1 Introduction

As insurance providers increasingly develop and adopt data-driven innovations, there is a need for a better understanding of how to regulate against the potential harm these innovations may cause.Footnote 1 A good example is the development of usage-based insurance products, or ‘telematics’, where data obtained from the vehicle through a device (such as speed, time and location) is used by insurers for various purposes, including more adequate risk assessment and personalised pricing.Footnote 2 Despite the benefits for consumers, who may obtain lower premiums and improve their driving, there are serious privacy concerns about the increased use of vehicle data by insurers.Footnote 3

Vehicle data will generally constitute personal data, and its processing by insurers, especially in combination with advanced data analytics, may have serious consequences for (potential) consumers.Footnote 4 Without adequate regulation in place, the uptake of telematics insurance and its benefits for consumers may be limited. On the assumption that well-informed consumers make better decisions about insurance products and services, this raises the question of what information should be provided and, specifically, whether current regulations enable insurers to share the relevant information with consumers.Footnote 5

To inform the current debate on telematics regulation with insight into the scope of the relevant requirements for information disclosure, this contribution analyses two recent regulatory developments at EU level:

  • the EU General Data Protection Regulation (GDPR), which applies to the processing of personal data in general;Footnote 6

  • the EU Insurance Distribution Directive (IDD), which specifically regulates consumer insurance distribution.Footnote 7

Following a brief introduction to telematics insurance, the key requirements of the GDPR and the IDD are discussed, together with the scope of information disclosure under each, concluding with the proposed role for the IDD in complementing the GDPR in the context of telematics insurance.Footnote 8

What is argued here is that both the GDPR and the IDD require a broad interpretation of the information necessary to improve consumer and personal data protection, and that insurers should consider taking an integrated approach to the information requirements of both instruments for effective and efficient compliance.Footnote 9

2 Telematics Insurance and the General Data Protection Regulation

2.1 Telematics Insurance

Modern vehicles are increasingly equipped with advanced sensor and communication technologies, generating vast amounts of data on the way the vehicle functions as well as on the driving style and habits of its users.

Access to this data, in combination with increasingly advanced data analytics, has made it possible for insurers to innovate and develop new products and services, including insurance based on the actual driving behaviour of consumers, or ‘telematics’ insurance.Footnote 10

The data vehicles generate can be obtained by insurers in several ways, for example by installing a telematics device such as a dongle in the policyholder’s vehicle.Footnote 11 Relevant types of data insurers may collect include when, where, how and for how long the car was used, as research shows that, for example, late-night and long-distance driving, speeding and heavy braking all correlate with an increase in accident risk.Footnote 12

Telematics enables insurers to improve their risk assessment and optimise their pricing accordingly.Footnote 13 As the assessment is based on actual driving data from the individual, this may lead to more precise risk pooling or even to fully personalised insurance pricing.Footnote 14 Another potential advantage is that insurers can monitor the data and provide drivers with feedback on their driving. In this way insurers may be able to reduce the risk of moral hazard as well as improve road safety, provided drivers are sufficiently incentivised to improve their driving, for example through a bonus or premium deduction.Footnote 15

Despite the benefits of telematics for both insurers and consumers, uptake has been slow, which can in part be explained by the concerns people have raised about privacy and security.Footnote 16

As insurers differ in what data they consider relevant for their risk and policy assessment, there is discussion over what data they should be allowed to access. The collection of GPS location data, for example, is controversial in telematics,Footnote 17 especially given that such data, when monitored over longer periods, may reveal sensitive information and possibly protected characteristics, and increases the risk of the data being used for non-risk-related analysis and premium setting.Footnote 18

In response to these concerns, the remainder of this section analyses to what extent privacy and data protection regulation helps consumers to become better informed and addresses some of their concerns about the way insurers obtain and process data when providing telematics insurance.

