Privacy Concerns in Ridesharing Businesses

Ride-sharing business as a part of the larger gamut of the sharing economy has changed the apparatus of conventional transportation service. A large number of people belonging to different demographies have grown largely accustomed to the easily accessible transportation service through easy to use apps. These ride sharing platforms have helped people navigate easily; riders earn additional income and have provided incentive for transportation industry to become efficient. Furthermore, an equally large number of people have found an alternative source of income; estimates show that around 35,000 people participate in the ridesharing economy as riders, and the total number of rides in any given day is close to 15,000 through ridesharing apps like Pathao and Tootle in Nepal.

Exchange of information

Businesses in the sharing economy like ridesharing, typically act as an intermediary between the customer and the service provider by pairing them through an app which requires both the parties to provide certain information in order to be matched. The information typically includes name, phone number, address, and e-mail address of both the users, geo-location, storing of ratings and reviews etc. The crucial information that is provided by the users at both ends helps the platform and its app generate better services to its users in the form of optimal matching of riders and consumers.

Legal provisions

Information provided by the users which is required for use of services are categorised as personal information under the Nepalese Privacy Act 2075 (2018), and when shared in an online domain raises two fundamental privacy concerns (i) the extent of use of data and protection of data by the platform and (ii) the extent of use of data by the participants of the ride sharing business i.e. riders and consumers. As a matter of general principle, the company is believed to have established a fiduciary relationship with its users, requiring the company to act in good faith. However, as subjective and as broad as the ambit of this principle is, the Privacy Act provides some specific provisions mandating the collection, treatment, supervision, and storage of personal information. The Privacy Act mandates that personal information can only be collected on the consent of people. The information concerning someone’s name, address, phone number, etcetera which is of a personal nature can only be collected if the consent to collect such information is given. While using the app the users give consent for the collection believing that the information that has been collected will be used and stored properly. The Privacy Act also explicitly provides that any personal information concerning anyone should not be shared without the consent of the person providing the information. In the strictest application of this provision, ride sharing companies cannot share the personal information that has been collected from its users without the consent of the users. The Privacy Act also restricts the usage of data collected for any purpose other than its original purpose. For instance, the data collected by an online food delivery service should only be used for the purpose of delivering food, any other use of the data should first be approved by the data provider.

The Privacy Act also explicitly provides that any personal information concerning anyone should not be shared without the consent of the person providing the information. In the strictest application of this provision, ride sharing companies cannot share the personal information that has been collected from its users without the consent of the users.

On the second concern, the act does provide a right against violation of privacy. If such data is used to commit any crime, provisions of the Electronic Transactions Act,2063 (2008) would apply. However, a key concern here remains that the Electronic Transactions Act is outdated. Although there is a proposed Information Technology Bill, which encompasses the progress and modernisation in the sector, the Bill awaits ratification from the parliament for more than a year now. Furthermore, debates are also ensuing whether the right to erasure is a fundamental right or not. The General Data Protection Regulation, 2016, a European Union legislation, gives the data subjects the right to erasure of data where personal data are no longer necessary in relation to the purposes for which they were collected and when the data subject withdraws consent. However, Nepalese legislation lacks any provision relating to the right of data subjects to erasure. It instead only covers the requirement of consent for storing data. Thus, a time bound limitation and elaborate definition of the consent provided to store data by these applications is essential. As catering services through online mediums is evolving each day, breaches have also increased at the same rate. In this muddled scenario, all companies collecting personal information from its users should pay extra attention to protecting and safeguarding the information of their users. The Privacy Regulation 2020 (2077) mandates that personal data that is collected should be stored properly in a way that it is not subject to access from any unauthorised person, manipulation, storage or publication. The mechanisms for protection of data are sure to raise costs of the business given the scale of data it collects and stores, however protection of data also remains crucial because of the privacy concerns it raises Further, concern of privacy also arises when notification of breach is not given to the customers. Despite the privacy legislation of Nepal mandating that the personal data collected be stored properly with utmost care, the specifics regarding actions to be taken by the company in case of breach is absent. In most jurisdictions for instance in EU, GDPR mandates that when there is a breach of data, notification about the same should be provided to the supervisory authority. Nepalese legislation on the other hand has failed to provide such protection under the privacy legislation of Nepal. The issue becomes important given the many instances of data breaches that have occurred not just in Nepal but in other jurisdictions as well. Uber’s data breach in 2018 serves a relevant example for Nepal on the importance of privacy concerns in the ride-sharing business. While the rider-sharing giant following its breach and failure to notify customers of data theft was able to minimise the damage by paying $100,000 to the attackers through its bug bounty program, it subsequently led to many of its consumers questioning the particular practice. This particular instance shows how privacy concerns are no longer a matter of how data is collected and used but also a matter of the duty it imposes on the data collector i.e. complete accountability and transparency. As a business model that requires collection, storage and use of data in order to earn revenue, privacy concerns must be addressed properly. The responsibility for ensuring these concerns does not just lie with the company but also with the legislature. In fact, the legislature will have a crucial role to play in the days to come as we move towards digitisation. Ridesharing businesses like most other businesses in the sharing economy’s peculiar form of operation is the mechanism of trust which requires collection of data from both parties and disclosure of data from both parties. A balanced approach would thus be required which facilitates the collection and storing of data for the sharing economy to function properly while also ensuring that data collected is stored properly, fairly used and removed when required.