Experts flag concerns over handling of oBike customers' personal data

SINGAPORE — As consumers mull over ways to get their deposits back from oBike, experts have flagged another "currency" that the bicycle sharing operator is holding on to: Large amounts of sensitive data including credit card information, contact numbers and details from social media accounts.

Data protection laws do not directly address scenarios where a company winds up, and the duties of a liquidator in handling personal data are also unclear, said the experts, who felt a need for rules to keep pace with the fast-changing landscape.

oBike, which had a fleet of about 14,000 bicycles and claimed it had more than one million users here, did not respond to TODAY's queries on how it would handle customers' personal data.

When approached, the Personal Data Protection Commission pointed TODAY to an advisory on key concepts spelled out in the law.

Under the Personal Data Protection Act (PDPA), organisations are not allowed to hold on to the personal data of their customers indefinitely where there are no legal or business reasons to do so.

However, there is no specific timeframe for them to delete the data.

oBike, which is in liquidation here, could argue that the data has to be kept for business purposes as users are still able to use the service outside of Singapore, experts noted.

The company, which announced unexpectedly on Monday (June 25) that it is stopping operations in Singapore, may also need to keep the data to sort out deposit refunds, said Ms Joanne Wong, senior regional director (Asia-Pacific and Japan) at security intelligence company LogRhythm.

"There are a number of concerns such as cyber attackers gaining access to the data. oBike stores sensitive information such as payment details so one can question what measures are in place to protect the data if the company is liquidated here," said Ms Wong.

"Such data can also be sold or transferred to third parties without the knowledge of the user, which can result in privacy intrusion," she added.

While existing laws are adequate to protect consumers' data, more can be done, especially in oBike's case where insolvency laws are also involved, said lawyers.

In Grab's recent acquisition of Uber's South-east Asia operations, the Competition and Consumer Commission of Singapore's interim orders issued in April barred Grab from taking over operational data from Uber, but allowed it to receive the personal data of drivers, riders and merchants who had expressly opted in.

"An area which could be clarified is the obligation on organisations which cease to operate or are wound up. As it stands, it can be argued that the right to retain personal data is too broad, as retention is permitted so long as there is some legal purpose for it," said Mr Samuel Yuen of Yuen Law.

Mr Daniel Song, a senior associate in the technology and communications practice at Bird & Bird law firm, said: "Insolvency laws generally seek to offer a liquidator the maximum flexibility to realise value from an insolvent company; no jurisdiction's data protection laws currently directly address insolvency scenarios. Accordingly, in such circumstances, personal data will be treated like any other asset of the insolvent company."

There is room for laws to be refined in areas such as the disclosure of a breach or, for oBike, its plans and timeline for the handling of customers' personal data, said Ms Wong.

"There is currently no requirement for companies to inform users what happens to their data once a service ceases to exist or when a company goes into liquidation. That has to change as we strive for better transparency in the handling of personal and sensitive data," she said.

"A company should also provide individuals with the required information to understand how their data will be disposed (of)."

Once oBike's liquidator is known, consumers can write in with the request to stop collecting, using or disclosing their personal data. But it is "unclear what duties the liquidator has in respect of personal data", and there could be more guidance in this area, suggested Mr Koh Chia Ling, director of law practice Osborne Clarke.

"Organisations are to provide rights of access – consumers can ask the organisation what personal data is still in its possession. The tricky part here is that the organisation may no longer be fulfilling that right," said Mr Bryan Tan, a partner at Pinsent Masons MPillay.
