Controlling and dealing with personal data is integral to the activities of sharing economy platforms. Users may be required to share a range of information about themselves, including their location, address, job or the services they provide or use – and those users are becoming more aware of and concerned about the way that their data is collected, stored and shared.
These concerns have been heightened by a number of high-profile data breaches where digital platforms have been subject to malicious attacks resulting in disclosure of users’ personal data. Irrespective of the cause, negative publicity and erosion of users’ trust arising from a data breach is highly damaging to the development of the sharing economy.
Sharing economy companies as data controllers and intermediaries as data processors
Many sharing economy companies will fall within the definition of a “data controller” under the Data Protection Act 1998 (DPA) because they decide what and how personal data will be collected and used. This means that businesses will have to process personal data in compliance with the DPA, and that in turn means taking “appropriate technical and organisational” measures to keep personal data secure.
These obligations must also be observed by businesses processing personal data on their behalf (known as data processors) such as intermediaries. What is “appropriate” will depend on the nature of the personal data being processed. In particular, the security requirements for sensitive personal data (which includes, for example, personal data relating to an individual’s physical or mental health, their sexual life, ethnicity, political opinion, or their racial or ethnic origin) will generally be more onerous.
In the case of a serious data breach, a data controller could find itself the subject of a complaint made to the UK Information Commissioner’s Office which may issue an enforcement notice (failure to comply with an enforcement notice is a criminal offence) and a fine of up to £500,000. Many organisations suffering data breaches also incur significant amounts of money and time in investigating and mitigating the impact of data breaches, and of course there is a risk of substantial “fraud” damage.
The changing legal landscape
The proposed new General Data Protection Regulation (GDPR) is likely to have significant implications for the sharing economy when it comes into force in 2018. The GDPR will introduce a harmonised and modernised data protection law for the whole of the European Union. In its current draft form (the final text is expected to be agreed by the end of 2015) it will increase the data privacy compliance burden and introduce much higher fines. In particular, the following changes have been proposed:
- Increased fines up to €1m or 2% of annual global turnover for serious breaches of the GDPR.
- New, more onerous, data breach notification obligations.
- An obligation to carry out data protection impact assessments before providing new products and services which present a specific privacy risk.
- A requirement to appoint a data protection officer.
- For the first time, data processors will be responsible for compliance with certain data privacy obligations.
What does all this mean for sharing economy businesses and how can they help to protect users?
- Identify and respond to cyber security threats: Take pro-active steps to identify, continuously monitor and address potential threats, including by taking physical and technical security measures, such as firewalls and encryption.
- Train those handling personal data: Ensure staff are trained to spot and minimise the risk of data breaches arising from internal failures, typically through mistakes or lack of clear processes, as well as external factors, such as viruses and hacking. An appropriate security policy should be used to achieve awareness and provide practical guidance.
- Chose intermediaries and service providers carefully: Check that those involved in collecting and processing personal data take good practice security measures. Impose obligations covering virus protection, regular penetration testing, data back-ups, notification of security breaches and co-operation in responding to them and restrictions on onward processing.
- Be prepared for security breaches: Be prepared to act quickly if a data breach occurs in order to comply with obligations under the DPA, ensure continuous availability of the platform, mitigate the impact of breaches and minimise the effects of negative publicity.
- Respond to changes in law: Monitor and respond to changes in law, including the GDPR and Cyber Security Directive.
No more “Safe Harbour” for data transfers
And for sharing economy businesses which need to export data outside the EU, there is an additional level of complexity introduced by the recent judgement by the EU’s top court that the “Safe Harbour” for data transfers from the EU to the United States is invalid. We discuss the practical steps affected companies can take following that judgement here.
The data privacy and cyber security landscape is becoming more difficult to navigate as a result of changes in law, significant legal developments and more sophisticated cyber security attacks. Sharing economy businesses need to be proactive in responding to these issues in order to maintain the trust of providers and users.
This article is the fifth in a series of six weekly articles on the legal issues affecting the sharing economy. Register here for future sharing economy updates.