NHRC issues notice to MeitY on the processing of children’s personal data for AI training

On 27 February 2026, the National Human Rights Commission took cognizance of a complaint by NAMO Foundation. The complaint is regarding Pratham’s deployment of an AI tool “Anytime Testing Machine (ATM)”. Pratham is an NGO based in India. The AI tool is being developed in collaboration with Anthropic to process children’s handwritten responses and academic performance data.

The complaint particularly alleges a violation of the provisions related to the processing of children’s personal data as mandated in the DPDP Act, 2023.

NHRC has issued notices to Ministry of Electronics and Information Technology (MeitY), Departments of School & Higher Education, and all State/Union Territory Chief Secretaries, directing inquiries into compliance risks (parental consent, collection, storage and cross-border transfer) arising out of the processing.

The NHRC also ordered the submission of action-taken reports (ATR) within two weeks.

Relevant DPDP Act Provisions (read with DPDP Act rules 2025)

Definition and Classification:

Pratham, as the entity determining purpose and means of processing handwritten data, qualifies as a Data Fiduciary. Anthropic, providing the AI backend, is likely a Data Processor (Section 2(e)), with Pratham remaining fully responsible for complying with the obligations mandated in Section 8(1)–(2) (contractual obligations as well as overall accountability).

Child Data Protection Mandates – Section 9:

“A Data Fiduciary shall not process personal data of a child unless it obtains verifiable consent of the parent or guardian, in such manner as may be prescribed.”

DPDP Rules, 2025 – Rule 10:

Verifiable parental consent requires “appropriate technical and organisational measures”, typically via reliable identity/age verification or virtual tokens (e.g., Digilocker).

Fourth Schedule Exemptions:

Educational institutions/NGOs engaged in “educational activities” or “safety monitoring” may be exempt from Section 9(1) consent requirements provided processing is strictly necessary and limited to the child’s best interest. Pratham may seek shelter here, but the exemption is narrow and does not waive security measures or purpose-limitation duties.

Cross-Border Transfer – Section 17:

Permissible to the US unless the Central Government notifies restrictions (none currently). However, Rule 15 (for Significant Data Fiduciaries) and general Section 8(5) security obligations apply.

Security & Breach – Section 8(5) + Rule 6 & 7:

Reasonable safeguards (encryption, access controls, audit logs with minimum one-year retention) are mandatory; breach notification to Board within 72 hours and to principals “without delay.”

Significant Data Fiduciary Status (Section 10 + Rule 13): If Pratham’s scale triggers notification, mandatory Data Protection Impact Assessment, independent audit, and algorithmic risk mitigation apply, post-enforcement of the act.

Critical Assessment of the alleged violation of rights

NHRC’s intervention shows that Indian Judiciary system is capable of filling the enforcement vacuum while the DPDP framework matures. Children’s data attracts the highest protection precisely because handwritten academic responses can yield sensitive inferences (learning disabilities, socio-economic markers) via ArtificiaI Intelligence.

Even if Pratham qualifies for Fourth Schedule exemption, the collaboration raises red flags:

• whether data is shared with Anthropic beyond “necessary” educational processing (potential model-training violating purpose limitation under the DPDP Act)

• adequacy of verifiable consent mechanisms in a mass NGO rollout across government-supported programmes, and

• contractual flow-down of security obligations to a foreign processor.

Critically, the DPDP regime’s absence of mandatory Standard Contractual Clauses or adequacy decisions (unlike GDPR) makes cross-border AI projects inherently riskier.

NGOs cannot claim blanket immunity merely by virtue of their social mission since Section 8(1) makes every Data Fiduciary strictly accountable “irrespective of any agreement to the contrary.”

The case underscores a broader systemic gap. Educational NGOs partnering with frontier AI labs are currently operating in a pre-enforcement twilight zone. MeitY must issue sector-specific guidance on AI-edu data processing, mandating DPIAs and consent-manager integration (Rule 4, effective in one year).

Overarching Critique & Recommendations

The DPDP Act, 2023 and the subsequent DPDP Act Rules, 2025 mandate a consent-centric, principle-based data privacy regime superior to the 2018 Draft Bill in several respects (verifiable child consent architecture, phased rollout, explicit processor accountability). Yet a few fault-lines persist in the current Act, as mentioned below:

1. Over-correction on privacy vs. transparency in the RTI amendment risks a democratic deficit.

2. Sectoral exemptions and phased enforcement create compliance arbitrage, particularly acute for child-centric AI projects involving NGOs and foreign processors.

Bellwether’s Regulatory Advisory to Data Fiduciaries

Immediate Step: Conduct legacy-data audits and implement verifiable consent workflows (Digilocker integration) for all child-facing programmes.

For AI Collaborations: Execute iron-clad processor agreements mirroring Section 8 obligations; perform voluntary DPIAs.

India’s data protection journey is at an inflection point. These developments affirm that privacy is not antithetical to transparency or innovation—it is their essential enabler. Bellwether stands ready to assist data fiduciaries, processors, and civil-society activists in navigating these evolving regulatory times with future-proof compliance.

Loooking for DPDP Act Compliance?

Bellwether's data privacy consutants have worked with over 500 companies across the globe to establish data privacy compliance with global data protection regulations.

Request for a free 1-1 meeting with an expert DPDP Act Consultant.