2.2 The General Data Protection Regulation (GDPR)

When an insurer wants to use vehicle data, which is generally considered personal data in the context of insurance, the processing will likely fall under the scope of the General Data Protection Regulation (GDPR).Footnote 19 The GDPR lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.Footnote 20 In particular, the first principle of the GDPR, that processing must be lawful, fair and transparent, is relevant to understanding the scope of the information requirements for insurers.Footnote 21 The principle of transparency is considered relevant in understanding what information must be made available to enable consumers to become aware of, verify and challenge the lawfulness of the processing of personal data and of automated decision-making processes.Footnote 22

Under the GDPR, insurers as data controllers are required to make certain information available either directly or upon a specific request for access to data from consumers.Footnote 23 The GDPR states that information must be given [..] in a concise, transparent, intelligible and easily accessible form, using clear and plain language, avoiding for example legalese or vague terms.Footnote 24

The principle of transparency further requires that insurers provide enough information to enable consumers to make use of their rights under the GDPR, which include the right of access. Because the GDPR does not provide much further guidance on what constitutes sufficient information, there are different interpretations of the level of detail and access to be provided, which are discussed further below.

In light of its aims, including enabling consumers to make better informed decisions about personal data processing, the GDPR requires that information be made available to consumers about the collection, use and consequences of the processing of personal data by insurers.Footnote 25 The GDPR requires insurers to provide the following information:Footnote 26

  • the identity and the contact details of the controller and, where applicable,

    • of the controller’s representative;

    • of the data protection officer;

  • the purposes and the legal basis for the processing;Footnote 27

  • the recipients or categories of recipients of the personal data;

  • the storage period, or if that is not possible, the criteria used to determine that period;

  • the existence of applicable rights including the following:

    • to request from the controller access to, rectification or erasure of personal data, and/or data portability;

    • to request from the controller restriction of processing and/or to object to processing;

    • to withdraw consent at any time;

    • to lodge a complaint with a supervisory authority;

  • whether there is an obligation to provide personal data to the insurer because of a statutory or contractual requirement, and what the possible consequences are when the consumer fails to do so;

  • when insurers make use of automated decision-making, including profiling, as referred to in Article 22(1) and (4), they must inform consumers thereof and give meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing.

Also, when personal data is not obtained directly from the consumer but indirectly, for example through data brokers, insurers must additionally inform consumers about:Footnote 28

  • the categories of personal data [obtained];

  • the source of the personal data and, if applicable, whether it came from publicly accessible sources.

Without clear practical guidance from the GDPR or case law, it remains difficult for insurers to know what level of granularity of data and detail of information is required to be compliant. This is problematic given that insurers face fines for non-compliance and consumers may not receive sufficient information to take well-informed decisions.Footnote 29 This contribution focuses on the latter, proposing to interpret the scope of the information necessary as broadly as possible in order to effectively empower consumers with control over the processing of personal data concerning them.Footnote 30

To comply with the GDPR, insurers must enable consumers to better understand the product on offer and, depending on the legitimate ground for processing, to give informed consent to the processing of their personal data and/or to challenge the collection and processing effectively by making use of their rights when personal data is processed for insurance purposes.Footnote 31 Therefore, when considering what information to provide, the level of detail must be sufficient for consumers to know what personal data is collected and how their personal circumstances, behaviour and characteristics have influenced decisions made about them. To enable consumers to validate and agree to the use of their personal data, they must be able to check whether the (proposed) processing is lawful and fair, which means that they need to be able to challenge whether the information used is correct and whether the decision-making process is accurate. Furthermore, they should be made aware of and better informed about the risks and potentially negative consequences for them personally, which for example includes being informed about the risks of bias, discrimination and system failure.Footnote 32

When it comes to personal data, the level of detail of the information about that data should be at the level of the individual, so that consumers can become aware of what data about them is used and whether this data is correct and relevant for the purpose. Providing consumers with categories only does not allow them to do so.Footnote 33

When data is obtained from other sources, consumers should be made aware that this is the case and be told what personal data is received, how it is being processed by the insurer and what the risks and consequences for them of the insurer processing this data are. Furthermore, they must be informed who the source is and how to contact them in order to challenge the accuracy of the data and the lawfulness and fairness of its processing by that source.

