeerenbeemt (2020), ‘Rector Klaas Sijtsma: ‘Digitaal surveilleren onmisbaar om waarde diploma te behouden’, Univers: Tilburg University’s Independent News Source.|
|2.||↑||K. Schaps (2020), ‘Dutch students raise privacy concerns over online exam surveillance’, Reuters.|
|3.||↑||Autoriteit Persoonsgegevens (2020), ‘Zorgen om dataverzameling bij thuisonderwijs’, Nieuwsbericht.|
|4.||↑||TK 2019-2020, 2619.|
|5.||↑||Please note that in this article, the terms ‘online exam surveillance’ and ‘online proctoring’ are used interchangeably. Technically, however, there are slight differences. ‘Online exam surveillance’ can entail three forms of control over online examination: 1) live proctoring by an online human proctor (comparable to the real-life human proctor in the exam room), 2) recording footage and logs, which are checked afterwards, 3) automated proctoring, whereby software signals moments of potential fraud to a proctor. Automated online proctoring is the form of online exam surveillance that is under scrutiny here, because of its potentially far-reaching effects on students’ privacy and personal data.|
|6.||↑||OP4RE (2019), ‘Online Proctoring for Remote Examination’.|
|7.||↑||Radboud University (2020), ‘Digitaal toetsen met Cirrus en online proctoring’.|
|8.||↑||I. Kamara & P. De Hert (2018), Understanding the Balancing Act behind the Legitimate Interest of the Controller Ground. In E. Selinger, J. Polonetsky, & O. Tene (eds.), The Cambridge Handbook of Consumer Privacy, pp. 321-352.|
|9.||↑||Ad Valvas (2020), ‘Al twee hogescholen passen voor online proctoring’.|
|11.||↑||Centraal Bureau voor de Statistiek (Statistics Netherlands) (2010), ‘Wo bachelors require more time than hbo bachelors’.|
|12.||↑||B. Huber (2016), ‘The Role of Universities in Society’. In: Liu N.C., Cheng Y., Wang Q. (eds) ‘Matching Visibility and Performance. Global Perspectives on Higher Education’, pp. 91-99, SensePublishers, Rotterdam.|
|13.||↑||T. Hoel, D. Griffiths & W. Chen, ‘The influence of data protection and privacy frameworks on the design of learning analytics systems’ (pp. 243–252). Presented at the Seventh International Learning Analytics & Knowledge Conference, New York. New York, USA: ACM Press; 2017.|
|14.||↑||A.B. Cyphert (2020), ‘Tinker-ing with machine learning: the legality and consequences of online surveillance of students’, Nevada Law Journal, Vol. 20: 2, pp. 457-501.|
|17.||↑||WP29 (2017), ‘Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679’, WP248.|
|18.||↑||V. Bongers & S. van Loosbroek (2020), ‘Hoe gaan we toetsen (en mag Big Brother ook meekijken)?’, Mare, Leids Universitair Weekblad.|
|19.||↑||Information Commissioner’s Office website (2020), ‘What is Special Category Data?.|
|20.||↑||B. Kostic & E. Vargas Penagos (2017), ‘The freely given consent and the bundling provision under the GDPR’, Computerrecht, Vol. 4:153, pp. 217-222.|
|21.||↑||WP29 Opinion 15/2011 on the definition of consent (WP 187), pp. 12-14 , WP29 Opinion 8/2001 on the processing of personal data in the employment context (WP 48), Chapter 10, WP29 Working document on the surveillance of electronic communications in the workplace (WP 55), paragraph 4.2 and WP29 Opinion 2/2017 on data processing at work (WP 249), paragraph 6.2.|
|22.||↑||WP29 Guidelines on consent under Regulation 2016/679, WP259.|
|23.||↑||European Data Protection Board (2020), ‘Facial recognition in schools renders Sweden’s first GDPR fine’.|
|24.||↑||S.Y. Soh (2019), ‘Privacy Nudges: An Alternative Regulatory Mechanism to ‘Informed Consent’ for Online Data Protection Behaviour’, 5:1, European Data Protection Law Review, 65-74.|
