Insurance Europe key messages on Data Protection. pdf

Transcription

1 BRE-JBZ From: Sent: To: Subject: Attachments: Follow Up Flag: Flag Status: Kaai, Geran vrijdag 3 april :00 Verweij, Ellen FW: Request for a meeting on proposed Data Protection Regulation Europe key messages on Data Protection. pdf Follow up Completed From: BRE Sent: donderdag 28 februari :49 To: Kaai, Geran Subject: FW: Request for a meeting on proposed Data Protection Regulation n~ij?91!nj" From: Sent: donderdag ~ februari :31 To: BRE CC:" _ Subject: Request for a meeting on proposed Data Protection Regulation Dear Mr Kaai, On behalf of Europe we would like kindly request a meeting with you in order present you and exchange views on proposed Data Protection Regulation. For your convenience, we attach Europe Key Messages on se subjects. We hope this meeting can prove possible, and look forward hearing from you. Yours sincerely, Secretary, Public Affairs and Single Market &. Social Affairs rue MontOy~e=r=5=1=' =B=-:l~OOOBrussels el: +322 Fax:

2

3 ~~':"i~ 3... ~~\\\\ II..... II. ::::: 11,-... :". insurance ~::europe Position Paper 'II Europe key messages on European Commission's proposed General Data Protection Regulation Our reference: SMC-DAT Date: Proposal for a Regulation on protection Related personal and on free movement documents: 3 September 2012 of individuals with regard of of such (General Data Protection Regulation), Head of Single Contact Market and Social Affairs, person: Policy Advisor Transparency Register ID Pages: Introduction Europe welcomes protection legislation protection of individuals within European Commission's EU and strengn CEC) objective individuals' rights. harmonise furr with regard of personal and free movement may however, have unintended The EC proposed Regulation on of such consequences for and consumers. Insurers are concerned EC proposed Regulation will restrict ' ability process and use properly assess risk. Collecting and personal are at core of insurance business. Being able access and process personal claims, determine of cover aumated needed, assess risk enables and hence provide process and pay If are not able properly assess risks, re will be a Significant negative impact on consumers. For example, level through with appropriate consumers premium fairly reflects individuals' needs and risks. it would prevent accidents, as without an appropriate amounts of reimbursement premiums, or delay reimbursement assessment or compensation. decrease in insurance of medical treatment of risks, Furr potential or compensation are unable determine for car right negative consequences include increase of coverage and fact some products may be withdrawn entirely from market. Furrmore Europe believes parts of proposal address problems stemming from social networking, parts should not apply or highly regulated have been designed with intention online tracking fields of activities, and search engine technology. which y are not adapted, These such as insurance. Therefore, any changes EU protection legislation should be relevant and proportionate, individuals' privacy right with security, taking in consideration should recognise need for and re law requirements. process personal premiums, and respect contract information provided and prevent fraud and or financial crime. in order calculate fair It should also enable verify accuracy of Finally, Regulation must not overlap or be in conflict with or pieces of national or EU legislation, Solvency II Framework Directive and Anti-money Europe aisbl rue Monyer 51, B-1000 Brussels Tel: Fax: balancing way insurance works. It explicitly laundering such as Directive. Reproduction in whole or in part of content of this document and communication reof are made with consent of Europe, must be clearly attributed Europe and must include date of Europe document.