Insurers themselves may not have (access to) information from third parties. For example, where credit or fraud scores are obtained from third parties, insurers are unlikely to have access to the personal data and processes used to derive these scores, although one could argue that insurers must obtain this information given their responsibility to understand and ensure that their decision-making processes are compliant and, for example, not based on biased data. Consumers should be able to verify the validity of the personal data processing, including when a decision is based on data from third parties such as credit or fraud scores. They therefore need to be able to obtain the relevant information, including the personal data and processing that established such a score, either directly from the insurer or, when the insurer cannot provide this, through the contact details of the source and/or third party who can.Footnote 34

When it comes to information about the legal ground for processing, the level of detail should allow for a comprehensible explanation of why the chosen legal ground is the most appropriate for the proposed processing, considering its purpose. Consumers must, on the basis of the information given, be able to understand which of the six legal grounds the insurer has chosen and why, in order to challenge the lawfulness of the processing and of the personal data collected for the stated purpose.Footnote 35

Information for consumers about the risks and consequences of processing must enable them to decide whether to buy the insurance and with what coverage. It should also include how certain personal data influences insurance decisions, including their risk assessment. Whether information must be provided about how data contributes to the outcomes of decision-making processes, and also about how accurate these processes are, is heavily debated in the context of the scope of the GDPR requirement on the right to meaningful information about the logic involved in automated decision-making.

A broad interpretation requires the following: if a potential consumer is refused insurance, for example because of a negative fraud score, they should be able to obtain information on why this is, including how reliable the decision is. As insurers increasingly adopt more advanced automated processes for decision-making, there is concern that these processes become too opaque and can no longer be explained in terms of how the input data correlates with the outcome. Since it should be possible to explain to the consumer how their insurance needs, which are based on their current situation and behaviour, are met by the insurance product, this becomes problematic when no explanation can be given of the process by which the product is offered and its price set. This would not only make it impossible for consumers to challenge whether the processing of their personal data is fair and lawful but would also reduce their opportunity to change their situation and reduce their risk exposure.Footnote 36

Providing consumers with meaningful information would not only help improve overall risk in society but would also give consumers the choice of whether to buy certain insurance and from which insurer, stimulating competition not only on price but also on coverage and possibly on the level of privacy protection. It would also improve consumer trust in insurance more generally, as consumers would no longer be confronted with consequences they were not sufficiently aware of.

Concerning the product’s potential for negative personal consequences: as discussed in the previous section, telematics may not be beneficial for higher-risk drivers, who instead of being rewarded could face higher premiums than if they had purchased a more traditional form of car insurance. Improving their understanding of the insurance product and whether it addresses their needs, taking these and other consequences into consideration, would in such a case probably have led the consumer not to opt for telematics. It is proposed to help consumers make better choices by making available:

  • the assessment of their needs and demands and how the (proposed) insurance product meets their needs, but also where it does not; and

  • what changes they could make to influence risk factors that are under their control.Footnote 37

A concern about a broad scope of the information disclosure requirements is that it could not only harm consumers by causing information overload but also lead to an administrative burden for insurers, who also need to keep certain information confidential.Footnote 38 Because the GDPR takes into consideration the different rights and freedoms involved, including the insurer’s freedom to conduct business, the scope of the information requirements must remain balanced and proportionate.Footnote 39

2.3 GDPR Discussions on the Scope of Information Requirements

Ongoing discussions on the scope of the consumer’s right to access personal data, on the scope of the right to data portability and on the limits of processing personal data for profiling are briefly presented here to illustrate the lack of consensus about the scope of the GDPR requirements.Footnote 40

Based on the right to data portability, a consumer may request their insurer to send a copy of (a subset of) the personal data provided by the consumer to another insurer.Footnote 41 According to the interpretation of the Article 29 Working Party, this would include the vehicle data, as this is data (in)directly provided to the insurer by the consumer, but not, for example, the insurer’s risk score based upon the analysis of the telematics data, as this is considered inferred data.Footnote 42 A sufficiently broad scope of what personal data falls under data portability would allow consumers to switch more easily and would stimulate competition between insurers. However, it could also harm competition: insurers have warned of the consequences of having to share too much information, given the risk of disclosing valuable information. With respect to the factors used for target market selection and risk assessment, for example, insurers are concerned about the potential for fraud and unfair competition. As a result, insurers may become reluctant to contribute to the development of the data standards and interoperability required for further innovation, or to continue offering certain insurance products, which would be detrimental to consumers.Footnote 43

