Please find our commentary on GDPR (2016) here.
The General Data Protection EU Regulation (the "GDPR") was adopted in April 2016. It applied in all EU Member States from 25 May 2018. The GDPR is binding in its entirety and directly applicable. The GDPR repealed the Data Protection Directive that provided the previous EU data protection rules.
The GDPR only covers the processing of personal data: this is information that relates to a living identified or identifiable person (a data subject). Special categories of data, such as health data, are subject to additional protection and such data will only be processed with express consent from the data subject. Derogations are possible.

Data processing covers most activities involving personal data: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure and destruction. Therefore, any private company coming into contact with personal data is likely to be considered as processing such data.
The GDPR is a cross-sectoral legislation. It applies to the insurance distribution sector but is not specific to it. Consequently, compliance with the Regulation has been challenging for intermediaries in some respects.

The GDPR takes the form of a Regulation, i.e. it is "binding in its entirety and directly applicable in all Member States." However, the GDPR makes provision for secondary legislation by way of Delegated and Implementing Acts to be adopted by the European Commission in various areas. The GDPR is also supplemented by guidelines issued by the European Data Protection Board (EDPB). Lastly, whilst the GDPR has the status of a Regulation, it includes some 50 provisions that permit EU Member States to retain national legislation.

For example, the GDPR provides for Member States to maintain or introduce further conditions, including limitations with regard to the processing of health data. This may offer a means of addressing some of the challenges specifically faced by insurance intermediaries (see below).
The GDPR and insurance intermediaries
Insurance intermediaries, whether large firms or small offices, are confronted daily with the processing of data and are, therefore, directly affected by the GDPR. The data that insurance intermediaries process is necessary to provide quotations, arrange insurance cover, manage claims and for client relationship management, etc.

