
Draft EU Data Protection Regulation update and next steps

Latest Developments

In April 2015, the ABI participated in an ad hoc meeting of the Ministry of Justice Data Protection Advisory Panel, convened to discuss the progress of the draft EU Data Protection Regulation.

Ministry of Justice representatives confirmed that the Ministry anticipates a full “general approach” agreement in Council on 15th June, as the Council has now reached agreement on most Chapters of the Regulation. Negotiations on the provisions on liability and sanctions and on Chapter III (which includes the provisions on profiling, data portability and the right to be forgotten) will continue in the coming weeks.

Once the Council reaches a final position, the trilogue process (negotiations between the European Commission, European Parliament and Council) can begin. The ambitious goal is to adopt the final text of the legislation by the end of 2015. The Regulation provides for a two-year implementation period from the time of adoption.

Council of Ministers

Negotiations on the Data Protection Regulation have continued in the Council of Ministers under the Latvian Presidency.

In March 2015, the ABI had a number of meetings on data protection in Brussels, including with representatives of the Latvian Presidency and with the German Government representative on data protection. The meetings provided a good opportunity to discuss the progress made by Member States in their negotiations on the EU Data Protection Regulation. The main topics we focussed on were: the use of pre-contractual data, profiling, data protection and the collection and retention of data for regulatory requirements.

The Latvian Presidency has pushed hard for a full General Approach (a text agreed by Member States which will form the basis of trilogue negotiations) since it took over in January. On 13th March, a partial general approach was agreed on the “One Stop Shop” (in Chapter II of the Regulation).

As the Council is now focussed on discussions on Chapter III of the Regulation, the areas of profiling and also data portability remain high on the agenda.

The Latvian Presidency continues to pursue a full General Approach on the whole Regulation by June. This would allow trilogues to commence, bringing together the European Parliament, Council of Ministers and European Commission to negotiate a final text. The trilogue process could take a year or more and would bring about changes to the current text.

On 4 December 2014, a partial general approach was reached on Chapter IX and public sector provisions.

On 10 October 2014, a partial general approach was reached on the amended text of Chapter IV of the Regulation, including the provisions on data breach notification (to both the supervisory authority and the data subject) and on impact assessments.

According to the proposed changes in Articles 31, 32 and 33:

  • the criteria used to identify which personal data breaches need to be reported to the supervisory authority and to the data subject represent an attempt to introduce a risk-based approach
  • the data controller should notify the supervisory authority of any serious personal data breach no later than 72 hours after becoming aware of the breach
  • the data processor should notify the data controller of any personal data breach ‘without undue delay’
  • the data controller should notify the data subject of any serious personal data breach ‘without undue delay’
  • data controllers should conduct an impact assessment when processing sensitive data.

This partial general approach on Chapter IV follows a similar agreement on Chapter V in June 2014, under the Greek Presidency of the Council.

Both partial general approaches are strongly caveated by the ‘nothing is agreed until everything is agreed’ principle. This means that further amendments could still be made to both Chapters IV and V as negotiations continue.

Despite continued political pressure to get the text agreed as soon as possible, it is still expected that the Council will reach its final position at the beginning of next year, with trilogues expected to take place in the first half of 2015. This would mean agreement can be reached mid-2015, with a likely implementation date of mid-2017.

European Parliament

On March 12, 2014, the European Parliament (EP) adopted in its Plenary session the Data Protection Regulation text voted in October 2013 by the lead EP committee, the Civil Liberties, Justice and Home Affairs (LIBE).

The EP made no further changes, and the text was adopted by an overwhelming majority of 621 votes in favour and 10 against. This means that the EP is ready to enter trilogue negotiations as soon as the Council agrees its position on the draft Regulation.

As a reminder, the ABI views on the most important areas of the EP’s text are listed below.