With respect to the rights regarding automated decision-making, insurers are required to inform consumers whether they make use of profiling, for example, and to give meaningful information about the logic involved, but no provision explains what this means or how it should be done in practice.Footnote 44 There is much debate on whether it is, and will continue to be, possible to explain processes that make use of advanced analytics, especially when data and computer science experts are no longer able to understand, let alone explain, how an algorithm reaches a certain outcome.Footnote 45 This has led some to propose that such systems should therefore not be used by insurers for critical decisions that would have significant effects on people’s lives. As insurance decisions about whether to accept or reject an application or a claim may have such a significant effect, insurers must take care when innovating their decision-making processes.Footnote 46 Although insurers may not yet have implemented automated decision-making, this is likely to change in the future, so there is an urgent need to understand the scope of the requirements and the potential exceptions in order for insurers to adopt and benefit from innovations without harming consumers’ rights to privacy and data protection.Footnote 47

Whether insurance innovations such as telematics, which use personal data and advanced processing, are stifled or enabled, and whether they will be beneficial for consumers, may further depend on the outcome of the discussions on the scope of the GDPR requirements.Footnote 48

3 Telematics Insurance and the Insurance Distribution Directive

Instead of a one-size-fits-all-industries answer to the questions about the scope of the GDPR information requirements,Footnote 49 a sector-specific approach is called for, which takes sector-specific demands and needs into consideration and is more likely to improve industry-wide compliance and protection without stifling innovation.Footnote 50 The previous section showed that, without consensus, it will remain difficult for insurers to know what information they must give to (potential) consumers regarding their processing of personal data for insurance purposes. To help understand the insurance sector and find an adequate scope for the information requirements that balances consumers’ need for information against insurers’ need to protect information, this section takes such an approach through an analysis of the EU Insurance Distribution Directive (IDD).Footnote 51

The focus is on the key IDD information requirements specific to insurers and on how these may complement the GDPR with a better understanding of the challenges within the insurance industry. To understand these requirements for insurers to disclose information to consumers, we first briefly discuss the relevant product oversight and governance requirements, as these determine what information has become available, and then the specific IDD requirements on what information must be made available to consumers in the context of telematics.

3.1 The Insurance Distribution Directive (IDD)

The EU Insurance Distribution Directive (IDD) aims to improve the way insurance products are sold so that they bring real benefits to consumers in the EU.Footnote 52 The IDD requires greater transparency on the pricing and costs of insurance products, better and more comprehensive information to improve consumer decision-making, and transparency and business conduct rules to prevent the mis-selling of insurance products to consumers.Footnote 53

The IDD requires insurers to comply with the general principle to act:

  • honestly, fairly and professionally;Footnote 54 and

  • in accordance with the best interests of their customers.Footnote 55

This applies not only to information disclosure but to the entire process of developing, testing and distributing insurance products in the EU.

Important to note here is that the IDD provides only minimum harmonisation of national provisions, allowing EU Member States to provide for a higher level of consumer protection proportionate to the additional administrative burden.Footnote 56 Member States could, for example, require insurers to disclose specific information such as ratings and risk factors so that consumers become better informed about insurance products such as telematics.

3.2 IDD: Product Oversight and Governance (POG) Requirements

The POG requirements contribute to improving insight and transparency about insurance products in several ways. Although the IDD POG requirements are addressed to insurers and distributors, they are important for the question of what data is available and how much of it must be shared with consumers.

To improve consumer protection and to offer products that are in consumers’ best interest, insurers are required under the IDD to have a proportionate and appropriate product approval process in place for each insurance product.Footnote 57

To comply, manufacturers of insurance products must do the following for each insurance product:Footnote 58

  • identify the target market based on the needs and demands of consumers;Footnote 59

  • assess the risks and costs involved;

  • design a distribution strategy consistent with the identified target market, reaching only those consumers whose needs and demands are best served by the product;Footnote 60

  • regularly review the product to ensure that marketed products continue to serve the needs of the target market and that the distribution strategy remains appropriate.Footnote 61 Distributors are therefore required to provide insurers with any information relevant to doing so.Footnote 62

