If the GDPR (in its EU and UK forms) is among the most stringent privacy legislation in the world, how is it that so many proctoring companies claim compliance?
They can claim GDPR compliance because the claim is typically self-asserted and has not been subject to third-party verification. Many proctoring companies are either registered in the United States or hold data within the jurisdiction of the US government. As such, these companies are subject to the US Patriot Act. The GDPR, which applies across all 27 EU member states, restricts the disclosure of personal data to a recognized lawful basis and requires that data subjects be informed of how their data is used. The Patriot Act, however, gives the US government the ability to compel such disclosure without the data subject's consent or knowledge.
Aware of this conflict between the US Patriot Act and the GDPR, many organizations tried to address client and user concerns by demonstrating that they were "certified" under the EU-U.S. Privacy Shield framework.
However, on July 16, 2020, the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield (the Schrems II decision), stating that the Privacy Shield transfer mechanism does not ensure a level of protection essentially equivalent to that required by EU law.
Following this court decision, negotiations between the EU and the US began in earnest. Legal frameworks within both jurisdictions have since been revised in response to the concerns raised by the 2020 decision, giving rise to the EU-U.S. Data Privacy Framework (DPF).
On July 13, 2023, the U.S. Department of Commerce launched the Data Privacy Framework program website. The website allows eligible U.S. companies to self-certify their participation in the EU-U.S. DPF. However, critics have already argued that the new framework shares the same shortcomings as its Privacy Shield predecessor.
It is important to note that the EU-U.S. DPF still allows organizations to "self-certify". Self-certification is achieved by completing a short questionnaire and paying a fee to the U.S. International Trade Administration (ITA). The fee ranges from USD 375 to USD 4,875, depending on the revenue of the business.
The conclusion? Be wary of any US-based company that claims GDPR compliance, particularly if they retain and share user identification credentials.
Integrity Advocate's claim of GDPR compliance is based on the same Privacy by Design principles that underpin the GDPR itself. All data is hosted in GDPR-designated jurisdictions, out of reach of governments that can compel access to it. Additionally, Integrity Advocate collects only the data necessary to confirm a learner's identity and compliance with exam rules, and most of that data is automatically deleted after 24 hours.
Get in touch today to learn more, or to request our GDPR Compliance Brief.