IMEC: Assessing and Mitigating Data Privacy Risk for a Large e-Learning Project
A Flanders-born R&D giant
IMEC is a world-class R&D hub for nano- and digital technologies. With firm roots in nanoelectronics, their portfolio covers a range of hardware and software technologies. Some of their applications include semiconductor technologies, robot arms for industry 4.0, nanoelectronics for space exploration and more.
Headquartered in Leuven and founded in 1984, imec now employs over 5000 employees across different countries, collectively driving annual revenue of over € 500 million.
Data Trust Associates (DTA) was involved in the i-Learn MyWay project. The project is an initiative of the Flemish government and is carried out by imec and KULeuven. Thanks to i-Learn MyWay, teachers no longer have to find their way through the enormous range of educational tools, but they have access to a wide range of high-quality tools bundled on one portal and via a single login. With these tools, they can then set up learning trajectories within the portal tailored to their students to provide personalised education and easily monitor their students’ progress.
GDPR-compliant processing of children’s personal data
The customer was in the process of designing a new personalized education platform, which would be used by a large number of schools in Flanders, resulting in the processing of a vast amount of children’s personal data. The challenge was the data protection of the children’s data in accordance with the GDPR principles.
In that respect, the Flemish Authority for Data Protection (VTC) had issued advice regarding cloud storage that takes into account the European Court of Justice’s Schrems II case. Schrems II rules that users of US-based cloud providers (such as Amazon Web Services) must take into account the data protection laws of the recipient country document its risk assessment and confer with customers.
As the i-Learn MyWay project involves especially vulnerable end-users (children), imec decided to bring in external assistance to maximally safeguard the end-users privacy.
Data Trust Associates (DTA) was brought in to identify the privacy risks related to the i-Learn MyWay project and assist in mitigating these risks to safeguard the privacy of all users, including children and teachers.
We conducted a Data Protection Impact Assessment (DPIA) as a starting point. To gather all the necessary information, we held interviews with the project team and some of the project’s stakeholders. This group is diverse and includes the schools, imec’s Data Protection Officer (DPO), the VTC and of course, the end-users: the pupils and teachers that will be using the application.
Based on the information gathered, Data Trust Associates (DTA) helped the project team to identify privacy risks as well as identifying mitigation measures (e.g. need to know access only, minimum personal data). The most considerable risk turned out to be that most big-name cloud providers lack compliance with European data protection rules.
As a solution, we identified several European cloud provider alternatives and presented them to the VTC. After a few iterations, the agreed-upon solution involved using a European cloud provider to store personal data and a US-based cloud provider to host the i-Learn MyWay platform.
This way, the data protection risks were reduced to a minimum while still benefiting from the lower costs, better functionalities, and more optimal infrastructure of US-based cloud providers.
As a result of the DPIA and the proposed mitigation measures for improvement, imec can now provide a personalized learning platform that is GDPR compliant that implements privacy by design and safeguards the data of both pupil and teacher.
The solution we proposed in this project could also be implemented for other projects looking for alternatives to US-based cloud providers. Evidently, this shouldn’t be decided ad hoc. A case-by-case approach works best to account for inherent differences between projects and to find the optimal solution for all stakeholders.
Sonja is one of our Data Protection and Data Privacy experts. She has a Master’s degree in Law as well as an LLM. Apart from her deep knowledge of Data Protection law, she also received more hands-on Data Analyst training. Because of this, she is comfortable understanding regulatory requirements’ legal and technical implications.