Setting up a new platform for a peer to peer or alternative finance business is challenging at the best of times, as entrepreneurs plot a route through the diverse areas of law and regulation which must be respected for the platform to be launched and run in a sustainable manner. One such area is data protection and privacy. This article distils some of the experience and learning we at Fox Williams have gained from advising on data protection and privacy issues into what we consider to be the five most important data protection considerations relevant to P2P and alternative finance platforms.
1. Design with privacy in mind. Each platform will use and process personal data in different ways. If your platform innovates by providing a new service, or changes and improves the user experience of an existing service, then it may be using personal data in an entirely novel way. There is no ‘one size fits all’ solution to complying with privacy laws. The challenge is to ensure that the platform is still commercially viable even when operated within the framework of privacy laws. To help ensure this is the case, the platform or business model should be designed with privacy in mind so that any issues are identified early, which should minimise the costs of sorting them out. “Privacy by design” such as this is best practice and the interaction of data protection and privacy laws with your business model should be kept under review as the relevant legal framework changes.
2. Factor in new developments. Privacy laws are constantly evolving. Platform owners should establish a system, in conjunction with trusted advisers, so that the business is kept up to date with developments to privacy law both during the development phase and post-launch. The existing European data protection legislation is in the process of being reviewed and new laws are likely to enter into force at some point in 2017, although they could become law earlier or later than 2017. The new legislation is only in draft form at present but contains a number of material changes which will affect platform owners. For example, existing methods for getting your customers’ consent to his/her data being used may no longer be adequate as the requirements for valid consent are set to become more stringent and the potential fines for breaching data protection laws look likely to increase (the draft legislation provides for fines of up to 1 million euros or up to 2% of annual worldwide turnover).
3. Does your platform rely on the US Safe Harbor? Your platform could be affected by the recent decision of the Court of Justice of the EU, in which it ruled that the US Safe Harbor scheme is invalid. If, for example, your parent company is a US company and your HR or customer data is held by the parent company on servers in the US, or if your platform uses Software-as-a-Service (SaaS) solutions which are hosted in the US where the service provider is under Safe Harbor – such as Amazon Cloud or Salesforce. The eighth data protection principle of the UK Data Protection Act says that personal data shall not be transferred to a country outside the European Economic Area unless that country ensures an “adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”. Formerly under the Safe Harbor, transfers could be made to the US, if the US recipient of the data had signed up to the US Department of Commerce Safe Harbor Scheme, as this had been recognised as providing “adequate protection”. Businesses that previously relied on Safe Harbor (or new platforms intending to rely on it) will need to review and where appropriate make changes to their business so that they can send data to the US lawfully. For further information on the Safe Harbor decision, please see our earlier item “Safe harbor update – and what to do” which can be found here.
4. Change management. Parallel with being informed of any new developments, you need to be able to implement changes to the way your platform operates fast to keep on the right side of new privacy laws. This means being able to adapt business processes which are usually governed by a complex network of contracts between you, as platform owners on the one hand, and customers or other users of the platform, and suppliers to the platform, on the other. All contracts and terms should give you the right to amend existing contracts and standard terms in order to bring them into compliance with applicable data protection law and regulation and set out a clear and transparent way of notifying all interested parties of the changes that have been made and the reasons for making them.