Conditions and lawfulness of processing (Articles 6, 7 and 9)

We welcomed many of the changes proposed by the LIBE committee, which we feel reflect an effective risk-based approach, in particular:

  • the additions regarding third parties (Article 6 paragraph 1(f))
  • the confirmation that data controllers can continue to process data even after the data subject has withdrawn consent if other conditions of processing are available to the data controller (Article 7 paragraph 3)
  • the acknowledgement that withdrawal of consent could lead to the termination of the service provided or of the relationship with the controller (Article 7 paragraph 3 and Recital 33)
  • the deletion of the term 'significant imbalance' (from Article 7 paragraph 4 and Recital 34)
  • the extension of the grounds under which special categories of data can be processed (Article 9 paragraph 2(aa))

However, we are very concerned about Recital 32, namely the sentence: 'consent cannot be given for the processing of personal data of third persons'. While it has probably been written with the on-line context in mind, it will have significant negative consequences in the off-line context, including in insurance (for example, when adding an additional driver to a car insurance policy, or on joint travel policies). It is also likely to have negative consequences for any intermediary business.

We believe further clarification is required to ensure legal certainty, so that data controllers can continue to access, process, share and store data for the purpose of fraud prevention and detection.

We welcomed the changes proposed in Article 6 paragraph 1(f) and Recital 39(a), which widen the definition of the 'legitimate interests' of the data controller. However, to ensure legal certainty, we believe that the text of Article 6 paragraph 1 needs to be amended to include a specific reference to fraud prevention and detection, either as part of Article 6 paragraph 1(f) or as a new Article 6 paragraph 1(g).

Profiling (Article 20)

The LIBE text presented significant improvements, particularly by clarifying that individuals can be profiled if this is necessary for entering into, or performance of, a contract, or if profiling is expressly authorised by a Union or Member State law, or if consent has been obtained for profiling from the data subject (Article 20 paragraph 2).

However, the changes made to Article 20 paragraph 5 are extremely concerning because they state that profiling which leads to measures producing legal effects concerning the data subject, or which significantly affects the interests of the data subject, should not be based 'solely or predominantly on automated processing and shall include human assessment'. (We had argued that the words 'or predominantly' and 'and shall include human assessment' should be deleted.) While we do not oppose the right to obtain human assessment, as enshrined in the 1995 Data Protection Directive (and also mentioned in the proposed Recital 58 of this Regulation), we believe the proposed wording of Article 20 paragraph 5 is overly onerous and not workable in practice.

For example, we are concerned that, interpreted in the narrowest sense, these provisions could make it impossible for individuals to buy travel insurance on-line just before travelling, or to shop on-line for a motor insurance policy. Imposing human assessment on all profiling activities would not only be onerous for businesses but would act as a barrier to consumers and would increase the time and cost individuals must invest to access services. Moreover, there is no evidence to suggest that the presence of human intervention guarantees a higher standard of data protection.

Data Portability (Articles 15 and 18)

We welcomed the deletion of Article 18, its merger with Article 15, and the changes made to Article 15 paragraph 2(a), which address some of our previous concerns about the potential need to disclose information which might be commercially sensitive or competitive in nature. However, Article 15 paragraph 2(a) remains over-prescriptive. We continue to believe that the requirement for the data controller to provide 'the personal data in an electronic and interoperable format which is commonly used and allows for further use by the data subject' is a consumer / competition provision and not one pertaining to data protection.

Right to Erasure (Article 17)

We welcome the changes made to Article 17. We believe this Article could be further improved by ensuring that the text of the Article mirrors the words of Recital 53: 'The right to erasure should not apply when the retention of personal data is necessary for the performance of a contract with the data subject, or when there is a legal obligation to retain the data'. This would give clearer legal certainty.

Council of Ministers (Greek Presidency)

The Greek Presidency has been extremely active on this file, organising 10 Council Working Group meetings, a COREPER discussion and a Justice and Home Affairs (JHA) Council orientation debate. It had hoped to reach a partial general approach at the March JHA Council meeting, but this was not possible due to disagreements on many issues, most crucially on the one-stop-shop.

