Rukmini* had aimed to finish her spoken English course by her 18th birthday. Being the first in her family to graduate high school, Rukmini wants to be a primary school teacher. With a history of physical abuse within her family, her first interaction with an NGO was at the age of 14. A prominent child rights organisation in Delhi promised to provide support with her education.
“Every weekend that we were in the NGO office, these people would come in with sign-up sheets,” said Rukmini. Hinting at EdTech companies that tie up with NGOs to target their deliverables, Rukmini spoke to Decode about her experience with online education. “Pehli baar ke selections mein mera hua nahi kyon ki ghar pe Papa nahi maante the padhai ke liye.” (I wasn’t able to apply the first time around because my father didn’t favour educating girls). But the same company showed up at her house within a month, wanting to speak to her father.
The practice of extracting data during the process of onboarding is commonplace for EdTech platforms. Their sales agenda involves targeting potential school-going children within a specific area radius, making home visits to make pitches to the parents, and then signing them on for a 7-day trial period. However, the data that is extracted in the process, is then kept on regardless of whether the child continues to use the platform.
As a part of their modus operandi, these companies also partner with non-profit spaces to design campaigns targeting children, especially those from lower-income families. Hence, the question that automatically arises is, how much of this consent that’s passed on by non-profits to EdTech organisations is done with the consent of the minor’s parents and will the newly passed Data legislation reduce the gap in prosecution for those engaging or enabling in data exploitation of children?
Decode (with support from Digital Empowerment Foundation) surveyed parents of 44 children (between the ages of 11-18) in Noida to assess the kind of information they’re asked for by EdTech organisations during sales drives. 43% said they were asked about their educational background. 73% said that third-party companies have reached out to them asking for their signatures. 59% have continued to receive promotional emails from EdTech platforms despite their refusal to participate. Exactly 50% said they’ve shared their Aadhaar and other personal details such as address, contact numbers and OTPs with platforms. Decode also spoke to several data safety organisations and project leaders who work to defend online freedom and data privacy in India.
Leveraging donations to extract data
According to our sources, some non-profit organisations collaborate with EdTech companies to design educational projects for children known to the NGO. In this context, any exchange of data would be done against a donation as a profit markup for the said NGO. However, any non-profit organisation or charitable trust in India is bound by specific regulations both assigned by the government, as well as their personal child protection policies.
Osama Manzar, Founder-Director of Digital Empowerment Foundation attested that NGOs are in fact subject to CSR funding over which EdTech organisations pressure them to retrieve data beyond what’s required. “On several occasions, we have fought this demand and urged firms to write up separate MOUs explicitly justifying additional data. But more often than not, they refuse and recuse themselves from the partnership.”
Manzar believes that although it is true that NGOs are forced to give data beyond the requirements or limitations of a project, NGOs need serious literacy on laws surrounding NDAs and MOUs to be able to fight the firms.
Children constitute more than 15 per cent of active internet users in India. With children becoming increasingly reliant on digital services, ensuring their online safety and privacy has become vital. In India, under the Digital Personal Data Protection Bill (DPDP), people under the age of 18 are considered minors. So entities processing a minor’s data need to meet three crucial criteria: Obtaining “verifiable parental consent”, not causing harm to children, and not tracking children’s activities or curating targeted ads for them.
Neha*, an employee at Byju’s (who has also previously worked with other EdTech firms) claimed that EdTech companies tie up with NGOs when they intend to increase their PR reach. “Once all the affluent families in an area are covered, they move on to lower-income families,” explained Neha.
The EdTech companies set weekly targets for their sales teams. “4 out of 12 teams are tasked with finding lower-income families, who they have to manipulate into signing on.” First, they call parents and make a pitch, almost to instil fear in their minds about their child’s failing education. Then they make home visits. This still leaves out children in the area who are being rescued and supported by non-profit organizations. “So they might reach out to NGOs to secure their sales agenda,” Neha added.
However, Neelam Singh, head of UNICEF South Asia says she is unaware of the practice of extracting data from smaller NGOs as they always state the intended purpose of bringing in data. Since 80% of UNICEF’s programmes are in partnership with the government, there is an expectation of assurance on whether the data is going beyond UNICEF’s systems. “We have our own privacy statements, consent and limitations on who the data is shared with. We make sure all personal data is masked or deleted before we share it with campaign partners,” said Singh.
According to Singh, the liabilities of hosting personally identifiable data are entirely with the governments and not with non-profits. “The government is also responsible for making minors aware of campaigns wherein their private information will be recorded.”
According to Raman Jit Singh Chima, Asia Policy Director and Senior International Counsel at Access Now, it is generally not regarded as acceptable to be leveraging donations to access the personal information of children. “It’s not seen as kosher in the space, because you need to get informed consent from parents. But you won’t get that consent from lower-income families who don’t have the opportunity to say no,” Chima explained.
The new law that has been drafted over many years, involves a high test on what data can be collected. “Hence, EdTech organisations are trying to suck up as much data before the law becomes clear,” Chima argued.
So, are there preexisting concerns regarding unfair practices by EdTech firms in the Consumer Forum or the likes of administrative bodies?
“The Department of Consumer Affairs came out with a notice that you cannot deny services if a customer refuses to provide personal information,” said Prateek Waghre, Policy Director at Internet Freedom Foundation. Doubtful that a notice can do much, Waghre pointed to the fact that child data exploitation concerns have been brought up to the government, putting EdTech firms on their radar.