|25.||↑||In addition to consent being its cornerstone legal basis for data processing, the GDPR affords data subjects elaborate control-rights, including rights to information and access to personal data, rectification and erasure, and the right to object to automated individual decision-making. Please see also:.S. Ramírez López (2018), ‘Informing Consent: Giving Control Back to the Data Subject from a Behavioral Economics Perspective’, 9 (1), Journal of Intellectual Property, Information Technology and Electronic Commerce Law, 35-50.|
|26.||↑||I. van Ooijen & H.U. Vrabec (2018), ‘Does the GDPR Enhance Consumers’ Control over Personal Data? An Analysis from a Behavioural Perspective’, 42, Journal of Consumer Policy (2018), 91-107.|
|27.||↑||Hoel et al. (2017).|
|28.||↑||Studenten Overleg Medezeggenschap (2020), Handleiding Online Proctoring, Student en Politiek.|
|29.||↑||For a detailed account of the viewpoints discussed, please also see: S. Eskens (2020), ‘Online proctoring en de Algemene Verordening Gegevensbescherming’, accessed through: <https://www.saraheskens.eu/blog/online-proctoring.html>.|
|31.||↑||“Omdat het op grond van de verordening aan de wetgever wordt overgelaten om de rechtsgrond voor gegevensverwerking door over heids instanties te creëren, mogen over heids in stan ties in het kader van de uitvoering van hun taken verwerking van persoonsgegevens niet baseren op de rechtsgrond gerechtvaardigd belang. Overheidsinstanties kunnen andere verwerkingen, bijvoorbeeld in het kader van de toegangsbeveiliging van overheidsgebouwen wel baseren op de grondslag gerechtvaardigd belang.” In: G.J. Zwenne (Ed. 2018), ‘Algemene verordening gegevensbescherming (AVG): inclusief Uitvoeringswet AVG (UAVG)’. Tekst & Commentaar Deventer: Wolters Kluwer.|
|32.||↑||It should be noted, of course, that – as per Article 6(1)(f) and Recital 47 of the GDPR – the legitimate interests of the public authority to process data for the purpose of securing access to its buildings needs to be weighed against the rights and freedoms of data subjects in a LIA, so as to determine whether the legitimate interests of the public authority as the controller outweigh the rights and freedoms of data subjects in the given situation, as it would in the case of any other controller invoking legitimate interests as their basis for data processing.|
|33.||↑||This legal obligation is laid down in the Paspoortwet and the Paspoortuitvoeringsregeling.|
|34.||↑||The Dutch text reads: “Er bestaan in ons land talloze organisaties en instellingen die een rol spelen bij de behartiging van publieke belangen, en om die reden op de een of andere manier met de overheid zijn verbonden. Dat kan zijn doordat ze bij of krachtens de wet zijn ingesteld, of door de overheid zijn opgericht, de overheid aandeelhouder is of op een andere manier statutair of contractueel zeggenschap heeft, die door de overheid worden gesubsidieerd of door overheidswet- en regelgeving worden gereguleerd. De betekenis die deze organisaties hebben voor een goede behartiging van het publieke belang heeft geen relatie met de vorm of de intensiteit van de relatie met de overheid: die relatie is de resultante van een veelheid van factoren, zoals de wijze waarop het betrokken publieke belang overigens is geborgd (bijvoorbeeld door marktwerking, of zeggenschap van andere stakeholders), maar ook politieke en historische ontwikkelingen.” In: S.E. Zijlstra (2019a), ‘Onafhankelijke ondergeschikten: Zbo’s, rijksinspecties, planbureaus, privacy-officers, het WODC: tijd voor chaos in de orde!, Nederlands Tijdschrift voor Bestuursrecht, Vol. 2019: 2, pp. 39-47.|
|36.||↑||Article 42, paragraph 2 Grondwet.|
|37.||↑||Kamerstukken I 2013/14, Q.C.|
