Abstract
‘Telematics’ insurance is an example of data driven innovation in the insurance industry where data obtained from the vehicle (such as speed, time and location) is used to provide consumers with premiums based on their actual driving behavior. Despite the many benefits including more accurate risk assessments and premium setting, there are serious privacy concerns about the increased use of vehicle data for insurance purposes. The information requirements of the GDPR and the IDD could address some of these concerns in the context of telematics insurance. This research chapter concludes the analysis of the scope of these requirements by proposing the need for a broad interpretation for information to be made available in order to effectively help consumers make better, well informed decisions about insurance products and use of their personal data for insurance purposes.
Keywords
- Personal data processing
- Telematics and Use Based Insurance
- General Data Protection Regulation
- Insurance Distribution Directive
- Automotive industry
1 Introduction
As insurance providers are increasingly developing and adopting data-driven innovations, there is a need for a better understanding of how to regulate against the potential harm caused.Footnote 1 A good example is the development of usage-based insurance products or ‘Telematics’, where data obtained from the vehicle through a device (such as speed, time and location) is used by insurers for various purposes, including more adequate risk assessments and personalized pricing.Footnote 2 Despite the benefits for consumers, who can potentially obtain lower premiums and improve their driving, there are serious privacy concerns about the increased use of vehicle data by insurers.Footnote 3
Vehicle data will generally constitute personal data, and especially in combination with advanced data analytics, processing thereof by insurers may have serious consequences for (potential) consumers.Footnote 4 Without adequate regulation in place, the uptake and benefits for consumers regarding telematics insurance may be limited. Based on the assumption that well-informed consumers make better decisions about insurance products and services, this raises questions about what information should be provided and specifically whether current regulations enable the sharing of relevant information by insurers to consumers.Footnote 5
To inform the current debate on telematics regulation with insight on the scope of relevant requirements for information disclosure, this contribution analyses two recent regulatory developments at EU level:
- The EU General Data Protection Regulation (GDPR), which applies to the processing of personal data in general;Footnote 6
- The EU Insurance Distribution Directive (IDD), which specifically regulates consumer insurance distribution.Footnote 7
Following a brief introduction to telematics insurance, the key requirements of the GDPR and IDD and the scope of information disclosure are discussed, concluding with the proposed role for the IDD to complement the GDPR in the context of telematics insurance.Footnote 8
What is argued for here is that both the GDPR and the IDD require a broad interpretation of the information necessary to improve consumer and personal data protection; and that insurers should consider taking an integrated approach towards the information requirements for effective and efficient compliance.Footnote 9
2 Telematics Insurance and the General Data Protection Regulation
2.1 Telematics Insurance
Modern vehicles are increasingly equipped with advanced sensor and communication technologies, generating vast amounts of data on the way they function as well as on the driving style and habits of their users.
Having access to this data in combination with increasingly advanced data analytics has made it possible for insurers to innovate and develop new products and services including insurance based on actual driving behavior of consumers or ‘telematics’ insurance.Footnote 10
The data vehicles generate can be obtained by insurers in several ways for example by installing a telematics device such as a dongle in the policyholder’s vehicle.Footnote 11 Relevant types of data insurers may collect include when, where, how and how long the car was used as research shows that for example late night and long-distance driving, speeding and heavy braking all correlate with an increase in accident risk.Footnote 12
Telematics enables insurers to improve their risk assessment and optimize their pricing accordingly.Footnote 13 As the assessment is based on actual driving data from the individual, this may lead to more precise risk pooling or even to fully personalized insurance pricing.Footnote 14 Another potential advantage is that insurers can monitor the data and provide drivers with feedback on their driving. This way insurers may be able to reduce the risk of moral hazard as well as improve road safety when drivers are sufficiently incentivized, for example through a bonus or premium deduction, to improve their driving.Footnote 15
Despite the benefits of telematics for both insurers and consumers the uptake has been slow which in part can be explained by the concerns people have raised about privacy and security.Footnote 16
As insurers differ in what data they consider relevant for their risk and policy assessment, there is discussion over what data they should be allowed to have access to. The collection of GPS location data, for example, is controversial in telematics,Footnote 17 especially given that such data, when monitored over longer periods, may reveal sensitive information and possibly protected characteristics, and increases the risk of such data being used for non-risk-related analysis and premium setting.Footnote 18
In response to these concerns, the remainder of this section analyses to what extent privacy and data protection regulation helps consumers to become better informed and addresses some of their concerns about the way insurers obtain and process data in the context of providing telematics insurance.
2.2 The General Data Protection Regulation (GDPR)
When an insurer wants to use vehicle data, which is generally considered personal data in the context of insurance, they will likely fall under the scope of the General Data Protection Regulation (GDPR).Footnote 19 The GDPR lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.Footnote 20 In particular, the first principle of the GDPR, that data processing must be lawful, fair and transparent, is relevant to understanding the scope of the information requirements for insurers.Footnote 21 The principle of transparency is considered relevant to understanding what information must be made available to enable consumers to become aware of, verify and challenge the lawfulness of the processing of personal data and automated decision-making processes.Footnote 22
Under the GDPR insurers as data controllers are required to make certain information available either directly or upon a specific request for access to data from consumers.Footnote 23 The GDPR states that information must be given [..] in a concise, transparent, intelligible and easily accessible form, using clear and plain language, avoiding for example legalese or vague terms.Footnote 24
The principle of transparency further requires that insurers provide enough information to enable consumers to make use of their rights under the GDPR, which include the right to access. Because the GDPR does not provide much further guidance on what constitutes sufficient information, there are different interpretations of the level of detail and access to be provided, which will be discussed further below.
In light of its aims, including for consumers to make better informed decisions about personal data processing, the GDPR requires that information must be made available to consumers about the collection, use and consequences of processing personal data by insurers.Footnote 25 The GDPR requires insurers to provide the following information:Footnote 26
- the identity and the contact details of the controller and, where applicable,
  - of the controller’s representative;
  - of the data protection officer;
- the purposes and the legal basis for the processing;Footnote 27
- the recipients or categories of recipients of the personal data;
- the storage period, or if that is not possible, the criteria used to determine that period;
- the existence of applicable rights including the following:
  - to request from the controller access to; rectification; erasure of personal data and/or data portability
  - to request from the controller restriction of processing and/or to object to processing
  - to withdraw consent at any time
  - to lodge a complaint with a supervisory authority;
- If there is an obligation to provide personal data to the insurer because of statutory or contractual requirement and what the possible consequences are when they fail to do so.
- When insurers make use of automated decision-making, including profiling, referred to in Article 22(1) and (4) they must inform consumers thereof and give meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing.
Also, when personal data is not obtained directly from the consumer but indirectly, for example using data brokers, insurers must also inform consumers about:Footnote 28
- The categories of personal data [obtained];
- The source of the personal data and if applicable, whether it came from publicly accessible sources.
It remains difficult for insurers, without clear practical guidance from the GDPR or case law, to know what level of data granularity and information detail is required to be compliant. This is problematic given that insurers face fines for non-compliance and consumers may not receive sufficient information to take well-informed decisions.Footnote 29 This contribution focusses on the latter, proposing to interpret the scope of information necessary as broadly as possible to effectively empower consumers with control over the processing of personal data concerning them.Footnote 30
To comply with the GDPR, insurers must enable consumers to better understand the product on offer and, depending on the legitimate ground for processing, to give informed consent for the processing of their personal data and/or to challenge the collection and processing, effectively making use of their rights when personal data is processed for insurance processes.Footnote 31 Therefore, when considering what information to provide, the level of detail must be sufficient for consumers to know what personal data is collected and how their personal circumstances, behaviour and characteristics have influenced decision making for them. To enable consumers to validate and agree to the use of their personal data for processing, they must be able to check whether the (proposed) processing is lawful and fair, which means that they need to be able to challenge whether the information used is correct and whether the decision-making process is accurate. Furthermore, they should be made aware of and better informed about the risks and potentially negative consequences for them personally, which include, for example, the risks of bias, discrimination and system failure.Footnote 32
When it comes to personal data, the information provided about that data should be at the level of the individual, so that they can become aware of what data about them is used and whether this data is correct and relevant for the purpose. Providing consumers with only categories does not allow them to do so.Footnote 33
When data is obtained from other sources consumers should be made aware that this is the case and provided with what personal data is received, how it is being processed by the insurer and what the risks and consequences are for them of the insurer processing this data. Furthermore, they must be informed who the source is and how to contact them to challenge the data accuracy and the lawfulness and fairness of its processing by this specific source.
Insurers themselves may not have (access to) information from third parties. For example, in the case of the use of credit or fraud scores obtained from third parties, insurers are unlikely to have access to the personal data and processes used to derive these scores, although one could argue that insurers must have access to or have obtained this information themselves, given their responsibility to understand and ensure that their decision-making processes are compliant and, for example, not based on biased data. Consumers should be able to verify the validity of the personal data processing, including when a decision is based on data from third parties such as credit or fraud scores. This is why they need to be able to obtain relevant information, including the personal data and processing used to establish such a score, either directly from the insurer or, when the insurer cannot provide this, through the contact details of the source and/or third party who can.Footnote 34
When it comes to information about the legal ground for processing, the level of detail should allow for a comprehensible explanation of why the chosen legal ground is the most appropriate for the proposed processing considering the purpose. Based on the information given, consumers must be able to understand which of the six legal grounds the insurer has chosen and why, so that they can challenge the lawfulness of the processing and of the personal data collected for the said purpose.Footnote 35
Information for consumers about the risks and consequences of processing must enable them to decide whether to buy the insurance and with what coverage. It should also include how certain personal data influences insurance decisions, including their risk assessment. Providing information about how data contributes to the outcomes of decision-making processes, and also how accurate these processes are, is heavily discussed in the context of the scope of the GDPR requirement on the right to meaningful information about the logic involved in automated decision-making.
