New Data Protection Law & it’s Impact on EdTech Industry in India: Best Corporate Lawyer Advice for EdTech Startups in India
“EdTech Companies and EdTech Startups in India are bound to follow the data protection laws, rules and regulations including the guidelines issued for data privacy in India. EdTech Companies collect a lot of data and information from querists and visitors including their customers and are duty bound and under a direct obligation to preserve the same from any kind of pilferage and unauthorised use. The option of obtaining appropriate legal advice and/or startup legal solution from a good corporate lawyer is advisable.“
In India, the EdTech industry has grown rapidly in the last several years. Some believe that this is just the beginning and that there is much more to come. Byju’s, an Indian start-up valued at USD 18 billion, is the most valuable Indian start-up to date, according to the most recent figures. This year has seen a large number of educational technology start-ups become Unicorns. According to this data, India’s educational technology market is growing rapidly. As a result of the epidemic, educational technology (particularly online learning platforms) grew at an astronomical rate.
Businesses in the EdTech sector are exempt from education rules since their primary focus is on technology. In other words, this does not mean that they operate in an unregulated environment. In addition, there are other more laws that they must follow. Data protection laws in India include the Information Technology Act, 2000 (IT Act), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Regulations, 2011, as well as other similar regulations. India’s current data protection system is likely to be radically altered by the Personal Data Protection Bill (PDP Bill), which has not yet become law.
Legal Consequences for Non-Adherence to Data Laws on EdTech Companies and EdTech Startups in India
In 2019, the Federal Trade Commission in the United States penalized Google and YouTube USD 170 million due to a violation of the Children’s Online Privacy Protection Act. For suspected irregularities in the usage of children’s data, TikTok is being sued in the UK. There are fines of up to 4% of global turnover or INR fifteen crore (about USD 2 million) in cases of non-compliance with the PDP Bill, which is similar to the EU’s General Data Protection Regulation.
EdTech companies and platforms typically gather a lot of information while providing their services. A student’s name, contact information, passwords, age, identity, gender, credentials, etc., are all collected by an e-learning platform when a student creates a profile. If the student’s parent or guardian is involved, they may gather the same information. Many EdTech systems commercialize student data through data analytics and data transfers, but we don’t want to generalize. To use this data for internal planning, such as measuring the traffic, user interaction, etc., or for targeted marketing, linked or collaborating firms may share it with them. Additionally, this data might be utilized to target social media marketing campaigns. When it comes to the education system, it is critical for all parties involved – educators, schools, teachers, and even parents all benefit from educational technology platforms- to understand why data is really important in this digital age, how it is collected, what it’s used for, and how it affects what a child consumes online through targeted or sponsored advertisements or otherwise, as this could have a direct impact on what a child sees online. There should be no unauthorized sharing of personal information, especially when it comes to kids.
Gathering of Information & Compliances under the Data Protection Regime for EdTech Companies and EdTech Startups in India
Under the existing Data Protection Act, what types of information are protected? According to the IT Act and the SPDI Rules, there are two distinct types of data:
● Information that may be used to identify a person, either directly or indirectly, in conjunction with additional information that is either already or is likely to be in the possession of a body corporate, is referred to as “Personal Information” (PI). Name, address, phone number, birth date, and other personal information are all part of PI.
● Personal information that can be used to identify an individual, such in that the term “SPI” encompasses not only physical or mental health data and sexual orientation but also a wide range of medical records and histories that can be used to identify an individual. (Sensitive Personal Data/Information)
Who all are protected under the Data Protection Laws?
The processing of personal information is not subject to any special regulations; however, certain penalties may be imposed if the information is released without permission. India’s SPDI Rules require a limited number of measures to be taken by an Indian entity when it collects, stores, processes, receives, or otherwise handles SPDI, including the user’s consent, disclosing the collection of data, adopting and maintaining reasonable privacy policies, and designating a grievance officer for data-related issues.
Restrictions on Data Processing & Data Profiling upon the EdTech Companies in India and EdTech Startups in India
Yes, SPDI-related processing and profiling require consent. PI, on the other hand, has no stated constraints on its processing under existing data protection regulation due to SPDI’s restricted forms and EdTech firms’ common practice of collecting PI. There are no limits on profiling or analyzing minors’ information for targeted advertising provided the data processed does not qualify as SPDI under the existing law. As soon as the PDP Bill is signed into law, things might be quite different.
The EdTech startups in India have to duly follow the data protection and privacy laws, rules and regulations and require startup legal solutions to be rendered by a good EdTech startup lawyer in India.
It is expected that the PDP Bill would be reintroduced in Parliament in November or December of 2021. Despite significant delays, India’s data protection legislation will be implemented. To be ready for the next iteration of the law, educational technology companies may want to examine their data collection and processing policies now. There is little doubt that the new regulation will help educational technology companies around the world to meet international requirements. Legal requirements for data-related compliance do not exist at this time, but educational technology platforms can learn from global organizations that have already begun to implement data-related policies and procedures. In addition to educational technology platforms, parents, teachers, and educational institutions could benefit from knowing about their rights to privacy and data processing, as well as numerous redress mechanisms if children’s privacy is abused. The internet will be safe for our children and grandchildren to utilize.
Authored By: Adv. Anant Sharma & Aparajita Singh