With the increasing influence of digital technology and the internet, particularly in the wake of COVID-19, legal nuances surrounding the processing of children’s personal data is assuming greater importance. Digital transformation has acted as the whetstone for remote learning to become the only alternative to mainstream education. 

EdTech platforms in particular have been in the eye of the storm for targeting children and marketing products to them, their parents and guardians. Sensitivity around their business practices, standards of curriculum and related aspects increasing manifold led to the Ministry of Education issuing an advisory to citizens regarding exercising caution against EdTech Companies on 23 December 2021. It is also speculated that the Ministry of Education is poised to roll out a common policy to regulate the sector. 

Another significant aspect that has garnered a lot of attention across the globe is the challenge of securing privacy of a child in the digital world. On a sector-neutral basis, the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 regulate aspects of data privacy and protection in India today. However, the Indian law does not lay down any specific provision for the processing of children’s personal data. 

India is at the cusp of adopting a comprehensive data protection legislation and the Joint Parliamentary Committee (JPC) has submitted its Report on the Personal Data Protection Bill, 2019 (2019 Bill) along with a revised draft Data Protection Bill, 2021 (2021 Bill) to the Parliament on 16 December 2021. This article aims to shed light on the approach towards the protection of children’s personal data in the 2021 Bill, together with the key recommendations by the JPC and its possible impact on EdTech businesses. 

• Age Limit: While the age of providing consent in several jurisdictions is between 13 to 16 years, the JPC has kept it aligned with the age of majority in India (i.e. 18 years). 
• Processing Children’s Personal Data: In terms of the 2021 Bill, a data fiduciary (say an EdTech platform) must verify the age of the child and obtain the consent of her parent or guardian.  The JPC has recommended that the data fiduciary should inform the child 3 months before she attains the age of majority (18 years) for providing fresh consent on the date of attaining the age of majority. 
• Mandatory Registration: The JPC has recommended that data fiduciaries dealing exclusively with children’s data should register themselves with the Data Protection Authority (DPA) under the 2021 Bill. Therefore, an EdTech business focusing on children’s education would need to register itself with the DPA.
• Significant Data Fiduciary and its Impact: Interestingly, ‘the processing of data relating to children or provision of services to them’ has been added as a qualifying factor for the determination of a data fiduciary as a significant data fiduciary (SDF). As per the present draft of the bill, there are no specific guardrails such as the child centricity of business, volume or size of the processing of children’s data, etc. for a data fiduciary to be categorised as a SDF and it is expected that the DPA would provide necessary guidelines in this regard. The SDF has additional compliance obligations under the 2021 Bill such as the appointment of a data protection officer, conducting data protection impact assessments, record keeping and data audits.
• Removal of the concept of Guardian Data Fiduciary: It is also important to note that as a departure from the 2019 Bill, where the DPA could classify a data fiduciary as a ‘guardian data fiduciary’ who had offerings directed at children or processed large volumes of children’s personal data,  the JPC recommended the removal of the concept of ‘guardian data fiduciary’ as a separate class. As an effect, all data fiduciaries are now barred from profiling, tracking, behaviourally monitoring children and their data, or targeting advertisements at children, or processing any personal data that can cause significant harm to the child. The impact of this recommendation is rather far reaching wherein this obligation now potentially extends to every data fiduciary, irrespective of their level of engagement with children or children’s offerings. Thus, EdTech or learning platforms, where children’s courses are a minor part of the overall offerings of the platform, would also get covered under this fold. They may have to take a re-look at their overall business and technical architecture, if this JPC recommendation become a reality.

In conclusion, one can certainly say that the inclusion of specific provisions for the processing of children’s personal data in what is slated to be India’s first comprehensive data protection legislation is a welcome step in the discourse of protecting the privacy of a child in the digital world. However, it is essential to weed out ambiguities in the 2021 Bill and streamline compliance obligations, so that this mother data protection legislation does not become a hindrance in the digital journey of the nation.