A broad interpretation requires the following: if a potential consumer is refused insurance, for example because they have a negative fraud score, they should be able to obtain information on why this is, including how reliable the decision is. As insurers increasingly adopt more advanced automated processes for decision making, there is concern that these processes become too opaque and can no longer be explained in terms of how the data being put in correlates to the outcome. It should be possible to explain to the consumer how their insurance needs, which are based on their current situation and behavior, are met by the insurance product; this could become problematic when an explanation of the process used to offer the insurance product, and at what price, cannot be given. This would not only make it impossible for consumers to challenge whether personal data processing is fair and lawful but also reduce the opportunity for them to change their situation and reduce their risk exposure.Footnote 36
Providing consumers with meaningful information would not only help improve the overall risk in society but also give consumers the choice whether to buy certain insurance and from which insurer, stimulating competition based not only on price but also on coverage and possibly the level of privacy protection. It would also improve consumer trust in insurance more generally when consumers are no longer confronted with consequences they were not sufficiently aware of.
Concerning the product’s potential for negative personal consequences, as discussed in the previous section, Telematics may not be beneficial for higher-risk drivers, who instead of being rewarded could be faced with higher premiums compared to when they would purchase more traditional forms of car insurance. Improving their understanding of insurance products and of whether a product addresses their needs, taking into consideration these and other consequences, would in this case probably have led to the consumer not opting for Telematics. Proposed is to help consumers make better choices by making available:
- the risk assessment of their needs and demands and how the (proposed) insurance product meets their needs but also where it doesn’t; and
- what changes they could make to influence risk factors that are under their control.Footnote 37
Concerns about a broad scope of the information disclosure requirements are that it could not only harm consumers by causing information overload but also lead to an administrative burden for insurers, and that insurers need to keep certain information confidential.Footnote 38 Because the GDPR takes into consideration the different rights and freedoms involved, including the insurers’ freedom to conduct business, the scope of information requirements must remain balanced and proportionate.Footnote 39
2.3 GDPR Discussions on the Scope of Information Requirements
Ongoing discussions on the scope of the right for consumers to access personal data; on the scope of the data portability right and the limits of processing personal data for profiling are briefly presented here to illustrate the lack of consensus about the scope of the GDPR requirements.Footnote 40
Based on the right to data portability, a consumer may request their insurer to send a copy of (a subset of) the personal data provided by the consumer to another insurer.Footnote 41 According to the interpretation of the Article 29 Working Party, this would include the vehicle data, as this is data (in)directly provided to the insurer by the consumer, but not, for example, the insurer’s risk score based upon the analysis of the telematics data, as this is considered inferred data.Footnote 42 A sufficiently broad scope of what personal data falls under data portability would allow consumers to switch more easily and stimulate competition between insurers. However, it could also harm competition, as insurers have warned of the consequences of having to share too much information, considering the risk of disclosing valuable information. For example, with regard to factors used for target market selection and risk assessments, insurers are concerned about the potential risks of fraud and unfair competition. As a result, insurers may become reluctant to contribute to the development of data standards and interoperability required for further innovations or to continue to offer certain insurance products, which would be detrimental to consumers.Footnote 43
Considering consumers’ rights regarding automated decision-making, insurers are required to inform consumers whether they make use of profiling, for example, and give meaningful information about the logic involved, but no provision explains what this means or how this should be done in practice.Footnote 44 There is much debate over whether it is, and will continue to be, possible to explain processes which make use of advanced analytics, especially when data and computer science experts are no longer able to understand, let alone explain, how an algorithm reaches a certain outcome.Footnote 45 This has led some to propose that these systems should therefore not be used by insurers for critical decision-making when this would have significant effects on people’s lives. As insurance decisions about whether to accept or reject an application or insurance claim may have a significant effect, insurers must take caution when innovating their decision-making processes.Footnote 46 Although insurers may not yet have implemented automated decision-making, this is likely to change in the future, so there is an urgent need to understand the scope of the requirements and potential exceptions for insurers to be able to adopt and benefit from innovations without harming consumers’ rights to privacy and data protection.Footnote 47
Whether insurance innovations such as telematics using personal data and advanced processing are stifled or enabled and if these are going to be beneficial for consumers may further depend on the outcome of the discussions on the scope of GDPR requirements.Footnote 48
3 Telematics Insurance and the Insurance Distribution Directive
Instead of a one-size-fits-all-industries solution to the questions about the scope of the GDPR information requirements,Footnote 49 a sector-specific approach is called for that takes into consideration sector-specific demands and needs, which is more likely to improve industry-wide compliance and protection without stifling innovation.Footnote 50 What the previous section showed is that without consensus it will remain difficult for insurers to know what information they must give to (potential) consumers regarding their processing of personal data for insurance purposes. To help understand the insurance sector and find the adequate scope for information requirements that provides a balance between consumers’ need for information and insurers’ need to protect information, this section takes such an approach through an analysis of the EU Insurance Distribution Directive (IDD).Footnote 51
The focus is on key IDD information requirements specific to insurers and how these may complement the GDPR with a better understanding of the challenges within the insurance industry. To better understand these requirements for insurers to disclose information to consumers, we will first briefly discuss relevant product oversight and governance requirements, as these are necessary to understand what information has become available, after which we discuss the specific requirements of the IDD on what information must be made available to consumers in the context of telematics.
3.1 The Insurance Distribution Directive (IDD)
The EU Directive on Insurance Distribution (IDD) aims to improve the way insurance products are sold so that they will bring real benefits to consumers in the EU.Footnote 52 The IDD requires greater transparency on pricing and costs of insurance products; better and more comprehensive information to improve consumer decision making and transparency and business conduct rules to prevent the mis-selling of insurance products to consumers.Footnote 53
The IDD requires insurers to comply with the general principle to act:
- honestly, fairly and professionally;Footnote 54 and
- in accordance with the best interests of their customers.Footnote 55
This applies not only to information disclosure but the entire process of developing, testing, and distributing insurance products in the EU.
Important to note here is that the IDD only provides minimum harmonization of national provisions allowing the EU Member States to provide for a higher level of consumer protection proportionate to additional administrative burdens.Footnote 56 Member States could for example require insurers to disclose specific information such as ratings and risk factors for consumers to become better informed about insurance products such as Telematics.
3.2 IDD: Product Oversight and Governance (POG) Requirements
The POG requirements contribute to improving insight and transparency about insurance products in several ways. Although the IDD POG requirements are addressed at insurers and distributors they are important for the question about what data is available and how much must be shared with consumers.
To improve consumer protection and to offer products that are in their best interest, insurers are held under the IDD to have a proportionate and appropriate product approval process in place for each insurance product.Footnote 57
To comply, manufacturers of insurance products must for each insurance product do the following:Footnote 58
- Identify the target market based on the needs and demands of consumers;Footnote 59
- Assess the risks and costs involved;
- Design a distribution strategy consistent with the identified target market, reaching only those consumers with needs and demands best served by the product;Footnote 60
- Regularly review to ensure that marketed products continue to serve the needs of the market and the distribution strategy remains appropriate.Footnote 61 Distributors are therefore held to provide insurers with any relevant information to do so.Footnote 62
To enable distributors to fully understand the products they intend to sell, insurers are held to share information about their product approval processes, including on the target market, the proposed distribution strategy and any circumstances which might cause a conflict of interest to the detriment of the consumer.Footnote 63 The information provided to distributors must be clear, complete and up to date.Footnote 64
The IDD also requires both insurers and insurance distributors to document their actions and to make this available upon request to authorities.Footnote 65 Although this is not directly information to be shared with consumers it does require insurers and distributors to keep records and generally be well informed themselves of adverse effects for their consumers as a result of their products and services.Footnote 66
Compliance with the IDD requires insurers to become better informed themselves and may increase the necessity to gather and analyze personal data to understand and continue to assess their products concerning the target market and to document their steps for accountability purposes.Footnote 67 These efforts, however, may conflict with some of the data protection principles they must adhere to under the GDPR, such as the principles of data minimization, storage limitation and privacy by design. This issue has been identified and will be discussed further below.
3.3 IDD: Information Disclosure Requirements
Under the IDD, insurers must provide consumers with relevant information about the insurance product in a comprehensible form.Footnote 68 If a consumer is offered a contract, this must be consistent with their insurance demands and needs.Footnote 69 The IDD further states that the information given must be fair, clear and not misleading.Footnote 70
To decide what information consumers need, insurers must take into consideration the complexity of the insurance product and the type of consumers it is for.Footnote 71 For example when it comes to new and innovative insurance products like telematics, consumers require more information to understand how telematics works and what the consequences are when they do not maintain a safe driving score based on criteria set by their insurer. The rise in complaints about the perceived unfairness of telematics insurance illustrates such a lack of understanding especially amongst young people of their policy requirements which could be improved through better and more comprehensible information.Footnote 72
The IDD contains several information requirements on the basis of which information must be provided to consumers. The following is relevant with respect to non-life insurance products such as motor vehicle insurance:
The insurance intermediary must give consumers relevant information including about the following:Footnote 73
- the intermediary’s identity and address;
- whether the communication constitutes advice about the insurance products sold and if so a personalised recommendation explaining why this is the best product for the customer considering their demands and needs;
- whether the proposed contract or advice is based on a fair and personal analysis;Footnote 74
- the rights of the consumer to complain and information about procedures for redress;
- possible conflicts of interest and remunerations.Footnote 75
The IDD introduced a new information requirement for insurers to help consumers get better informed about non-life insurance products. The Insurance Product Information Document (IPID) is meant to give consumers key information about the product in a way that allows them to easily obtain relevant information and compare between different insurers. The IPID contains the following information:
- key information about the type of insurance;
- a summary of the insurance cover, including
  - the main risks insured,
  - the sum, and
  - the geographical scope, if applicable;
- the means and duration of the payment of the premiums;
- the obligations at the start and during the term of the contract;
- the obligations if a claim is made and main exclusions where claims cannot be made;
- the term of the contract including the start and end dates of the contract;
- the means of terminating the contract.