|38.||↑||The Dutch text reads: “Als het gaat om bestuursbevoegdheid bij het Rijk, zijn er juridisch drie smaken. De eerste en eigenlijk meest gebruikelijke: de wet kent de bevoegdheid toe aan een minister, die haar via mandaat binnen het departement spreidt. Denk aan de IND. Minister is de baas, parlement kan de taakuitoefenig volledig controleren. Dan de tweede: de wet kent de bevoegdheid rechtstreeks toe aan een ondergeschikte dienst. Denk aan Nederlandse Voedsel en Warenautrteit, of de belastingdienst. Minister blijft de baas, parlement kan de taakuitoefening voleldig controleren. Derde variant: een zbo. Minister kan individuele beslissingen niet bepalen, parlement kan dus ook niet volledig controleren.” In: S.E. Zijlstra (2019b), ‘Het drama van de zbo’s: geschiedenis, analyse, oplossing’, Wetenschappelijke Reflectie, Ministerie BZK: Den Haag.|
|39.||↑||Kaderwet zelfstandige bestuursorganen (27.426); publicatie wet (Staatsblad 2006, nr. 587).|
|41.||↑||The (more elaborate) Dutch text reads: “Het aantal (clusters van) zbo’s dat onder de Kaderwet valt, bedraagt, uitgaande van het zbo-register, thans 88. In totaal zijn er thans 151 (clusters van) zbo’s. Zelfstandige organisaties die niet onder de Kaderwet vallen, betreffen voor het grootste gedeelte keuringsinstanties, zogenoemde conformiteitsbeoordelingsinstanties, zoals bijvoorbeeld de keuringsinstanties die producten keuren op grond van de Warenwet. Er kunnen goede redenen zijn om deze niet onder de Kaderwet te brengen. Zo kan bij keuringsinstanties de tucht van de markt de marktprijs en kwaliteit ook waarborgen. Daarnaast betreft het privaatrechtelijke rechtspersonen, waarvoor geldt dat de Minister in de regel geen benoemingsrecht heeft. Verder zijn er andere clusters te identificeren waarvoor specifieke wet- en regelgeving is ontworpen, bijvoorbeeld notarissen en universiteiten. De consequenties zijn daarom beperkt, omdat deze groepen op een andere manier zijn gereguleerd. Het is voor deze groepen ongewenst geoordeeld deze onder de Kaderwet te brengen, omdat de wet- en regelgeving het toezicht op deze groepen onnodig complex maakt en dit het functioneren van de organisaties niet verbetert.” In: Kamerstukken II 2019/20, 33147, nr. 8, verslag van schriftelijk overleg.|
|42.||↑||The register is said to be an illustrative, rather than exhaustive, overview of the Dutch zbo’s: Overheid.nl, ‘Zelfstandige bestuursorganen’, accessed through <https://almanak.overheid.nl/Zelfstandige_bestuursorganen/>.|
|43.||↑||Inspectie Overheidsinformatie en Erfgoed, ‘Publiekrechtelijke zelfstandige bestuursorganen’, accessed through: <https://www.inspectie-oe.nl/toezichtvelden/overheidsinformatie/geinspecteerde-instellingen/publiekrechtelijke-zelfstandige-bestuursorganen>.|
|44.||↑||Dutch text reads: “[…] er zijn ook instellingen die maar voor een deel van hun werkzaamheden een publieke taak uitoefenen, en daarnaast ook andere, vaak commerciële activiteiten verrichten: de ‘deeltijd-’ of ‘hybride zbo’s’ (zoals de APK-keurders, bepaalde certificerende instellingen, maar ook de bijzondere universiteiten).” S.E. Zijlstra (2019c), ‘Zelfstandige bestuursorganen: een volledig gejuridiseerde organisatievorm’. In S. Riezebos, & T. van Rijn (Eds.), ‘Zbo’s tussen droom en werkelijkheid: Over het verleden, heden en de toekomst van zelfstandige bestuursorganen’, Ministerie van BZK: Den Haag, pp. 122-123.|
|45.||↑||J. Peters (2017), ‘Onderwijs aan de Radboud Universiteit; een niet vanzelfsprekende vanzelfsprekendheid!’, Bulletineke Justitia.|
|46.||↑||F. Bardoel (2012), ‘‘WOB-procedure geldt ook voor bijzondere universiteiten’’, Univers.|
|47.||↑||C.N. van der Sluis (2017), ‘Commentaar op Wet openbaarheid van bestuur art. 3 (WOB)’, SDU Uitgevers.|
|48.||↑||VSNU, ‘About VSNU’, accessed on 20 May 2020: < https://www.vsnu.nl/en_GB/about-vsnu.html>.|
|49.||↑||VSNU (2016), ‘Funding’, accessed on 20 May 2020: < https://www.vsnu.nl/en_GB/funding-of-universities.html>.|
|50.||↑||Government of the Netherlands, ‘Brexit: where do we stand?’, accessed through: < https://www.government.nl/topics/brexit/brexit-where-do-we-stand>.|
