1. INTRODUCTION
With a surge in the advancement of technology, educational technology has seen enormous growth in India over the past few years. Technology-led education has come a long way by overcoming many obstacles and has made itself available in the remotest of areas. The increase in the number of people taking advantage of educational technology has augmented investments in Ed-Tech companies in India. India is home to the second-highest number of Ed-Tech companies, i.e., 327, after the USA.[1] The technologies used by these companies are VR/AR, artificial intelligence, gamification, video learning, IoT and blockchain. With the growing technology, the amount of personal data shared online is also multiplying. This poses a threat to the privacy of a large number of people. Thus, as the instances of infringement of the right to privacy and data leakage have been on the rise, data security and data privacy have become major issues of concern.
This article will give us an insight into the budding cases of privacy infringement; compare the data protection laws in India and the USA; and evaluate the Personal Data Protection Bill, 2019.
2. RECENT CASES OF BREACH OF DATA AND PRIVACY BY ED-TECH COMPANIES
Data security and data privacy are nearly similar terms, the only difference being that data security focuses on methods of protecting data, while data privacy concerns its storage and retention. The privacy policies of Ed-Tech companies are very long and intricate, which often leads people to ignore them and accept all the terms and conditions without the required knowledge of them. Most of the companies' policies do not mention any option of opting out of the use of their data without consent. Their insecure policies and mishandling of data lead to leaks of personal data, hacking, and infringement of privacy. Some of the major instances are:
Unacademy, one of India’s largest online education platforms, reported a data breach in May in which the data of 11 million users was leaked, including email addresses, encrypted passwords, user IDs, names, usernames, dates joined, and times of the last login.[2]
Skolaro, the online school administration system, reported a data leak affecting 50K users (students and parents) belonging to 100 schools after it stored data on unsecured servers. The data included usernames, passwords, age, religion, blood group, address, medical history, etc.[3]
Bengaluru-based Ed-Tech Vedantu faced a data breach that put at risk the data of 680,000 customers, including names, email addresses, IP addresses, and contact numbers.[4]
The Government issued a warning against using the Zoom app as it was exploiting facial recognition technology without prior permission from the users.
3. PRIVACY LAWS IN INDIA v LAWS IN USA
3.1 INDIA
The right to privacy is one of the fundamental rights that have been provided to the people of India, yet India does not have any stringent policies or laws on data security and privacy. The much-awaited act on privacy is yet to come. Till then the companies in India would continue exploiting the data since the current laws are not being implemented by the Government strictly. The Information Technology Act of 2000 has provisions for data protection. Section 43 of the Act states that if there is any unauthorized access to a computer, computer system, network, databases, and unauthorized downloading, copying, and extraction of any computer information, then there can be a claim of up to 10 million compensation.[5] The more specific and apt law on privacy is mentioned in Section 72, “which imposes a penalty on any person who has secured access to any electronic record, documents, information, or any other material powers conferred by the act, discloses such information without the consent of the person concerned”.[6]
Contract laws also help companies protect their data. Under the Indian Contract Act 1872, companies sign agreements such as non-circumvention, non-disclosure, user-license, and referral partner agreements, etc., to safeguard the personal data of people.
3.2 THE UNITED STATES OF AMERICA
There is no unified legislation on privacy in the U.S.A. Every sector has its own law on privacy. The U.S. Department of Education runs the Privacy Technical Assistance Center, which is a one-stop resource for addressing concerns related to privacy, confidentiality, and security practices. This includes[7]:
Family Educational Rights and Privacy Act (FERPA) – the act protects student education records and also gives parents certain rights concerning their children’s records.
Children’s Online Privacy Protection Act (COPPA) – this was created to protect children under age 13 from websites that knowingly collect and disclose any kind of personal information of these children.
Protection of Pupil Rights Amendment Act (PPRA) – schools and contractors obtain parents’ consent before a minor participates in any Ed-funded program that reveals certain information.
