
Consumers as Policyholders in the era of Big Data and Internet of Things: a first appraisal


Academic year: 2021


Consumers as Policyholders in the era of Big Data and Internet of Things: a first appraisal.

Daniela Pizzuto, student number 11359366 (2017)
avv.danielapizzuto@libero.it

Thesis Master: European Private Law
Supervisor: Candida Leone

University of Amsterdam
Date of submission: 28.07.2017


Table of contents

Abstract
Introduction
Chapter 1 - Insurance contract, Big Data and Internet of Things
1.1 The insurance contract
1.2 Big data and Internet of Things
1.3 Benefits of data
1.4 Discrimination risk
Chapter 2: EU rules on data protection
2.1 Data Protection Directive and General Data Protection Regulation
2.2 Data protection rules on auto telematics insurance
Chapter 3: Impact of data
3.1 Utmost good faith?
3.2 The consent paradigm
3.3 Information duties
Conclusion
Bibliography


Abstract

This paper is a first appraisal of the challenges that Big Data and the Internet of Things are posing. In particular, it investigates the impact of this technological revolution on telematic car insurance contracts. Big Data and the Internet of Things allow insurers to extract a great deal of information about their potential customers, so that they can remain profitable. The legal concerns that arise from this situation relate to data protection and consumer protection.

The paper describes telematic insurance contracts by setting out the main rules of insurance contracts and the specific kinds of telematic car insurance contracts that are nowadays offered to consumers. The existing data protection rules are described with a view to consumer protection rules. The description leads to some legal concerns related to the topic, in order to evaluate whether the existing legal rules are sufficient to address them.


Introduction

Big data and the Internet of Things (hereinafter IoT) are both elements of the technological revolution that is currently taking place. Big data are defined as the ‘large amounts of different types of data produced with high velocity from a high number of various types of sources’.1 The Internet of Things refers to the increasing number of objects connected through the internet: ‘a global architecture in which things (objects) are able to process, store, and communicate information about themselves and other things’.

The expression ‘telematics auto insurance contracts’ refers to auto insurance contracts provided with telematics devices that monitor the insured auto.2 These telematics devices belong to the category of the Internet of Things, whereas the data generated by them fit the definition of big data. Moreover, it is important to specify that these insurance contracts are not called “telematics” because of the means by which the contracts are concluded, but rather because of the telematics devices that monitor the insured auto. In this respect the means by which the insurance contracts are concluded is irrelevant.

It is important to stress that this information revolution involves not only the car insurance sector but also other insurance fields such as health or home. Even though the correlations between the Internet of Things, big data and insurance contracts are not limited to the car sector, in recent years there has been significant growth in telematic car insurance contracts. As a consequence, this paper focuses only on the car insurance field and is to be considered only a starting point for investigating the related legal issues. However, the scope of this research covers exclusively the impact of data in business-to-consumer transactions.

Policyholders, as consumers entering into such a contract, give the insurance company the chance to monitor their driving behavior thanks to the information collected and processed by these telematic devices. Telematic devices can be, for instance, black boxes and/or mobile phones. These contracts are offered to consumers with the promise of reducing the insurance premium according to the evaluation of their driving behavior. The assumption is that the safer a driver you are, the greater the discount that can be offered to you. Thus, data produced by installed telematics devices influence the contract in terms of the insurance premium.

1 Commission (EC), ‘Towards a thriving data-driven economy’, (Communication) COM (2014) 442 final, 2 July 2014, p. 4.

2 Mehdi Khosrow-Pour, (2013), ‘Dictionary of Information Science and Technology’, Second Edition, IGI Global

Furthermore, the insurance sector is particularly affected by consumers’ data that insurance companies can collect from third parties, or by data that an insurance company can extract, for instance, from social media. All these data may have a great impact in the pre-contractual stage, since companies can understand more precisely what kind of customer you are.

Due to the impact that collected personal data may have on car insurance contracts, the present paper describes this phenomenon with the aim of investigating the impact of big data and IoT on insurance contracts, in order to evaluate whether consumers as policyholders are strong enough to deal with the related issues. It is important to underline that in the present paper the term ‘big data’ is also used to denote a sub-process in the overall process of ‘insight extraction from big data’.3

Personal data and the so-called phenomenon of datafication, which refers to the chance afforded by big data ‘to render into data many aspects of the world that have never been quantified before’,4 are the core elements of the aforementioned issues. The Directive on Data Protection (hereinafter DPD) and the General Data Protection Regulation (hereinafter GDPR) seem to be the ground on which this phenomenon can be evaluated.5 This appraisal will be done by investigating whether the data protection rules are strong enough to protect consumers as policyholders.

3 Gandomi, A., & Haider, M., ‘Beyond the hype: big data concepts, methods, and analytics’, International Journal of Information Management, 35(2), 137-144, (2015), p. 140.

4 Mayer-Schönberger, V., & Cukier, K., ‘The Rise of Big Data: How it’s Changing the Way We Think about the World’, Foreign Affairs, 92(May/June 2013), 28–40, p. 29. See also Rhoen, M., ‘Beyond consent: improving data protection through consumer protection law’. Internet Policy Review, Journal on internet regulation, Volume I Issue 1 (2016), p. 1. See also Rhoen, M., ‘Big Data and Consumer Participation in Privacy Contracts: Deciding who Decides on Privacy’ (2015), Utrecht Journal of International and European Law, 31(80), 51–71.

5 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ No L 281/31. Regulation (EC) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, OJ L 119/1.


The research question, therefore, will be: ‘How do the existing EU data protection rules guarantee the protection of the policyholder as a consumer entering into a telematic car insurance contract? Are these rules sufficient to protect consumers?’.

In order to answer the research question the present paper will be divided into two parts which require two different research methods: descriptive and normative.

In order to describe the issue and the legal framework, a classical doctrinal legal method will be adopted, as it is the most appropriate for describing what the problem is and what the law is from an internal perspective. In the present paper, therefore, the legal sources available for investigating the topic are the DPD and the GDPR. To describe the technical aspects of telematics insurance contracts, which are outside the knowledge of the author, this paper will rely on research already carried out on the subject. Moreover, in the first section the insurance contract will be defined taking into account the rules provided by the Principles of European Insurance Contract Law (hereinafter PEICL), which is part of a program set up to create a Common Frame of Reference (CFR) for European general contract law, as recommended by the European Parliament. In particular, the PEICL is focused on establishing a voluntary insurance contract law regime across the EU. These rules cover all contractual stages of the relationship between the parties: before, during and after the insurance contract is entered into. In the present paper this choice is determined by the fact that insurance contract law is not unified at EU level. Furthermore, the Insurance Distribution Directive6 will also be taken into account, as well as one of the cornerstones of the European Commission's consumer strategy, namely the Consumer Rights Directive7.

