In his speech on March 6, 2017, Singapore’s then Minister for Manpower commented that:
“[F]acilitated by technology, we can expect the gig economy to keep growing.”
The gig economy encapsulates an online labour- or capital-sharing platform economy where individuals work under flexible arrangements unlike those in a conventional employment setting.
In 2017, there were approximately 224,000 gig freelancers in Singapore, 191,000 of which freelance as their main job (Ministry of Manpower Research and Statistics Department, Own Account Workers).
Globally, the proliferation of digital platforms has been a key driver of the gig economy, and Singapore is no exception. As online marketplaces find innovative ways to tap into large pools of workers and customers through the harnessing of real-time information and personal data, they are able to generate increasingly efficient matches.
From a data privacy perspective, who is responsible for protecting personal data in the gig economy? For starters, where the platform collects and uses personal data of account holders to make and process bookings, or to facilitate the provision of goods or services, it would likely be required to comply with relevant obligations as a data controller.
Is the gig worker similarly liable? Under Singapore’s Personal Data Protection Act, compliance with its relevant obligations lies with an “organization.” This is defined to include any individual, unless he is acting in a personal or domestic capacity.
A similar exclusion appears in the EU General Data Protection Regulation for processing of personal data “by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity”. “Personal or household activity” includes “correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities”.
The question arises as to whether gig workers are acting in a personal or domestic capacity. In Lindqvist, interpreting a parallel provision in the Data Protection Directive 95/46/EC which precedes the GDPR, the Court of Justice of the European Union held that the exemption for data processed “by a natural person in the course of a purely personal or household activity” must be confined "only to activities which are carried out in the course of private or family life of individuals." Reluctance to expand the personal, family or household affairs exception has also been expressed in Hong Kong (30 Hong Kong L. J. 361), where the Law Reform Commission’s subcommittee argued that personal data held by individuals in respect of personal or family matters ought rightfully to be excluded on the basis that purely domestic purposes would carry little or no risk of harm to the persons to whom such data related. The instances of domestic data to which the subcommittee referred were personal communications and address lists for the purposes of sending greeting cards, which is contrasted with data used for various forms of economic activity that carry consequent risks of pecuniary harm.
It remains to be seen whether gig workers in Singapore who undertake work for some form of economic gain would be considered as falling within the exclusion of acting in a personal or domestic capacity. If not, then they would be organizations bound to comply with the obligations under the PDPA.
Another area which throws up ambiguity in the gig economy is that of employment. It would appear that the law is far from settled on whether, and in what circumstances, a gig worker is considered an employee. Whilst the California Labour Commission, New York State Department of Labour and a United Kingdom employment tribunal have found that Uber drivers, for instance, are employees of Uber and not independent contractors, a different decision has been reached at the 3rd District Court of Appeal in Miami and the Philadelphia 3rd U.S. Circuit Court of Appeals.
This issue of whether a gig worker is an employee is relevant in determining the applicability of the PDPA in a couple of ways. Firstly, there is a specified exemption in the PDPA for employees acting in the course of their employment. Similar exceptions for employees appear in Malaysia’s Personal Data Protection Act 2010 and Hong Kong’s Personal Data (Privacy) Ordinance. The PDPA definition of “employees” includes volunteers, however, it is unclear whether gig workers are covered.
Should a gig worker — for instance, a ride-hailing driver — be exempted from having to comply with the PDPA insofar as they were driving passengers booked through a ride-hailing platform? Whilst such gig worker would typically be bound by a set of terms and conditions prescribed by the platform, these would almost never constitute terms of employment so as to enable the worker to rely on the above exemption for employees under the PDPA.
The concept of employment surfaces in another exception to the consent obligation. Specifically, an organisation does not need to obtain consent from an individual where its collection, use or disclosure of personal data is “reasonable for the purpose of managing or terminating an employment relationship.” Given that the law is not settled as to whether gig workers are to be considered employees or independent contractors, it is likely that any determination as to whether the above exception to consent would apply will be fact dependent, taking into account the nature of the business and the context in which the gig worker has been providing his services. For instance, a deliveryman with FoodPanda, a food delivery app, would likely be considered an employee, whereas a GrabHitch driver who occasionally carpools and only recovers costs from passengers, would not.
A final aspect of the PDPA, which at first may seem innocuous but could throw up interesting questions for the gig sector going forward, would be in relation to the “business contact information” exclusion. This is defined as an individual’s contact information that is “not provided by the individual solely for his personal purposes”. It may not always be clear whether the purpose for which a gig worker provides his contact information is purely personal or work-related; and further, how this correlates with whether a gig worker may be considered as acting in a personal or domestic capacity. To some degree, it is logical to assume that if an individual provided his personal data solely for personal purposes, then he would likely be acting in a personal or domestic capacity as opposed to for some business purpose. In fact, “business” is defined in the PDPA to include “the activity of any organisation, whether or not carried on for purposes of gain, or conducted on a regular, repetitive or continuous basis, but does not include an individual acting in his personal or domestic capacity.” In other words, “business” and “personal or domestic” in the PDPA appear to be incongruous.
It remains to be seen, however, whether there could be instances in which an individual would be exempted from having to comply with the PDPA on the basis of acting in a personal or domestic capacity, but yet have their contact details be provided for a work-related gig such that they constitute business contact information. Given the wide spectrum of services encompassed by the gig landscape today, from home rental experiences to clothing exchange services and freelancing gigs, it would be crucial for any data protection authority to consider all of the relevant circumstances and context before deciding whether to apply specific rules to the various stakeholders of the gig economy.
As an eco-system that thrives on constant creativity, one should expect novel ways of delivering work and services to continue to emerge in the gig economy, and for previously distinct concepts such as the work-domestic and social-economic divides to be called into question.
It would not be an underestimation to say that the gig economy has posed interesting and unique challenges to the application of data protection laws in Singapore and elsewhere in the world. In order for the PDPA to keep up with the times, enforcement of its provisions will need to take into account the ever-evolving landscape that is our digital world today.
If you want to comment on this post, you need to login.