Data privacy: it’s not just the law which is changing

Date: Tuesday March 18, 2014

With fresh calls for tighter regulation on how personal location data is handled coming from the most unlikely ranks, we look at how data management will change for insurance carriers, service providers and wireless operators.

Last week, Martin Winterkorn, CEO and chairman of the board of management at Volkswagen, was quoted as saying: “The car must not become a data monster. We intend to protect our customers against the abuse of their data.” It echoed earlier calls in the US by Ford Motor Co. CEO Alan Mulally for data usage boundaries and guidelines.

The car industry may have finally woken up to the potential use of car data, but service providers across industries have yet to address the upcoming changes in regulations on how to use that data.

In fact, in a survey from the UK Information Commissioner’s Office (ICO), none of the 506 data protection experts interviewed could accurately define the requirement of the proposed new data protection laws.

In the next two blogs we will look at various changes affecting every telematics database service provider, starting with the European regulations and proposed reforms then looking at the US industry-led efforts.

In Europe, while each member state has national specificities on privacy-related regulations, they all have to abide by the EU data protection act.

The act restricts the opportunities for using Big Data by defining what personal data means and how it can be handled. Simon Hania, Corporate Privacy Officer at TomTom, detailed how in his presentation at the ConnecteDriver event in January:

  • The act stipulates that data must be used for its pre-defined purposes only, and affixes volume and time limitations.
  • How data is used must be explained clearly, along with whether consent, legal obligation or a balance of legitimate interests applies.
  • Most worryingly for insurers, drivers have the right to view, correct and even object to the data being used.
  • Anonymity is defined as the stage whereby there is no reasonable way to identify a person in the data, even with the use of other datasets for correlation, such as maps or phone books.

For UBI service providers, the regulation has to be taken into account even if:

  • The user is not identified or the data is anonymised
  • Only the serial number is used
  • The data is encrypted
  • Other bigger companies are using the data for other purposes

China and many other Asian countries are moving towards the European model, with China said to be very interested in the German model for personal data protection.

Looking ahead, insurance players should be fully aware of the European Commission’s proposals for reform of the data protection act, which is expected to be finalised in 2015 and become law in 2016.

Simon Spooner, a Partner at Osborne Clarke, explains that the new regulation is intended to ensure that data protection laws are applied consistently throughout the EU. The draft regulation is the subject of fierce debates and may still change but, if it comes into force as it stands, the implications are likely to include:

  • An individual’s right to require that his insurer erases all his personal data that is no longer needed for performance of the contract or because of statutory retention obligations, and does not use the data going forward. This will likely require the implementation of additional IT systems, and may impact the insurer’s ability to use historical data in their claims systems and processes. If this right is covered in the final Regulation, insurers will need to consider their ability to remove the telematics device and delete all data before starting to collect any information from individuals.
  • Depending on the outcome of the legislative process, potentially also an individual’s right to obtain from their insurer a copy of all personal data relating to them, in a structured and commonly used electronic format, making it easier for individuals to move their data from one insurer to another. Therefore some basic industry data format standards will be needed by 2016.

The EU parliament has already voted – by a massive majority – to strengthen the data privacy Act, and warned the Council to waste no time ratifying the proposed reform. Last week’s vote highlighted the above-mentioned changes – among others.

A full analysis of the repercussions of the Data Protection Act reforms can be found in the UBI Global study 2013. We’ll look at the situation in the US in the next blog.