Education Sector Hotline
October 11, 2021
The Calm Before the Storm: How the Upcoming Data Protection Law will Impact EdTech in India
The past few years have seen an EdTech boom in India. Some say that this is just the start – and much more is yet to come. As per latest numbers, Indian born and bred Byju’s is valued at USD 18 billion,1 making it the highest valued Indian start-up. Several EdTech start-ups have already joined the Unicorn club, and many more are in the waiting. This is an indicator of the size and growth trajectory of EdTech in India. Especially with parents and children stuck at home, the pandemic allowed EdTech especially online learning platforms, to grow in leaps and bounds.
As EdTech entities are primarily technology driven, they fall outside the purview of education laws per se, allowing business flexibility. However, this is not to say that they function in a regulatory vacuum. There is a host of other laws that apply to them. One of them being the Information Technology Act, 2000 (IT Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (”SPDI Rules”) which are the current “data protection” laws in India. India is also in the process of enacting the Personal Data Protection Bill, 2019 (PDP Bill) as law, which is set to overhaul the current data protection framework in the country in the (hopefully) near future.2
What is the implication of not paying heed to data laws? We don’t have to look very far to see the fallout from taking data protection regulations lightly - Google and YouTube were fined USD 170 million by the Federal Trade Commission in America for violations of the children’s privacy law in 2019.3 TikTok is facing a lawsuit for alleged violations in their use of children’s data in the UK.4 Similar to Europe’s General Data Protection Regulation, the PDP Bill prescribes hefty fines in cases of non-compliance – ranging up to 4% of global turnover or INR fifteen crore (approx. USD 2 million); and criminal penalties in limited cases. With these risks in mind, time is of the essence for our homegrown EdTech platforms to consider data protection and data collection practices seriously and get their house in order.
Generally, EdTech entities and platforms collect a significant amount of data while offering their services. As an example, when a student sets up their profile on an e-learning website, the platform collects their name, contact details, passwords, age, identification, gender, qualifications, et al. They may also collect similar details about the student’s parent or guardian. While we don’t mean to generalize, there are also a large number of EdTech platforms who monetize such data through data analytics and data transfers. They may use this data for internal business planning purposes - to track traffic, user engagement etc., for targeted marketing and at times, share it with associated or partnering entities to position their product or services to prospective customers. This data could also be used for targeted marketing specially on social media. In this digital age, where so much of our lives is tracked by devices, it is essential for all stakeholders in the education system – be it EdTech platforms, schools, teachers and even parents to realize the importance of data, how it is collected, what is it collected for, what is us used for, especially children’s data, as this could have implications on what a child consumes on the internet, for example through targeted or sponsored advertisements or otherwise. Personal data, especially that of minors, should thus only be shared consciously.
The collection of this data and its use will soon be subject to stringent data protection laws in India. What is the current law, and what is the PDP Bill, and what do they say about data protection and privacy? We explain below.
Current data protection law: Are you collecting sensitive personal data?
The PDP Bill: Not to be taken lightly
A few provisions of the PDP Bill of significance to EdTech are:5
Most significantly, the PDP Bill also prescribes for safeguards in the processing of minor’s data, as well as provisions that would impact EdTech platforms and their advertisement based revenue streams. These are as follows:
The PDP Bill is due to be re-introduced in Parliament in November-December 2021. Albeit there has been some delay, a robust data protection law will surely be introduced in India. While the easiest solution would be to wait and watch for the next version of the law, it may be prudent for EdTech platforms to use this lead time to examine their data collection and processing practices in order to be future ready. The proposed law is based on global practices, and will surely help EdTech platforms in global level compliances. Even if data related compliances for a variety of data are not legally required at the moment, EdTech platforms can take inspiration from multinational companies who have begun to get their systems in order. Apart from EdTech platforms themselves, it would serve parents, teaches and educational institutions well to also educate themselves on their rights with respect to data privacy and processing, and possible redressal mechanisms in case of privacy breaches for children. This will ensure a safe and secure digital environment for our future generation.
You can direct your queries or comments to the authors
1 https://techcrunch.com/2021/10/04/indian-edtech-giant-byjus-valued-at-18-billion-in-new-funding/ (Last accessed October 8, 2021).
2 The PDP Bill is currently under consideration by a Joint Parliamentary Committee, which is slated to meet in October 2021 to study the PDP Bill.
3 https://www.ftc.gov/news-events/press-releases/2019/09/google-youtube-will-pay-record-170-million-alleged-violations (Last accessed October 8, 2021).
4 https://www.bbc.com/news/technology-56815480 (Last accessed October 8, 2021).
5 You may read further about the PDP Bill in our research paper available at:
https://www.nishithdesai.com/fileadmin/user_upload/pdfs/Research_Papers/Privacy-and-Data-India_s-Turn-to-Bat-on-the-World-Stage.pdf (Last accessed October 8, 2021).
6 The PDP Bill is designed to have extra-territorial application and is linked to the processing of personal data by entities not present within the territory of India; if such processing is “(a) in connection with any business carried on in India, or any systematic activity of offering goods or services to Data Principals within the territory of India; or (b) in connection with any activity which involves profiling of Data Principals within the territory of India”.
7 The only entities exempted from the parental consent requirement are those guardian data fiduciaries who provide exclusive counselling or child protection services.
The contents of this hotline should not be construed as legal opinion. View detailed disclaimer.