To enable distributors to fully understand the products they intend to sell, insurers are required to share information about their product approval processes, including on the target market, the proposed distribution strategy and any circumstances that might cause a conflict of interest to the detriment of the consumer.Footnote 63 The information provided to distributors must be clear, complete and up to date.Footnote 64

The IDD also requires both insurers and insurance distributors to document their actions and to make this documentation available to the authorities upon request.Footnote 65 Although this is not information to be shared directly with consumers, it does require insurers and distributors to keep records and generally to be well informed themselves of any adverse effects of their products and services on their consumers.Footnote 66

Compliance with the IDD requires insurers to become better informed themselves and may increase the need to gather and analyse personal data in order to understand and continually assess their products in relation to the target market, and to document their steps for accountability purposes.Footnote 67 These efforts may, however, conflict with some of the data protection principles they must adhere to under the GDPR, such as data minimisation, storage limitation and data protection by design. This issue has been identified and is discussed further below.

3.3 IDD: Information Disclosure Requirements

Under the IDD, insurers must provide consumers with relevant information about the insurance product in a comprehensible form.Footnote 68 If a consumer is offered a contract, it must be consistent with their insurance demands and needs.Footnote 69 The IDD further states that the information given must be fair, clear and not misleading.Footnote 70

To decide what information consumers need, insurers must take into consideration the complexity of the insurance product and the type of consumer it is intended for.Footnote 71 For example, with new and innovative insurance products like telematics, consumers require more information to understand how telematics works and what the consequences are when they do not maintain a safe driving score based on the criteria set by their insurer. The rise in complaints about the perceived unfairness of telematics insurance illustrates such a lack of understanding of policy requirements, especially amongst young people, which could be improved through better and more comprehensible information.Footnote 72

The IDD contains several information requirements on the basis of which information must be provided to consumers. The following are relevant with respect to non-life insurance products such as motor vehicle insurance.

The insurance intermediary must give consumers relevant information, including about the following:Footnote 73

  • the intermediary’s identity and address;

  • whether the communication constitutes advice about the insurance products sold and, if so, a personalised recommendation explaining why this is the best product for the customer considering their demands and needs;

  • whether the proposed contract or advice is based on a fair and personal analysis;Footnote 74

  • the consumer’s right to complain and information about procedures for redress;

  • possible conflicts of interest and remunerations.Footnote 75

The IDD introduced a new information requirement for insurers to help consumers become better informed about non-life insurance products. The Insurance Product Information Document (IPID) is meant to give consumers key information about the product in a way that allows them to easily obtain the relevant information and compare between different insurers. The IPID contains the following information:

  • key information about the type of insurance;

  • a summary of the insurance cover, including

    • the main risks insured,

    • the insured sum; and

    • the geographical scope, if applicable;

  • the means and duration of the payment of the premiums;

  • the obligations at the start and during the term of the contract;

  • the obligations if a claim is made and main exclusions where claims cannot be made;

  • the term of the contract including the start and end dates of the contract;

  • the means of terminating the contract.

With respect to insurance-based investment products there are additional requirements.Footnote 76

3.4 Product Oversight and Governance

The Product Oversight and Governance requirements are relevant as they require insurers to test and monitor their insurance products to make sure these are, and remain, appropriate for their specific target market. To facilitate the implementation of the IDD, the European Commission adopted two Delegated Regulations containing implementing measures.

The delegated regulation on Product oversight and governance requirements for insurance undertakings and insurance distributors specifies the criteria and practical details for the application of the POG rules, based on the European Insurance and Occupational Pensions Authority (EIOPA) technical advice.Footnote 77

In addition, EIOPA as well as many other (national) authorities and organisations, such as the UK Financial Conduct Authority (FCA), have developed guidance on issues of interpretation or application of the IDD and its implementing measures. Their interpretation of the scope of the POG requirements is useful insofar as it requires insurers to obtain certain information which, under a broad interpretation of the scope of the information requirements towards consumers, should be made available to them.

To ensure consistent and effective application, EIOPA published its responses to questions about the POG product testing requirements.Footnote 78 To ensure that an insurance product meets the identified needs, objectives and characteristics of the target market, insurers must undertake appropriate product testing.Footnote 79 The product should be tested on all relevant dimensions. According to EIOPA, this should in particular include assessments of:

  • how the product works;

  • its performance;

  • its risk/reward profile;

  • price and coverage; and

  • information to consumers.