In fact, the GOI warned EdTech firms against unfair trading practices. The notice included misleading advertisements and cautioned that lack of self-regulation will subject EdTech firms to stringent guidelines. The meeting was attended by representatives of IAMAI, upGrad, Unacademy, Vedantu, BYJU'S, WhiteHat Jr., Great Learning, and Sunstone.
EdTech campaigns target government school-goers
Another avenue through which EdTech companies reach children is through campaigns specifically designed to bring in children from lower-income families.
The Indian EdTech industry has noticed a boom with a bouquet of solutions curated to tackle different types of learning. Along with private schools, the use of EdTech by governments is backed by national digital initiatives under Samagra Shiksha and the National Education Policy 2020. Earlier reports suggested, that the future of government EdTech adoption showed over 24 states are inclined to integrate some form of EdTech across 98,000 schools by 2023.
Keeping in mind the criteria of the Child Protection Act, what does the flow of data look like when government school children are onboarded on EdTech platforms and whose consent applies?
Prateek Waghre suggests that although in letter the consent comes from the parents, if a school sends a signup sheet, a lower-income family will technically have to consent. “Look at the power dynamic there. Meaningful consent as a concept is extremely difficult to measure,” he stated. One can never satisfactorily deduce the source of consent in these spaces.
Additionally, there’s an issue of digital and data literacy with lower-income families, especially ones with first-generation school-goers. Osama Manzar agreed that as long as a family thinks they’re going to get something out of it, they don’t follow up on who or what data is being extracted from them.
According to Manzar, in India, the seeker has to be more proactive about informing people why they request some data instead of the other way around. “Culturally, Indians are not private persons. We live in joint families where decisions are made collectively. Because we don’t have full control over our data, we don’t know how to keep it private.”
Alongside, government schools are public procurement; which means greater leeways are applied to them as state instrumentalities. Section 7B of the Data Protection Act states “a data fiduciary may process personal data.., for the state or its instrumentalities to provide service or issue to the data principal such subsidy benefits, license, permit or, certificate etc. as may be prescribed, where if they previously consented to their usage, or if this data is already available with the government.”
“But then who does that leave?,” questioned Waghre. It’s unclear whether government schools can forward data to a private entity such as an EdTech firm. But one can see that there are sufficient gaps in the Act left solely to rule-making.
In terms of the Data Protection Act, what’s envisioned is a Data Protection Board as an adjudicatory body and not the Consumer Forum. “I think anyone from that ministry taking a more active interest in privacy breaches is good to create pressure on other ministries. But it’s still early days,” Waghre continued.
Raman Chima echoed the looming questions surrounding said Data Protection Board. Although the Centre provides open avenues for everyday citizens to bring up their data harm concerns, until the data protection board is set up, there’s no active redressal. “Also, if the board is set up and consists of 3 people and 10 staff, they will not have enough bandwidth to take on the entire country’s data protection issues,” Chima continued. He opines that the Data Protection Board is set up to fail and issues surrounding data leaks by EdTech are evidence that the problem of data harm is under-resourced.
Is there a way around it? Raman Chima recommends that there has to be a concerted campaign to assess which companies target govt schools, and issue guidelines to all schools, and in case more data is extracted than necessary, the avenue of public prosecution should be taken.
No govt. awareness drives for the digitally unaware
Edtech platforms usually have very widely-worded clauses relating to the processing of children’s data. They would like to collect as much data as possible, so they can create targeted advertisements.
In terms of data breaches, the DPDP Act provides some remedies. EdTech companies are barred from extracting information that can cause harm to children. However, that only makes an already unfair practice prosecutable. But follow-through still remains absent because there is no grassroots effort to spread awareness to low-income families about how to protect their children’s data or what the consequences of data harm look like.
Why the lack of concerted efforts by the government to launch data and privacy awareness campaigns?
Philosophically there is a belief that you need people’s data linked across ministries to provide better governance to people. “Without even making the surveillance argument, it is not in the government’s interest to have more people know about how and where their data rests,” Waghre argues. Thus, there is the intent to create the impression that steps are being taken against data harm, without actually doing much.
“There is selective blindness on the part of the government in pursuing only particular forms of digital safety,” said Arjun Adrian D’Souza, Lawyer at SFLC. “In effect, you have a reactive mechanism to enforce your rights. But most people affected by data exploitation are farthest from lawyers and courts,” Raman Chima said.
The onus of safeguarding the public’s data then falls on the non-profit organisations. For instance, Osama Manzar says that DEF developed their own data policy, passed by its board directors. “Our staff are more aware of whether to share any data with our funders.” However, this allows noncompliant organisations to fall through the cracks; once again endangering those who are farthest from data privacy awareness.
Rukmini* for instance was unaware that there could be mediums of learning beyond going to school. When asked, although Rukmini has had to make digital signatures on platform apps that sought her personal address and parent's contact information, she’s quick to look past potential data harm. “Humein toh pata nahi hai. Bas hum school nahi jaa paaye, lekin online hi English ka certificate mil gaya.”
This paints an interesting picture for those disconnected from conversations of digital safety; leaving space for misaligned interests in EdTech agendas.
Decode reached out to multiple EdTech platforms for comment but is yet to receive any.
*Names have been anonymised to protect the source's identity.