[This post is authored by Oshi Priya, a third-year student at the National Law University of Study and Research in Law, Ranchi.]
Education technology (EdTech) facilitates e-learning by combining software and computer hardware with educational theory. Though still in its early stages, it is already a $700 million industry in India and is projected to grow eight to ten times over the next five years. Popular EdTech companies in India include Unacademy, BYJU'S and Toppr.
In May 2020, Unacademy, one of the biggest EdTech companies in India, suffered a data breach; the stolen personal information of millions of users was put up for sale on the dark web. These users included thousands of minor students. The compromised information included usernames, passwords, programme joining dates, last login dates, locations, email addresses and account status (active/inactive). Beyond exposing the users themselves, a leaked set of email addresses and passwords is routinely reused for phishing and for credential-stuffing attacks against other services where the same password was used.
Minors are the primary target audience of EdTech companies. This group is the most vulnerable to a data breach because minors are not in a position to give informed consent to privacy policies. The compromised personal information can be used to monitor user behaviour and, from that, to build marketing profiles.
Privacy by Design
Privacy by Design means building data protection and privacy mechanisms into the collection and storage system from the outset and for the entire lifecycle of the data: acquisition, storage, protection, use and, finally, destruction of data that is no longer required. It favours a preventive approach over a curative one and makes the privacy of the data the focal concern. The Personal Data Protection Bill, 2019 (PDP Bill), in an attempt to solve some of the problems surrounding users' personal information and privacy policies, introduces the concept of Privacy by Design into the Indian context.
Provisions to keep the powers of EdTech Platforms in Check
The PDP Bill is based on the draft PDP Bill of 2018, prepared by the Committee of Experts chaired by Justice Srikrishna. According to Section 16(2) of the PDP Bill, 2019, the data fiduciary shall, before processing any personal data of a child, verify the child's age and obtain the consent of a parent or guardian, in such manner as may be specified by regulations made by the Authority under the Act. Moreover, according to Section 11(5), the burden of proving that the data principal has given consent for the processing of personal data under that section lies on the data fiduciary.
These companies also have a policy on "Automatically Collected Information" under which they collect a variety of data without any user action, such as the type of mobile device in use, its unique device ID, the IP address and the operating system. Such clauses give them wide powers to collect and process a data principal's personal information under the pretext of consent; they may end up collecting information the user never actually consented to.
According to Section 7 of the Bill, the data fiduciary is obliged to give the data principal notice at the time of collection or processing of personal data. The provision requires the data fiduciary to inform the data principal of the nature, categories and purpose of the personal data being collected, the details of all parties with whom the data may be shared, and the period for which the personal data will be retained (read with Section 9). Ambiguous wording and vague descriptions of the kind of data being collected would therefore be contrary to the legislation.
Further, these platforms include discretionary clauses (for instance, on when data is deleted) that free them from any obligation to handle users' data on the users' terms.
As per Section 9(1) of the Bill, the data fiduciary shall not retain any personal data beyond the period necessary to satisfy the purpose for which it is processed, and shall delete the personal data at the end of the processing. If a user wishes to discontinue the service and exercises the right to erasure (Section 18) or the right to be forgotten (Section 20), the data fiduciary is obliged under Section 9 to delete all of that data principal's personal information.
Issues that Need to be Addressed
Though the Bill attempts to deal comprehensively with data protection, it does not address every kind of data exchange or allocate liability for each. For example, these platforms state in their privacy policies that their websites may contain links to third-party websites that may or may not be owned or controlled by them, and on that basis absolve themselves of any liability relating to those third-party websites.
Third-party cookies (or tracking cookies) collect information about a user's browsing habits and use it to serve the user targeted ads. For site owners, tracking cookies can be very profitable.
The present PDP Bill has no provision regulating third-party cookies. Regulation is essential because advertisers and social networks routinely use such cookies to monitor user activity online and for behavioural targeting, that is, using people's activities to determine which advertisements and messages will resonate most with them. It leverages behavioural data, such as what people do or do not do in the app, on the website or in response to campaigns, to trigger personalised marketing.
Further, these platforms host forums on their websites and disclaim any liability for data that users themselves share on those forums.
Given the age of the minors using these platforms, they cannot make an informed decision about the collection or sharing of their personal information.
Third-party, persistent marketing cookies present a severe privacy risk. They carry a significant amount of information about the user's online activity, preferences and location. The chain of responsibility for a third-party cookie (who can access the cookie's data) can also become complicated, which only heightens the potential for abuse.
The ePrivacy Directive (commonly called the Cookie Law), which operates alongside the General Data Protection Regulation (GDPR), makes the following mandatory:
- Documenting and storing the consent received from users.
- Allowing users access to the service even if they refuse certain cookies.
- Making the withdrawal of a user's consent effortless.
Hence, the PDP Bill must incorporate similar provisions to regulate third-party cookies, since tracking techniques continually evolve. Users have a right to know the number and types of cookies a site hosts so that they can give informed consent regarding their personal data.
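To make the three obligations above concrete, here is an added example (not code from the original post or from any EdTech platform) of how a site can gate third-party cookies on recorded consent. It keeps an append-only record of each consent decision, lets the essential session cookie and hence the service work even when the user refuses, and removes every tracking cookie in a single withdrawal call. The cookie names, categories, user ID and the in-memory cookie jar are assumptions made for illustration; in a browser the jar would wrap document.cookie.

```javascript
// Added example, not from the original post: consent-gated cookie setting with an
// auditable consent record and one-call withdrawal. Cookie names, lifetimes and
// categories below are hypothetical; the jar stands in for document.cookie so the
// code runs offline under Node.

// Hypothetical catalogue of every cookie the site sets. Only "essential" cookies
// may be set without consent; the other categories are gated on a recorded decision.
const COOKIE_CATALOGUE = {
  session_id:  { category: "essential", thirdParty: false, maxAgeSeconds: 0 },
  _ga_example: { category: "analytics", thirdParty: true,  maxAgeSeconds: 2 * 365 * 86400 },
  ad_tracker:  { category: "marketing", thirdParty: true,  maxAgeSeconds: 365 * 86400 },
};

// Minimal cookie jar. In a browser the same interface would wrap document.cookie,
// and remove() would re-set the cookie with Max-Age=0.
class CookieJar {
  constructor() { this.cookies = new Map(); }
  set(name, value, maxAgeSeconds) { this.cookies.set(name, { value, maxAgeSeconds }); }
  remove(name) { this.cookies.delete(name); }
  has(name) { return this.cookies.has(name); }
  names() { return [...this.cookies.keys()].sort(); }
}

class ConsentLedger {
  constructor(jar, clock = () => Date.now()) {
    this.jar = jar;
    this.clock = clock;
    this.records = []; // append-only: every decision, including withdrawals, is retained
  }

  // Obligation 1: document and store consent (who, when, which policy text, which categories).
  record(userId, categories, policyVersion) {
    const entry = {
      userId,
      categories: new Set(categories.filter((c) => c !== "essential")),
      policyVersion,
      recordedAt: this.clock(),
    };
    this.records.push(entry);
    return entry;
  }

  // The most recent decision for this user, or null if none was ever recorded.
  latest(userId) {
    for (let i = this.records.length - 1; i >= 0; i--) {
      if (this.records[i].userId === userId) return this.records[i];
    }
    return null;
  }

  // Essential cookies never need consent; anything else needs the category in the latest record.
  allowed(userId, category) {
    if (category === "essential") return true;
    const rec = this.latest(userId);
    return rec !== null && rec.categories.has(category);
  }

  // Obligation 2: access on refusal. Only the cookie's own category is checked, so a user
  // who refused everything still gets the session cookie and can use the service.
  setCookie(userId, name, value) {
    const spec = COOKIE_CATALOGUE[name];
    if (!spec) throw new Error(`unknown cookie ${name}: add it to the catalogue first`);
    if (!this.allowed(userId, spec.category)) return false;
    this.jar.set(name, value, spec.maxAgeSeconds);
    return true;
  }

  // Obligation 3: effortless withdrawal. One call records the refusal and purges every
  // non-essential cookie the earlier consent permitted.
  withdraw(userId, policyVersion) {
    const entry = this.record(userId, [], policyVersion);
    const removed = [];
    for (const [name, spec] of Object.entries(COOKIE_CATALOGUE)) {
      if (spec.category !== "essential" && this.jar.has(name)) {
        this.jar.remove(name);
        removed.push(name);
      }
    }
    return { entry, removed: removed.sort() };
  }
}

// Walk-through with a constructed user and a fixed clock.
function demo() {
  const jar = new CookieJar();
  const ledger = new ConsentLedger(jar, () => 1700000000000);
  const user = "student-42"; // constructed identifier

  const beforeConsent = ledger.setCookie(user, "ad_tracker", "abc"); // false: nothing recorded yet
  ledger.setCookie(user, "session_id", "s1");                         // true: essential, no consent needed
  ledger.record(user, ["analytics"], "privacy-policy-v3");            // user accepted analytics only
  const analytics = ledger.setCookie(user, "_ga_example", "GA1");     // true: granted
  const marketing = ledger.setCookie(user, "ad_tracker", "abc");      // false: marketing not granted
  const { removed } = ledger.withdraw(user, "privacy-policy-v3");     // purges _ga_example
  return {
    beforeConsent, analytics, marketing, removed,
    remaining: jar.names(),              // only session_id survives
    auditEntries: ledger.records.length, // consent plus withdrawal
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the catalogue is that a cookie the site has not classified cannot be set at all; that is the check that forces a team to enumerate the cookies it hosts, which is exactly what a user needs to be told before consenting.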
Another incident, in March 2020, involved a data breach at the EdTech platform Skolaro. Data belonging to over 50,000 students, their parents and teachers, including medical records, photos and passport scans, was compromised after the database was left on an unsecured server. Such incidents indicate that data fiduciaries do not take users' privacy seriously and that the absence of proper and strict regulation lets them escape liability; as a result, once the personal data of millions of users has been compromised, it becomes impossible to determine who is liable.