Niveditha Prasad

This piece looks at the draft Data Protection Bill, 2021 and its regulation of edtech services that have a bearing on student privacy. The author deliberates on this issue by emphasising the unique nature of edtech services, their method of functioning and how they work with student data to yield better learning outcomes. To this end, it analyses how the Bill edges on disproportionate regulation of edtech platform, thus harming the development of these services. It also considers the responsibilities of schools using edtech platforms as data fiduciaries.

Introduction

Educational technology (“edtech”) platforms have gained massive popularity in the past few years with India also seeing an implosion of these edtech start-ups. Edtech today includes devices such as laptops, computers aimed at students (and sometimes even provided by schools), applications (like the Google Suite for Education) and platforms like Byju’s, Vedantu, etc., which facilitate private online tutorials. It also includes learning management systems that track student attendance, grades and student activity in class forums.

With schools closing down due to the pandemic and remote learning being the only viable solution to many, the edtech boom has only strengthened further during the pandemic. While the jury is still out on whether edtech improves learning outcomes, it is undeniable that these platforms are here to stay.

There is a downside to this popularity. As the number of students using edtech platforms increases, the data amassed by these platforms inevitably increases too. This has given to privacy concerns, particularly because the data is extracted from minors. With Byju’s, arguably India’s most well-known edtech platform, entering the sphere of public education through its tie-up with the Niti Aayog, it is more important than ever to discuss the impact of edtech policies on student privacy.

It is in this context that one must analyse the Data Protection Bill of 2021 (“DPB”) proposed by the Joint Parliamentary Committee (henceforth, “Committee”) and how it intervenes in the regulation of student data collected by edtech platforms. An examination of the DPB is important considering that the Bill is a crucial step towards creating a concrete data policy at the national level and should ideally take into account the various aspects of student privacy. I contextualise the discussion by explaining the nature of student privacy and broad concerns related to it.  I argue that sufficient attention has not been given to the unique nature of student data in relation to edtech, which in turn leads to certain drawbacks in the Bill. Specifically, there is disproportionate regulation of student profiling and  in the potential treatment of schools as ‘significant data fiduciaries.’

Edtech’s Challenge to Student Privacy

Student privacy, in a general sense, refers to the protection of identifiable information related to student records in schools and universities. Student data might include details like a student’s attendance, grades, courses, health information and so on. Even before the foray of the internet, student data has been collected and stored by educational institutions. With the emergence of edtech, traditional student data along with newer information related to students are being collected by more entities.

Concerns about student privacy are varied and not unfounded. First, there is concern about the tracking of student’s online activities. For example, if enabled, Google’s Sync feature on its G-Suite for education can track students’ browsing history, enabling Google to create a profile of each student associated with their personal information. This data, gathered over the years, can then be monetised (although Google claims to have at least partially ended this practice). Second, there are concerns about the security of the systems in which the data is stored. Several edtech companies like White Hat Jr, Unacademy and Edurekha have had vulnerabilities in their system, exposing the personal information of millions of students. The problem is exacerbated by the fact that edtech attracts several start-ups that spend less time on setting up robust privacy protection mechanisms. Third, schools and parents might lack the necessary ability required to scrutinise privacy policies of edtech services that students might use.

While these are problems might appear to be general concerns, they are especially harmful to children and young adults as they are an inherently vulnerable group who require special protection on all fronts. Students in school for example, might not be aware of the nuances of a privacy policy of an online service that their school uses. They might be coerced to join these services as they are an integral part of their educational experience. Gathering of data about a student’s disciplinary issues might even harm their future prospects. These problems are particularly exacerbated in India, where the edtech industry is largely unregulated and public awareness of these issues remains low.

Data Protection Bill, 2021: An Unbalanced Approach to Edtech?

Considering these challenges, it is important to analyse the proposed changes to the Personal Data Protection Bill, 2019. As said earlier, it is vital to understand how, if at all, the DPB handles student privacy concerns since it is a slated to be a key legislation in India’s data privacy law. Like its previous version, the Bill does not distinguish between student data and other kinds of data. The only other classification that directly places special obligations and overlaps with the protection of student data is §16 of the Bill, which deals with the protection of children’s data. Since several K-12 edtech services handle large amounts of children’s data, they would fall under the purview of this section. The lack of distinction between edtech services and other platforms that cater to children dates back to the BN Srikrishna Committee that did not adequately take into account the existence of such platforms while deliberating the Bill. This has regrettably continued to the current JPC’s deliberations. As will be shown below, the section’s generalised approach necessarily undermines the unique nature of student data concerns.

