INTRODUCTION:
The enactment of the Digital Personal Data Protection Act, 2023, marks a significant milestone in the realm of data privacy and protection in India. This Act affects all sectors including ed-tech industry which has witnessed rapid growth in the country over the last few years. The India ed-tech market size was valued at $5.13 billion in 2023. The Indian ed-tech market recorded strong growth in 2023 due to the rise in internet penetration and digital literacy. Ed-Tech facilitates scale and speed using a direct-to-device model, thus breaking geographical barriers for students and helping them get quality education from leading institutions.
The enactment of DPDPA will have profound impact as it brings both an advantage and a disadvantage for the emerging ed-tech industry in India. Since the ed-tech sector thrives on huge amounts of personal data to provide personalized learning experiences to its users, therefore, it is critical to understand implications of DPDPA for compliance and growth purposes. Furthermore, a large portion of the user base in these industries in India comprises children, necessitating additional compliance requirements under the DPDPA.
In this blog, we will examine the impact of DPDPA on ed-tech Industry and then explore several measures that companies need to take to ensure that they comply with legislation and exploit opportunities for their business expansion.
KEY PROVISIONS OF DPDPA RELEVANT TO EDTECH:
The DPDPA will apply to all ed-tech platforms that process data within India. It will also apply to platforms that process data outside India if the processing relates to offering goods or services to Data Principals within the territory of India. Therefore, once the DPDPA is enforced, these ed-tech platforms must comply with requirements of the law. These requirements are:
- Consent and Lawful Processing: Section 4(1) of the DPDPA mandates that personal data processing must be based on lawful purposes, with explicit and informed consent from Data Principals. Ed-Tech companies must ensure that they obtain clear consent, explaining the purpose and scope of data collection and usage before processing their data. They must serve the consent notice to the Data Principal in a manner specified in the Act.
- Limiting Data Retention Periods: Ed-Tech companies must refrain from retaining personal data for a period longer than required for the specified period. Furthermore, DPDPA provides that data fiduciary must erase the data of a student upon their request unless retention of the same is necessary for the specified purpose or for compliance with any law for the time being in force. Therefore, ed-tech industries must comply with these requirements and not retain data of students beyond the retention period for any purpose such as targeted advertisement and marketing.
- Transparent Communication About Data Usage: Ed-tech institutions should clearly inform their users about how their data will be used, shared, and processed. This transparency is critical to maintaining compliance with the Act, which mandates informed consent. Furthermore, when these ed-tech industries involve other entities (data processors) to process data on their behalf for offering any kinds of goods or services to students, this must be done under a valid contract.
Read Original Article Here > https://tsaaro.com/blogs/the-impact-of-dpdpa-on-the-ed-tech-industry/
English
Arabic
French
Portuguese
Deutsch
Turkish
Dutch
Italiano
Russian
Romaian
Portuguese (Brazil)
Greek