Data Privacy for Peer to Peer and Alternative Finance Platforms

Sian Barr

Setting up a new platform for a peer to peer or alternative finance business is challenging at the best of times, as entrepreneurs plot a route through the diverse areas of law and regulation which must be respected for the platform to be launched and run in a sustainable manner. One such area is data protection and privacy. This article distils some of the experience and learning we at Fox Williams have gained from advising on data protection and privacy issues into what we consider to be the five most important data protection considerations relevant to P2P and alternative finance platforms.

1. Design with privacy in mind. Each platform will use and process personal data in different ways. If your platform innovates by providing a new service, or changes and improves the user experience of an existing service, then it may be using personal data in an entirely novel way. There is no ‘one size fits all’ solution to complying with privacy laws. The challenge is to ensure that the platform is still commercially viable even when operated within the framework of privacy laws. To help ensure this is the case, the platform or business model should be designed with privacy in mind so that any issues are identified early, which should minimise the costs of sorting them out. “Privacy by design” such as this is best practice and the interaction of data protection and privacy laws with your business model should be kept under review as the relevant legal framework changes.

2. Factor in new developments. Privacy laws are constantly evolving. Platform owners should establish a system, in conjunction with trusted advisers, so that the business is kept up to date with developments in privacy law both during the development phase and post-launch. The existing European data protection legislation is in the process of being reviewed and new laws are likely to enter into force at some point in 2017, although they could become law earlier or later than 2017. The new legislation is only in draft form at present but contains a number of material changes which will affect platform owners. For example, existing methods for obtaining your customers’ consent to their data being used may no longer be adequate, as the requirements for valid consent are set to become more stringent, and the potential fines for breaching data protection laws look likely to increase (the draft legislation provides for fines of up to 1 million euros or up to 2% of annual worldwide turnover).

3. Does your platform rely on the US Safe Harbor? Your platform could be affected by the recent decision of the Court of Justice of the EU, in which it ruled that the US Safe Harbor scheme is invalid. This applies if, for example, your parent company is a US company and your HR or customer data is held by the parent company on servers in the US, or if your platform uses Software-as-a-Service (SaaS) solutions which are hosted in the US where the service provider relies on Safe Harbor – such as Amazon Cloud or Salesforce. The eighth data protection principle of the UK Data Protection Act says that personal data shall not be transferred to a country outside the European Economic Area unless that country ensures an “adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”. Formerly, under the Safe Harbor, transfers could be made to the US if the US recipient of the data had signed up to the US Department of Commerce Safe Harbor Scheme, as this had been recognised as providing “adequate protection”. Businesses that previously relied on Safe Harbor (or new platforms intending to rely on it) will need to review, and where appropriate make changes to, their business so that they can send data to the US lawfully. For further information on the Safe Harbor decision, please see our earlier item “Safe harbor update – and what to do”.

4. Change management. In parallel with keeping informed of new developments, you need to be able to implement changes to the way your platform operates quickly, to stay on the right side of new privacy laws. This means being able to adapt business processes which are usually governed by a complex network of contracts between you, as platform owner, on the one hand, and customers or other users of the platform, and suppliers to the platform, on the other. All contracts and terms should give you the right to amend existing contracts and standard terms in order to bring them into compliance with applicable data protection law and regulation, and should set out a clear and transparent way of notifying all interested parties of the changes that have been made and the reasons for making them.

5. Transparency. Transparency is one of the guiding principles of privacy law. This principle should also resonate with P2P and alternative finance platforms, as often the point of distinction between them and more traditional finance businesses is that platforms are easier to navigate and understand. The principle of transparency should carry through to the legal terms governing the platform. The privacy statement and privacy policy should be clear, easy to follow and easy to find. The platform should be up front at all times about how personal data is to be used. Doing so can only improve the user experience offered by the platform.

High Court decision brings cautious optimism for data controllers

Laura Monro

A recent decision of the High Court has highlighted the difference in approach taken by the Court and the ICO in respect of compliance with subject access requests.

The Data Protection Act 1998 gives individuals the right to request that data controllers provide them with a copy of any personal data held about them, subject to certain exemptions. The intended purpose of a subject access request is to enable the individual to verify the personal data held about them and the lawfulness of the processing of that data.

In Dawson-Damer v Taylor Wessing subject access requests were made by three family members against law firm Taylor Wessing, the data controller. One of the family members was involved in litigation in the Bahamas with Taylor Wessing’s client which was the Bahamian trustee of the family’s trust fund. Taylor Wessing did not comply with the subject access requests, claiming to be entitled to the exemption for legal professional privilege. As a result, the family members submitted an application to the court to make an order for compliance with the subject access requests.

The judge refused the application holding that, amongst other points:

(i) Whilst there was no direct evidence of the motives for making the subject access requests, in the judge’s view the real purpose of the requests was to obtain information that might assist in connection with the litigation in the Bahamas. Such a purpose was not a proper purpose for submitting a subject access request. This follows the 2012 decision of the County Court in Elliott v Lloyds TSB Bank Plc & Anor, which held that if it could be shown that “but for” the litigation the subject access request would not have been made, the request would be an abuse of process.

In contrast, however, the ICO’s subject access code of practice provides that data subjects do not have to tell the data controller their reason for making the subject access request, nor what they intend to do with the information requested.

(ii) It was not reasonable or proportionate on the facts of the case for Taylor Wessing to carry out the necessary search to determine if any particular document was covered by legal professional privilege. In the circumstances, whether or not a document was protected by privilege depended on Bahamian law. As such, deciding whether a document was protected by privilege would be time consuming (and hence costly) and require consideration from skilled lawyers.

This reasoning is in contrast to the ICO’s view that a data controller need only supply such data as is found after a reasonable and proportionate search. The ICO’s guidance suggests that data controllers cannot refuse to deal with a subject access request simply because it will be an onerous task and time consuming to do so.

Employers, as data controllers, which have received subject access requests will be aware that such a request places an administrative burden on the business. The decision in Dawson-Damer v Taylor Wessing is therefore likely to be welcomed by data controllers. However, the decision is at odds with the ICO’s guidance, which suggests that data controllers should be prepared to make extensive efforts to find and retrieve the requested information; even if a data controller can show that supplying a copy of the information in permanent form would involve disproportionate effort, the data controller must still comply with the request in some other way.

It remains to be seen whether the ICO will revise its guidance in light of the court decisions. However, the ICO is unlikely to do so in the near future given that the judge acknowledged that the Court of Appeal might take a different view to that decided in Dawson-Damer v Taylor Wessing and granted permission to appeal. In the meantime, employers should take a cautious approach in following the decision of the High Court.

Please contact Laura Lumby for further information.