Data Protection: Regulation frustration
A pan-European data protection regulation may enhance transparency and accountability, but could inadvertently hamper insurance activities, harming companies and policyholders.
The latest draft proposals for the European Union data protection regulation, released in December 2012, aim to modernise the EU Data Protection Directive (1995), extending its scope to meet the challenge of data processing in the internet age.
As a regulation rather than a directive, the legislation applies directly and uniformly across the EU, meaning member states have little flexibility over how the rules are implemented.
Heavy fines
Subject to discussions by EU bodies, the rules are expected to be implemented in 2016. However, the wording of the regulation has caused concern, with trade body Insurance Europe last month claiming the rules could outlaw many of insurers' core activities.
When the first details of the new measures emerged, dramatic data breach sanctions, which included fines of up to 2% of global turnover for non-compliant firms, were the main focus. Though this has been reduced to 0.5% during the consultation process, it could still be an issue for insurers. The list of carriers who have been punished for data breach, loss or improper handling in the past features industry stalwarts such as Zurich, Prudential and Travelers among their ranks.
"It is a real risk and I'm sure insurers will make mistakes, just as health organisations or banks or any other organisation that has sensitive information on individuals will make mistakes," says Charles Juniper from analyst Ovum. "They are talking about 0.5% of global revenues so if you're talking about someone the size of Axa you are talking about tens of millions of euros."
Breach reporting
There are also concerns that in the rush to meet the 72-hour reporting deadline - the period in which affected firms have to notify the regulators of a data breach - incorrect information about the nature of the compromised data could enter the public domain.
Kirsten Mycroft, senior manager, information protection and business resilience team, at KPMG says: "If you have a supervisory body that is big on naming and shaming organisations then there's a real danger that things could be misreported."
But while companies may quibble over the appropriate punishment, most accept that insurers who fail to adequately protect a policyholder's personal information, whether through lack of encryption or through careless handling, are guilty of wrongdoing.
Insurance Europe's major concern stems from the section of the rules colloquially known as "the right to be forgotten", which enshrines a data subject's right to withdraw their consent and ask that all the information a data controller holds on them be deleted.
Deleting data
The real target of these rules is thought to be social media sites such as Facebook and Twitter and telecommunications providers, but in theory a policyholder could invoke this right with their insurer.
Juergen Weiss, research president at analyst Gartner, comments: "The right to be forgotten makes a lot of sense when you have published a picture on Facebook and you want that to be deleted, but it's going to be much more challenging if you're asking an insurance provider for that because it would have a significant impact on contractual relationships."
Some might question why an insurer could not agree to delete data on the understanding that this terminates the insurance contract, but in many cases insurers are simply not allowed to erase data.
Compliance with a raft of regulations, including the anti-money laundering directive and a host of national insurance laws, means that in some cases data must be retained for over a decade.
Regulation incompatibility
According to Mycroft, the key feature of the right to be forgotten is that the onus shifts on to the data controller, meaning they must justify why they cannot forget a data subject.
"Polish insurance legislation requires that insurers keep data for 26 years, so for somebody to argue that they can't hold that information anymore is going to be difficult."
Her advice to insurers is to be clear on what other regulations might conflict with the right to be forgotten. "They need to minimise the data they hold so they are compliant but not holding anything excessive," she adds.
Data collection
Weiss believes the contractual issues raised by Insurance Europe are likely to be addressed in further revisions, but there is a more serious issue at stake over the extent to which insurers can collect and use publicly accessible data.
He says: "If I post something on Facebook, am I articulating consent that this information can be used by everybody that has access to my profile, or can I assume that this information is limited to the people I want to share it with?
"At the moment your Facebook profile and other publicly available information is being used by insurance companies to profile, cluster and segment you for marketing campaigns. For instance, if you say that you are going on vacation, insurers try to sell you travel insurance.
"The European Parliament wants to stop these kinds of cases happening, so these kinds of undesired cross-selling and upselling initiatives will become harder, or impossible."
Policyholder benefit
Though the EU seems to be trying to prevent customers' data being exploited for others' financial gain, Insurance Europe's William Vidonja is not convinced the regulation will benefit policyholders.
He believes the wording needs to be improved to allow insurers to conduct activities such as automatic risk assessment and premium calculation, which would otherwise be caught under the provision on profiling.
Vidonja is also very concerned that the proposed regulation could inhibit insurance companies' ability to detect or prevent fraud. He says: "The proposed regulation might have an effect on the ability of insurance companies to detect or prevent fraud. There is no clear legal basis for fraud detection and prevention."
"The problem we have with the European Commission's proposed regulation is that it does not provide us with sufficient legal certainty that we can continue doing these collection and processing activities in the future."
Insurers' fraud detection activities now run the gamut from criminal record checks to scanning social media profiles.
Fraud risks
Insurance Europe's recent fraud report includes the case of a UK policyholder whose claim for alleged back injuries was rejected after a perusal of his Facebook profile showed pictures of him engaged in gymnastics and training for a charity run.
The idea that like-minded conmen could get away scot-free in future is likely to rankle with insurers, and with policyholders, whose own premiums rise year on year to compensate for fraudulent activity.
Insurance Europe is lobbying industry stakeholders, including the European Parliament, the European Commission and all EU member states. While it is not looking for a carve-out for insurers, it is adamant that the wording needs to be amended to allow for these activities.
Vidonja concludes: "At the end of the day the honest consumers are paying for these frauds, and we're talking enormous amounts of money. It is in consumers' interest that insurers can continue carrying out their activities and offer the services and products consumers expect from them."