The conflict between data protection and a direct client connection

No sooner have Europe’s insurers adapted to the General Data Protection Regulation (GDPR) than the EU starts adding more data protection rules: the ePrivacy Regulation wants to add to personal data security in electronic communication. The repercussions, however, extend well beyond mere data confidentiality and may even affect insurers’ digital business models.

The ePrivacy Regulation covers both the content of communication, for example what is said in conversations and notifications, and the associated metadata, including the time or duration of a contact. The purpose of the new regulation is to give individuals full control over their data. No data from user devices is to be collected when surfing the internet, not even through cookies.

The EU Parliament and Commission have already presented their positions on the regulation. “Our proposal offers a middle path between a high level of consumer protection and innovation opportunities for the corporate world,” explained Andrus Ansip, Commissioner for the Digital Single Market. While the EU Parliament has already presented its position on the proposal work in the Council of the European Union, the institution of national governments currently presided over by Finland, is still ongoing.

Data exchange with customers as we know it may soon be forbidden

It is not yet known when the ePrivacy Regulation will come into effect. Nevertheless, its impact is already highly relevant. Once approved, the new rules will immediately become directly enforceable in all the EU member states and that could have serious consequences for the relationship between insurers and the insured community.

“The planned ePrivacy Regulation could affect key areas of insurance companies’ operations that are gaining in importance through digitalisation,” says Martina Vomhof, Head of Data Protection and Fundamental Issues at the GDV. One particularly sensitive area is electronic communication with customers when they, for example, inform their insurer of a loss event via an app. Data exchange with devices, such as the ones used in connected cars within the context of telematics contracts, would be affected. Such digital insurance aids, at least in their current form, could suddenly be banned depending on the final content of the regulation; Vomhof has no doubt about that. From an insurance perspective, this would be counterproductive, particularly given the growing popularity of networked devices and customer's attendant demand for practical, digital solutions.

Background information: the GDPR protects consumers’ right to informational self-determination. The ePrivacy Regulation goes considerably further: it is meant to complement the GDPR and protect the confidentiality of electronic communication. That could make it considerably harder for companies to gather and evaluate electronic communication-based user data.

Conceived for communication providers, applicable to all companies

The ePrivacy Regulation primarily targets telecommunications providers and over-the-top (OTT) service companies, such as Skype (videotelephony) or the WhatsApp messaging service. It is designed to prevent tech corporations evaluating users’ communication data and selling the information. It also contains obligations for website operators and other companies that generate information from digital devices. This could extend to insurers that want to offer messaging services for their customers or services relating to the smart home.

“It comes down above all to the nature of the electronic communication data that telecommunication and OTT companies are allowed to gather, evaluate and sell for advertising purposes for example,” says Vomhof. “That’s why we consider it desirable to restrict the area of application as much as possible to telecommunications providers and OTT companies.” After all, it’s up to the providers of electronic communication services to ensure the confidentiality of information about their users and the contents of their communications.

Moreover, insurers are insisting on a clear demarcation of the ePrivacy Regulation from the scope of application of the General Data Protection Regulation. For example, both the GDPR and ePrivacy drafts contain rules pertaining to direct advertising via electronic communication services. “In those cases the ePrivacy Regulation shouldn’t add more rules to something that has already been regulated,” asserts Vomhof. “We hope the final regulatory framework will be free of redundancies.” Otherwise it will lead to confusion.

The Commission, Council and Parliament still can't agree

Some of the concepts envisaged by the Council still contrast strongly with those of the Parliament and Commission: the Members of Parliament and the Commissioners want to ban providers of electronic communication services from processing their customers’ communication data as a matter of general principle. Any exceptions are subject to extensive conditions and obligations.

The Council’s draft position treats companies that interact with their customers through their own communication channels as end users who wouldn’t be subject to these obligations. This would be extremely important for insurers that might communicate with their customers through a proprietary app, for example.

The Council of the European Union also differs from the Parliament and Commission in another notable aspect. Should the Commission and Parliament prevail, companies will find it a lot harder to use cookies and social media plug-ins. Machine-to-machine communication (M2M) could be hampered considerably. And insurers with electronic access to data from home devices or cars would also be affected.

The content of the different draft regulations varies widely

The GDPR allows insurers to collect and process data from devices, a connected vehicle for example, without having to obtain special permission if they need the data to implement a telematics motor insurance policy. Under the Council’s draft position they will retain that right.

The Commissions proposal and the EPs position, on the other hand, are much more restrictive. Should their proposals be included in the new regulation, customers will have to expressly agree to the collection of their vehicle data which the insurance company needs to fulfil its contractual obligations. “It contradicts basic legal principles for parties to come to a contractual agreement and then requiring additional permissions on top of that,” says GDV expert Vomhof. Not only is it an awkward legal situation, it’s also almost impossible to implement in practice. The future of digitally based insurance offers would be highly uncertain in this case.