“Every Student Can Learn, just not on the same Day” -Data Protection and Cybersecurity Challenges for E-Learning Platforms

When George Evans stated that every student can learn, just not on the same day, he had probably not in mind the despair of pupils trying to access an e-learning platform during a national lockdown period.
With the COVID19 crisis, online learning became an everyday commodity almost overnight; however, not all schools were prepared to swiftly switch from in class to remote teaching. Concerns were raised with regard to data protection and cyber security, which in some cases led to the implementation of “home-made” solutions.
Taking the example of the federalist state of Germany, where education is within the sole competence of the Länder, this paper will explore the functioning and technical implementation of a variety of e-learning platforms before data protection concerns are addressed. We will then explore whether the NIS Directive, which foresees similar security requirements as the GDPR, is applicable to the diverse models, and outline the consequences.
In light of the acceleration of the revision of the NIS Directive due to the COVID-19 crisis, we take the example of learning platforms to outline the flaws of the 2016 Directive before we critically evaluate selected aspects of the NIS 2.0 proposal of December 2020.