|51.||↑||A. Deighton (2018), ‘UK public sector will be able to rely on legitimate interests ground in some circumstances’, Lexology, accessed through: < https://www.lexology.com/library/detail.aspx?g=b8d1e0fd-9114-4968-b0f4-2f23db252f84>.|
|52.||↑||M. Sloan (2017), ‘DP Bill amended to provide clarity on legitimate interests and public authorities’’, Lexology, accessed through: < https://www.lexology.com/library/detail.aspx?g=07a48396-b2ae-4c77-8cd7-06855acb7859>.|
|53.||↑||Autoriteit Persoonsgegevens (2020), ‘Normuitleg grondslag ‘gerechtvaardigd belang’’, accessed through < https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/normuitleg_gerechtvaardigd_belang.pdf>.|
|54.||↑||Working Party, Opinion 06/2014 on the notion of legitimate interest of the controller pursuant to Article 7 of Directive 95/46/EC, WP 217.|
|55.||↑||C. Hermes (2020), ‘The Dutch Data Protection Authority explains the “legitimate interests” ground’, AKD Benelux Lawyers, accessed through: < https://www.akd.eu/insights/the-dutch-data-protection-authority-explains-the-legitimate-interests-ground>.|
|56.||↑||Centrum voor Informatiebeveiliging en Privacybescherming (2019), ‘Grip op privacy: de privacy baseline, de Algemene Verorderning Gegevensbescherming ontrafeld voor toepassing in organisaties’, CIP.|
|57.||↑||Dutch text reads: “[Algemene] en specifieke wetgeving. Wetgeving die als het ware rechtstreeks verwerkingen mogelijk en noodzakelijk maakt. En waarin de wetgever zelf algemene belangen en (grond)rechten (van derden) afweegt tegen het grondrecht op bescherming van persoonsgegevens. Deze botsing van belangen – waarbij de wetgever vindt dat beide belangen wettelijke bescherming verdienen – heeft de wetgever dan voorzien, gewogen en daarin keuzes gemaakt”. In: Autoriteit Persoonsgegevens (2020).|
|59.||↑||E. Ustaran (2018), ‘European Data Protection: Law and Practice’, International Association of Privacy Professionals.|
|60.||↑||M.A. Eckstein (2003), ‘Combating academic fraud: towards a culture of intergrity, International Institute for Educational Planning, UNESCO.|
|61.||↑||V. Bongers & S. van Loosbroek (2020), ‘Hoe gaan we toetsen (en mag Big Brother ook meekijken)?, Mare, Leids Universitair Blad.|
|63.||↑||D. Woldaeb & T. Brothen (2019), ‘21st Century Assessment: Online Proctoring, Test Anxiety, and Student Performance’, International Journal of E-learning & Distance Education, Vol. 34:1.|
|64.||↑||L. Bergmans et al. (2020), ‘UT Framework for Remote Assessment During the COVID-19 Crisis’, Twente University of Technology.|
|65.||↑||Bongers & van Loosbroek (2020).|
|66.||↑||SURF (2020), White Paper Online Proctoring.|
|67.||↑||S.J. Bellens (2018), ‘Neuro-informaticus Sennay Ghebreab strijdt tegen racistische machines’, filosofie.nl.|
|69.||↑||Kamara & De Hert (2018).|
|71.||↑||W. Bos (2020), ‘Cyberhack: Maastricht University pays ransom’, Observant Online.|
|73.||↑||WP29 Opinion (2014), Overview of results of public consultation on Opinion on legitimate interests of the data controller, 06/2014.|
|74.||↑||Kamara & De Hert, 2018.|
|75.||↑||M. Mostert, A.L. Bredenoord, B. van der Sloot and J.J.M. van Delden (2017), ‘From Privacy to Data Protection in the EU: Implications for Big Data Health Research’, European Journal of Health Law, Vol. 24, pp. 1-13.|
|76.||↑||Cases: CJEU, Case C-139/01, Österreichischer Rundfunk and Others, ECLI:EU:C:2003:294, para. 74 and 64 & CJEU, Case C-293/12, Digital Rights Ireland, ECLI:EU:C:2014:238|
|77.||↑||Mostert et al., 2017|
|79.||↑||L. Taylor (2020), ‘Online proctoring: how the corona crisis makes some students more equal than others’, Diggit Magazine is a community-driven academic news and information platform (ISSN: 2589-6741) connected to the bachelor ‘Online Culture: Art, Media and Society’ and the Masters in Culture Studies of Tilburg University.|