4 1. specific concerns with regard Ee's proposed General Data Protection Regulation 1.1 Consent Definition of consent - Recital 25, Article 4par.8 Based on ' experience across member states, consumers do not encounter problems with current rules on consent in Directive 95/46/EC. Article 2(h) of Directive 95/46/EC provides a suitable protection for consumer without being unnecessarily burdensome, eir for consumer or for insurer or both. The requirements of and for consent as provided by proposed Regulation must be relevant and suitable purposes for which consent is obtained. It should not prevent insurer from delivering necessary services consumer. Europe calls for Article 2(h) Directive 95/46/EC '. 3 1 ;d I F.nt Article rules on ned. 7par.3 Europe is concerned subject's right withdraw consent, as proposed by draft Regulation, would: (i) hinder execution of insurance contract: withdraw consent problems under insurance contract contractual (ii) Should consumer exercise his/her right of personal, this will give rise serious law as insurer will no longer be able perform legal obligations. lead a cancellation consumer's of contract right withdraw because it is not foreseen by parties: consent should not result in a right of consumer The cancel policy. Based on insurance contract law, insurer and consumer fix terms of contract at beginning of ir contractual relationship. Some contracts permit cancellation during a given period under specific conditions. This is different withdraw consent deriving from proposed Regulation: from consumer's right it was not foreseen by parties when signing contract and it will be perceived as a breach of contract. (iii) Conflict with or legal instruments: meet legal and regulary laundering and terrorist Financial service providers are required retain obligations. financing, end of business relationship control and internal investigations For example, Directive 2005/60/EC on anti-money requires sre for at least 5 years after with natural or legal persons, because of public authorities' amongst or reasons. National insurance also require sre for longer periods, for example legislation 10 years in Italy can and 26 years in Poland. Europe suggests proposed provision on right withdraw consent at any time should be redesigned take in account situations: Where must be retained for conclusion and execution of insurance contracts, settlement of a claim and Where must be processed for regulary, anti-fraud Right be forgotten - Article The EC proposal introduces concept of "right or legal purposes 17 be forgotten" whereby individuals can request deletion of ir personal. Europe believes while intention of this requirement is address concerns related internet services (such as social networking sites), re is a concerning overspill or areas where it is vital hold. This is case where re is a contractual are needed for proper withdraws performance relationship between an organisation of contract. For example and an individual, if a health consent for ir health be used or requests information insurance and policyholder be deleted, while this forms an integral part of contract, risk assessment, as well as assessment and of claims 2

5 . c... \\\\\ M,.. ::::: II "'; ~ ~.....:..'":., ~.: ~:: europe cannot take place. This is also case where re are regulary re is a need retain for fraud prevention Europe recommends forgotten does not apply where: There is a contractual draft Regulation relationship requirements retain and where purposes, as explained above. is amended clearly state right be between an organisation and an individual, and are needed for proper performance of contract. There are regulary requirements retain. There is a need retain for fraud prevention Significant The introduction imbalance - Recital 34, Article 7parA of new term "significant re is a "signifiltnt imbala*=e!' for sensitive (non) purposes imbalance" creates legal uncertainty. between and consumers, would be invalidated It could be interpreted as if in which case, subject's consent and would prevent from offering- ir services new and existing cusmer~;. For instance, have only one legal ground process sensitive, of consent. If rule of significant imbalance applies m, will not be able process health anymore. Europe calls on removing or at least amending provision in a way limits unintended consequences for insurance industry. 1.2 Health Definition Insurers of health - Recital 26, Article 4par.12 need process health-related health-related appropriate for private provide medical insurance insurance products. ensure By way of example, consumer receives cover at a fair price for risk he/she poses, or reimburse all or part of health care where individual requires medical treatment certain is processed Europe believes requirements for disproportionate certain covered by insurance policy. definition administrative and will impose administrative delays in pay-out of health. Treating is o broad and will increase consent purely administrative as sensitive is burden on consumers and. For instance, it will create of covered medical expenses which is important for insurance products require medical, for example health, mor or travel insurance. Moreover, indication of patient's will be considered sensitive without health problem on an accident claim or hospitalisation health and refore administrative admission employees could not process m explicit consent of subject. This, again, is burdensome for all parties and does not provide any benefit subject. Europe calls for definition information, of health be clear and restricted and exclude administrative non-sensitive information. Administrative clinical and medical should be categorised as Processing of health - Recital 42, Article 9par.2 information Europe understands (h), Article 81pa.Hc) can process health for management of health care services and settling claims for benefits and services in health insurance system, as stated in rec,42. However, Article 9par.2 conclusion (h). Europe finds unclear wher insurance falls under provisions of eir Article 81 or Processing sensitive and execution of insurance is imperative contracts, including for and it is crucial clarify management of health care services and settling claims for benefits and services in health insurance system, should be permissible. Europe calls for a confirmation of application of eir Article 9par (h) or Article 81 insurance or an extension of scope for collecting and health for all insurance purposes, for example health, life, accident, third party liabilities insurance and reinsurance. 3