Considering the relevant information it contains, EIOPA recommends that insurers include a product scenario analysis in this testing. Another good practice according to EIOPA, for insurers who use driving behaviour for premium setting and want to know what information consumers must be given, is to take into account the level of information available to the consumers belonging to that target market and their financial literacy.Footnote 80 Further proposed good practices are consumer testing, to help assess the comprehensibility of insurance products to consumers, and analysing consumer complaints about similar products.Footnote 81

In the UK, the Financial Conduct Authority (FCA) gives practical examples of what it considers to be IDD-compliant advice for UK insurers.Footnote 82 According to the FCA, advice given by an insurer to a potential consumer that consists of proposing all available insurance products with only a generic statement for each product on what type of needs it will meet is most likely non-compliant, unless the insurer can show that it has identified the consumer’s demands and needs and that all the products offered are consistent with them.Footnote 83 Undertaking a demands and needs test for each consumer before advising on which insurance products are suitable may, however, lead some insurers to collect more, not less, personal data about potential consumers, which may be problematic in the context of the GDPR principles.

3.5 Information Disclosure: The Insurance Product Information Document

As mentioned, the IDD requires insurers to provide consumers with a simple, standardised Insurance Product Information Document (IPID) for non-life insurance products. The IPID, a new requirement introduced by the IDD for insurers, presents the key characteristics of each type of insurance product.Footnote 84 These include what is and what is not insured; what is covered and any restrictions on coverage; the policyholder’s key obligations, including payment; and, finally, information about the start, end and cancellation of the policy. As the IPID contains only key product information, it does not replace the need for consumers to receive more detailed information, including, when they receive an offer for a product, how the product meets their specific needs and demands. The IPID format includes a statement that all the necessary pre-contractual and contractual information is available elsewhere.Footnote 85

The key information on the IPID aims to enable consumers to quickly understand what the insurer offers and to compare offers from different insurers.Footnote 86 However, although most stakeholders welcomed the IPID and its purpose, there are serious concerns about whether the IPID in its current form is effective and proportionate; if it is not effective, it imposes a disproportionate administrative burden on insurers. The main concerns are whether consumers are in fact better informed and better able to make comparisons, and the risk that consumers over-rely on the basic information in the IPID. If consumers no longer read the main policy documents, they could end up less rather than better informed about the specifics of their insurance.Footnote 87

Research shows that the IPID may not present potential consumers with the key information they need to make an informed decision. A brief comparison illustrates serious differences in what insurers interpret as key information to be shared with consumers. For telematics car insurance, for example, a comparison of the IPIDs of a Dutch and a UK car insurance provider shows that the UK IPID mentions that the policy may be cancelled as a result of breaching the policy terms or committing severe traffic violations, whereas the Dutch IPID only mentions that driving behaviour may lead to a premium reduction, not that a traffic violation could lead to the policy being cancelled immediately.Footnote 88

Considering the impact on a consumer of having their insurance coverage cancelled, this should be regarded as key information.

Currently, the differing interpretations of what information should be given mean that the IPID does not allow consumers to make meaningful comparisons.Footnote 89 It is therefore also important to continue to monitor for signs of over-reliance on the limited information in the IPID, as this could leave consumers less informed about insurance products, contrary to its aim and purpose.

4 The GDPR and IDD Proposed Information Requirements

This final section presents the analysis, based on the previous sections, of the scope of the requirements under the GDPR and the IDD and of the interplay between the two, giving an overview of the key challenges and opportunities regarding the provision of information to improve consumer and data protection in the context of innovations in consumer insurance. Looking at the role of the IDD in light of the aims of the GDPR, the question is to what extent the GDPR and the IDD complement or contradict each other in their information requirements, and whether together they enable better-informed decision-making about innovations in insurance products and services.

