Regulatory framework

European regulation is becoming increasingly developed, and in many ways leads the global discussions on how to regulate the digital sphere. Though the various directives and acts are often not made with universities in mind, they influence how universities digitalise their services. The General Data Protection Regulation (GDPR) directive was likely one of the first major examples of a European regulation that required universities to change their policies, for example regarding student data or which external services they can use  to comply with new digital laws. The Artificial Intelligence Act specifically sets requirements for the use of artificial intelligence in education and research. Later laws, such as the Digital Services Act, which regulates online platforms, could have implications on the management of open access platforms, both for research and education.

See more in the dedicated section on European Regulation.

National regulation is much broader but has effects on universities’ ability to shape their programmes and make investments in infrastructure and staff. The EUA report on The future of digitally enhanced learning and teaching in Europe notes that while quality assurance systems can be complicated in some countries, there is a general agreement that rules concerning staff careers, student status and funding present the main hindrances for further developing digitally enhanced learning and teaching.

Some of the legal frameworks can be summarised under the various dimensions of university autonomy, as described in EUA’s Autonomy Scorecard: organisational, financial, staffing and academic autonomy. Given the difficulty for universities to hire and retain staff, particularly when it comes to IT personnel, staffing autonomy – the ability to decide on recruitment, salaries and promotion – is very important. Generally, the rules on hiring, promoting and dismissing senior administrative staff (the only category where EUA has comparable data) are fairly flexible in most countries. However, only a few countries have the liberty to set salaries for administrative staff. This is, of course, a challenge for hiring people with IT skills, as there is a high demand from private companies that are much less constrained in what they pay. This has very palpable consequences for the capacity of universities to invest in cybersecurity or very advanced digital infrastructure. Lack of internal staff can also produce a situation where universities are forced to use external services and therefore lose critical knowledge within the institution with consequences for digital sovereignty. Likewise, university budgets in many cases prescribe how money should be used in particular areas, and it can be easier to get funding for infrastructure investments and maintenance than for subscriptions.

Other legal obligations that have a direct effect on the digital transformation of universities are linked to quality assurance systems, which at times require reporting on specific indicators. Here, the development of digital solutions needs to take into account what data will be needed for external quality assurance purposes. Other times, administrative legal requirements can be an impediment to digitalisation, for example if only physical signatures can have legal value.

In most countries, there is an overlap between the university system and the national level, but in federal countries, such as Germany, Belgium or Switzerland, universities can find themselves with a ‘carpet of rules’ from different federal levels, European regulation as well as rules connected to different funding sources.

Concerning Open Science and Open Education, many European countries have national policies and guidelines, particularly relating to the dimensions of Open Science such as open publications and findable, accessible, interoperable, and reusable (FAIR) data, while policies on Open Education are much less frequent. However, disparities also exist within national open science policies, where provisions related to open access to scholarly publications are more common than those aimed at promoting FAIR data and data sharing. Such policies could, for example, have requirements for universities to set up open access repositories but only provide recommendations when it comes to FAIR research data management. Similar trends are identifiable when analysing the landscape of national policies on digital skills, where provisions related to FAIR data and data- intensive skills are fragmented or underdeveloped. Universities that are engaged in Open Science tend to see such policies in a good light, identifying them as the key driver for the transition to Open Science that support the implementation of open science policies and practices at institutional level.

Compliance with national and EU regulations are seen as being very important in order to avoid legal risks when using digital tools. The current unstructured and complex regulatory framework presents a big challenge, where universities spend considerable resources on compliance in one area, taking resources from places where the immediate need is more urgent. This could be focusing on data protection, while the real emergency is protecting the institution from malware or ransomware attacks.

The most mentioned regulation here is the GDPR, which is often implemented nationally in different and at times very restrictive ways. This has among other things led to questions about consent in online learning environments, for example, consent to seeing the participants on the screen. Data sharing is another issue where GDPR compliance becomes important, as universities have partners all over the world, and they need to understand what data can be shared with different countries: a partner in the UK may receive personal data, whereas a partner in the US cannot.

There is a need for universities to share good practice in the field of compliance to better use the resources across all the various digital challenges.

Many universities have been very averse to taking legal risks. In the compliance discussions concerning GDPR in particular, there are voices saying that authorities, but also universities, have been over-zealous in their implementation of the regulation. However, legal risks are very present for universities, for example when it comes to individual staff members applying their own solutions (which can be a simple excel sheet with personal data) against institutional policies, but where the institution theoretically could be held responsible.

It is important to underline that compliance does not have to be a one-way implementation of political demands. At times, the implementation of regulations happens in a dialogue between policy makers and institutions to see how realistic and compliant solutions can be made. This requires that institutions have good channels of communication with decision-makers, for example through external members of university boards. Also internally, compliance needs to happen in a dialogue between legal experts and other university staff and ensure common approaches to rules, roles, and responsibilities.

In systems with a unified legal framework, this can help to scale up solutions that are compliant with the requirements. This has been the case in Greece with the common use of a student information system that was developed at the Aristotle University in Thessaloniki and then adopted by other institutions around the country who had the same requirements. However, solutions that are tailor-made for national contexts face challenges when used in a transnational one, where rules are different, either because of national legal frameworks or because of uneven implementation and different interpretations of EU directives.

Anecdotal evidence from higher education leadership has revealed that there are varying practices regarding copyright within institutions, with ownership being granted to teachers, a particular institution, or (in some cases) online platforms. Online collaboration between higher education institutions, particularly when it comes to learning and teaching, may also increase the risk of intellectual property rights infringements by the sharing of materials with different institutions in different countries with different rules. There is also a lack of awareness of intellectual property licensing models, such as Creative Commons, which can enable collaborative materials sharing, and a lack of certainty around the legality of the use of Open Educational Resources, due to the inexistence of specific policies in certain higher education institutions. This can slow down the progress of on Open Education in general.