Then, Big data and the Internet of Things will be described in relation to telematics insurance contracts. The descriptive part will continue by describing the existing legal framework on data protection, namely the EU data protection rules. The sources will be investigated with an emphasis on how the EU data protection rules can afford protection to policyholders entering into a telematic insurance contract.

6 Directive (EU) 2016/97 of the European Parliament and of the Council of 20 January 2016 on insurance distribution (recast).

7 Directive 2011/83/EU of the European Parliament and of the Council of 25 October 2011 on consumer rights, amending Council Directive 93/13/EEC and Directive 1999/44/EC of the European Parliament and of the Council and repealing Council Directive 85/577/EEC and Directive 97/7/EC of the European Parliament and of the Council.


The second part will assess whether these rules are sufficient to afford protection to consumers as weaker parties. A normative method will be adopted in order to evaluate the rules described in the previous section. This evaluation will be done by analyzing whether the rules described in the first part are able to address the issues related to the topic, such as the protection of policyholders as consumers and the reduction of information asymmetry between consumers and insurers. The findings of these analyses will be combined in order to answer the research question.

In order to answer the research question, this paper is structured into three chapters. Chapter one will introduce the general elements of the insurance contract and the technical aspects of big data, IoT and the telematic car insurance contract. Benefits and discrimination risk will be described.

Chapter two will continue by describing the EU rules on data protection, also as applied to the specific telematic insurance contract, analyzing how data can influence the stages of the contract.

In the third chapter, the problematic points highlighted in the first and second parts will be analysed with a general view to data and consumer protection rules. In more detail, it will be investigated whether the mechanisms which enable data processors and data controllers to use personal data are enough to protect the autonomy of consumers as policyholders and to reduce the imbalance between the parties. In other words, it will be investigated whether those elements, which are particularly addressed by consumer protection rules, are promoted or frustrated by data protection rules.

The findings will be briefly analysed in order to draw a conclusion.


Chapter 1: Insurance contract, Big Data and Internet of Things

This chapter introduces a definition of insurance contract taking into account the principle stated by the PEICL. The research will continue by introducing the concept of big data and giving some technical information about telematics insurance contracts. The effects of telematic insurance contract will be, then, enumerated.

1.1 The insurance contract

As mentioned in the introduction, there is no harmonized insurance contract law within the Member States. Insurance contracts are regulated by the national law of each Member State. However, the European Commission strategy called “Europe 2020” has set the aim, among others, of removing contract-related barriers to cross-border insurance services in order to promote economic growth within the Member States.8

Due to the existing lack of harmonization, in order to briefly describe the essential elements of insurance contracts, this research will rely on the Principles of European Insurance Contract Law.9 The Project Group "Restatement of European Insurance Contract Law" elaborated the Principles of European Insurance Contract Law (PEICL) with the aim of overcoming the legal barriers that do not allow cross-border services. The PEICL, then, ‘could be considered a set of rules amounting to a common understanding of insurance contract law throughout Europe’.10

The insurance contract, as defined by art 1:201 (1) of the PEICL, is ‘a contract under which one party, the insurer, promises another party, the policyholder, cover against a specified risk in exchange for a premium’. The premium is ‘the payment due to the insurer on the part of the policyholder in return for cover’.11 The essential elements of an insurance contract then are ‘the transfer of the economic consequences of risk to the insurer and the policyholder’s obligation to pay for this transfer’.12 The probability that the insured event will occur is uncertain. Therefore the assessment of the premium is related to the likelihood that the insured event will happen.

8 European Commission website, ‘Insurance Contract Law’, http://ec.europa.eu/justice/contract/insurance/index_en.htm.

9 Principles of European insurance contract law (PEICL)/prepared by the Project Group "Restatement of European Insurance Contract Law"; established by Fritz Reichert-Facilides; chairman: Helmut Heiss. ed. by the Drafting Committee: Jürgen Basedow ... [et al.], München:Sellier, 2009.

10 PEICL Introduction paragraph 17.

11 PEICL 1:201 (6).

Since the aim of the contract is to transfer the risk to the insurer and the circumstances surrounding the risk lie mostly in the knowledge of the applicant, the latter is required to give the insurer a chance to evaluate the risk as precisely as possible.13 Therefore the duty to disclose any relevant information is seen as an essential element where the risk needs to be assessed. This is the reason why insurance contracts are governed by the utmost good faith principle: that is to say that both parties are required to disclose all relevant information both during the application process and the performance of the contract.

The duty of utmost good faith is recognized by all European insurance law.14 However, there is a fundamental division among Member States between the duty of spontaneous disclosure15 and the duty to answer the insurer’s questions.16 In some Member States the duty of spontaneous disclosure is limited to information of evident importance for the assessment of the risk, and it is not required to disclose information which is either known or presumed to be known by the insurers. Where, instead, the duty to answer the insurer’s questions is in force, it is fulfilled simply by answering the questions drawn up by the insurer.

The PEICL has adopted the questionnaire approach, in line with the evolution of this topic in recent years.17 The adoption of the question method is explained by the fact that it is more difficult for a policyholder to assess what kind of information is relevant for insurers in the evaluation of insurance risk, whereas imposing an obligation on the insurer to ask clear and precise questions is more likely to reduce unnecessary transaction costs and rule out later disputes between insurers and policyholders.18

12 PEICL, section two general rules comments art. 1:201, para C.2.

13 PEICL p. 104.

14 PEICL p. 105, 106.

15 Austria, Belgium, Italy, Luxembourg, Portugal and, in part, the United Kingdom. See pages 106, 107, 108 PEICL.

16 Finland, France, Germany, Greece, Poland, Spain, Switzerland and the United Kingdom. See pages 106, 107, 108 PEICL.

17 PEICL p. 105.

18 Olavi-Jüri Luik, ‘Do the Principles of European Insurance Contract Law Go Too Far in Protecting the Policyholder?’, JURIDICA INTERNATIONAL XVIII/2011, p. 75, available at


Thus, according to the rules of the PEICL, policyholders have to disclose the information asked for by the insurers through a questionnaire. Art. 2:101 of the PEICL, consequently, imposes on the parties a specific duty of disclosure in the pre-contractual stage, according to which the applicant shall inform the insurer ‘of circumstances of which he is or ought to be aware, and which are the subject of clear and precise questions put to him by the insurer’. This extends to circumstances of which ‘the person to be insured was or should have been aware’.19