With respect to insurance based investment products there are additional requirements.Footnote 76
3.4 Product Oversight and Governance
The Product Oversight and Governance requirements are relevant as they require insurers to conduct testing and monitoring of their insurance products to make sure these are and remain appropriate for their specific target market. To facilitate the implementation of the IDD, the European Commission adopted two Delegated Regulations which contain implementing measures.
The delegated regulation on Product oversight and governance requirements for insurance undertakings and insurance distributors specifies the criteria and practical details for the application of the POG rules, based on the European Insurance and Occupational Pensions Authority (EIOPA) technical advice.Footnote 77
In addition, the EIOPA as well as many other (national) authorities and organizations such as the Financial Conduct Authority (FCA) have developed guidance on issues of interpretation or application of the IDD and its implementing measures. Their interpretations of the scope of the POG are useful insofar as they require insurers to obtain certain information which, under a broad interpretation of the scope of the information requirements towards consumers, should be made available.
To ensure consistent and effective application, the EIOPA published their responses to questions about the POG product testing requirements.Footnote 78 To ensure that an insurance product meets the identified needs, objectives and characteristics of the target market, insurers must undertake appropriate product testing.Footnote 79 The product should be tested on all relevant dimensions. According to EIOPA, this should in particular include assessments of:
- how the product works;
- its performance;
- its risk/reward profile;
- price and coverage; and
- information to consumers.
Considering the relevant information it contains, the EIOPA recommends that insurers include their product scenario analysis. Another good practice, according to EIOPA, for insurers who use driving behavior for premium setting to know what information consumers must be given is to take into account the level of information available to the consumers belonging to that target market and the consumer’s financial literacy.Footnote 80 Further good practices proposed are consumer testing, to help assess the comprehensibility of insurance products for consumers, and analysing consumer complaints about similar products.Footnote 81
In the UK, the Financial Conduct Authority (FCA) gives practical examples of what they consider to be IDD compliant advice for UK insurers.Footnote 82 According to the FCA, advice given by an insurer to a potential consumer which includes proposing all available insurance products with only a generic statement for each product on what type of needs it will meet is most likely non-compliant, unless the insurer can show that they have identified the consumer’s demands and needs and that all the products offered are consistent with them.Footnote 83 Undertaking a demands and needs test for each consumer before providing advice on what insurance products are suitable may, however, lead to some insurers collecting more, not less, personal data about potential consumers, which may be problematic in the context of the GDPR principles.
3.5 Information Disclosure: The Insurance Product Information Document
As mentioned, the IDD requires insurers to provide consumers with a simple, standardized Insurance Product Information Document (IPID) for non-life insurance products. The IPID, which is a new requirement introduced by the IDD for insurers, presents the key characteristics of each type of insurance product.Footnote 84 These include what is and what is not insured; what is covered and any restrictions on coverage; key obligations for the policyholder, including payment; and finally information about the start, end and cancellation of the policy. As the IPID only contains key product information, it does not replace the need for consumers to receive more detailed information including, when they receive an offer for a product, how the product complies with their specific needs and demands. The IPID format includes a statement that all the necessary pre-contractual and contractual information is available elsewhere.Footnote 85
The key information provided on the IPID aims to enable consumers to quickly understand what the insurer offers and to compare between different insurers.Footnote 86 However, although most stakeholders welcomed the IPID and its purpose, there are serious concerns about whether the IPID in its current form is effective and proportionate. If it is not effective, it poses disproportionate administrative burdens for insurers to maintain. The main concerns include whether consumers are better informed and enabled to make comparisons, as well as the potential risk of overreliance by consumers on the basic information contained in the IPID, which could result in consumers becoming less instead of better informed about the specificities of their insurance if they do not or no longer read the main insurance policy documents.Footnote 87
Research shows that the IPID may not present potential consumers with the key information necessary for them to make an informed decision. A brief comparison illustrates serious differences in interpretations of what insurers consider to be key information to be shared with consumers. For example, with respect to telematics car insurance, a comparison between the IPIDs of a Dutch and a UK car insurance provider shows that the UK IPID mentions that the policy may be cancelled as a result of breaching policy terms or severe traffic violations, whereas the Dutch IPID only mentions that driving behavior may lead to a premium reduction, but not that a traffic violation could lead to the policy being cancelled immediately.Footnote 88
Considering the impact it has on a consumer when their insurance coverage is cancelled, this should be considered key information.
Currently the IPID does not allow consumers to make comparisons, given the different interpretations of what information should be given.Footnote 89 It is therefore also important to continue to monitor signs of overreliance on the limited information contained in the IPID, as this could result in consumers becoming less informed about insurance products, which is against its aim and purpose.
4 The GDPR and IDD Proposed Information Requirements
This final section presents the analysis, based on the previous sections, of the scope of the requirements under the GDPR and the IDD and of the interplay between them, with an overview of key challenges and opportunities regarding the provision of information to improve consumer and data protection in the context of innovations in consumer insurance. Looking at the role of the IDD in light of the aims of the GDPR, to what extent do the GDPR and the IDD complement and/or contradict each other concerning information requirements to enable better-informed decision-making regarding innovations in insurance products and services?
4.1 Interaction Between the GDPR and IDD
Because the IDD aims to take into consideration the specificities of the insurance industry and provides a balanced approach to stakeholder interests, it will improve the understanding of the scope of the GDPR information disclosure requirements for insurance products and innovations thereof. However, due to a lack of consensus amongst experts and practitioners, uncertainty about key requirements and their interpretation remains, which may limit the development and adoption of otherwise beneficial innovations in the insurance industry.
Considering the IDD requirements in order to better understand the scope of the GDPR requirements for insurers may help to reduce the risk of excessive and disproportionate interpretations of the scope of information to be provided to consumers in the context of insurance.Footnote 90 This combined approach will provide a (more) balanced understanding of the different interests involved in, and the characteristics of, the insurance industry, which is required for better compliance with the GDPR requirements.
4.1.1 Better Informed Decision Making
This is based on the understanding that greater transparency and better and more comprehensible information about insurance products and the processing of personal data will enable consumers to make better-informed decisions and contribute to consumer and privacy protection.Footnote 91
The IDD, when implemented in a way that enables adequate information to be made available to consumers regarding the processing of personal data, has the potential to contribute to improved and informed decision-making about innovative insurance products such as telematics that require personal data processing.Footnote 92 Providing consumers with key information, not only about how their insurance products and services cover their demands and needs but also about how their behavior affects their risk score and what they could do to obtain a more favorable result in terms of a lower premium or a lower chance of ever needing to call upon insurance benefits, would benefit not only consumers but also insurers, as this would improve the level of understanding of how insurance works and the trust people have in the industry.
4.1.2 Improve Accountability and Responsible Business Practices
The IDD contributes with specific requirements not only to improve better-informed decision-making by consumers but also to improve the understanding of the requirements for insurers and distributors on what information should be made available under the scope of both the GDPR and the IDD.
4.1.3 Balancing Information Requirements
In practice insurers are challenged to find the right balance between the need for data collection for analysis and monitoring purposes while complying with the data protection principles of data minimization, privacy by default and by design.
The IDD requires insurers to understand the needs and demands of consumers, not only to provide adequate products but also to know what information consumers need to make informed decisions regarding what insurance to purchase. Although this could be taken as an incentive to collect vast amounts of personal data, collecting more than the minimum amount of personal data required to comply with the IDD would be in breach of the GDPR, where the principle of data minimization protects consumers against the risks involved in excessive data collection.Footnote 93 In practice insurers must be able to explain why certain data collection is appropriate and not excessive for understanding their target market and consumers’ demands and needs.Footnote 94 Insurers are also required to regularly review whether their products remain adequate and distribution remains appropriate for the identified target market(s). Insurers and their distributors must, therefore, monitor for any adverse effects on (potential) consumers and the market, including on the availability and affordability of insurance for vulnerable groups. This again requires the collection of personal data to gain relevant insights, for example to monitor their acceptance criteria for potential bias or discrimination against protected groups. As the IDD requires insurers to document their actions, including steps taken to avoid adverse effects, insurers may risk non-compliance with the IDD as well as face fines based on the GDPR.
The above examples illustrate why it is important for insurers not to have separate compliance procedures for the IDD and the GDPR but to integrate them in their product development and decision-making processes from the beginning. This will help reduce any overlap and administrative duplication as well as the risk of non-compliance, by enabling insurers to explain and justify the collection and processing of personal data.Footnote 95
4.1.4 Information Disclosure: Proposed Scope
The GDPR and the IDD, when interpreted with a sufficiently broad scope regarding the information disclosure requirements for insurers towards consumers, would include all information required for consumers to make better decisions about which insurance product would best meet their needs. It would also enable them to hold insurers accountable for providing adequate safeguards to mitigate any adverse effects, or to provide redress when things do negatively impact people’s lives. Adequate information disclosure will contribute to reducing the risks of bias and discrimination when disclosure includes access to the means to challenge decisions made by insurers using automated processes. If there is no means to provide explanations that help consumers understand how decisions that affect them are made, including what they should do to reduce their risk, arguably these systems should not be used for critical processes.Footnote 96
4.2 Information Disclosure: GDPR and IDD Integration for Better Compliance
Compliance with the IDD should contribute to the aim of the GDPR to enable consumers to become well informed and better protected against harm from personal data processing by insurers by bringing a sector-specific interpretation and balance for the scope of the GDPR.Footnote 97
As such, the IDD requirements, which are specific to the insurance sector, and the more general requirements under the GDPR on transparency and information disclosure should be considered by insurers not in isolation but as complementing each other. If an insurer decides not to make or have the required information available, they not only risk non-compliance with the IDD but could also face fines based on the GDPR.Footnote 98 It is therefore important for insurers to consider both the IDD and the GDPR requirements together and not to have separate processes for compliance.Footnote 99 This combined approach will provide a (more) balanced understanding of the different interests involved in, and the characteristics of, the insurance industry, which would also contribute to a better understanding of, and compliance by insurers with, the GDPR requirements.
