Progress on the proposed EU data protection law
European policymakers are holding discussions on a new data protection framework, for application across all industries, including insurers and insurance intermediaries.
Insurers, like all businesses operating in Europe, are subject to European and domestic data protection laws which protect personal data, whether it is processed by automated means or held in structured manual files. The current framework regulating data privacy in the EU dates back to 1995. It is set out in the Data Protection Directive (95/46/EC), implemented in UK law by the Data Protection Act 1998.
In January 2012, the European Commission put forward its original proposal for a General Data Protection Regulation (GDPR), aimed at updating and modernising the legislative framework currently in place. Two years later the European Parliament adopted an amended version of that proposal. In June 2015, the Council of the EU (composed of representatives of the 28 EU Member States) agreed a ‘general approach’ on the draft GDPR. This paved the way for trilogue negotiations between the three institutions, aimed at adopting a final text acceptable to all of them. Negotiations on the crucial details started at the end of June and are expected to continue throughout the second half of 2015, until agreement on a final text is reached.
Because a final text is yet to be agreed, this article is based on the three different texts reflecting the position of each EU institution involved in the legislative process. The provisions described below are likely to change as the Commission, Council and Parliament converge on a final text.
Key elements of the proposals are set out below.
- Harmonisation – The current EU data protection law takes the form of a Directive: it sets minimum harmonised standards which each Member State must transpose into national law, and which national parliaments can tailor to domestic needs. The GDPR, as a Regulation, will be directly applicable in all Member States without needing to be implemented into national law.
- Data processing – The proposal sets out the grounds on which firms (data controllers, and processors acting on their behalf) may lawfully process ordinary personal data. These include processing that is necessary for the performance of a contract, or for compliance with a legal obligation to which the controller is subject.
- Sensitive personal data – The conditions for processing sensitive data, such as information concerning health or criminal convictions, include the explicit consent of the data subject. However, each institution proposes additional grounds on which controllers could process such data. Which of these survive will depend on the outcome of the negotiations; at this stage, the final position is a matter of speculation.
- Cross-border data transfers – The proposal restricts transfers of personal data to countries outside the EU. The GDPR will also apply to controllers and processors established outside the EU if they offer goods or services to, or monitor, individuals in the EU. The proposal does, however, identify a number of routes that allow cross-border transfers without additional safeguards. For instance, if the European Commission has issued an “adequacy decision” finding that the non-EU country provides an adequate level of protection, transfers to that country can proceed without further requirements.
- Breach notification – The proposed text introduces demanding breach notification requirements. Under the Commission’s text, firms would have to notify a personal data breach to the supervisory authority within 24 hours of becoming aware of it; the Council’s text would relax this to “without undue delay and, where feasible, not later than 72 hours”.
- Sanctions – Under the Commission’s proposal, the supervisory authority can impose a fine of up to €1 million or up to 2% of a company’s annual worldwide turnover on companies that intentionally or negligently breach the rules. The European Parliament goes further and proposes fines of up to €100 million or 5% of a company’s annual worldwide turnover, whichever is greater.
Impact on the Lloyd’s market
The new rules will apply to Lloyd’s managing agents and their intermediaries who, under the legislation, will be “data controllers” of the personal and sensitive data used in their business. Managing agents and intermediaries collect and use vast amounts of personal and sensitive data concerning policyholders and prospective insureds. The underwriting and claims stages are especially data rich, and the data collected can also be used for fraud prevention, marketing and risk pricing.
While some of the provisions update the principles set out in the 1995 Directive to bring them in line with the challenges posed by technology, other provisions may depart from today’s legislative framework. Lloyd’s managing agents and insurance intermediaries operating in the Lloyd’s market will therefore be required to take appropriate steps to update their internal data protection policies to comply with the new provisions.
What can we expect?
The earliest an agreement may be reached by the EU institutions is December 2015. However, given the sensitivity of the issues still to be agreed, a delay into 2016 would not be a surprise. After the Regulation enters into force there will be a two-year implementation phase, during which authorities and businesses must put in place the measures needed to comply with the new law. It is therefore likely that the new rules will apply from the end of 2017 or the first half of 2018.