In the contractual relationship the insurers, too, are required to act in good faith20 and they have to provide the applicant in the pre-contractual stage with a copy of the proposed contract terms as well as a document which includes the relevant information.21

These pre-contractual duties to inform are a clear means of providing protection to consumers and of balancing the knowledge of the parties entering into an insurance contract. They are in line with the European consumer protection rules already in force, namely the Consumer Rights Directive (hereinafter CRD).22 Art. 5 of the CRD places on the trader a pre-contractual duty to inform ‘before the consumer is bound by a contract’. Consumers have to be informed of the main characteristics of the goods or services; the trader’s identity; the total price of the goods or services; the arrangements for payment, delivery and performance; a legal guarantee for the conformity of the goods; after-sales services and commercial guarantees; the duration of the contract; and the functionality of digital content and the interoperability of digital content with hardware or software.23 However, it is important to stress that the CRD is not applicable to insurance contracts24, which are explicitly excluded from the scope of the Directive itself. Consequently, pre-contractual duties to inform, in this specific area, are not covered by general EU consumer legislation on the topic. Instead, specific rules are provided by EU insurance directives25, the most recent of which is the Insurance Distribution Directive26 (hereinafter IDD).

19 The solution adopted by the PEICL is in line with the questionnaire system Vs the duty of spontaneous disclosure.

20 Art. 2:701 PEICL.

21 Art. 2:202 PEICL.

22 Directive 2011/83/EU.

23 K. Tonner, The Consumer Rights Directive and Its impact on internet and other distance consumer contracts, p. 401, in N. Reich, H.W. Micklitz, P. Rott and K. Tonner, European Consumer Law, 2nd edition, Intersentia 2014.

The IDD has to be implemented by all EU Member States by 23 February 2018. This Directive introduces the Insurance Product Information Document (hereinafter IPID) for all non-life insurance products across the European Union.27 The IPID is intended to be a summary of the pre-contractual terms through which consumers are able to take an informed decision when purchasing an insurance contract. The IPID is a stand-alone document and it has to be short, comprehensible, accurate and not misleading, provided on paper or on another durable medium.28 The IPID must contain the following information: information about the type of insurance; a summary of the insurance cover, including the main risks insured, the insured sum and, where applicable, the geographical scope and a summary of the excluded risks; the means of payment of premiums and the duration of payments; main exclusions where claims cannot be made; obligations at the start of the contract; obligations during the term of the contract; obligations in the event that a claim is made; the term of the contract, including the start and end dates of the contract; and the means of terminating the contract. The IPID is considered so important that it has to be provided even where the insurance distribution activity is outside the scope of the IDD.29

Following the utmost good faith principle, the PEICL has also provided a post-contractual duty to inform during the performance of the contract itself: under art 2:701, thus, the insurer has to inform the policyholder of changes concerning the name, address, legal form, address of its head office and of the agency or branch which concluded the contract. Upon written request of the policyholder, the insurer is required to inform the policyholder of ‘a) all matters relevant to the performance of the contract; b) new standard terms offered by the insurer for insurance contracts of the same type as the one concluded with the policyholder’.30

25 Art. 3 Directive 2002/65/EC of the European Parliament and of the Council of 23 September 2002 concerning the distance marketing of consumer financial services and amending Council Directive 90/619/EEC and Directives 97/7/EC and 98/27/EC, Art. 36 and Annex Life Insurance Directive; Art. 43 Directive 92/49/EEC of June 1992 on the coordination of laws, regulation and administrative provisions relating to direct insurance other than life insurance and amending Directive 73/239/EEC and 88/357/EEC (third non-life insurance Directive (which has not been repealed by the Solvency II Directive); Art. 5, 6 Directive No. 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Directive on electronic commerce); Art. 183 -184 (for non-life insurance products) and Art. 185 (life insurance contracts) of the Solvency II Directive.

26 Insurance Distribution Directive (recast) (EU) 2016/97, articles 17- 25.

27 Art. 20 IDD.

28 Art. 20 (7) IDD.

29 Art. 1 (4) (c) IDD.

Pre-contractual information duties are a very popular instrument within EU consumer legislation. The rationale is that the trader is more informed than the consumer and that this information imbalance has to be corrected. However, as several scholars have observed, it is not always true that consumers are able to process and comprehend all the given information before taking a decision. This has led to the consideration that pre-contractual information duties would be more effective for consumers if the information were made available only when needed in the transactional decision process.31

The growth of information technology, in particular of big data and the Internet of Things, is generally increasing the quantity of information available. The next paragraph describes how these technologies can influence insurance contracts and in particular the so-called telematic insurance contracts.32

1.2 Big data and Internet of Things

The European Commission Communication on Data Driven Economy33 defines Big data as ‘large amounts of different types of data produced with high velocity from a high number of various types of sources’. The given definition refers to the most cited definition of the ‘three Vs’ given by Gartner.34 Gartner defines Big Data as ‘high volume, high velocity and high variety information assets that demand cost-effective, innovative forms of information processing for enhanced insight and decision making’. Volume refers to the huge amount of information generated by the internet, social media etc. Variety refers to the increased capacity to create new connections between the information available thanks to information technology. Velocity refers to the quick generation of data and to the capacity to analyze them quickly.

30 Art. 2:702 PEICL.

31 Wilhelmsson, T. & Twigg-Flesner, C. (2006). Pre-contractual information duties in the acquis communautaire. European Review of Contract Law, 2(4), pp. 441-470, p. 454.

32 See the definition already given in the introduction of this paper, p. 1.

33 Commission (EC), ‘Towards a thriving data-driven economy’.

34 Gartner IT Glossary, <http://www.gartner.com/it-glossary/big-data/> accessed 14 June 2017. See also Ward J. S. and Barker A., “Undefined By Data: A Survey of Big Data Definitions”, School of Computer Science University of St Andrews, UK, (2013).


The term Big Data also includes ‘the technologies and procedures followed to process and analyse the data to unlock income-generating insights, to reveal patterns or correlations, to generate new ideas or solutions or, importantly, to predict future events in a more accurate and timely manner’.35 In this view it is relevant to stress that the value created by big data lies in the insights drawn from the analysis of the meaningful correlations and relationships between them.36 Value, thus, is created when actionable insights are drawn from this analysis.