Returning to the main concern of whether consumers can obtain the information that allows them to make informed decisions regarding telematics insurance, the following can be said:
4.2.1 The IDD Contributes to Transparency in and About Insurance
Transparency of, and information on, personal data processing by insurers will enable consumers to become better informed when it comes to telematics and other innovations within insurance where the processing of personal data is necessary.Footnote 100 Although it is argued here that generally more information is required to be made available by insurers than is currently being done in practice, this has to be proportionate taking into consideration the consequences for insurers including additional administrative burdens and risks for unfair competition.Footnote 101
4.2.2 Recommendations: Self-Regulation Regarding Information Disclosure
Despite concerns raised about the uncertainty resulting from the lack of clearer guidance on how to comply with the GDPR requirements, it does not seem likely that such guidance will be provided, nor that it would be desirable, given the different national and sector-specific needs and demands regarding what information is required. The insurance industry should continue to take a proactive approach to address any legal uncertainties about the scope of information to be provided in compliance with the GDPR and IDD. The absence of legal clarity and specific requirements also provides opportunities for the insurance sector to develop standards and industry-specific codes of conduct regarding the GDPR information requirements.Footnote 102
The EDPS considers codes to: ‘[…] represent an opportunity to establish a set of rules which contribute to the proper application of the GDPR in a practical, transparent and potentially cost effective manner that takes on board the nuances for a particular sector and/or their processing activities.’Footnote 103 The development of sector-specific initiatives, including codes and certifications, to ‘enhance transparency and compliance’ and to contribute to ‘the proper application of the Regulation’ is encouraged under the GDPR.Footnote 104
An industry-wide approach, developing practical guidelines based on a shared interpretation of the scope, is recommended which could be done in the form of standard developments and/or the insurance code of conduct focusing specifically on information disclosure compliance with both the GDPR and the IDD.Footnote 105 The IPID could also play a more prominent role here by including information regarding personal data processing to allow consumers to compare insurers also on the level of privacy protection they provide.
4.2.3 Recommendations: Include Privacy Information/Icons on the IPID
To stimulate more competition amongst insurers, the level of privacy protection they offer could be monitored, compared and communicated to consumers. Research shows that icons can be used to ‘effectively communicate complex and lengthy privacy policies to consumer.’Footnote 106 This could be done through the IPID to help potential consumers make more informed decisions about which insurers to choose based on their level of use and protection of personal data.Footnote 107 Research on privacy icons shows that they are promising in helping consumers become better informed.Footnote 108
To conclude: as both the GDPR and the IDD are recent developments, it remains to be seen how national implementation and proposed interpretations in the sector will play out in practice.Footnote 109 Monitoring the developments following the implementation of the GDPR and the IDD, therefore, remains essential for the insurance industry to see whether a broader scope of information disclosure will improve consumer (data) protection without negatively affecting, for example, insurers’ incentives for and investments in developing innovative insurance products and interoperability.Footnote 110
Acknowledging that the insurance industry has specific challenges when it comes to compliance with the information requirements under the GDPR, this chapter aimed to provide an analysis of the requirements under the GDPR and the IDD specific to insurers. The analysis shows that there is concern about the scope of information to be made available by insurers to consumers, considering the aims of both the GDPR and the IDD. A too broad interpretation of what information and level of detail must be provided may impede insurers’ ability to innovate and remain competitive while still providing affordable insurance to as many people as possible. A too narrow interpretation would not allow consumers to become well informed and/or challenge decisions made by insurers when these may have an adverse effect. Finding this balance for the information required to be made available by insurers is further challenged when regulation overlaps, contradicts or leaves room for interpretation.Footnote 111 As legal uncertainties may stifle what would otherwise be beneficial innovations based on personal data and automated decision-making, there is a clear need for more research that looks at the specific challenges for the insurance industry.
Notes
- 1.
Acknowledged for example by the European Parliament stating that [..] Notwithstanding all the benefits, FinTech confronts us with essential questions of a regulatory societal nature. European Parliament (2017) Draft Report on FinTech: the influence of technology on the future of the financial sector (2016/2243 (INI)) [online] http://www.europarl.europa.eu/; also OECD (2017), ‘Technology and innovation in the insurance sector’, OECD [online] https://www.oecd.org/pensions/Technology-and-innovation-in-the-insurance-sector. pp. 27–39. On the role of policy and regulation in InsurTech, see IAIS (2018), ‘Issues Paper on Increasing Digitalization in Insurance and its Potential Impact on Consumer Outcomes’ [online] https://www.iaisweb.org/page/supervisory-material/issues-papers##. More specifically on the challenges posed by telematics, see Troncoso et al. (2011). For many examples of the problems caused by data innovations including telematics, see O’Neil (2016) and Pasquale (2015).
- 2.
- 3.
Acquisti et al. (2015); Koops et al. (2016); Leenes et al. (2018). Other concerns include the need to better inform consumers about consequences, especially of innovative products that people have no experience with. This includes, for example, making it clearer to consumers of telematics that their premium could increase and that their policy could be cancelled as a result of bad driving scores. See General Accident Telematics Car Insurance Terms and Conditions: ‘If a score of below 50 is recorded […] we reserve the right to cancel your policy [..]’ [online] https://help.generalaccident.com/media/1090/telematicsterms.pdf.
- 4.
On the discussion behind the general understanding that vehicle data is personal data, see The Fédération Internationale de l’Automobile (FIA) (2017) Legal Memorandum on Connected Vehicles and Data [online] https://www.fiaregion1.com/wp-content/uploads/2017/06/20170516-Legal-Memorandum-on-Personal-Data-in-Connected-Vehicles-www.pdf. On the challenges for understanding privacy risks by consumers, see Solove (2006), p. 505. Specifically regarding privacy concerns and telematics, see Pogarcic Mataija and Van Schoubroeck (2016) Telematics insurance: legal concerns and challenges in the EU insurance market. More generally, see Tene and Polonetsky (2013), p. 239.
- 5.
At the time of writing, the EU directive on modernizing consumer law, part of the ‘new deal for consumers’, was not yet adopted and is therefore not taken into consideration. It is, however, highly relevant given its aim ‘to adapt EU consumer protection legislation to the realities of the digital era’. For more background information and the most important developments, see Council of the EU (2019) EU consumers’ protection to be reinforced, Press release [online] https://europa.eu/!uc86NQ.
- 6.
Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
- 7.
Directive (EU) 2016/97 of the European Parliament and of the Council of 20 January 2016 on insurance distribution (recast) OJ L 26, 2.2.2016, pp. 19–59. Köhne and Brömmelmeyer (2018).
- 8.
A note on the use of ‘consumer’ and ‘customer’ in the IDD. It seems that the IDD uses them interchangeably (compare for example Recitals 5 and 6 IDD), although their meaning is not the same. The GDPR instead only refers to customers; however, for readability this text will use the term consumer to refer to the driver buying telematics car insurance for their own use unless otherwise noted.
- 9.
- 10.
It is expected that by 2020 most European insurers will have adopted telematics. Ptolemus (2016) Global Usage-based Insurance Study Abstract [online] https://www.ptolemus.com/wp-content/uploads/2019/07/UBIStudy2016.pdf.
- 11.
Other ways include the use of smartphone apps or obtaining the data (with permission from the manufacturers) directly from in-vehicle systems. Handel et al. (2014); Ohlsson et al. (2015). For a brief introduction to how telematics works, see https://www.octotelematics.com/insurance-telematics-resources/what-is-insurance-telematics/; and regarding insurance use of telematics, see Fan and Wang (2017), pp. 1–5.
- 12.
As already identified by Dorweiler in 1929, certain information would be more predictive but was unattainable at the time. Dorweiler (1929), p. 337. See further Weiss and Smollik (2012), p. 5 and Conners, J. & Feldblum, S. (1998), Personal Automobile: Cost Drivers, Pricing, and Public Policy. On the difference between factors and proxies, concluding that traditional data provide proxies and do not provide a full understanding of the underlying factors that influence automobile insurance loss costs, see Karapiperis et al. (2015).
- 13.
- 14.
- 15.
Driving less carefully after having obtained insurance is an example of moral hazard. See Shavell (1979). On how in-vehicle smart driving systems can lead to significant improvements in driving behaviors, see Birrell et al. (2014), pp. 1801–1810. On the opportunity to provide driver feedback: Dijksterhuis et al. (2016), pp. 1158–1170. For a good overview of all the issues, see Tselentis et al. (2016), pp. 362–371; Husnjak et al. (2015), pp. 816–825.
- 16.
Weiss and Smollik (2012), p. 35; LexisNexis® Risk Solutions, Telematics insurance helps cut young driver casualty rates by 35%, 14/11/2018 [online] https://risk.lexisnexis.co.uk/about-us/press-room/press-release/20181114-young-driver#_edn2; Despite their concerns people are willing to share data when there are strong incentives to do so. Derikx et al. (2015).
- 17.
European Data Protection Board (2020), Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications. Version 01, note 43 p 10.
- 18.
Collinson P. (2017) Motoring myths: what ‘black boxes’ reveal about our driving habits, The Guardian [online] Available at: https://www.theguardian.com/money/2017/dec/16/motoring-myths-black-boxes-telematics-insurance. See also Solove (2006).
On what data from vehicles may be of use for insurers in the context of risk assessments see Thomas (2012); Geneva Association (2018) “Big Data and Insurance: Implications for Innovation, Competition and Privacy”, March 2018, Available at: https://www.genevaassociation.org/research-topics/cyber-and-innovation-digitalization/big-data-and-insurance-implications-innovation.
- 19.
This Regulation applies to the processing of personal data [..]. Article 2(1) GDPR. Whereas ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); Article 4(1). Location data, which is generally collected from the vehicle, is mentioned as an example of personal data. (FIA) (2017).
- 20.