4.1 Interaction Between the GDPR and IDD

Because the IDD aims to take the specificities of the insurance industry into account and to balance stakeholder interests, it can improve the understanding of the scope of the GDPR's information disclosure requirements for insurance products and innovations thereof. However, due to a lack of consensus among experts and practitioners, uncertainty about the key requirements and their interpretation remains, which may limit the development and adoption of otherwise beneficial innovations in the insurance industry.

Considering the IDD requirements in order to better understand the scope of the GDPR requirements for insurers may help to reduce the risk of excessive and disproportionate interpretations of the information to be provided to consumers in the insurance context.Footnote 90 This combined approach provides a more balanced understanding of the different interests involved in, and the characteristics of, the insurance industry, which is needed for better compliance with the GDPR requirements.

4.1.1 Better Informed Decision Making

This analysis is based on the understanding that greater transparency and better, more comprehensible information about insurance products and the processing of personal data enable consumers to make better-informed decisions and thereby contribute to consumer and privacy protection.Footnote 91

The IDD, when implemented in a way that makes adequate information about the processing of personal data available to consumers, has the potential to contribute to improved and informed decision-making about innovative insurance products such as telematics that require personal data processing.Footnote 92 Providing consumers with key information not only about how insurance products and services meet their demands and needs, but also about how their behaviour affects their risk score and what they could do to obtain a more favourable result, in terms of a lower premium or a lower chance of ever needing to claim, would benefit insurers as well as consumers, since it would improve people's understanding of how insurance works and their trust in the industry.

4.1.2 Improve Accountability and Responsible Business Practices

The IDD's specific requirements not only improve informed decision-making by consumers but also improve insurers' and distributors' understanding of what information should be made available under both the GDPR and the IDD.

4.1.3 Balancing Information Requirements

In practice, insurers are challenged to find the right balance between the need to collect data for analysis and monitoring purposes and compliance with the data protection principles of data minimisation and privacy by design and by default.

The IDD requires insurers to understand the demands and needs of consumers, not only to provide adequate products but also to know what information consumers need to make informed decisions about which insurance to purchase. Although this could be taken as an incentive to collect vast amounts of personal data, collecting more than the minimum personal data required to comply with the IDD would breach the GDPR, whose data minimisation principle protects consumers against the risks of excessive data collection.Footnote 93 In practice, insurers must be able to explain why a given data collection is appropriate and not excessive for understanding their target market and consumers' demands and needs.Footnote 94 In addition, insurers are required to regularly review whether their products remain adequate and their distribution appropriate for the identified target market(s). Insurers and their distributors must therefore monitor for adverse effects on (potential) consumers and on the market, including on the availability and affordability of insurance for vulnerable groups; monitoring the impact of acceptance criteria for potential bias against or discrimination of protected groups is one example. This again requires the collection of personal data to gain the relevant insights. Since the IDD requires insurers to document their actions, including the steps taken to avoid adverse effects, insurers who fail to justify that collection risk non-compliance with the IDD as well as fines under the GDPR.

The above examples illustrate why insurers should not run separate compliance procedures for the IDD and the GDPR but integrate both into their product development and decision-making processes from the outset. This reduces overlap and administrative duplication, and reduces the risk of non-compliance, because the insurer is then able to explain and justify the collection and processing of personal data.Footnote 95

4.1.4 Information Disclosure: Proposed Scope

The GDPR and the IDD, when the information disclosure requirements for insurers towards consumers are interpreted with a sufficiently broad scope, would cover all the information consumers need to decide which insurance product best meets their needs. It would also enable them to hold insurers accountable for providing adequate safeguards to mitigate adverse effects, or for providing redress when decisions negatively affect people's lives. Adequate information disclosure contributes to reducing the risks of bias and discrimination where disclosure includes the means to challenge decisions made by insurers using automated processes. If there is no way to provide explanations that help consumers understand how decisions affecting them are made, including what they should do to reduce their risk, such systems arguably should not be used for critical processes.Footnote 96

4.2 Information Disclosure: GDPR and IDD Integration for Better Compliance

Compliance with the IDD should contribute to the aim of the GDPR to enable consumers to become well informed and better protected against harm from personal data processing by insurers by bringing a sector-specific interpretation and balance for the scope of the GDPR.Footnote 97

The sector-specific requirements of the IDD and the more general GDPR requirements on transparency and information disclosure should therefore be considered by insurers not in isolation but as complementing each other. The consequences are significant: an insurer that decides not to make the required information available, or not to have it available, not only risks non-compliance with the IDD but could also face fines under the GDPR.Footnote 98 It is therefore important for insurers to consider the IDD and GDPR requirements together rather than run separate compliance processes.Footnote 99 This combined approach provides a more balanced understanding of the different interests involved in, and the characteristics of, the insurance industry, which in turn contributes to a better understanding of, and compliance with, the GDPR requirements.