Data and personal information have been defined as ‘a substantial intangible asset used for the purposes of value creation, comparable to copyright, patents, intellectual capital and goodwill’37 or, in other words, as “the new oil”38. Nowadays data are created in several ways, e.g. social networks, search engines, e-commerce.39 This is directly connected to the increased number of internet users: in the last five years the global internet population has grown by more than 60%.40

Another source of data is the increasing number of devices interconnected through the Internet: the so-called Internet of Things41. The Internet of Things is defined as ‘a global architecture in which things (objects) are able to process, store and communicate information about themselves and other things’.42 The use of this term is attributed to Kevin Ashton, who in 2009 mentioned it claiming the necessity for an Internet for Things as a standardized way for computers to capture information from the real world and to understand it43.

35 Joint Committee Discussion Paper on the Use of Big Data by Financial Institutions, JC 2016 86, p. 7.

36 M. Murphy and J. Burton, ‘From a Sea of Data to Actionable Insights: Big Data and What It Means for Lawyers’ in Intellectual Property & Technology Law Journal, Volume 26, Number 3, March 2014, p. 8.

37 Preliminary Opinion of the European Data Protection Supervisor, ‘Privacy and competitiveness in the age of big data: the interplay between data protection, competition law and consumer protection in the Digital Economy’, March 2014, p. 9.

38 See inter alia Kuneva M., European Consumer Commissioner, Roundtable on Online Data Collection, Targeting and Profiling, Brussels, 31 March 2009.

39 See also Preliminary opinion of the European Data Protection Supervisor, March 2014, p 9. See also A. Mantelero, ‘The Future of Consumer Data Protection in the E.U. Rethinking the 'Notice and Consent' Paradigm in the New Era of Predictive Analytics’. Computer Law and Security Review, 2014, 30, 643-660, paragraph 4.

40 Josh J., Data never sleeps, (28 June 2016). See also Preliminary Opinion of the European Data Protection Supervisor 2014, p 9.

41 See Commission Staff working document, ‘Advancing the Internet of Things in Europe’ accompanying the document Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions ‘Digitising European Industry Reaping the full benefits of a Digital Single Market’, SWD (2016) 110 final, 19 April 2016, page 5.

42 Mehdi Khosrow-Pour, (2013), p. 520.

43 Ashton K., That ‘Internet of Things’ Thing, In the real worlds things matter more than ideas - in RFID Journal


In recent years the number of devices connected to the internet has increased considerably; consequently the quantity of data scattered online has increased too. Moreover, thanks to big data, the capacity to analyse those data is enhancing the capacity to predict human behavior.

The increased number of internet users and the increased number of interconnected devices have also had a significant impact on business, which can therefore be more effective. As reported in the first document promoted by the EU Commission on this topic44, it has been estimated that “The number of IoT connections within the EU is estimated to increase from approximately 1.8 million in 2013 to almost 6 billion in 2020, leading to the EU IoT market being higher than one trillion euros by 2020”.45

The insurance sector has not been left out. In the last few years the car insurance industry has been affected both by data scattered online and by data produced by the IoT.

This phenomenon has enabled the auto insurance sector to remain competitive and profitable, even becoming the so-called ‘big data industry’.46

In this respect, last November Admiral, one of the biggest UK insurance companies, announced that it uses customers’ Facebook data in order to analyse car owners’ personality and set the price.47 The scheme is based around algorithms developed by Admiral itself. Thanks to these algorithms the company is able to make a personality assessment of the potential customer and then to analyze the risk of insuring that particular driver. The algorithms adopted have not been disclosed. Furthermore, thanks to information technology, motor insurance companies are changing the paradigm of traditional insurance policies by offering their customers new usage-based (hereinafter UBI) insurance policies.48 These insurance programs have been welcomed as a tool to reduce premiums, the incidence of fraud and vehicle theft.49

44 Commission (EC), ‘Internet of Things – An action plan for Europe’, (Communication) COM (2009) 278 final, 18 June 2009, p. 2.

45 Eu Commission Staff Working Document (2016), p. 7.

46 National Association of International Commissioners (NAIC) and the Center for Insurance Policy and Research (CIPR), CIPR Study (2015), Usage-Based Insurance and Vehicle Telematics: Insurance Market and Regulatory Implications, by D. Karapiperis, B. Birnbaum, A. Brandenburg, S. Castagna, A. Greenberg, R. Harbage, A. Obersteadt, CIPR Study Series 2015-1, March 2015, p. 8.

47 G. Ruddik, ‘Admiral to price car insurance based on Facebook posts’ The Guardian (London 02 November 2016). https://www.theguardian.com/technology/2016/nov/02/admiral-to-price-car-insurance-based-on-facebook-posts accessed 14 June 2017.

The devices involved in collecting the information combine telecommunication and information technology. They contain, for instance, a GPS, a SIM card or an accelerometer50, which are able to monitor cars. The most popular telematic devices in Europe are black boxes51. They provide very detailed data on driving behavior, since they are equipped with technical tools able to track many aspects of driver performance. Smartphones are also involved in the process of monitoring driver behavior, since they are equipped with all the technical elements needed: GPS, accelerometer and gyroscopes.52 However, there are concerns about their reliability and accuracy because it is not possible to know, for instance, whether the policyholder brings the smartphone on all journeys.53 These smart devices record and transmit data back to the insurance company. The collected data, thus, make it possible to monitor the behavior of policyholders and consequently can affect the terms of insurance contracts, namely the price.54

Telematics insurance started ten years ago but without success due to the high costs and complexity involved in the development of new technology. Cost and complexity have been consistently reduced in the last years. Italy, UK and USA are the countries where these kind of insurance contracts have had more success.55 European countries have high adoption of Usage-based

insurance trend. Relying on data drawn up by a survey, in 2015 Italy usage-based insurance market

48 Ibidem.

49 Institute of Actuaries Belgium - Information paper, ‘BIG DATA: An actuarial perspective’, (November 2015).

50 NAIC, CIPR (2015), p. 10.

51 Ibidem, p. 9.

52 Ibidem, p. 10.

53 For other concerns see Greg McGarry, managing director, DriveProfiler (Ireland), ‘Viewpoint: Black box versus smartphone in insurance telematics’, posted Fri, 30/08/2013, available at http://analysis.tu-auto.com/insurance-telematics/viewpoint-black-box-versus-smartphone-insurance-telematics.

54 Husnjaka S., Perakovića D., Forenbachera I., Mumdziev M., ‘Telematics System in Usage Based Motor Insurance’ Procedia Engineering 100 (2015) 816 – 825, p. 819.

55 See GHETU D., ‘Octo Telematics joins the exquisite IIF 2017 team of speakers which will analyze the motor insurance trends’, posted 19.01.2017, available at http://insurance.1asig.ro/OCTO-Telematics-joins-the-exquisite-IIF-2017-team-of-speakers-which-will-analyze-the-motor-insurance-trends-article-2,3,100-8932-0.htm.