The Committee has once again neglected the role that data can play in the improvement of services towards children. It is important to understand that while there are legitimate concerns about adequate protection of student privacy, there is also an equally important need to balance the regulation such that data protection does not inhibit edtech services. Currently, however, it appears that the Committee’s recommendations border on excessive regulation. This is due to inadequate attention being paid to the unique nature of edtech services. They collect data about individual students, their learning trajectory and their responses to specific teaching interventions. This data can then be utilised to create tailored content that may be beneficial to students’ learning goals. Crucial to implementing this is the process of user profiling. Through this, data associated with a particular student can be analysed to personalise learning. §16(5) of the Bill, in both its current and previous version, continues to mandate a bar on profiling, tracking and monitoring the behaviour of children. This provision might be appropriate for services like, say, YouTube Kids to prevent companies like Google from profiling children at a young age and then monetising out of that data later on. However, considering that several edtech delivery platforms employ profiling, this necessarily has an impact on the efficiency of the services that these platforms render. Further, the same data might be utilised by the companies for research and development purposes to improve their educational products which might, in turn, be beneficial to students. Despite submissions to the Committee against a complete prohibition on profiling of children, the Committee has unfortunately not taken them into consideration, leading to a disproportionate measure being proposed.

Role of Schools

Section 11 of the draft Bill states that consent will be deemed to be invalid if, among other requirements, the data principal is not informed about other data fiduciaries or data processors with whom personal data might be shared. However, §12(a)(i) of the Bill creates an exception to §11 and allows non-consensual processing of data when deemed necessary for the rendering of any service or benefit for the data principal by the government. Government-run schools might be classified as a ‘service’ beneficial for the data principal, i.e., the student. While §16 does mandate that data fiduciaries are required to take parental consent before processing data, it is not clear whether the requirement of such consent will be diluted due to the exception created by §12(a)(i). This has ramifications for student privacy in the context of public edtech, where student data might be shared with private companies for various kinds of educational collaboration. That private, for-profit companies might have side-door access to student data is a problematic prospect.

Apart from the obligations owed to children under §16, data fiduciaries handling large amounts of children’s data might also be notified as significant data fiduciaries under §26(g) of the draft Bill. This would impose fresh liabilities, such as carrying out a data protection impact assessment, maintenance of records, evaluation of policies and conduct by an auditor and so on. This would obviously be a welcome step to regulate the activities of large edtech platforms, like Google or Byju’s, as these companies have sufficient resources to handle additional obligations.

However, we also need to consider that even schools may now have additional responsibilities. Schools, after all, do collect large amounts of data that they manage using outsourced edtech school administration tools. Several low-cost schools with a shoestring budget exist in India, and these schools might simply not be equipped with the obligations of a ‘significant data fiduciary.’ While schools too should have certain responsibilities towards protecting their students’ data, the reality of resource-crunched schools calls for a more balanced approach. Again, it becomes evident that the neglect of edtech has led to a lack of understanding of how different stakeholders are affected by the Bill’s provisions.

Moving Forward with – and beyond – the DPB, 2021

In light of these issues, it is evident that improvements to the DPB are in order. Perhaps the best way forward is to recognise certain fiduciaries and processors as education-related fiduciaries and impose obligations upon them accordingly. The current obligations might work well and indeed be necessary for websites or apps that children use to play games or watch cartoons, but as shown above, they might hinder edtech services. Consequently, the prohibition on edtech services against profiling, tracking and behavioural monitoring must be restricted to commercial purposes and such activities can be allowed in furtherance of educational purposes that benefit students. Such a stipulation would balance both privacy concerns with the need to improve services. Future regulation should also explicitly prohibit the placing of third-party cookies that track student behaviour on learning platforms and other applications used by students. Further, it should be clarified whether the exception created by §12 regarding the requirement of consent applies to government schools. This should be complimented by the Union Government laying out specific guidelines for the deletion of student data beyond the required purposes, taking into account the method in which edtech companies operate. Such enhancements would bring more coherence, protection and balance to the Bill.

There are other areas where more deliberation is required. The possibility of ill-equipped schools being designated as significant data fiduciaries is one such area. An alternative mechanism could be conceptualised wherein data collection by schools is monitored by a supervisory body without necessarily imposing onerous responsibilities on them. This would ensure that schools- an important centre of data collection- does not escape into a greyhole in terms of data protection. Further, since concerns related to student privacy goes beyond minors and extends to college students and other adult learners, the possibility of bringing their data under a similar protection mechanism should be considered, with more autonomy in privacy choices being granted to adults.

Even as legislative efforts should be made to fine-tune the DPB to address the special challenges posed by edtech, it is important to understand that much of its implementation depends on awareness. Considering that students, parents, teachers and schools might not be well aware of their rights under the law, efforts should be made to increase awareness of these rights and empower people to utilise them. Only then can we truly ensure that student privacy is adequately protected.

Niveditha Prasad is a current undergraduate student pursuing a B.A., LL.B. (Hons.) at the National Law School of India University (NLSIU), Bengaluru.