Returning to the main concern on whether consumers can obtain the information that allows them to make informed decisions regarding telematics insurance the following can be said:

4.2.1 The IDD Contributes to Transparency in and About Insurance

Transparency about, and information on, personal data processing by insurers will enable consumers to become better informed about telematics and other innovations in insurance for which the processing of personal data is necessary.Footnote 100 Although it is argued here that insurers should generally make more information available than they currently do in practice, this has to be proportionate, taking into account the consequences for insurers, including the additional administrative burden and the risk of unfair competition.Footnote 101

4.2.2 Recommendations: Self-Regulation Regarding Information Disclosure

Despite the uncertainty caused by the lack of clearer guidance on how to comply with the GDPR requirements, it seems unlikely that such guidance will be issued, nor would it be desirable given the differing national and sector-specific needs and demands regarding what information is required. The insurance industry should therefore continue to take a proactive approach to addressing legal uncertainties about the scope of information to be provided in compliance with the GDPR and the IDD. The absence of legal clarity and specific requirements also gives the insurance sector the opportunity to develop standards and industry-specific codes of conduct regarding the GDPR information requirements.Footnote 102

The EDPS considers that codes ‘[…] represent an opportunity to establish a set of rules which contribute to the proper application of the GDPR in a practical, transparent and potentially cost effective manner that takes on board the nuances for a particular sector and/or their processing activities.’Footnote 103 The development of sector-specific initiatives, including codes and certifications, to ‘enhance transparency and compliance’ and to contribute to ‘the proper application of the Regulation’ is encouraged under the GDPR.Footnote 104

An industry-wide approach, developing practical guidelines based on a shared interpretation of the scope, is recommended. This could take the form of standards and/or an insurance code of conduct focusing specifically on information disclosure in compliance with both the GDPR and the IDD.Footnote 105 The IPID could also play a more prominent role here by including information on personal data processing, allowing consumers to compare insurers on the level of privacy protection they provide as well.

4.2.3 Recommendations: Include Privacy Information/Icons on the IPID

To stimulate competition among insurers, the level of privacy protection they offer could be monitored, compared and communicated to consumers. Research shows that icons can be used to ‘effectively communicate complex and lengthy privacy policies to consumer.’Footnote 106 This could be done through the IPID, helping potential consumers make more informed choices between insurers based on how they use and protect personal data.Footnote 107 Research on privacy icons shows that they are promising in helping consumers become better informed.Footnote 108

To conclude: as both the GDPR and the IDD are recent developments, it remains to be seen how national implementation and the proposed interpretations in the sector will play out in practice.Footnote 109 Monitoring developments following the implementation of the GDPR and the IDD therefore remains essential for the insurance industry, to see whether a broader scope of information disclosure improves consumer (data) protection without negatively affecting, for example, insurers' incentives for and investments in developing innovative insurance products and interoperability.Footnote 110

Acknowledging that the insurance industry faces specific challenges in complying with the information requirements under the GDPR, this chapter has analysed the requirements under the GDPR and the IDD that are specific to insurers. The analysis shows that there is concern about the scope of the information insurers must make available to consumers in light of the aims of both the GDPR and the IDD. Too broad an interpretation of what information, and what level of detail, must be provided may impede insurers' ability to innovate and remain competitive while still providing affordable insurance to as many people as possible. Too narrow an interpretation would not allow consumers to become well informed or to challenge decisions made by insurers that may adversely affect them. Striking this balance is made harder where regulation overlaps, contradicts itself or leaves room for interpretation.Footnote 111 As legal uncertainty may stifle otherwise beneficial innovations based on personal data and automated decision-making, there is a clear need for more research into the specific challenges facing the insurance industry.