ANIA, ‘L’assicurazione italiana’ (2015-2016), p. 185, available at http://www.ania.it/export/sites/default/it/pubblicazioni/rapporti-annuali/Assicurazione-Italiana/2015-2016/LAssicurazione-Italiana-2015-2016.pdf.


accounted for one-third of the global usage-based insurance market revenue which is expected to grow during 2016-2022.56

Telematics-based UBI includes programs called pay-as-you-drive (PAYD) and pay-how-you-drive (PHYD).57 These programs take into account both driving habits and driving style.58 The PAYD program focuses on driving habits such as the distance driven, the location (i.e. motorways, urban area, abroad, any other type), the start and end time of each trip taken by the car, and how often the car is used per day.59

The PHYD programs, by contrast, also take into account other elements such as driving style, as revealed by speed, harsh or smooth braking, aggressive acceleration or deceleration, and cornering and parking skills. This information, generated at very short intervals, produces large datasets. The analysis of these data leads to a proper evaluation of each driver, going beyond information such as age, model of car owned and previous accidents which, in the absence of these technologies, can be considered the usual parameters for evaluating the insured risk.60

Thus, wherever one of these programs is involved or where big data analyses are employed, the information available to insurance companies is not only that disclosed by the applicant but also information that insurance companies can easily collect in the pre-contractual stage and during the performance of the contract. It is questionable, therefore, whether it makes sense to continue qualifying insurance contracts as contracts of utmost good faith.

56 Singh C., ‘Usage-Based Insurance Market by Service Type (Pay-As-You-Drive (PAYD), Pay-How-You-Drive (PHYD), and Manage-How-You-Drive (MHYD)) and Technology (OBD-II, Smartphone, Hybrid, and Black-Box): Global Opportunity Analysis and Industry Forecasts, 2014 – 2022’, (Allied Market Research 2016), report overview.

57 Husnjaka S., Perakovića D., Forenbachera I., Mumdziev M., p. 819-820.

58 Verbelen R. and Katrien A. and Gerda C., ‘Unraveling the Predictive Power of Telematics Data in Car Insurance Pricing’, (January 18, 2017), available at SSRN: https://ssrn.com/abstract=2872112 p. 3, 4.

59 Ptolemeus Global Usage-based Insurance Study 2016, p. 59.


1.3 Benefits of data

As observed by several studies on this topic,61 UBI insurance contracts may offer many potential benefits for insurers, consumers and our society as a whole.62

As mentioned in the previous paragraph, thanks to telematics-based UBI programs the insurance business may remain competitive and profitable, since insurers are able to assess the risk more accurately by obtaining the maximum amount of information about insured parties,63 correcting the risk of misclassification,64 and enhancing pricing accuracy by relying on data which are not only based on past trends and events. In doing so, insurance companies may fight fraudulent claims, enable lower premiums, reduce claim costs, modify risky behavior and improve brand recognition and loyalty.

Telematics-based UBI programs may also offer benefits for consumers. Policyholders can help reduce their own auto insurance costs: driving performance and voluntary reductions in kilometers driven are strictly related to the insurance premium. This outcome has been evaluated as ‘particularly beneficial to lower income, urban and multi-car households’ which, therefore, should be able to monitor their insurance costs.65 However, the reduction in insurance costs is a controversial matter. According to different research carried out by the Dutch Consumer organization, price reduction is not an automatic outcome of telematics-based UBI programs.66 That research found that:

- PAYD premiums are substantially higher than traditional car insurance premiums but can be lowered through adopting exemplary driving practices, resulting in rebates of up to 35%;

61 Soleymanian M., Weinberg C., Ting Zhu, ‘The Value of Usage-Based Insurance beyond Better Targeting: Better Driving’, Sauder School of Business, University of British Columbia, September 2016. See also NAIC and CIPR Study (2015), p. 42-46. See also Husnjaka S., Perakovića D., Forenbachera I., Mumdzievb (2015).

62 Husnjaka S., Perakovića D., Forenbachera I., Mumdzievb M., (2015) p. 820.

63 de Azevedo Cunha M. V. (2010) “Data Protection and Insurance: The Limits on the Collection and Use of Personal Data on Insurance Contracts in EU Law,” Global Jurist: Vol. 10: Iss. 1 (Topics), Article 6, p. 6.

64 Ibid.

65 NAIC and CIPR Study (2015), p. 45.

66 BEUC The European Consumer Organization, ‘Big Data & Financial Services - BEUC response to ESAs


- average consumers with fair driving practices are mostly better off with a traditional insurance;

- consumers with a higher risk profile (younger or older drivers) can sometimes be better off with a PAYD insurance, but firms are restricting this effect by setting age limits;

- the criteria for calculating rebates remain vague and hard to comprehend;

- privacy concerns loom and insurers also collected data which was not necessary for the calculation of the premium.

Telematics-based UBI programs are also considered a means of increasing policyholders’ safety: policyholders involved in UBI insurance programs adopt better driving habits. As shown by the NAIC and CIPR study, ‘safer drivers become even safer and riskier drivers, whose premiums are typically highest, are educated to modify their high risk behavior’.67 In addition, telematics-based UBI programs can also be useful to prove how an accident occurred, to provide vehicle diagnostics, to recover a stolen car and to call the emergency services.68

Telematics-based UBI programs may also be beneficial for our environment and society in general. As long as the behavior of policyholders is influenced by this kind of program, they also have a societal impact.69 They increase the use of congestion-free routes and limit vehicle usage; reduce fuel consumption; limit the use of vehicles; improve vehicle maintenance; reduce CO2 emissions; reduce accident response time; track and recover stolen vehicles; establish fault to improve equity in settling claims; reduce driving, pollution, traffic congestion and energy consumption.70 It could be said, then, that the disclosure of policyholders’ data has many positive effects involving not only both contracting parties but also society as a whole.

1.4 Discrimination risk

Insurance companies potentially know more than we expect. Is there a risk of discrimination among policyholders? From the perspective of the insurance company differentiations are not

67 NAIC and CIPR Study (2015), p. 45.

68 Husnjaka S., Perakovića D., Forenbachera I., Mumdzievb M., (2015), p. 820.

69 NAIC and CIPR Study (2015), p. 46.


made to discriminate, but only to classify the risk.71 Moreover, the aim is to offer tailored products and ultimately to guarantee policyholders a tailored price. Differentiations in price cannot be seen as discrimination but only as an instrument to differentiate situations which are not similar. According to current European rules, discrimination in price is not prohibited unless it is put in place on grounds of race, ethnicity and gender.72 Whilst discrimination on grounds of race, ethnicity and sex is forbidden, other kinds of discrimination are not. As stated in the Guidelines of the European Commission, anti-discrimination rules do not affect ‘the use of other risk-rating factors, such as age and disability, which is currently not regulated at EU level’.73

Big data, therefore, can enhance differentiations among policyholders as consumers, which ultimately could be perceived as discrimination even if they are completely lawful. The general evaluation seems to be compounded by the undisclosed algorithms that each company can put in place. These outcomes have been observed on several occasions without any legal solution.74

The next chapter, therefore, describes the EU rules on data protection, with a specific view to telematic insurance contracts, in order to establish on which grounds data can be processed and whether these rules guarantee protection for policyholders.