Art 1(1) GDPR.
- 21.
Art 5(1)a GDPR. ‘Personal data shall be: processed lawfully, fairly and in a transparent manner in relation to the data subject.’ Transparency was already taken as a key element for processing to be considered fair, as processing should not be done in a way that would be considered misleading to data subjects, for example. See Carey p. 42; The Art. 29 Data Protection Working Party (2017), Guidelines on the Right to Data Portability, 16/EN WP 242 rev.01 (hereinafter WP29).
- 22.
Articles 5 and 12 and Recital 39 GDPR. WP29 (2016) Guidelines on Transparency p. 6; Cruz Villalon (2015) “the requirement to inform the data subjects about the processing of their personal data, which guarantees transparency of all processing, is all the more important since it affects the exercise by the data subjects of their right of access to the data being processed, [..]” Opinion AG Cruz Villalon, 9 July 2015 (1) Case C-201/14 Smaranda Bara and Others; Court of Justice of the European Union: Judgment in Case C-201/14 / Smaranda Bara and Others; paragraph 74.
- 23.
Consumers have specific rights to information including the right to access; to rectification, the right to data portability and rights regarding automated decision making. Articles 12–23 GDPR.
- 24.
Article 12 GDPR and Recital 39 GDPR; WP29 (2016) Guidelines on Transparency p. 9: ‘[..] The information provided to a data subject should not contain overly legalistic, technical or specialist language or terminology’.
- 25.
Recital 58 of the GDPR emphasizes the need for transparency to be particularly relevant in situations [..] where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected. Articles 5 and 12 and Recital 39 GDPR. WP29 (2016) Guidelines on Transparency p. 6; Cruz Villalon (2015) “the requirement to inform the data subjects about the processing of their personal data, which guarantees transparency of all processing, is all the more important since it affects the exercise by the data subjects of their right of access to the data being processed, [..]” Opinion AG Cruz Villalon, 9 July 2015 (1) Case C-201/14 Smaranda Bara and Others; Court of Justice of the European Union: Judgment in Case C-201/14 / Smaranda Bara and Others; paragraph 74.
- 26.
When personal data is collected directly from the consumer (art 13 GDPR).
- 27.
Where applicable, the legitimate interests pursued by the controller or by a third party. Article 12,18 GDPR; Recital 60 GDPR. Further processing of personal data is allowed when the new purpose is compatible with the initial one; this depends on an identifiable link between the two purposes, the reasonable expectations of the data subject, and the consequences and safeguards to mitigate potential harm or detriment to the data subject. See further Soussan G, Woolfson P, Terruso D (2016) p. 24, mentioning the example of the ‘insurance link’ investigation, where data collected for fraud could not be used for policy quotation purposes.
- 28.
Art 14 GDPR.
- 29.
Art 77–84 GDPR on remedies, liabilities and penalties. Insurers may refuse to provide certain information because they consider this to fall under the exception, when this information would otherwise have helped consumers to decide whether or not to buy a certain type of insurance given the potential harm.
- 30.
A recent survey shows that consumers do want to know about how their personal data is being processed: McCauley (2018). See further Kamleitner and Mitchell (2018), who discuss information overload and report that visualizing data streams could be helpful in increasing consumer understanding about what happens to data after consent is initially given. Kamleitner and Mitchell (2018), pp. 91–118. Insurance Council of Australia (2015, 2017).
- 31.
Article 12,18 GDPR; Recital 60 GDPR.
- 32.
- 33.
For example, many insurers state they collect ‘date of birth’ and ‘address’ but without knowing what information is on file consumers cannot correct if there is a mistake.
- 34.
It is often the case that this information includes proprietary information that the insurer may not have access to themselves, so the insurer does not know how these scores were calculated, nor can they then assess whether this data is accurate. This raises challenges for insurers, considering they can be held accountable towards consumers when they base their decision-making on inaccurate information, which may lead to discriminatory outcomes and adverse effects. If insurers could hide behind not having access to how these scores are calculated, they would shift onto the consumer the task of challenging the source of the data, which would be too heavy a burden for them to bear.
- 35.
It can be argued that a privacy policy informing consumers that “personal data will be used to improve the service”, without specifying what personal data is used, is not specific enough to comply with the GDPR. Article 6 GDPR; Recitals (47), (48) and (49) GDPR. Insurers report that they mostly rely on the legal bases of the performance of the contract, compliance with a legal obligation and legitimate interest for processing personal data of consumers. Consent is used only for processing health data as well as for direct marketing purposes. Insurance Europe response […] p. 5; Soussan G, Woolfson P, Terruso D (2016), pp. 18–23; a legal duty may also be applicable, p. 21. Note that Member States remain free to specify how this provision applies in their national law. See also Court of Justice of the EU, Joined Cases C-468/10 and C-469/10, ASNEF and FECEMD, 24 November 2011, regarding a Spanish law rule which restricted processing under the basis of legitimate interest only to information that was already in the public domain.
- 36.
Grouped under three data processing stages, Van Ooijen et al. have identified a list of threats to individual control over personal data processing which consumers should be made aware of. See van Ooijen and Vrabec (2016), p. 95. Specifically on the severe consequences to be explained when consumers would withdraw consent, for example that it may not be possible to obtain new coverage with a new provider on similar terms, e.g. the loss of “no claims bonus” for motor insurance, see Soussan G, Woolfson P, Terruso D (2016) p. 20.
- 37.
For example, how their driving behaviour or habits, including whether they drive much late at night or park their car outside, will influence the outcome of the insurer’s decision-making process.
- 38.
Concerns about the risk of information overload are raised by Insurance Europe (2016) Insight Briefing: Better, not more information for consumers. Further research discusses whether people indeed understand how algorithms work: Bucher (2017). On the problem of ‘informed’ consent, see Custers et al. (2013), pp. 435–457. On the problem of information complexity and how the GDPR contributes to solving problems regarding information asymmetry regarding processing, see Van Ooijen and Vrabec (2019), pp. 91–107.
- 39.
The right to privacy is not an absolute right and requires an appropriate balance between the different rights and freedoms. Recital 4 GDPR. On the concerns to protect trade secrets in light of the GDPR see Malgieri (2016), pp. 102–116.
- 40.
Contribution from the multistakeholder expert group on one year of GDPR application (Multistakeholder expert report 2019), Multistakeholder Expert Group to support the application of Regulation (EU) 2016/679, Report 13 June 2019 pp. 5–9.
- 41.
Article 20(1)a GDPR. The conditions include that only data provided by the data subject and processed on the basis of specific legal grounds have to be provided to the data subject. Excluded from the scope are data which are derived or inferred from the personal data provided by the data subject. The WP29 gives a broad interpretation of what data is considered to be ‘provided by’. See Article 29 Data Protection Working Party (2017), Guidelines on the Right to Data Portability, 16/EN WP 242 rev.01. For critical analysis and concerns raised about the scope and effectiveness of the right in practice, see Zanfir (2012), p. 149; Graef et al. (2013), pp. 53–63; Swire and Lagos (2013), p. 335.
- 42.
The Article 29 Working Party (Art. 29 WP) was an advisory body on the GDPR. On 25 May 2018, it was replaced by the European Data Protection Board (EDPB).
- 43.
Multi stakeholder expert report, (2019) n 41; On the perspective of insurers see Insurance Europe (2017) contribution to the Article 29 Working Party guidelines on the right to data portability, Position paper, 26 January 2017; for general concerns about the broad scope see Meyer (2017) European Commission, experts uneasy over WP29 data portability interpretation [Available online] https://iapp.org/news/a/european-commission-experts-uneasy-over-wp29-data-portability-interpretation-1/.
- 44.
Articles 13, 14, 22 GDPR. The GDPR acknowledges that automated decision-making, including profiling, can have serious consequences for individuals; however, in order to fall under the scope of the general prohibitions the effects must be legal or similarly significant, which the GDPR does not further define. Article 29 Data protection Working Party (2017) Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679, WP 251, p. 7. The GDPR defines profiling as: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements; Article 4(4) GDPR.
- 45.
The need for, and lack of, explainable AI has been gaining much attention lately as an emerging field in machine learning, see for example DARPA’s program on XAI [online at https://www.darpa.mil/program/explainable-artificial-intelligence], but the concerns are not new; see for a good introduction: Wachter et al. (2017), 10.1126.
- 46.
Article 22 GDPR. The GDPR does provide a number of exceptions, including the “necessity to perform or enter into a contract”. See further Article 29 Data protection Working Party (2017) Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679, WP 251. See for proposed guidance on the scope in the context of insurance BIPAR (2016), p. 36. In response however Insurance Europe raises concerns about the impact of the guidelines for adoption of innovative processes. Insurance Europe (2019) Insight Briefing EU General Data Protection Regulation: one year on, Insurance Europe aisbl, June 2019. The insurance industry has also raised concerns about a too narrow interpretation as proposed by the EDPB guidelines which would discourage insurers from further developing and using innovative beneficial automated processes.
- 47.
There is a trend towards increasingly data-driven business models throughout the insurance value chain in motor insurance. See EIOPA (2018) BDA thematic review p. 6. In this context it is important that insurers (together with their DPO) consider a risk and impact assessment. See Bipar (2016), p. 43 based on their recordkeeping requirements. ‘Before a controller processes data, it should decide, with its DPO, how risky the processing is likely to be to the rights and legitimate expectations of data subjects. If the risk is high, the controller should carry out an impact assessment to evaluate the origin, nature, particularity and severity of the risk. Examples include: processing using new technology; innovative techniques, such as profiling; and large-scale processing of special categories of data or data relating to criminal convictions and offences.’
- 48.
Insurance Europe raised concerns on the impact that certain GDPR provisions can have on the use of innovative technologies in the sector, considering that legal uncertainty stifles innovation in insurance. See Insurance Europe (2019) Position Paper Response to EC stocktaking exercise on application of GDPR, COB-DAT-19-032, p. 9. On the negative effect of the GDPR on the development and use of AI in Europe: Wallace and Castro (2018), March 27, 2018.
