European insurers face consent requirement ‘patchwork’ under GDPR
Insurers are hoping that the pan-European data protection advisory body will intervene to safeguard the sector's ability to handle sensitive consumer data across the bloc after the General Data Protection Regulation (GDPR) takes effect.
From 25 May, GDPR will significantly bolster EU residents' rights over how their data is handled and introduce heavy fines of up to EUR20mn ($24.6mn) or 4 percent of a company's global annual turnover, whichever is greater, for firms that break the rules.
But as member states transpose the EU framework into national law a patchwork of different approaches to the insurance sector is emerging.
Insurers are looking to the Article 29 Working Party, which brings together the national data protection authorities, for guidelines on how the industry can work within the new rules. At issue is GDPR's requirement that an individual's explicit consent be obtained before sensitive data about them is processed.
In the UK, the sector is hoping that a legislative amendment that provides for the handling of "special category data" for insurance purposes survives the final parliamentary reading.
Germany has used other provisions in its implementing law to give the sector some room, while Austria has transposed the EU regulation into domestic law without any derogation for insurance.
Local derogations will in any case apply only to data controlled or processed within that member state, so insurers will have to follow different rules when data moves across borders.
Insurers are turning to the Article 29 body after Insurance Europe was unable to convince the European Commission to make provision for the sector in the original framework, one source said.
The Article 29 guidelines would "provide the necessary legal certainty for insurers to conduct their business and will prevent fragmentation across member states", another source said.
In particular the guidelines need to provide certainty to insurers that consent "is deemed freely given, and thus valid", the source added.
The Article 29 body is expected to look at what consent, the withdrawal of consent and conditional consent mean in the context of GDPR.
"The guidance will have to be consistent with national derogations but there is room to give guidance as to what consent amounts to and exactly what withdrawal of consent means," one person said.
Insurers in those countries that do not implement derogations will be reliant on the original GDPR framework and any guidelines issued by the Article 29 body.
In the UK, Information Commissioner Elizabeth Denham has called for amendments to the draft legislation after its second reading in the House of Commons.
She is seeking beefed-up enforcement powers for her office and also the inclusion of a provision that would enable representative bodies to make "super-complaints" on behalf of consumers without their explicit mandate.
The draft legislation in the UK, which will replace the 1998 Data Protection Act, is out for public consultation.