
GDPR: Time for a second look - William Vidonja, Head of Conduct of Business, Insurance Europe

22-7-2024

Data is at the core of the insurance sector. Without data, insurers would be unable to assess the risks consumers wish to be protected against, develop and price their policies, process consumers’ claims or spot fraud. As data processing lies at the very heart of their business, insurers are aware of the value of data and the importance of protecting it. This is not only a legal and regulatory requirement but also a fundamental component of building and maintaining consumer trust.

Insurers have therefore always been strong supporters of the objectives of the EU’s General Data Protection Regulation (GDPR). The text – which entered into force in 2018 – was originally adopted to protect Europeans' fundamental right to privacy while fostering responsible competition in the digital world. Now that the GDPR is almost at its 6th birthday, it is time for another look and to check whether it is still fit for purpose.

The European Commission has a legal obligation to carry out its second evaluation of the GDPR in 2024, following which it may decide to revise or amend the regulation. In the first review, which was carried out in 2020, the Commission considered the framework fit for purpose: a success story that gave individuals more control over their data.

Almost 6 years later, Europe’s digital legal landscape has drastically changed. From evolving case law from the EU’s Court of Justice to the completely new pieces of legislation stemming from the European data strategy such as the Data Act, the Data Governance Act, and the AI Act, the EU’s digital rulebook has become much more complex.

How these new initiatives will interplay with one another in practice is yet to be determined. What is clear is that they all build upon the foundations laid out by the GDPR and they will all significantly impact organisations’ data processing operations in the coming months and years.

Before the impact of the Commission’s data strategy and its new regulations can be evaluated, a reopening of the GDPR is premature. Like many other sectors, the insurance industry has invested significant resources in understanding the GDPR and its implications and ensuring proper implementation of the new regime. At a time when the GDPR has also successfully established itself as a global standard, the Commission’s review should take advantage of this opportunity to address outstanding interpretation issues, promote existing legal mechanisms and foster companies’ compliance.

Let’s start by going over each one of these points.

One of the key aspects the Commission’s review should focus on is the unintended impact of the GDPR on innovation. Emerging technologies like blockchain, artificial intelligence and the Internet of Things (IoT) offer immense opportunities for insurers and consumers alike. However, innovation could be undermined, on one side, by a lack of guidance and, on the other, by the overly strict interpretation in the existing guidance put forward by the European Data Protection Board (EDPB).

Take blockchain, for example. While its potential to boost efficiency, trust and transparency is well known, it is still unclear how its use can be reconciled with GDPR’s right to erasure and the right to rectification.

Likewise, due to a very narrow interpretation of the “necessity” of carrying out solely automated processes, the EDPB guidelines have the effect of discouraging insurers from introducing innovative products, such as real-time insurance offered through mobile phone apps.

This leads to the second point: the role of the EDPB and its guidelines.

While the EDPB’s guidance is a useful implementation and compliance tool, there are a number of areas, such as in international data transfers and the right of data access, in which the EDPB has not consistently applied the risk-based approach and proportionality principles enshrined in the GDPR. For example, the guidelines on the right of access imply that, following an explicit access request from a consumer, a company should search for the individual’s data throughout all its IT systems, including back-up systems. Requiring the controller to search backup systems, which may not be readily or easily accessible, constitutes a disproportionate effort. Back-up data is personal data stored solely to restore the data in the case of a data loss event and therefore should not be included in the scope of the right of access.

The EDPB should prioritise practical guidance to strengthen harmonisation, and to reduce compliance burden whenever the GDPR text allows it. Increased dialogue with external stakeholders would enable the EDPB to learn more about emerging issues and develop relevant guidelines that better align with the practical realities faced by businesses, ultimately promoting more robust and effective data protection compliance.

Finally, another critical area for the evaluation should be the GDPR’s mechanism for international data transfer.

Ensuring seamless data flows between EU Member States and third countries is vital for European businesses.

Here, the Commission should take measures to ensure that companies can make full use of all the tools for international transfers provided in the GDPR. At this stage, the use of existing tools such as Codes of Conduct and Binding Corporate Rules has been limited due to the high requirements imposed by the EDPB and long and complex approval processes.

The Commission should also speed up its work to develop new adequacy decisions. These are the most well-fitting instruments to transfer data internationally as they provide the most appropriate safeguards for both companies and consumers. However, the current list of countries that are covered by an adequacy decision is still quite limited and falls short of covering data transfers in an environment in which the global exchange of data is on the rise daily.

Overall, work is still needed. The upcoming evaluation is therefore a golden opportunity to ensure that the text fully meets its intended objectives, including guiding businesses to compete responsibly in the digital environment. Industry needs a focused GDPR review that addresses outstanding interpretation challenges, facilitates compliance for companies and strengthens Europe’s single market. It must promote practical guidance from the EDPB, secure international data transfers, and the full use of all GDPR mechanisms. All of this will pave the way for the next review in 2028 when the impact of recently adopted data strategy legislation can be better assessed, and it will be possible to carry out a more comprehensive evaluation of the EU’s digital rulebook.

William Vidonja
Head of conduct of business
Insurance Europe