Data privacy challenges within sharing economy and mobility

Insight

The sharing economy has helped solve some of our everyday challenges. For example, it has simplified our mobility and reduced its cost by making it possible for us to share cars, bikes and electric scooters when travelling from one place to another. By using an app on our phones, we can easily borrow someone else's car for a mountain hike, or book a bike or electric scooter to get to work in the morning.

It is, however, important to be aware of the challenges that come with the sharing economy, as it often requires the exchange of personal data over digital channels. When a sufficient number of people use the services of mobility providers such as Nabobil, Oslo Bysykkel, Voi and Tier, these providers will naturally collect and process vast amounts of data about their users.

If you want to use the above-mentioned services, the relevant app requires you to register data about yourself, such as contact and credit card information. In many cases the app may also record where you travel to and from, in addition to the length of your journey. This naturally raises data protection questions, in particular relating to lawful purposes and usage, legal grounds, security and retention.

As a provider of applications in the mobility sector, it is therefore important to research and be aware of the scope and limits that data privacy regulations set for the relevant service. Naturally, there are also a number of other laws and regulations to consider, such as consumer and marketing regulations. However, the following list outlines some key factors that a provider should consider from a data protection perspective when offering mobility services to consumers through applications:

  • Privacy by design: The GDPR requires that products and services are designed in a way that limits the processing of personal data to what is necessary to provide the service.
  • Information: The GDPR sets out information requirements. The user must be able to obtain adequate information about the service and the corresponding processing of personal data before using the service, in addition to accepting clear and understandable terms of use.
  • Defining a purpose: A provider should have a clear vision of what the collected personal data will be used for (the purpose of the processing). The GDPR requires that one or more purposes be determined in a concrete and clear manner, and prohibits the use of the information for other, incompatible purposes. By having a clear sense from the very beginning of what collected personal data will be used for, the provider retains the ability to use the information as it intended, while keeping the processing transparent for the user.
  • Legal basis: If the processing performed is not based on the fulfilment of a contract, the provided services must be based on consent. The GDPR sets out strict requirements regarding what constitutes lawful consent obtained from the user (the data subject) as a legal basis for the collection, use and disclosure of personal data. Moreover, the provider must adequately document the consent obtained.
  • Security: The GDPR sets out security requirements for the solution offered through an app. The user's personal data must be processed in a satisfactory and secure way. This applies both to who has access to the information internally, within the provider's organisation, and to external parties (e.g. the information must not end up with unauthorised persons, whether through disclosure or hacking).

The factors above are also ones that today's consumers expect service providers to have in place before making a service available to the public.