I am filing today a privacy complaint in thirteen European regions against Coursera, Inc.
Happy Data Protection Day, everyone!
I have fought against a few billion dollar companies and won to get access to my personal data. However one company has been extremely reluctant to give me access to personal data of high relevance to me. This company, Coursera, is the dominating platform for providing Massive Open Online Courses. In fact, it has used of this position to censor my views in the online course I was myself teaching! This course was, non-coincidentally, partly about privacy laws and business models around education data… I intended, among other things, to explain how Coursera’s contracts circumvented EU privacy laws, with little pushback by partner universities.
Even though academic freedom is a fundamental right in the Swiss constitution, Coursera was able to casually ignore it. The circumstances surrounding this censorship are still very murky, twenty months later. At the time, Coursera even engaged in defamation and mislead journalists. Coursera’s actions even lead my employer to initiate a disciplinary investigation, although I have never been informed of any formal accusations. Ever since, I have attempted to ask for my personal data to help clarify and document the circumstances of their actions and their practices, but Coursera has so far failed to meet their legal obligations. I have made many attempts at resolving the matter directly and through an arbitrator (legal procedure still ongoing). Coursera has gone as far as claiming that their Privacy Policy actually doesn’t apply to me, despite me having to sign their Terms of Use when opening an account. It is currently extremely difficult to force U.S. companies to comply with their data protection obligations towards European users, but Coursera’s data processing practices are particularly opaque.
My struggles (Swiss radio, English version of German newspaper) have by now only increased my concern for the future of higher education in Europe if such practices are left unchecked. For these and additional reasons, I will be filing today a complaint to the Data Protection Authorities of twelve European regions, selecting those where Coursera has a business partner (note that most of these partners are public universities).
The complaint consists of the following files:
- the main text of the complaint, followed by attachments:
- 2014–12–17 Second Safe Harbor request, Dear Coursera Representative
- 2015–01–23 First Safe Harbor request, Jan 23 response
- 2015–03–20 FERPA access request
- 2015–03–24 FERPA access response and follow-up
- 2015–11–24 Second Safe Harbor request
- 2016–01–04 Second Safe Harbor response
- 2016–01–05 Second Safe Harbor follow-up
The relevant Data Protection Authorities are:
- the Belgian Commission for the Protection of Privacy, presumably supervising authority for EIT Digital;
- the Swiss Federal Data Protection and Information Commissioner, supervising authority for the Ecole Polytechnique Fédérale de Lausanne;
- the Swiss Bureau de la préposée à la protection des données et à l’information (canton of Vaud), supervising authority for the Université de Lausanne;
- the Swiss Préposé Cantonal à la Protection des données et à la Transparence (canton of Genève), supervising authority for the Université de Genève;
- the Swiss Kanton Zürich Datenschutzbeauftragter, supervising authority for the Universität Zürich;
- the French Centre National Informatique et Libertés, supervising authority for the Institut Mines-Télécom, Ecole Polytechnique, Ecole Normale Supérieure, ESSEC Business School, EMLYON Business School, Sciences Po, ESCP Europe, Centrale Supélec, and HEC Paris;
- the German Bayerisch Landesbeauftragte für den Datenschutz, supervising authority for the Technische Universität Munchen and Ludwig-Maximilians Universität;
- the Danish Datatilsynet, supervising authority for the Technical University of Denmark, Copenhagen Business School, and University of Copenhagen;
- the Italian Garante per la protezione dei dati personali, supervising authority for Sapienza University of Rome and Universita Bocconi;
- the Dutch College Bescherming Persoonsgegevens, supervising authority of the Universiteit Leiden, Utrecht University, Eindhoven Institute of Technology, University of Amsterdam, and Erasmus University Rotterdam;
- the Spanish Agencia Española de Protección de Datos, supervising authority of the IESE Business School, IE Business School, ESADE Business and Law School, and Universitat Autònoma de Barcelona;
- the Swedish Datainspektionen, supervising authority of Lund University;
- the British Information Commissioner’s Office, supervising authority of the University of Manchester, University of Edinburgh, University of London, and Commonwealth Education Trust.
I will also send a copy to the European Data Protection Supervisor.