During these discussions, two main areas that impact insurers were considered, namely profiling and data portability. While neither provision has been finalised and both remain subject to change, the direction of travel is, overall, positive.

Data Portability (Article 18)

We welcome confirmation (in the proposed changes to Recital 55 and Article 18 paragraph 2b) that this right should not apply where processing is based on another legal ground or where processing is necessary for compliance with a legal obligation to which the controller is subject.

We welcome the safeguards (in the proposed changes to Article 18 paragraph 2b) which state that the right to data portability will not apply to processing carried out on the basis of Article 6(1) points (c), (d), (e) and (f). We believe this should be extended to processing carried out on the basis of Article 6(1) points (a) and (b), namely with the data subject’s consent or for entering into or performance of a contract.

We do, however, have concerns that references to 'commonly used format' and 'electronic format' remain in the text of the Article.

Profiling (Article 20)

We welcomed the proposed changes made to Recital 58, particularly the inclusion of a specific reference to fraud prevention as it is vital that the legislative framework recognises the need for organisations to access, process, store and share information in order to prevent fraud and other financial crime. Therefore, we supported the addition of the words ‘including for fraud monitoring and prevention purposes and to ensure the security and reliability of a service provider by the controller’.

We welcomed changes proposed to Article 20, which mean individuals can be subject to profiling when certain conditions are met. We particularly welcome the recognition that individuals can be profiled if it is necessary for entering into, or performance of, a contract, or if profiling is expressly authorised by a Union or Member State law, or if consent has been obtained for profiling from the data subject.

We welcome the proposed changes stating that profiling based on special categories of data can be undertaken under the conditions outlined in Article 9(2) points (a) or (g).

However, we are concerned about the deletion of the word ‘solely’ from paragraph 3, as this has the potential to significantly widen the scope of the paragraph: from processing based solely on the special categories of personal data referred to in Article 9, to all processing that contains any special categories of personal data referred to in Article 9 alongside other categories of data (covered by Article 6).

Legal and regulatory obligations

The Council text continues to refer, across all the provisions, to other legislative requirements, but fails to recognise the importance of regulatory requirements. Although we have received reassurances from many Member States that the text, as currently drafted, would also cover regulatory obligations, in order to achieve greater legal certainty we continue to argue for the inclusion of the words 'and regulatory' across the Regulation, especially in Recital 53, Recital 58, Article 6 paragraph 1(c) and Article 17 paragraph 3(d).

Next steps

Commissioner Reding continues to raise concerns with Member States, and in the public arena, about the delays in Council. Both the European Commission and the EP have made forceful demands to the Greek Presidency and the Member State representatives to agree a Council position quickly so that trilogues can begin as soon as possible.

The Greek Presidency will aim to reach a partial general approach by June of this year. Collectively, the Council has expressed its belief that the file could be concluded by 2015.

ABI actions

Since the beginning of the year, the ABI has:

  • briefed key UK MEPs ahead of the plenary vote
  • met with the Treasury to raise awareness of the impact of the draft Regulation on the insurance sector
  • participated in a round-table discussion on this topic organised by the FCA, attended by the ICO, the Ministry of Justice, the Treasury and representatives from all sectors of UK financial services
  • met with the ICO to discuss the progress of the draft Regulation and the benefits of a proportionate, risk-based approach to the provisions of the Regulation
  • provided written comments on draft Presidency texts to the Ministry of Justice and the Treasury ahead of Council Working Group meetings and ahead of COREPER
  • continued to feed into Insurance Europe messaging to Member State Attachés
  • liaised bilaterally with national insurance associations across EU Member States to ensure coordinated lobbying efforts in Council
  • continued to participate in the CityUK IRSG Data Protection Work Stream.

The ABI continues to lobby on this file as Council discussions progress and will keep members updated.


Last updated 01/07/2016