71 See Thiery Y. and Van Schoubroeck C., ‘Fairness and equality in insurance classification, Geneva papers on risk and insurance issues and practice’, (2006) 3, p. 193-195.

72 Art 8 TFEU ‘In all its activities, the Union shall aim to eliminate inequalities, and to promote equality, between men and women’. Art. 21 CFREU “Any discrimination based on any ground such as sex, race, colour, ethnic or social origin, genetic features, language, religion or belief, political or any other opinion, membership of a national minority, property, birth, disability, age or sexual orientation shall be prohibited”.

73 Communication from the Commission, ‘Guidelines on the application of Council Directive 2004/113/EC to insurance, in the light of the judgment of the Court of Justice of the European Union in Case C-236/09 (TestAchats)’ Brussels, 22.12.2011 C(2011) 9497 final, p. 6.

74 See for example the newspaper article about price discrimination against men: Collinson P. ‘How an EU gender equality ruling widened inequality’ (The Guardian 14 January 2017). See also Ezrachi A. and Stucke M. E., ‘Virtual Competition: The Promise and Perils of the Algorithm-Driven Economy’. Cambridge: Harvard University Press.


Chapter 2: EU rules on data protection

The secondary EU rules on data protection are based on the Data Protection Directive 95/46/EC (hereinafter DPD), on the General Data Protection Regulation 2016/679 (hereinafter GDPR) and on the CoE Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) which, adopted in 1981, is the first legally binding international instrument dealing explicitly with data protection.75

2.1 Data Protection Directive and General Data Protection Regulation

Personal data are protected by the European Convention on Human Rights (hereinafter ECHR).76 Article 8 guarantees the right to respect for private and family life, home and correspondence. The case law of the ECHR has scrutinized different situations in which data protection is at issue, namely situations involving interception of communication, various forms of surveillance and protection against storage of personal data by public authorities.77 The European Court of Human Rights explained in those judgments that contracting States not only have to refrain from any violation of these rights but also have a positive obligation to ensure their effectiveness.78

75 Handbook on European data protection law (2014), prepared by the European Union Agency for Fundamental Rights (FRA) and the Council of Europe together with the Registry of the European Court of Human Rights, Publications Office of the European Union, p. 14.

76 The ECHR was adopted after the Second World War in order to promote the rule of law, democracy, human rights and social developments. It is an international agreement between the 47 States of the Council of Europe and also Switzerland, Russia and Turkey. The Convention entered into force in 1953. The competent Court is the European Court of Human Rights. Art 8 ECHR Right to respect for private and family life 1. Everyone has the right to respect for his private and family life, his home and his correspondence. 2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

77 Handbook on European data protection law (2014), p. 15. Inter alia, ECtHR, Malone v. the United Kingdom, No. 8691/79, 2 August 1984; ECtHR, Copland v. the United Kingdom, No. 62617/00, 3 April 2007; Klass and Others v. Germany, No. 5029/71, 6 September 1978; ECtHR, Uzun v. Germany, No. 35623/05, 2 September 2010. ECtHR, Leander v. Sweden, No. 9248/81, 26 March 1987; ECtHR, S. and Marper v. the United Kingdom, No. 30562/04 and 30566/04, 4 December 2008. ECtHR, I. v. Finland, No. 20511/03, 17 July 2008; ECtHR, K.U. v. Finland, No. 2872/02, 2 December 2008.

78 Inter alia ECtHR, I. v. Finland, No. 20511/03, para 36, 17 July 2008; ECtHR, K.U. v.


The Treaty on the Functioning of the European Union as well as the Charter of Fundamental Rights of the EU79 (hereinafter CFR) also guarantee protection of personal data.80 Art. 8 of the CFR establishes that:

‘Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority’.

Processing of personal data, thus, is allowed where it is fair and lawful, where it is carried out for specific purposes, and where the data subject is entitled to access his/her information and to rectify it.81 If this right is refused to the data subject, administrative measures and judicial remedies regulated by the national rules of Member States are available to the data subject.82

The DPD, thus, was adopted in 1995 to give effect to the right established by art. 8 of the CFR. Its territorial application extends to the non-EU States which are part of the European Economic Area (Iceland, Liechtenstein and Norway). However, the DPD will no longer be applicable from 25 May 2018, when it will be replaced by the GDPR.

The GDPR, as a regulation, will provide more legal certainty among Member States, given that, generally speaking, directives lead to variations among Member States. Moreover, the GDPR will be applicable even to non-EU organizations where they offer services and goods to EU residents. For now, however, the current EU data protection rules are those provided by the DPD.

79 The Charter of Fundamental Rights of the EU became legally binding within the EU with the entry into force of the Treaty of Lisbon in December 2009. The Charter has the same legal value of constitution as the Treaty (art 6 (1) TEU). The CFR contains rights and freedoms under six titles: Dignity, Freedoms, Equality, Solidarity, Citizens' Rights, and Justice. In case of breach of these freedoms and rights by the European institutions or by national institutions, individuals and legal entities are protected: the European Court of Justice and national courts have the power to review these acts. The Commission also has the power to bring a Member State before the Court where, in implementing EU law, rights or freedoms are violated.

80 EU Charter of Fundamental Rights OJ 2012/C 326/02.

81 European Data Protection Supervisor, March 2014, p. 12. See also Kokott J. and Sobott C., The distinction between privacy and data protection in the jurisprudence of the CJEU and the ECtHR, International Data Privacy Law, 2013, Vol. 3, No. 4, pages 222-228, p. 223.


The DPD applies to data processed by automated means and data contained in non-automated filing systems.83 In the Directive’s wording, ‘processing of personal data’ refers to ‘any operation or set of operations which is performed upon personal data’. As stated in the first article, data protection and the subsequent right to privacy are considered fundamental rights and freedoms of natural persons.84 However, the DPD is not applicable to the processing of data by a natural person in the course of purely personal or household activities, or in the course of an activity which falls outside the scope of Community law.

