Connected vehicles services: legal and regulatory update
The eCall Mandate
The proposals for eCall legislation are now coming together with (i) all models newly type-approved needing to be fitted with eCall technology to automatically send a minimum set of data to an emergency control room and (ii) all EU members now being required to have the requisite infrastructure in place to handle such eCalls.
Member states must have the infrastructure in place to handle eCalls, but they remain free to decide how their emergency services are organised.
Member states will also have to ensure that all data transmitted via eCall is used exclusively for the objectives of eCall and that the processing of personal data fully complies with European legislation on data privacy.
There is still a lack of clarity on the precise contents of the new EC Regulation on Data Protection because it has not yet been agreed. This is unhelpful to insurers currently designing and implementing new systems.
The draft was approved by the European Parliament in March 2014, but still needs to be negotiated between the Council of Ministers and European Commission. Given that the Council of Ministers appears divided on whether the draft takes an appropriate approach there is still some way to go before the law is finalised.
In the meantime, insurers need to consider the design of their UBI products and back-office systems carefully in order to anticipate the predicted contents of the new Regulation, such as “data portability” and enhanced consent rules.
Cyber Security Developments
A draft EC Cyber Security Directive has been approved by MEPs but still awaits final approval.
Companies that operate “critical infrastructure” will be required to take appropriate technical and organisation measures to manage the risk posed to the security of their networks, and notify the authorities of any incidents which have a significant impact on the security of the services they provide.
Other Data Privacy Updates
In April 2014 the Article 29 Working Party issued an opinion addressing the potential value of anonymisation as a strategy for mitigating the risks associated with the collection and use of data. Whilst the views of the Article 29 Working Party are not legally binding, they do influence the views and enforcement of data protection authorities in each Member State.
Their opinion casts doubt on the effectiveness of anonymisation as a technique to remove data from the definition of “Personal Data” and therefore the application of the current EC Data Protection Directive to anonymised data.
This is potentially unwelcome news for insurers who may have been looking at anonymisation as a way of enhancing the actuarial value of telematics data and also sharing it within the industry without having to comply with the EC Data Protection Directive.
Consumer Attitudes to Privacy
The information disclosed by whistleblower Edward Snowden and related revelations surrounding communications monitoring by the NSA have strengthened and re-ignited general concerns about privacy.
The impact of this is that consumers are still cautious about how much of their data will be collected using telematics and how it will be shared (including with law enforcement agencies).
A report from YouGov in 2013 revealed that 51% of consumers believe that a disadvantage of telematics insurance is that their driving data might be used for marketing purposes and 29% are concerned that driving data may be passed to police without their permission.
Maintaining consumer confidence is a key factor in the success of the increased take-up of telematics. Therefore, insurers should take measures to ensure that their data collection and sharing practices are managed properly and compliantly, and that consumers are comfortable with how their information is being used in order to prevent the erosion of trust and confidence in telematics at a critical stage in its development.
For further information on Osborne Clarke’s automotive experience, click here