Regulation would give policy holders the right to withdraw their consent for insurers to process their personal information

private data

Data protection laws currently being discussed by the EU could lead to restrictions on the way insurers investigated suspected cases of fraud if they are implemented in their current form.

The EU Data Protection Regulation would give policy holders the right to withdraw their consent for personal data to be processed by insurers, meaning investigators would not be able to access the information when examining a claim.

Insurance Europe head of single market and social affairs William Vidonja said the regulations could mean data that is vital to the claims investigation process could be taken away from investigators.

“If policyholders withdraw consent for their personal data to be processed it would significantly diminish insurers’ abilities to prevent and detect fraud,” he said. “This is because insurers will not be able to access, use and process specific categories of personal data once the policyholder decides to withdraw their consent.”

Absolute Partnership data and intelligence director Dr Stephen Hill said that insurers may also be faced with the prospect of having to get consent to investigate a suspected fraud before they can take any action.

“It is going to be much harder for insurers to pass information on [to fraud investigators] as that flexibility is going to be taken away,” he said. “There will have to be provisions put in place to get that consent for data to be processed [before an investigation is started].”

The problem arises because the proposed regulations have no clear definitions around potential exemptions from the regulations if criminal activity is suspected, unlike the UK’s current Data Protection Act.

Hill Dickinson insurance fraud partner Stratos Gatzouris said the current proposed regulation had not considered the intricacies of the UK insurance market, and in particular fraud investigation.

“We don’t have that much clarity [on what will be impacted by the regulations],” he said. “We can see the reasoning behind the regulations, but the problem is that it has not taken into account the issues we encounter with insurance fraud.

“The regulations do make an exception if a crime is involved, but there is no clearly defined reason [for exemption from the regulations]. Does investigating insurance fraud constitute being in the pursuit of investigating a criminal offence? Potentially yes – it is at the moment under the Data Protection Act – but it isn’t clear under the current proposal for the regulations.”

But there is still time for changes to be made to the proposed regulations, with clearer definitions for what would result in an exemption from the rules a possibility should lobbying efforts succeed.

Vidonja said that while insurers respect the importance of data privacy, these regulations need to be amended to take into account the serious nature of insurance fraud.

“The protection of people’s personal data is of the upmost importance,” he said. “It is also necessary, however, to ensure that rules do not prohibit insurers from carrying out an essential function in identifying criminals committing fraud.

“Detected and undetected fraud is estimated to represent up to 10% of all claims expenditure in Europe. This is why the new EU Data Protection Regulation should include an explicit legal basis allowing data processing for fraud prevention and detection purposes.”

Join the debate at our Insurance Times Regulation Forum on LinkedIn