- 49.
Confirming a no one size fits all approach the Geneva Association (2018) “Big Data and Insurance: Implications for Innovation, Competition and Privacy”, March 2018, https://www.genevaassociation.org/research-topics/cyber-and-innovation-digitalization/big-data-and-insurance-implications-innovation. p. 16.
- 50.
Recognizing the need for such a sector specific approach taking account of ‘the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.’ Article 40 GDPR; and the need for a national scope: Member States may maintain or introduce more specific provisions to adapt the application of certain GDPR rules for specific processing situations, including determining more precisely the conditions under which the processing of personal data is lawful. Article 6(2) GDPR; Recital 10 GDPR and Recital 98 GDPR referring to codes of conduct to facilitate the effective application of the GDPR by considering the characteristics of sector specific processing and the specific needs of micro, small and medium enterprises. ‘Codes could calibrate the obligations of controllers and processors, taking into account the risk likely to result from the processing for the rights and freedoms of natural persons.’
- 51.
Directive 2016/97/EU of the European Parliament and of the Council of 20 January 2016 on insurance distribution (recast), [2016] OJ L 26/19 (the IDD).
- 52.
[..] In order to guarantee that the same level of protection applies and that the consumer can benefit from comparable standards, in particular in the area of the disclosure of information, a level playing field between distributors is essential. Recital 6 IDD; Recital 2 IDD. For a critical analysis of the background and IDD requirements in relation to its aims see De Maesschalck (2017), pp. 59–79; Hofmann et al. (2018), pp. 740–769; Köhne and Brömmelmeyer (2018); Marano (2019a); Schaeken Willemaers, Gaetane (2014).
- 53.
EU Publications (2016) Insurance distribution — new rules from 2018, Document 32016L0097 [online] https://eur-lex.europa.eu/legal-content/en/LSU/?uri=CELEX:32016L0097.
- 54.
Insurers must prioritize the interest of consumers when designing, developing and distributing insurance products to prevent the mis-selling of insurance products to consumers. Article 17(1) IDD. As an example of how this has been implemented nationally see for the UK the FCA Handbook article ICOBS 2.5.-1. Financial Conduct Authority (2015).
- 55.
Article 19; 20 IDD: insurers must avoid selling insurance products which do not meet the consumers’ insurance demands and needs. Although insurance-based investment products are not dealt with here, the EIOPA specifically refers to a suitability/appropriateness assessment for insurers to ensure that not more information is requested from the consumer than needed (or duplicated) to provide good quality advice to the consumer. The EIOPA considers this will further enhance the quality of service provided to the consumer, strengthening the framework for proper selling practices. See consideration 8 of the EIOPA, Final Report on Consultation Paper no. 16/006 on Technical Advice on possible delegated acts concerning the Insurance Distribution Directive.
- 56.
Article 11(2) IDD and Recital 3 IDD.
- 57.
Article 25 IDD: “[…] to the nature of the insurance product.” Recital 55 IDD: For specific guidelines how to comply in practice see the EIOPA (2016) Preparatory Guidelines on product oversight and governance arrangements by insurance undertakings and insurance distributors. For detailed analysis of the POG requirements see further Marano (2019b). The EU Regulation and the Liabilities, in Marano, P., Rokas, I. (ed.), Distribution of Insurance-Based Investment Products. The EU Regulation and the Liabilities, Springer, Cham 2019: pp 59–96.
- 58.
Insurers are considered manufacturers when they have a decision-making role in designing and developing products for the market. Article 3(1) IDD Regulation. This is assumed when they can autonomously determine the essential features and main elements of an insurance product, including its coverage, price, costs, risk, target market and compensation and guarantee rights, [..] Art 3(2) IDD Regulation.
- 59.
Article 5(1) IDD Regulation ‘[..] be identified at a sufficiently granular level, taking into account the characteristics, risk profile, complexity and nature of the insurance product [..]’. Recital 5 and 6 IDD Regulation further explain that (5) The identification of the target market means describing a group of customers sharing common characteristics at an abstract and generalized level in order to enable the manufacturer to adapt the features of the product to the needs, characteristics and objectives of that group of customers. (6) The level of granularity of the target market and the criteria used to define the target market [..] should be relevant for the product and should make it possible to assess which customers fall within the target market.
- 60.
Article 5(1) Recital 5 and 6 IDD Regulation.
- 61.
Article 25(1) IDD.
- 62.
Art 25(1) IDD; The IDD Regulation states that ‘Insurance distributors becoming aware that an insurance product is not in line with the interests, objectives and characteristics of its identified target market or becoming aware of other product-related circumstances that may adversely affect the customer shall promptly inform the manufacturer [..]’ and that ‘[..]insurance distributors shall upon request provide manufacturers with relevant sales information, including, where appropriate, information on the regular reviews of the product distribution arrangements.’ Art 10,11 IDD Regulation.
- 63.
Art 8 IDD; Recital 10 IDD information must be given to distributors [..] to fully understand the products they intend to distribute, so that they can carry out their distribution activities in accordance with the best interest of their customers, in particular by providing professional advice’. Recital 55 IDD: “[..] be able to understand the characteristics and identified target market of those products. [..]”.
- 64.
Art 8(2) IDD Regulation.
- 65.
Art 9;12 IDD Regulation.
- 66.
As insurers may not collect information about protected characteristics such as gender or race, they would not be able to monitor the impact that decisions, including whether to reject applications or claims, have on these groups of vulnerable consumers in society, including whether insurance for these groups remains accessible and affordable.
- 67.
Article 7(3) of Delegated Regulation 2017/2358, for example, states that manufacturers are held to monitor their products during their lifetime for any circumstances related to the insurance product that may have a material adverse effect on the consumer. See further EIOPA Q&A on appropriate product testing requirements [accessed online] https://eiopa.europa.eu/Pages/Guidelines/Q-and-A-on-Regulation-Answers-Delegated-Regulation.aspx.
- 68.
Article 20 IDD [..] objective information about the insurance product in a comprehensible form to allow that customer to make an informed decision.
- 69.
In this regard the IDD introduces specific disclosure requirements to inform consumers about any relationship between the insurer and distributor or other circumstance that could be an incentive not to receive recommendations which are not in their best interest, to avoid conflicts of interest. Article 17(3) IDD.
- 70.
Art 17(2); 20(7) and 23 IDD. Somewhat similar to the art 5(1)a GDPR principle of lawfulness, fairness and transparency where the latter requires information and communication relating to the processing of personal data to be easy to understand using clear and plain language. Article 12 GDPR and Recital 39 GDPR.
- 71.
Art 20(1) and Art 20 (2) IDD.
- 72.
Frost, J., 2018. Rise in telematics complaints down to ‘sub-standard’ market entrants – Mike Brockman. Insurance Times, [online] Available at: https://www.insurancetimes.co.uk/rise-in-telematics-complaints-down-to-sub-standard-market-entrants-mike-brockman/1427294.article; Recital 71 GDPR on fairness.
- 73.
Art 18–20 IDD.
- 74.
Art 20(3). [..] on the basis of an analysis of a sufficiently large number of insurance contracts available on the market to enable it to make a personal recommendation, in accordance with professional criteria, regarding which insurance contract would be adequate to meet the consumer’s needs.
- 75.
This includes information to be provided about the register in which it has been included and how to verify; whether the intermediary is representing the consumer or is acting for and on behalf of the insurance undertaking; the names of insurance undertakings with whom the distributor has a contractual obligation for exclusivity; and information about remuneration received including whether consumers must pay a fee and/or any other payments. See Art 18–19 IDD.
- 76.
Which fall outside the scope of this research. For an analysis of the IDD requirements for these products see: Marano (2019b).
- 77.
The two Delegated Regulations cover Product oversight and governance requirements for insurance undertakings and insurance distributors; and Information requirements and conduct of business rules applicable to the distribution of insurance-based investment products (IBIPs).
- 78.
EIOPA, Answers to (EU) 2017–2358 product oversight and governance requirements for insurance: 11 July 2018 (accessed online) These answers by the EIOPA are however not legally binding and do not prevent national competent authorities from maintaining or introducing stricter standards on a national level.
- 79.
Delegated Regulation 2017/2358.
- 80.
Article 5 (3) Delegated Regulation 2017/2358: However, the requirement to assess the product performance should not be understood as an interference with the manufacturer’s freedom to set premiums or as price control in any form.
- 81.
See EIOPA (2018) Answers to (EU) 2017–2358 product oversight and governance requirements for insurance, [online] https://eiopa.europa.eu/Pages/Guidelines/Q-and-A-on-Regulation-Answers-Delegated-Regulation.aspx.
- 82.
FCA (2017) Insurance Distribution Directive Implementation – Consultation Paper I (CP17/7).
- 83.
FCA (2018) IDD: delivering clear, fair outcomes for consumers from the insurance sector [online] https://www.fca.org.uk/firms/insurance-distribution-directive/idd-delivering-clear-fair-outcomes-consumers-insurance-sector.
- 84.
Article 20(8) IDD specifies which information the insurance product information document should contain, which includes the type of insurance it relates to, the main risks insured and excluded from its cover, geographical scope and whether consumers have any contractual obligations, for example regarding the claims procedure.
- 85.
Article 2 IPID Regulation.
- 86.
Recital 3: [..] to provide customers with product information which is easy to read, understand and compare, Commission Implementing Regulation (EU) 2017/1469 laying down a standardized presentation format for the IPID, C/2017/5544, OJ L 209, 12.8.2017, pp. 19–23 (hereinafter IPID Regulation).
- 87.
- 88.
VIVAT Schadeverzekeringen N.V., Fairzekering - Autoverzekering WA + Beperkt Casco [online] https://verzekeringskaarten.nl/fairzekering/Autoverzekering-WA and Aioi Nissay Dowa Insurance Company of Europe (insurethebox) Insurance Product Information Document [online] https://www.insurethebox.com/wp-content/uploads/2018/09/itb_IPID_v1.pdf.