Definition of personal data

Art. 2 of the DPD defines personal data as ‘any information relating to an identified or identifiable natural person ('data subject')’, considering an identifiable person as ‘one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity’. Over the years the European Court of Justice (hereinafter CJEU) has consistently interpreted personal data as every element by which persons can be identified.85 In its most recent ruling86 the CJEU stated that even a dynamic IP address can be considered personal data as long as it makes it possible to identify the ‘data subject with additional data which the internet service provider has about that person’.

The Directive also provides that ‘special categories’ of data cannot be processed, unless there is a specific consent of the data subject or processing is necessary to protect vital interests of data subject or legitimate interests of others and public interest. Article 8(1) lists these special categories of data as: ‘personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or

83 15th recital DPD, article 12(b) and article 6(1)(d) DPD.

84 As stated by the Article 29 Working Party in Opinion 4/2007 on the concept of personal data, data of dead human beings cannot be considered personal data since they are no longer considered persons in civil law. The GDPR explicitly specifies that these rules do not apply to deceased persons, even if, according to the 27th recital, Member States may provide different rules on this topic.

85 The name of a person in conjunction with his/her telephone number (Lindquist Case c-101/01), the list of names of participants in a meeting (Bavarian Lager Case C-28/08), ISP addresses (Scarlet Case C-70/10), the data relating to the applicant for a residence permit (….), fingerprints (Schwartz Case C-291/12), the record of working time concerning (Worten Case C-342/12), the image of a person recorded by a camera (Rynes Case C-212/13), tax data transferred (Bara Case C-201/14), information published in the press (Nikolau Case T-161/04).


sex life’. In the GDPR, genetic data, biometric data and sexual orientation data have been added to this category of sensitive data.87

Furthermore, the GDPR adds elements to the definition of personal data by referring, for the concept of identified or identifiable natural person, to identifiers such as ‘a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’.88

The users of personal data.

Users of personal data are defined by the DPD as processors and controllers. Processor means ‘a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller’;89 a controller is a legal or natural person who ‘alone or jointly with others determines the purposes and means of the processing of personal data’.90 According to the opinion of the Article 29 Working Party (2010)91 these two concepts are essential in the application of the DPD since they establish who has to comply with data protection rules and how the rights afforded by the DPD can be exercised by data subjects. In this respect, acting on behalf of the controller92 recalls the legal concept of delegation, according to which the controller has to instruct at least ‘with the purpose of the processing and the essential elements of the means’. The relationship between processors and controllers has been intensified, since the contract between them has to be more detailed, and where two organizations jointly determine the purposes and means of personal data processing, they will be joint data controllers.

The DPD also provides the definition of third party as any natural or legal person other than ‘the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorized to process the data’. Another category is that of recipient, defined as ‘a natural or legal person, public authority, agency or any other body to whom data are disclosed, whether a third party or not’. It may seem that the definitions of third party and recipient are redundant. However, the distinction between them is that a third party

87 GDPR art. 9.

88 DPD art. 4 (1).

89 DPD art. 2 (e).

90 DPD art. 2 (d).

91 Art. 29 Data Protection Working Party, Opinion 1/2010 on the concepts of "controller" and "processor" - Adopted on 16 February 2010, 00264/10/EN WP 169, p. 18, 22, 25.


recipient is not authorized to use personal data processed by the controller except on a specific legal ground.93

Personal data can be processed where there is the consent of the data subject.94 The consent has to be free, informed and specific: in the words of the DPD, consent has to be “unambiguously given”.95 This means that no pressure must be placed on the data subject at the time when consent is given; in addition, complete information has to be provided.96 The GDPR clarifies the meaning of ‘freely given’ consent, establishing that consent will not be valid if the data subject has no free choice, or is unable to withdraw consent without loss, where there is a ‘clear imbalance’ between the controller and the data subject.

Furthermore ‘when assessing whether consent is freely given, utmost account must be taken of whether the performance of a contract is made conditional on the data subject consenting to processing activities that are not necessary for the performance of that contract’.97

Consent can be explicit or implicit. The former can be given orally or in writing, without leaving doubt about the intention of the data subject. The latter is given by acting in such a way that the data subject’s consent can be inferred from the circumstances. Sensitive data can be processed only when explicit consent is given. In this respect, articles 4 (11), 6 (1) (a) and 7 of the GDPR establish that consent must be given by a statement or a clear affirmative action. Therefore implicit consent will no longer be valid; mere silence or inaction is not valid either.98 In addition, the GDPR explicitly establishes that consent can be withdrawn.99 Such a possibility was not provided by the DPD, even if it was allowed on the assumption that the right to withdraw was strictly related to the notion of consent. As stated by the Article 29 Working

93 Handbook page 55.

94 DPD art. 7 (a); GDPR article 8.

95 DPD Art 2 (h). See also Ferretti F., A European Perspective on Data Processing Consent through the Re-conceptualization of European Data Protection’s Looking Glass after the Lisbon Treaty: Taking Rights Seriously, European Review of Private Law 2-2012 [473–506], p. 486.

96 See also Article 29 Working Party (2011), Opinion 15/2011 on the notion of consent, WP 187, Brussels, 13 July 2011, p. 12. European Data Protection Supervisor, March 2014, p. 14, 15.

97 Art. 7 (4) GDPR.

98 European Data Protection Supervisor, March 2014, p. 15.

99 Art. 7 GDPR.


Party,100 indeed, an implicit right to withdraw is the only means by which the data subject does not lose control over his personal data.

Besides consent, processing of data is legitimate when it is necessary for the performance of the contract or for compliance with a legal obligation. Moreover, processing is legitimate when it is necessary to protect the vital interests of the data subject; to perform tasks carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed;101 or for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject.102 On the other hand, sensitive data cannot be processed in principle. However, there are exemptions to this prohibition, which include explicit consent of the data subject, vital interests of the data subject, legitimate interests of others and public interest. It is important to stress that a contractual relationship cannot be a basis on which sensitive data can be processed: explicit consent is always required.

The legitimate collection of data for the performance of the contract also includes the pre-contractual stage, where it is necessary to process data for the purpose of the conclusion of the contract itself.