There is a vast difference between the laws in India and the U.S.A. India does not have proper laws regarding the preservation of online personal data of individuals, whereas the U.S.A. has a variety of data protection and privacy laws for different online sectors. In comparison to India, education is given the foremost priority in the United States, and therefore the privacy laws are divided for distinct purposes in the Ed-Tech sector.
4. CRITICAL ANALYSIS OF PERSONAL DATA PROTECTION BILL, 2019
In the Puttaswamy case[8], informational privacy was considered to fall under the right to privacy. The Government was asked to formulate laws on data protection. The Government created a committee on data protection under the chairmanship of B.N. Srikrishna, which formulated the Data Protection Bill that was presented in the Lok Sabha on 11 December 2019 by the Ministry for Electronics and Information Technology. The bill was then referred to a Joint Select Committee, which is yet to submit its report.
After critically analyzing the much-awaited Personal Data Protection Bill, it was observed that this bill weakens and invades the citizen’s fundamental right to privacy in the following ways:
The bill gives immense power to the Central Government. The Centre can arrange its own procedures and exempt state agencies from the bill and other laws in order to process personal data for national security and sovereignty. These powers fail to meet the conditions laid down in the Puttaswamy case for restricting the right to privacy, namely that a restriction should be supported by law, serve a reasonable purpose, be proportionate to the objective of the law, and have a proper bulwark against abuse. National interests can also infringe on the privacy of individual interests.
The central government may ask any data-fiduciary or data processor to provide non-personal data, but how the Government would use the data is not mentioned.
The Government can process data without the consent of the data principal for reasonable purposes, which can lead to scams and irregularities.
The sensitive personal data excludes passwords.
The Bill grants certain rights to individuals such as to access, rectify, and delete the personal data when it interferes with the profiling. But after the due recognition, the bill has some additional safeguards against the harms limited to only sensitive data.
The Bill’s data localization clause will not necessarily reinforce data security.
5. CONCLUSION
India has a rather inconsiderate and relentless attitude towards the right to privacy. The provisions for the privacy of individuals lack proper safety measures and a stern framework. Although safeguarding the privacy of individuals from Ed-Tech companies should be the first priority of the Government, it still does not have any strict policies or stringent laws against online resources. The Government should learn from the U.S.A. and from the European Union's current law, the General Data Protection Regulation (GDPR). On the surface, the Personal Data Protection Bill, 2019 makes the rules similar to the GDPR, but at its core it dilutes the very fundamental right to privacy. Resolving the privacy concerns around Ed-Tech is emerging as the foremost task for the country. The Government as well as the policymakers in India should critically analyze the provisions of the current Bill and come up with an appropriate solution to deal with the current scenario.
REFERENCES
[1] Vardaan, India’s Ed-Tech industry is the 2nd biggest in the world, Indianweb2 (Feb 12, 2020), https://www.indianweb2.com/2020/02/12/indias-edtech-industry-is-the-2nd-biggest-in-the-world/, accessed 22 July 2020
[2] Adam Bannister, Data breach at Indian learning platform Unacademy exposes millions of user accounts, The Daily Swig (May 14, 2020, 10:52 IST), https://portswigger.net/daily-swig/data-breach-at-indian-learning-platform-unacademy-exposes-millions-of-user-accounts, accessed 22 July 2020
[3] Aman Rawat, Exclusive: Ed-Tech Start-up leaks data of over 50K school children, Govt. officials, Inc42 (Mar 14, 2020), https://inc42.com/buzz/exclusive-edtech-startup-leaks-data-of-over-50k-indian-children/, accessed 22 July 2020
[4] Sanghamitra Kar, Vedantu’s data breach risked 680,000 customers data, ETtech.com (Nov 03, 2019, 4:00 IST), https://tech.economictimes.indiatimes.com/news/internet/vedantus-data-breach-risked-680000-customers-data/71882087, accessed 22 July 2020
[5] The Information Technology Act, 2000, No. 21, Acts of Parliament, 2000 (India)
[6] Id.
[7] Privacy, Office of Educational Technology, https://tech.ed.gov/privacy/, accessed 22 July 2020
[8] Justice K.S. Puttaswamy v Union of India, (2017) 10 SCC 641 (India).