- 89.
Research shows that even when a standardized format is used insurers differ in the level and type of information they provide, which makes it impossible for consumers to compare between different insurers. See in this volume: Brofeldt, A. and Kolding-Krøger, B, “The promised increase in customer protection under the IDD. Customers’ demands and needs and comparable pre-contractual information in form of a standardised IPID”.
- 90.
The GDPR acknowledges the need for sector specific interpretations of the requirements, encouraging certification and codes of conduct. Article 40 GDPR ‘[..] encourages the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.’ And Recital 98(1) GDPR ‘[..] to facilitate the effective application of this Regulation, taking account of the specific characteristics of the processing carried out in certain sectors.’
- 91.
Confirming conclusions reached by Hofmann et al. (2018) who concluded that: ‘All in all, the new IDD will enhance the efficiency of European insurance markets’ and that: ‘Through more uniform and consistent regulation, in conjunction with extended transparency requirements, it can ensure that consumers throughout the EU are equally well protected’, p. 766.
- 92.
See in this regard the objectives of the IPID to ensure that the consumer has the relevant information about a non-life insurance product to allow him to easily compare between different product offers and to make an informed decision about whether or not to purchase the product, which not only contributes to the general aim of better informed consumers but also to help avoid consumer lock in with one service provider as is the aim of the right to data portability under the GDPR. EIOPA (2017) Draft Implementing Technical Standards p. 3.
- 93.
“Personal data shall be: adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)” Article 5(1)(c) GDPR. Considering that the principles of data minimisation and purpose specification are difficult to reconcile with the prospect of big data analyses. The Geneva Association (2018), p. 16.
- 94.
As this could be used as an argument to collect ever more personal data, collecting data to better understand consumers’ demands and needs, for example, must be balanced against the GDPR notion of data protection by design and the privacy principles of data minimization and purpose limitation. Art 5 GDPR.
- 95.
The need for a coherent application of the applicable regulatory framework is acknowledged by the EP in the context of avoiding competitive disadvantages for insurers. European Parliament (2017), p. 10; See in this volume Chatzara, V., “The interplay between the GDPR and the IDD”.
- 96.
There is a lively discussion on explainability of AI and accountability for the adoption of increasingly sophisticated and opaque automated decision-making. Whether such systems should be adopted by insurers is subject to debate, as there is much disagreement about the legal requirements, about the level of explainability of different methods and their potential adverse effects, or what safeguards should be in place. Furthermore, promising solutions are starting to be proposed. For a good understanding of what explainable AI entails see PricewaterhouseCoopers (2018) explainable AI; the DARPA XAI Program https://www.darpa.mil/attachments/XAIProgramUpdate.pdf; Project ExplAIn, which is a collaboration between the UK Information Commissioner’s Office and The Alan Turing Institute to create practical guidance to assist organisations with explaining artificial intelligence (AI) decisions to the individuals affected, who have recently published a report and guidelines of what they consider relevant for explainability. [Accessed online] https://ico.org.uk/about-the-ico/research-and-reports/project-explain-interim-report/.
- 97.
See in this regard the objectives of the IPID to ensure that the consumer has the relevant information about a non-life insurance product to allow him to easily compare between different product offers and to make an informed decision about whether or not to purchase the product, which not only contributes to the general aim of better informed consumers but also to help avoid consumer lock in with one service provider as is the aim of the right to data portability under the GDPR. EIOPA (2017) Draft Implementing Technical Standards p. 3.
- 98.
The ICO and The Alan Turing Institute provide insights on the risks for not making information available. For more information see https://ico.org.uk/about-the-ico/news-and-events/blog-ico-and-the-alan-turing-institute-open-consultation-on-first-piece-of-ai-guidance/.
- 99.
As proposed also by Chatzara, V. (2019) note 94. The need for a coherent application is also acknowledged by the European Parliament in the context of avoiding competitive disadvantages for insurers legislation in place. European Parliament (2017), p. 10.
- 100.
Researchers warn against overly restrictive provisions as they may […] decrease insurance companies’ ability to develop product innovations, thereby reducing the range of products available in the marketplace. Hofmann et al. (2018), p. 765.
- 101.
Relevant discussions and concerns about the unclear scope of the GDPR access rights include for example the issue of trade secrets Malgieri (2016), pp. 102–116. Arguing for the need for more information to be shared and proposing a new data protection right, the ‘right to reasonable inferences’ needed to enable adequate control for consumers over personal data; and Wachter and Mittelstadt (2018); On the other hand see Hofmann et al., who warn that the expected increase in reporting and disclosure requirements might add to what is already excessive bureaucracy for insurers. Hofmann et al. (2018) referring to GDV (2015).
- 102.
Referring to codes of conduct the EDPB considers this an opportunity for ‘[…] specific sectors to reflect upon common data processing activities and to agree to bespoke and practical data protection rules, which will meet the needs of the sector as well as the requirements of the GDPR’, and that such codes could be ‘[..] a practical, potentially cost effective and meaningful method to achieve greater levels of consistency of protection for data protection rights’. EDPB Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 p. 4.
- 103.
EDPB Guidelines 1/2019, ‘What are the benefits of codes’, p. 7, and more specifically 36: Codes will need to specify the practical application of the GDPR and accurately reflect the nature of the processing activity or sector. They should be able to provide clear industry specific improvements in terms of compliance with data protection law. They will need to set out realistic and attainable standards for all their members, and they will need to be of a necessary quality and internal consistency to provide sufficient added value [..] and 37: [..] aim to codify how the GDPR shall apply in a specific, practical and precise manner. The agreed standards and rules will need to be unambiguous, concrete, attainable and enforceable (testable).
- 104.
See Article 40(1) of the GDPR that specifically encourages the setting up of codes of conduct [..] ‘intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.’ Articles 40 and 41 and Recitals 98, 100 of the GDPR. For more detail and more recent guidance on drafting, amending or extending sector specific codes, see the EDPB Guidelines 1/2019.
- 105.
See also Van Ooijen and Vrabec (2019) who argue for codes of conduct to help mitigate deficiencies that remain entrenched in the GDPR.
- 106.
See Edwards, L. Abel, W. (2014) The Use of Privacy Icons and Standard Contract Terms for Generating Consumer Trust and Confidence in Digital Services Create Working Paper 2014/15 (October 2014); Proposing a Risk-Based approach for the selection, design and implementation of privacy icons having identified that consumers mostly lack understanding of the risks related to processing; Efroni et al. (2019), pp. 352–366.
- 107.
See for an example of a Dutch Telematics insurers’ privacy statement on the collection of personal data: [online] https://verzekeringskaarten.nl/fairzekering/autoverzekering-beperkt-casco.
- 108.
Hoepman presents an analysis of initiatives and proposes what characteristics to take into consideration when deciding what elements of a privacy policy, and essential aspects on the what, where and how of the processing of personal data, must be represented by an icon. See Jaap-Henk Hoepman, Using icons to summarise privacy policies: an analysis and a proposal. September 21, 2016 [accessed online] https://blog.xot.nl/2016/09/21/using-icons-to-summarise-privacy-polices-an-analysis-and-a-proposal/.
- 109.
The Multistakeholder Expert Group reports that the impact the Regulation should have on business practices still has to fully materialise and that they see a need to move from the implementation to the enforcement stage. Multistakeholder Expert Group to support the application of Regulation (EU) 2016/679. Report. 13 June 2019. Page 5.
- 110.
The need to monitor insurance practices, especially pricing strategies, is widely recognized; see FCA (2018) FCA launches general insurance market study [online] https://www.fca.org.uk/news/press-releases/fca-launches-general-insurance-market-study. See for an interesting initiative to obtain insights: The Dutch Association (of Insurers) has developed the solidarity monitor against the background of the debate over the possible undesired effects of the use of big data by insurers, to be able to analyse how the spread in premiums is developing and to what extent consumers remain insurable. Their reports can be found online https://www.verzekeraars.nl/media/4115/solidarity-monitor-2017.pdf; On the challenges for interoperability see for example Kerber and Schweitzer (2017).
- 111.
A concern raised by Insurance Europe about contradicting regulations where not much attention has been paid when developing new regulations to existing requirements resulting in a mismatch of requirements and disproportionate burdens for insurers to comply. Insurance Europe (2019) Making EU insurance regulation that works and benefits consumers.