The collected data have to be stored ‘in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed’.103 Storing data for a longer term is possible, but the data have to be anonymized.104

Controllers are obliged to inform data subjects in advance about the intention to process data. This information includes the purpose of the processing and the identity and contact details of the controller.105 Other information has to be disclosed ‘having regard to the specific circumstances in which the data are collected, to guarantee fair processing in respect of the data subject’.106 Where

100 Article 29 Working Party Opinion 15/2011, p. 9.

101 DPD art. 7 (e).

102 DPD art. 7 (f).

103 Data Protection Directive, Art. 6 (1).

104 DPD 26th recital.

105 DPD art. 10 (a) (b).

106 DPD art. 10 (c).


data have not been obtained from the data subject, the controller has the duty to inform the data subject about his identity and the purposes of processing. This information has to be provided ‘no later than the time when the data are first disclosed’. Furthermore, where information is collected from the data subject, the described information has to be provided at the time of collection, whereas where data are collected from third parties, the information has to be provided at the moment of recording or before the data are disclosed to third parties.

2.2 Data protection rules on auto telematics insurance

As described in the previous paragraph, the DPD and GDPR lay down rules to protect personal data. It is interesting to investigate, thus, whether data revealed by telematic devices are or are not personal data.

When telematic insurance contracts are involved, data collected by the insurers are strictly related to an identified or identifiable policyholder who is entering or has already entered into an insurance contract. Therefore data collected on drivers and on their behavior can be defined as personal data within the meaning of the data protection rules, since these data reveal information about them. There is, indeed, a close connection between the telematic devices (i.e. black boxes) installed in cars and the policyholders. This close connection has also been scrutinized by the ECtHR, which in the Uzun v Germany case found that data revealed by a global positioning system (GPS) device installed in a car for surveillance purposes have to be considered personal data, since they interfere with the respect for private life protected by art. 8 of the ECHR.107 Similarly, data revealed by devices voluntarily installed in cars for insurance purposes should be considered personal data as well. Furthermore, telematic devices installed in cars are also able to reveal other kinds of data which belong to the category of sensitive data, namely speeding offences. Speeding offences are considered by the DPD108 as special categories of data, the processing of which ‘may be carried out only under the control of official authority’. The same provisions will be available under the GDPR.

According to the definitions explained in the previous paragraph, the insurer can be controller and/or processor of policyholders’ data. As a controller, the insurer can outsource the processing of telematic data to a third party, who will therefore act as processor. As described above the

107 ECtHR, Uzun v. Germany, No. 35623/05.

108 Art 8 (5) DPD.


responsibilities between them are laid down by art. 17 of the DPD and further emphasized by the GDPR with respect to the accountability of the processor.

Under the existing rules, thus, personal data of policyholders who are entering or have already entered into a telematics-based UBI program can be lawfully processed where ‘the data subject has unambiguously given his consent’ or ‘processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’.109 As stated by the Article 29 Working Party, the expression ‘processing necessary for the performance of the contract’ must be strictly interpreted. It means that if contracts can be performed without using and collecting data, the data should not be considered ‘necessary for the performance of the contract’.110

As described in the first chapter, technological devices are able to disclose in great detail a large amount of personal data, including data classified as sensitive. As long as a consumer can easily consent to their processing, it is interesting to explore the impact of data on the contractual relationship between insurer and policyholder.

109 Art. 7 (a) (b) DPD; Art. 6 1 (a) (b) GDPR.

110 Article 29 Working Party 29 Opinion 06/2014 on the notion of legitimate interests of the data controller under


Chapter 3: Impact of data

In this chapter, the problematic inputs underlined in the first and second chapter will be analyzed with a general view to data and consumer protection rules.

As described above, in recent years there has been a growing exposure of consumers’ data. Consumers may be unaware of the impact that this personal information may have on contracts they will enter into. The telematic car insurance contracts, as described, are particularly affected by personal data produced through the internet both in the pre-contractual stage and during the performance of the contract. The existent legal basis of processing personal data have to be therefore scrutinized in this chapter in order to understand if they are still suitable.

At the same time, it seems interesting to investigate the impact that data have on the contracts that consumers enter into as policyholders. Both contractual parties have a duty of disclosure: consumers as applicants have the duty to disclose all relevant personal information, while insurers have the duty to inform about the main characteristics of the contract itself. In all those circumstances there are EU rules which impose duties and confer rights on the parties.

3.1 Utmost good faith?

Starting from the problematic issues raised in the first chapter, it seems interesting to come back to the utmost good faith principle by which the insurance contract is governed, due to the necessity for the insurer to receive all the information needed to classify the risk.111 The rationale of this definition relies on the assumption that the policyholder has a deeper knowledge of the risk to be insured than the insurer. In order to overcome this information asymmetry between the contractual parties, policyholders are thus required to disclose all relevant information known to them. However, big data and in particular IoT have modified this situation of asymmetric information by enhancing the predictive and surveillance skills of insurance companies and by increasing the lack of knowledge of consumers, who do not really know which data are already known by insurance companies and how those data will be analyzed. Information technology is therefore causing a significant change in the distribution of information among the contractual parties. In the insurance business in particular, the balance of power between the parties has shifted: the information afforded by on-line data and IoT, and the capacity to draw meaningful correlations, give insurance companies more contractual power than before. As a consequence, the duty of the applicant to disclose all relevant information in the pre-contractual stage is losing its meaning, since the analyses and profiling already carried out by the insurance company exceed what the applicant could provide.

For these reasons it seems that the description, still retained in many national systems,112 of the insurance contract as a contract of utmost good faith is no longer entirely suitable, at least as far as mass insurance is concerned.

3.2 The consent paradigm

As described in the second chapter, personal data can be lawfully processed where the consent of the data subject is given or where data processing is necessary for the performance of the contract to which the data subject is party.113

Where a mandatory insurance contract is required, which is the case for car insurance, consumers try to subscribe to the contract most suitable to their needs. However, consumers do not have effective power in negotiating the insurance premium, which is established by the insurance company itself. In telematics auto insurance contracts, consumers agree to the processing of their personal data, which may also be sensitive data,114 in exchange for a premium reduction.

The notion of consent presumes that the data subject is able to ‘make conscious, rational and autonomous choices’.115 However, it is questionable whether a data subject who is a consumer can be considered strong enough to do so.116 This seems particularly true where consumers are required to take out liability insurance and where, for instance, there is no other chance to receive a discount than subscribing to a telematic insurance contract (as is the case for young drivers). Consumers can only consent to the collection and processing of their personal data or give up the contract.

112 PEICL p. 106.

113 Art. 7 1 (a) (b) DPD.

114 See paragraph 2.2 of the present paper.

115 Schermer, Bart Willem and Custers, Bart and van der Hof, Simone, The Crisis of Consent: How Stronger Legal Protection May Lead to Weaker Consent in Data Protection (February 25, 2014). Ethics and Information Technology, Available at SSRN: https://ssrn.com/abstract=2412418.