6 ~-~" M,.. ::::: ~ insurance ~::,_ europe.ail,. III. II..~~\.~ ~~~':.~ *- If ; 1.3 Data sharing and fraud prevention - Article 6par4 and Article 9par.2(j) Europe is concerned changes EU protection ' ability share information interest of society. and prevent fraud1, framework which benefits may have an impact honest consumers on and is in Europe is concerned proposed Regulation will: Restrict ' ability process and use information One of ways detect suspicious activity (multiple claims prohibited of it is estimated every day2. Hinder same nature, multiple claims needed for fraud is by considering featuring same of honest consumers will have pay price through figure for health care fraud and corruption development and use of systems for prevention and previous claims hisry parties, do so, will not be allowed protect ir cusmers whilst majority collect, detection. etc). If y against insurance higher tariffs. are fraud For instance, in EU is at least (80 million identification of fraudulent policyholders, applicants and claims which already exist in member states. Europe suggests taking in consideration Council of Europe (CoE) Recommendation treatment of fraud insurance of personal activity. for purposes According recommendation, prevention "actuarial and detection activities" (2002)9 on as essential and risk rating for are allowed; same applies preparing and issuing insurance covers, ie risk-based pricing and premium calculation. For this happen, collecting and using is indispensable. Europe recommends proposed Regulation explicitly recognises need for organisations, including, process and share information prevent and detect fraud. This could be done through an exemption where preventing, for both sensitive and non-sensitive is necessary for purposes of detecting and addressing fraud. 1.4 Profiling - Article 20par.1 Being able access, process and sre personal through ability provide consumers with appropriate There is a direct correlation Europe is concerned proposed effectively. This would be consumers' and/or lack of available insurance. is central ' between consumers' profiled risk - as derived from multiple used for risk assessment - and likely claims hisry of a policyholder determines fair premium charged policyholders. aumated products and services at fair prices. Europe recommends avoid prohibiting or restricting premium calculation. provision detriment rating, on profiling policy will prohibit period, which, combined, from using in form of higher prices, lack of product rules on profiling risk-adequate during innovation as proposed in draft Regulation are amended rate classification and risk assessments necessary for 1.5 Data portabilitv - Article 18 Europe believes proposed right on portability clearly falls outside scope of draft Regulation. This right deals with use of and not with protection. facilitate transferring from one social network anor. It appears have been created country facts: According a 2011 survey, 4% of German households admit have committed an insurance fraud within last five years. For non-life insurance only, estimated loss arising from fraud is (4 billion each year. In 2010, number of fraudulent claims in Italy reached almost 2.5% of tal claims against. The actual number is estimated much higher, but is difficult detect fraud accurately. In 2010, in UK, insurance fraud is adding on average an extra 50 a year each UK policyholder's insurance bill. In 2011, in NL, re were proved cases of fraud, amounting 29 million euros. The estimated loss from undetected fraud could add up 150( per family p.a. The actual number of false claims is estimated be higher, but goes undetected. European Healthcare Fraud and Corruption Network (EFHCN) 4

