I can not discuss any details of this, for obvious reasons, but the issue revolves around the legal culpability of what the analytics does. The situation involves multiple companies in multiple jurisdictions (including the EU) with various contracts in a industry regulated somewhat differently country to country.
Basically, they want to uncouple the entire analytics engine from Moodle, but it can not be easily removed as it is not a proper plugin; there's no master on/off switch; no tool or documentation about removing the data; and honestly, I got no help in figuring that out --- these were all red flags to my client that Moodle has not thought this through for the various scenarios it might be used in, but rather, as one person put, just "assumes that educational system attitude that they can do whatever they please with student data."
The product they are going to use instead is from a corporate vendor (that I had never heard of before) that has an analytics engine but it is a distinct package and product that works independently. You can use it or not, and you when you do, you have a lot of control over what it does.
Now, the client lawyers disagree strongly with the view this is just reporting, as Emma says. This is not just reporting, this is algorithmic: it learns and changes its decisions based on how it is trained and it also changes as it augments its training based on the ongoing data. It is not just reporting, it's doing more than that, it's analyzing.
And that brings up a big legal red flag for the client due to their situation because someone somewhere has to own the responsibility for that, with a contract.
Consider this scenario: the algorithm improperly or inaccurately flags a student as having issues, this influences teacher and school attitudes and decisions, the student drops out, burdened with debt. Later, under GDPR
right to view, the student find this out. The student sues. The teachers clamor, "It wasn't us, it was the algorithm!” The lawyers arrive…. Student, data, and teachers both employee and contract, are in different countries with different laws in and out of the EU, different companies, different contracts, and so forth. So, who's responsible for what?
The answer is: you don’t want to be put into that situation to begin with ;)
Call it FUD
if you like, I call it prudence. They want full knowledge and control of these aspects of analysis so they can meet various and sometimes conflicting contractual and regulatory (including GDPR) obligations.
If Moodle pushes things into core that cause legal complications for a user, then the safest course may very well be, as in this case, for the user to choose another product.
Analytics is a minefield of privacy and legal issues, with somewhat differing minefields for different users. I guess what it comes down to is my client is not confident that Moodle can help them cross their particular minefield. And from what I have seen to date, I would have to agree.