In most cases, insurance intermediaries will process personal data on their own account and will act as data controllers. In some others, intermediaries will act under clear processing instructions from a data controller (example: an insurer) and will be a data processor. Intermediaries could also be joint controllers. The GDPR requires joint controllers to reach an arrangement to determine their respective responsibilities for compliance with the obligations under the GDPR.
In the context of the GDPR implementation, in some markets it has been observed that the role of "processor" was being imposed unilaterally on intermediaries, i.e. processing clients' personal data on behalf of a "controller". Over the last months this situation has changed. Intermediaries are in some cases considered as controllers, in some others as processors, in some others as joint controllers, and negotiations are taking place in most of the markets between intermediaries' associations/intermediaries and insurers' associations/insurers.
The EDPB as well as national authorities have also issued guidance on the issue (see below).
Another significant GDPR challenge for insurance intermediaries is the processing of sensitive and mainly health data. Under the GDPR, as a matter of principle, it is prohibited to process sensitive data. Exceptions are provided to this general prohibition in the circumstances exhaustively described in Article 9(2). However, the processing of health data by insurance intermediaries does not readily fall within one of the exceptions to the general prohibition of the processing of personal data. It should consequently be verified whether the processing of health data by insurance intermediaries can be covered under one of the derogations. The stakes are high: if the processing of sensitive data in the course of the intermediaries' operations does not fall within the provisions of Article 9(2), then the general principle applies and such processing is prohibited. Moreover, the data subject could require the intermediary to erase the sensitive data on the grounds that they are unlawfully processed. There are today divergences of approach between Member States on the legal basis for processing health data in an insurance context: in some countries, using the legal basis of Article 9(2)(g), legislation has been introduced allowing the processing of sensitive data without explicit permission to underwrite insurance contracts and to manage claims. In some others the legal basis used is Article 9(2)(h) of the GDPR. In some other countries there are currently no special exceptions for the processing of sensitive data by the insurance sector.
The GDPR is supplemented by guidance issued by the European Data Protection Board (EDPB). The EDPB contributes to the consistent application of data protection rules throughout the European Union and promotes cooperation between the EU’s data protection authorities. The EDPB is composed of representatives of the national data protection authorities, and the European Data Protection Supervisor (EDPS). The EDPB has different main tasks, such as issuing opinions, guidelines, recommendations and best practices to promote a common understanding of the GDPR.
Over the last year, the EDPB published different Guidelines such as the ones on the territorial scope of the GDPR and on codes of conduct under the GDPR. The aim of the EDPB Guidelines on codes of conduct is to provide practical guidance and interpretative assistance in relation to the application of Articles 40 on codes of conduct and 41 on the monitoring of approved codes. The guidelines intend to help clarify the procedures and the rules involved in the submission, approval and publication of codes of conduct at both the national and the European level. These Guidelines should act as a clear framework for all competent supervisory authorities, the Board and the Commission to evaluate codes of conduct in a consistent manner and to streamline the procedures involved in the assessment process.
In its various meetings with the EU institutions and the EDPB, BIPAR has always voiced the potential interest of our industry in a code of conduct focusing on the practical implementation of the GDPR at national or European level. The Commission is very supportive of sector specific codes. Codes of conduct can bypass the potential difficulties generated by the cross-sector nature of the GDPR by specifying rules for a given sector processing data in the EU, such as the insurance distribution sector. They can be prepared by associations and other bodies representing categories of controllers or processors and may specify rules regarding, among other aspects, the legitimate interests pursued by controllers, the exercise of the rights of data subjects, the transfer of personal data to third countries or the notification of personal data breaches to supervisory authorities. Codes of conduct are also mechanisms to demonstrate compliance with the GDPR.
In February 2019 the EDPB adopted its two-year work programme for 2019-2020 and announced the future adoption of additional Guidelines, such as the Guidelines on the notion of legitimate interest of the data controller (update of the Article 29 Working Party ("WP29") Opinion) and the Guidelines on the concepts of controller and processor (update of the WP29 Opinion). These are key issues for BIPAR and its members.
In March 2019, in preparation of its review of the existing opinion of the Article 29 Working Party from 2010 on the concepts of controller and processor in the light of the GDPR, the EDPB arranged a meeting with different European stakeholders including BIPAR, in order to get their view on which issues need to be covered and which aspects are problematic. The application of these two concepts to insurance intermediaries has caused and is still causing many serious issues. In some markets it has been observed that the role of "processor" has been or is being unilaterally imposed on intermediaries.
BIPAR explained that examples of the determination of controller/processor would be helpful, particularly in relation to specialist service providers where they process data in accordance with their regulatory and/or professional obligations. BIPAR added that too often there is an incorrect assumption that any service provider is a processor, which leads to inappropriate terms being issued and time-consuming negotiations to put in place more appropriate wording that reflects the actual position.
The EDPB is expected to publish its Guidelines on controllers and processors by the end of 2019.
EDPB and Brexit
Insurance and financial services providers and distributors transfer personal data from the UK to the EU/EEA and vice versa in order to conduct their business. Post-Brexit, the UK will become a third country in relation to the EU, and the transfer of personal data from the EU/EEA to the UK will be subject to the conditions governing third country data flows, outlined in Chapter V of the GDPR. The GDPR, which fully applied as of 25 May 2018 in all EU Member States, including the UK, provides several solutions which allow the transfer of personal data from the EU/EEA to a third country. The adoption of an adequacy decision under Article 45 of the GDPR appears to be the most appropriate solution, as adequacy decisions are comprehensive, ensure a high level of protection for individuals, and offer clear legal certainty.
In this context, in July 2018, the Small and Medium-sized Enterprises association, of which BIPAR is a member, sent a letter to the European Commission calling on them to launch the adequacy assessment process as soon as possible, and to adopt an adequacy decision maintaining the free flow of personal data from the EU/EEA to the UK post-Brexit. The letter was also signed by DigitalEurope, the Trans-Atlantic Business Council and Insurance Europe. A joint letter was also sent to the British authorities calling on them to implement a suitable legal solution that will allow continuity of personal data transfer from the UK to the EU/EEA post-Brexit.
In February 2019 the EDPB adopted an information note addressed to commercial entities and public authorities on data transfers under the GDPR in the event of a no-deal Brexit. This note is not specific for the insurance sector but is of interest to it:
EDPB survey on the practical application of its GDPR guidelines, recommendations and best practices
In April 2019 the EDPB conducted a short survey to gather the views of individual entities (companies and non-profit organisations) and sectoral organisations (national/European associations) with regard to the practical application of its GDPR guidelines, recommendations and best practices adopted. BIPAR and some of its members participated in the survey. BIPAR requested in particular that the insurance distribution sector and its specificities be taken more into account in EDPB work.
A summary of the key findings of the survey will be included in the EDPB annual report.
Commission’s Expert Group on the GDPR
This Group advises the European Commission on all issues related to GDPR implementation. A representative of the European Federation of SMEs - of which BIPAR is a member - is a member of this Expert Group.
In March 2019, the Commission informed the Expert Group that in June 2019 a European Stakeholder stocktaking conference on the GDPR will be organised. In preparation of the Conference, the Commission consulted the stakeholders on the implementation of the GDPR and possible difficulties. BIPAR informed the Commission that the processing of health data by intermediaries, the processing of personal data where there is no direct relationship with the data subject prior to processing and the classification of intermediaries as data processors or controllers were some of the key issues faced today by the industry.
Free Flow of Non-Personal Data
On 13 September 2017 the Commission published a legislative proposal on the free flow of non-personal data in the European Union. This proposal complements the GDPR, which provides for the free movement of personal data (i.e. any information relating to an identified or identifiable natural person). In particular, the proposal develops tools regarding:
In December 2018, the Regulation on the free flow of non-personal data entered into force. It was adopted by the European Parliament in October 2018 and by the Council of the European Union in November 2018.
The Regulation allows public and private sector bodies to store and process non-personal data anywhere in the EU; it also aims to raise trust in cloud computing and to make it easier for customers to switch or end their cloud contracts. Furthermore, it will no longer be possible for Member States to compel businesses to store data in a particular location. Wherever data is stored in the EU (whether in a cloud or locally), competent authorities in all Member States will retain any right they currently have to request access for regulatory and supervisory control.

The new Regulation also creates a self-regulatory process by which cloud service providers and users develop codes of conduct that will enable users to switch between providers more easily.
This new Regulation does not in any way affect the application of the GDPR, as it does not cover personal data. The application of these two Regulations in parallel aims to enable the free flow of all data in the EU, creating a single European space for data.
BIPAR will study the impact of this text on the insurance distribution sector.