Read the original, full article here.
Child Data Privacy in Online Education Services
The educational disruption caused by Covid-19 is unprecedented in speed and scale. By April 1, 2020, 193 countries had closed schools in an attempt to curb the pandemic’s spread. Education authorities rushed to move millions of children to online learning, where access to the internet and technology made it possible.
Education technology companies (“EdTech”) subsequently experienced explosive growth in demand and new users, thanks in part to international organizations and governments rapidly signing agreements with EdTech firms and recommending their products to schools and teachers. In March, after Covid-19 was declared a pandemic by the World Health Organization, education app downloads worldwide surged 90 percent compared to the weekly average at the end of 2019. For example, Byju’s, an Indian EdTech company, added 20 million new users in the first four months of the pandemic and became the first EdTech company to join the ranks of some two dozen private companies worldwide valued at US$10 billion or more.
This has also meant that EdTech is collecting vast, unprecedented amounts of children’s personal data. But because most countries do not have data privacy laws that protect children, much of this data—including names, home addresses, behaviors, and other highly personal details that can harm children and families when misused—remain unprotected, putting children’s privacy rights at risk.
Human Rights Watch has found that many EdTech products recommended by governments and used by millions of children are problematic in how they collect, store, and use children’s data; with whom they share this data; and how they protect children’s privacy.
The sale or sharing of children’s data to third-party providers poses specific risks to children’s privacy. In September, the International Digital Accountability Council analyzed 496 EdTech apps across 22 countries and found privacy issues. Several apps were found to be recording and sending location data to third-party advertisers, or collecting device identifiers that cannot be reset unless a new device is purchased. The researchers noted, “Location tracking–whether through collecting location or persistent identifiers–is particularly problematic when the data subjects are children. Collecting this information and sharing with third-parties allows for the possibility that this information will be manipulated, misused, or monetized.” 
Several governments have waived existing child data privacy laws during Covid-19, arguing that such safeguards impede the shift to online learning. In Wales, the government waived the requirement for parents’ and students’ consent; in the United States, the governor of Connecticut suspended similar requirements under the Student Data Privacy Act.
Children exercising their right to education should not be compelled to give up their right to safety and privacy to do so, both in online and in physical spaces. Framing children’s privacy safeguards as an impediment to learning is false and potentially harmful, particularly as students’ data and their privacy are at heightened risk during this time. The pandemic has triggered a dramatic increase in cyberattacks seeking to acquire and demand ransom for students’ personal data. Education has now become the sector most affected worldwide by cyberattacks; Microsoft reported 5.7 million malware incidents on users of its education software between August 24 and September 24, 2020.
In interviews conducted by Human Rights Watch with students, parents, teachers, and education officials in 55 countries between April and August 2020, teachers worried about their students’ privacy, particularly those at risk. In the United States, one teacher in Iowa said, “Especially with undocumented students … I don’t know if they even fully know their rights or what being on the internet exposes them to, as far as their information.” Another teacher in Texas said: “Teachers were using [an online platform] which has no privacy protection. I was worried because, especially for our kids, this is not safe for them. From 60 to 70 percent of our kids had one primary family member that had been deported or was currently in ICE [Immigration and Customs Enforcement] holding. This is unacceptable, and it is a dangerous situation to put these kids in.”
Products adopted now–and the data they collect–may long outlast the current crisis.
We recommend that the Special Rapporteur:
Urge states to perform due diligence to ensure that the technology they recommend for online learning protects children’s privacy rights.
Urge states to provide guidance to schools on the inclusion of data privacy clauses in contracts signed with EdTech providers, to protect the data collected on children during this time from misuse.
Urge states with existing child data protection laws not to waive them, and for states without such laws to institute data protection laws for children.
Urge EdTech companies to protect children’s privacy at all stages of the data lifecycle, and to provide children with the choice of meaningfully opting out of the collection of their data, as well as to enable them to delete their data