With the implementation of the Digital Personal Data Protection Act 2023 (Act) all set, India’s buzzing ed-tech space is predicted to undergo a reshaping of its contours and business models.
DPDP Act: The Territorial Scope
The Act will apply to ed-tech providers that:
collect or otherwise process personal data within India, or
process personal data outside India, but such processing is in connection with offering ed-tech products or services within India. For instance, a foreign ed-tech provider with no physical presence in India providing courses to Indian students (such as in collaboration with foreign universities) would be covered by the Act.
The Act is silent on applicability where neither of these two conditions is satisfied, for example, where an ed-tech provider carries out analytics over data collected and processed outside India to improve its overseas offerings.
Decoding the Material Scope
The Act imposes the entire responsibility of compliance on data fiduciaries, which are entities determining the means and purposes of processing personal data, akin to data controllers under the European Union (EU) General Data Protection Regulation (GDPR). An ed-tech provider may commonly intend to act on behalf of an educational institution in the capacity of a data processor. However, whether an ed-tech provider is a data fiduciary is not a function of what is set out in a contract, such as one with an educational institution, but of who in fact is controlling the processing of personal data.
If personal data is processed by an ed-tech provider independently, i.e., beyond the instructions of an educational institution to which it provides technology services, the ed-tech firm may be assuming a data fiduciary’s role to that extent. In complex scenarios where the educational institution and an ed-tech provider are performing distinct but complementary functions, the ed-tech provider should carefully consider whether it is involved in jointly controlling the personal data in question and ring-fence its liability through contractual controls.
How Consent Requirements Will Change
Under the Act, consent is the primary basis for processing all personal data (to be accompanied by a notice), with exceptions for ‘certain legitimate uses’ applicable in limited instances, for example, voluntary provision of personal data for a specified purpose, employment purposes, and compliance with law. The rules under the Act will specify how notice and consent are to be exchanged with data principals, akin to data subjects under the GDPR. Since ed-tech providers typically operate as the platform interfacing with the user, they may need to revisit their UI/UX to evaluate whether the consent being obtained is consistent with the Act, for example, through an affirmative act rather than an opt-out mechanism. Given that consent is required to be specific, ed-tech providers may, going forward, be required to unbundle consent for collecting personal data necessary for providing their services from consent for receiving promotional content/marketing. This may especially impact the business models of ed-tech firms that rely heavily on marketing, promotional content and cross-selling of products.
Protection of Children’s Personal Data
To collect and process personal data of children (persons under 18 years of age), ed-tech firms would require ‘verifiable parental consent’ from the parent or lawful guardian. Notably, the Act does not clarify whether fresh verifiable parental consent would be required for children who registered on ed-tech platforms prior to the Act’s commencement. Further, news reports suggest that such verification may have to be carried out through an Aadhaar or token-based mechanism.
The Act generally prohibits tracking or behavioural monitoring of children, and targeted advertising directed at them. This may impact business models that leverage children’s behavioural data to provide bespoke services. It may also restrict monitoring children’s device data to offer behavioural advertisements. Ed-tech providers would need to assess whether curating useful content for children as a broad category, rather than making preference-based recommendations to any child in particular, would be hit by this restriction.
The Act also prohibits processing of personal data having a ‘detrimental effect’ on children’s well-being, including age-inappropriate content which undermines their physical or mental health. Through rules under the Act, the Government may exempt certain classes of data fiduciaries whose processing activities are verifiably safe. However, given the drift of these provisions, it is unlikely that this would provide any leeway to ed-tech firms.
Exemptions on the Anvil?
Considering the volume and sensitivity of personal data, certain data fiduciaries (including ed-tech providers that are startups) may be exempt from certain obligations under the Act. The Act may also exempt processing by ed-tech providers for research that (i) is not used to make a decision about a data principal and (ii) is in accordance with prescribed standards. However, what constitutes a ‘decision’ is not clear. A broad reading will mean, for instance, that processing of personal data for analytics purposes to decide if a person receives an advertisement may constitute a ‘decision’ under the Act.
To conclude, the Act would require ed-tech providers to revisit their existing business models, data processing arrangements, and data mapping practices to ensure an appropriate lawful basis for continued processing of personal data, ahead of its implementation. Ed-tech providers would also have to internalise appropriate technological lifts to enable age-gating mechanisms, be conscious of child-related prohibitions where applicable, and consider alternative monetizing strategies where required.
The authors would like to thank Monika Srivastava, Partner at Khaitan & Co who specialises in Mergers and Acquisitions, Private Equity and Education, for her valuable inputs.