The EU Data Protection Regulation may not be the most eye-catching title for a summer read, but a once-in-a-generation change to legislating the use of data is currently underway.
The EU Data Protection Regulation entered its final leg in June, with negotiations (known as trilogues) between the European Commission, the European Parliament and the Council of Ministers to reconcile their different versions of the text. Although this is the final stage of the process, the legislation is still some months away from being finalised. However, now is the right time to take stock of the last three and a half years, assess where we’ve got to, and plan for the last sprint (or, more accurately, for the (half) marathon) ahead.
Political process so far
The 1995 Directive was drafted before the web took off and before social media was invented, so the European Commission published its proposals for modernisation in January 2012. The aim was to have a more comprehensive, technologically neutral regulation, consistent across all industry sectors and all Member States, which is future-proof.
The level of this ambition was mirrored by the political scrutiny it faced. Five European Parliament Committees were involved and a record 5,000+ amendments and compromise amendments were discussed before the European Parliament finally voted its position in March 2014. After hundreds of versions of the text were discussed across all levels of the Council of Ministers, the Council was also able to adopt its position in June 2015.
It’s not surprising that lobbying activity surrounding the Regulation has been dubbed the most intense Brussels has ever seen. A large number of Brussels’ 30,000 lobbyists were quick to engage, with a thousand meeting requests or more reportedly sent to the main MEP in charge, Jan Philip Albrecht, in his first month after appointment.
The ABI’s engagement began with the 2010 consultation stage and we have been involved throughout the process. Insurers recognise the importance of data privacy and take their responsibility for data protection seriously. Data is at the heart of insurance and it’s important to ensure that insurers can continue to responsibly use data to provide customers with the insurance products they need. Therefore, there was a need to highlight possible unintended consequences which might affect customers, especially since much of the Regulation was designed with social media in mind.
Key potential problem areas for insurance and its customers:
- Using individual data
The Regulation must allow insurers to access, process, store and share data to continue to offer products. Data enables insurers to price products accurately and provide cover that best meets their customers’ needs, which has been the basis of insurance for hundreds of years. The use of data also enables insurers to prevent and detect fraud, minimising costs for honest customers. In 2014, the ABI estimates insurers detected over 130,000 fraudulent claims, worth £1.3bn, and the Data Protection Regulation should strengthen, not hinder, insurers’ ability to do this.
It’s important the Data Protection Regulation does not impede insurers’ ability to underwrite risk. Written with the online context in mind, the provisions on ‘profiling’ could impact the provision of goods and services. Therefore, these need to be proportionate to ensure insurers can still use customers’ data (i.e. with their consent, or for the purposes of entering into or the performance of the contract) to provide customers with the products they need.
- Data portability
The Regulation should not force insurers to disclose commercially sensitive information to competitors. The draft legislation seeks to introduce a right to data portability, which arguably is not a privacy issue. If the provisions remain in the final text, the wording must ensure insurers are not required to divulge competitive or intellectual property aspects of underwriting.
- Right to be forgotten
A flagship proposal of the Regulation, the right to be forgotten was written with social media in mind, but it needs to be fit for purpose in an offline context. It’s important that the text ensures individuals understand and can meaningfully exercise this right. For example, an insurer may not be able to delete all data it holds on an individual because it has to comply with other regulations (for instance, for anti-money laundering purposes) or in order to pay out a claim at a later stage.
All of these topics will continue to be discussed by EU policymakers, in line with the agreed roadmap, which sees agreement reached by the end of this year. This could mean the earliest date for implementation of the Regulation would be December 2017.
This timeframe for trilogues is extremely ambitious and some key differences between the negotiating parties remain. However, the political momentum cannot be overstated and there’s a desire to get the text agreed as soon as possible. We’re working towards final agreement in December, but are prepared for the long-haul.
We will be discussing this issue and many more at the ABI Data Conference, ‘The bigger the better? Insurance, ‘Big Data’, and the digital world’, on 9th September.
Raluca Boroianu-Omura is ABI Manager for Conduct Regulation at the Association of British Insurers.