References
Acquisti A, Brandimarte L, Loewenstein G (2015) Privacy and human behavior in the age of information. Science 347(6221):509–514
Article 29 Data Protection Working Party (2017) Guidelines on the Right to Data Portability, 16/EN WP 242 rev.01
Barone G, Bella M (2004) Price-elasticity based customer segmentation in the Italian auto insurance market. J Target Meas Anal Mark 13:21–31
Birrell S, Fowkes M, Jennings P (2014) Effect of using an in-vehicle smart driving aid on real-world driver performance. IEEE Trans Intell Transp Syst 15(4):1801–1810
Bordoff J, Noel PJ (2008) Pay-as-you-drive auto insurance: a simple way to reduce driving related harms and increase equity. The Brookings Institution, Washington, DC
Bucher T (2017) The algorithmic imaginary: exploring the ordinary affects of Facebook algorithms. Inf Commun Soc 20(1)
Conners J, Feldblum S (1998) Personal automobile: cost drivers, pricing, and public policy
Custers B, van Der Hof S, Schermer B, Appleby-Arnold S, Brockdorff N (2013) Informed consent in social media use-the gap between user expectations and EU personal data protection law. SCRIPTed 10:435–457
Davis J (1977) Protecting consumers from overdisclosure and gobbledygook: an empirical look at the simplification of consumer credit contracts. Virginia Law Rev 63(6):841–920
Derikx S, de Reuver M, Kroesen M, Bouwman H (2015) Buying-off privacy concerns for mobility services in the Internet-of-things era. In: Proceedings of the 28th Bled eConference, Bled, Slovenia, 7–10 June
Derikx S, de Reuver M, Kroesen M (2016) Can privacy concerns for insurance of connected cars be compensated? Electr Mark 26(1):73–81
Dijksterhuis C, Lewis-Evans B, Jelijs B, Tucha O, de Waard D, Brookhuis K (2016) In-car usage-based insurance feedback strategies. A comparative driving simulator study. Ergonomics 59(9):1158–1170
Dorweiler P (1929) Notes on Exposure and Premium Bases. CAS Proceedings 1929 XVI(33):337
Edwards L, Veale M (2017) Slave to the algorithm? Why a ‘right to an explanation’ is probably not the remedy you are looking for. Duke Law Technol Rev 16(1):1–65
Efroni Z, Metzger J, Mischau L, Schirmbeck M (2019) Privacy icons. Eur Data Protect Law Rev 5(3):352–366
EIOPA (2016) Preparatory Guidelines on product oversight and governance arrangements by insurance undertakings and insurance distributors
EIOPA (2018) Q and A on Regulation - Answers - Commission Implementing Regulations laying down Implementing Technical Standards, (EU) 2017–2359
European Parliament (2017) Draft Report on FinTech: the influence of technology on the future of the financial sector (2016/2243(INI))
Fan C, Wang W (2017) A comparison of underwriting decision making between telematics enabled UBI and traditional auto insurance. Adv Manage Appl Econ 7:1–5
Financial Conduct Authority (2015) Developing our approach to implementing MiFID II conduct of business and organizational requirements, Discussion Paper DP15/3
GDV (2015) Regulation in the insurance industry: Opportunities and challenges from an economic perspective. Economic Issues and Analyses, No. 7. German Insurance Association (GDV), Berlin
Goodman B, Flaxman S (2017) European Union regulations on algorithmic decision-making and a “right to explanation”. AI Magazine 38(3):50–57
Graef I, Verschakelen J, Valcke P (2013) Putting the right to data portability into a competition law perspective. Law: The Journal of the Higher School of Economics, Ann Rev 2013:53–63
Handel P, Ohlsson J, Ohlsson M, Skog I, Nygren E (2014) Smartphone-based measurement systems for road vehicle traffic monitoring and usage-based insurance. IEEE Syst J 8(4):1238–1248
Hofmann A, Neumann JK, Pooser D (2018) Plea for uniform regulation and challenges of implementing the new Insurance Distribution Directive. Geneva Pap Risk Insur Issues Pract 43(4):740–769
Husnjak S, Perakovic D, Forenbacher I, Mumdziev M (2015) Telematics system in usage based motor insurance. Proc Eng 100:816–825
Insurance Council of Australia (2015) Too Long; Didn’t Read. Enhancing General Insurance Disclosure. Research findings report
Insurance Council of Australia (2017) Consumer Research on General Insurance Product Disclosures, Research findings report
Kamleitner B, Mitchell VW (2018) Can consumers experience ownership for their personal data? From issues of scope and invisibility to agents handling our digital blueprints. In: Peck J, Shu S (eds) Psychological ownership and consumer behavior. Springer, Cham, pp 91–118
Karapiperis D, Birnbaum B, Brandenburg A, Harbage R, Obersteadt A (2015) Usage-based insurance and vehicle telematics: insurance market & regulatory implications. The National Association of Insurance Commissioners and the Center for Insurance Policy and Research
Kerber W (2018) Data governance in connected cars: the problem of access to in-vehicle data. J Intellect Prop Inf Technol Electr Commer Law
Kerber W, Schweitzer H (2017) Interoperability in the Digital Economy. Journal of Intellectual Property, Information Technology and Electronic Commerce Law (Jipitec); MAGKS, Joint Discussion Paper Series in Economics, No. 12-2017
Köhne T, Brömmelmeyer C (2018) The new insurance distribution regulation in the EU—a critical assessment from a legal and economic perspective. Geneva Pap Risk Insur Issues Pract 43(4):704–739. https://doi.org/10.1057/s41288-018-0089-0
Koops BJ, Newell BC, Timan T, Skorvanek I, Chokrevski T, Galic M (2016) A typology of privacy. Univ Pa J Int Law Rev 38:483
Lajunen T, Karola J, Summala H (1997) Speed and acceleration as measures of driving style in young male drivers. Percept Motor Skills 85:3–16
Leenes R, van Brakel R, Gutwirth S, De Hert P (2018) Data protection and privacy: the internet of bodies (Computers, privacy and data protection). Hart, Oxford, pp 249–276
Maesschalck ND (2017) The Insurance Distribution Directive: what does it change for intermediaries and for others? In: Marano P, Siri M (eds) Insurance regulation in the European Union. Palgrave Macmillan, pp 63–65
Malgieri G (2016) Trade secrets v personal data: a possible solution for balancing rights. Int Data Priv Law 6(2):102–116
Marano P (2019a) Navigating InsurTech: the digital intermediaries of insurance products and customer protection in the EU. Maastricht J Eur Comp Law 26(2):294–315
Marano P (2019b) The product oversight and governance: standards and liabilities. In: Marano P, Rokas I (eds) Distribution of insurance-based investment products. Springer, Cham
McCauley D (2018) What the Internet of Things means for consumer privacy. Briefing paper, The Economist Intelligence Unit Limited 2018
Meyer D (2017) European Commission, experts uneasy over WP29 data portability interpretation. The Privacy Advisor. Retrieved from https://iapp.org/news/a/european-commission-experts-uneasy-over-wp29-data-portability-interpretation-1/
O’Neil C (2016) Weapons of math destruction: how big data increases inequality and threatens democracy. Crown, New York
Ohlsson J, Händel P, Han S, Welch R (2015) Process innovation with disruptive technology in auto insurance: lessons learned from a smartphone-based insurance telematics initiative. In: BPM - Driving innovation in a digital world. Springer, pp 85–101
Paefgen J, Kehr F, Zhai Y, Michahelles F (2012) Driving behavior analysis with smartphones: Insights from a controlled field study
Pander Maat H, De Boer N, Timmermans C (2009) De gebruiksvriendelijkheid van hypotheekinformatie: Een lezersonderzoek. Universiteit Utrecht, Utrecht
Pasquale F (2015) The black box society. Harvard University Press, Cambridge
Schaeken Willemaers G (2014) Client protection on European financial markets – from inform your client to know your product and beyond: an assessment of the PRIIPs Regulation, MiFID II/MiFIR and IMD 2. Revue Trimestrielle de Droit Financier
Shavell S (1979) On moral hazard and insurance. In: Dionne G, Harrington SE (eds) Foundations of insurance economics. Huebner international series on risk, insurance and economic security, Vol 14. Springer, Dordrecht
Smith ML, Kane SA (1994) The law of large numbers and the strength of insurance. In: Insurance, risk management, and public policy. pp 1–27. https://doi.org/10.1007/978-94-011-1378-6
Solove D (2006) A taxonomy of privacy. Univ Pa Law Rev 154:477–560
Soussan G, Woolfson P, Terruso D (2016) The GDPR from an insurance and financial intermediation perspective. BIPAR and Steptoe & Johnson LLP
Swire P, Lagos Y (2013) Why the right to data portability likely reduces consumer welfare: antitrust and privacy critique. Maryl Law Rev 72(2):335, pp 347–349
Tene O, Polonetsky J (2013) Big data for all: privacy and user control in the age of analytics. Northwest J Technol Intellect Prop 11:239
Thomas GR (2012) Non-risk price discrimination in insurance: market outcomes and public policy. Geneva Pap Risk Insur Issues Pract 37(1):27–46
Troncoso C, Danezis G, Kosta E, Balasch J, Preneel B (2011) Pripayd: privacy-friendly pay-as-you-drive insurance. IEEE Trans Depend Secure Comput 8(5):742–755
Tselentis DI, Yannis G, Vlahogianni EI (2016) Innovative insurance schemes: pay as/how you drive. Transp Res Proc 14:362–371
Van Boom WH, Desmet P, Van Dam M (2016) “If It’s Easy to Read, It’s Easy to Claim”—the effect of the readability of insurance contracts on consumer expectations and conflict behaviour. J Consum Policy 39(2):187–197
van Ooijen I, Vrabec H (2016) Does the GDPR enhance consumers’ control over personal data? An analysis from a behavioural perspective. J Consum Policy 42(1):95
Van Ooijen I, Vrabec HUJ (2019) Does the GDPR enhance consumers’ control over personal data? An analysis from a behavioural perspective. J Consum Policy 42(1):91–107
Wachter S, Mittelstadt B (2018) A right to reasonable inferences: re-thinking data protection law in the age of big data and AI. Columbia Bus Law Rev
Wachter S, Mittelstadt B, Floridi L (2017) Transparent, explainable, and accountable AI for robotics. Sci Robot 2:10.1126
Wallace N, Castro D (2018) The impact of the EU’s new data protection regulation on AI. Center for Data Innovation
Weiss J, Smollik J (2012) Beginner’s roadmap to working with driving behavior data. Casualty Actuarial Soc E-Forum 2(1):35
Zanfir G (2012) The right to data portability in the context of the EU data protection reform. Int Data Priv Law 2(3):149
Annex I
Based on the analysis Table 1 presents examples of what information needs to be made available to consumers to comply with the broad scope of information requirements under the GDPR and the IDD.
Rights and permissions
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter’s Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter’s Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.
Copyright information
© 2021 The Author(s)
About this chapter
Cite this chapter
van den Boom, F. (2021). Regulating Telematics Insurance. In: Marano, P., Noussia, K. (eds) Insurance Distribution Directive. AIDA Europe Research Series on Insurance Law and Regulation, vol 3. Springer, Cham. https://doi.org/10.1007/978-3-030-52738-9_12
DOI: https://doi.org/10.1007/978-3-030-52738-9_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-52737-2
Online ISBN: 978-3-030-52738-9
eBook Packages: Law and Criminology (R0)