7 ~... J:~;\ II..... HI,. ~~~~~ II'.. "". :::::.. :... insurance,_ europe ~:= Europe also believes ability change providers easily is a consumer and/ or competition not a protection one. From an insurance perspective, provision would have implications controllers for competition disclose confidential and intellectual or intellectually protected issue, Europe is concerned proposed property as it may unintentionally information underwriters, force eg underwriting criteria, risk and pricing ols. Europe calls for adequately protect confidential 2 removal of Article and intellectually 18, or at minimum, provisions should be included protected information. General concerns with regard Ee's proposed General Data Protection Regulation 2.1 Delegated and implementing acts Europe is concerned number of delegated and implementing as it is impossible predict delegated and implementing final content acts is even more worrying acts causes legal uncertainty of key provisions3 and interpretation The large number since chosen legal instrument, a Regulation, of is directly applicable. Europe calls for a reduction of number of delegated and implementing acts. 2.2 Administrative sanctions - Article 79 Europe believes proposed sanctions for breaching because Data Protection Authorities regulation (DPAs) do not have discretion are disproportionate. when deciding This is impose a fine. For instance, DPAs are obliged impose a fine ("shall impose a fine") even if violation has not produced any damage subject or if it is first violation without considering any or mitigating circumstances. This would lead situations millions for some ) where a fine of up 0.5% of annual worldwide turnover (which would run in will apply for responding a few days late a request for access personal. Europe considers such a sanction is disproportionate, especially where re is no impact for individual. Europe calls for: The sanctions be defined as a competence ("may impose") and not as an obligation ("shall impose"). A revision of level of fines, and suggests linking ir amount with damages and harms caused by sanctioned violation subject. The inclusion of a provision introducing 3 a right appeal against sanctions. Administrative burden - Articles Europe welcomes EC's intention reduce companies' administrative burden. However, Europe identified several proposed provisions having opposite outcome. 3.1 Data breach notification Articles 31 and 32 Europe is in favour of a notification have been affected take steps protect perform ir functions, In contrast, protection or allowing supporting individuals, who may appropriate regulary bodies provide advice and deal with complaints. Europe is concerned excessive notification proposes, could lead consumer distract system with clear purposes: mselves, authorities apathy, requirements, as draft Regulation as has been case in US. Excessive notification from ir important role of investigating serious breaches, will also and where necessary, taking action. This would not be in public interest. Europe suggests : Only breaches posing significant risk of harm subjects - and where subjects should take action (eg prevent identity ft) or remain vigilant - or a serious violation of ir rights should be notified 3 Such as articles 9(3), 20(5), 6(5), 6(5), 9(3), 15(3), 17(9), 28, 31, 32, 33, 34,81(3). 5

8 .,... II... "... ~..,_t C;'... \\~\-:::':\.... ~:: insurance ~~: europe The Regulation should not impose concrete deadlines for supervisory authority, but should encourage controller and without excessive delay. notification of breach provide a response as soon as feasible 3.2 Impact assessment and prior authorisation and consultation - Articles 33 and 34 Europe believes duties of assessing impact imposed by Article 33 and of prior notification disproportionate For instance and authorisation of envisaged objective pursued as it would lead an extensive administrative article, interferes. 33par.4 and obligation with entrepreneurial seek freedom The same applies Article between controller and supervisory Europe believes distinction subject's determine 34par.2 authority operation of of by Article 34 are view burden. on its own business regarding prior intended policy and way of authorisation and consultation before of. Moreover, between prior consultation and prior authorisation in Article 34 is not clear and creates legal uncertainty. Finally, according article 33par.7, specify criteria and conditions assessment. This creates furr Commission for uncertainty may adopt implementing operations and delegating should be included acts will in impact for insurance companies as y are not aware of when and in what manner impact assessment is be made; while at same time y are facing sanctions based on Article assessment. 79par.6(i) in case controller The impact assessment duty is also raising competition Article 33par.2 (e) allows each supervisory assessment. subject This means impact company) does not carry and impact concerns: authority each supervisory assessment, (insurance weakening list operations subject an impact authority thus could list different impact of maximum operations harmonisation are and creating an uneven playing field between competirs. The obligation publish assessments endangers ' trade secrets, and may force m make unlawful disclosures of confidential insurance information. Europe calls for: The removal of Article 33, or at least, Clarification Clarifications of which type of is subject impact assessment. on wher re is a difference between a prior authorisation and a prior consultation. 3.3 Information subject - Article 14 The proposed transfer provision would oblige controllers, sensitive or non-sensitive or service provider) (eg European eir a third-country or a third-country controller or re) inform every subject (insured) transfer. According present Standard Contractual Clauses (Processors) 2010/87/EU, applies currently only when sensitive (e.g. health-related) are involved. Europe is concerned re will not be able meet this requirement insured of a transfer, as re have no direct relationship with insured persons. intending processor (like a computing centre or of such such an obligation inform every Europe calls on removing or at least amending provision in a way excludes unintended consequences for insurance industry. 6

9 ~::_~ ;;~. \\\\\ "'.. 1#._... II,.. ::::: ~:: insurance ~:: europe Europe is European insurance and reinsurance federation. Through its 34 member bodies - national insurance associations - Europe represents all types of insurance and reinsurance undertakings, eg pan-european companies, monoliners, mutuals and SMEs. Europe, which is based in Brussels, represents undertakings account for around 95% of tal European premium income. makes a major contribution Europe's economic growth and development. European generate premium income of over 1 100bn, employ nearly one million people and invest almost 7 500bn in economy. 7