The processing of health data in insurance contracts: Challenges of consent as a legal basis

Personal data is a very important asset to the insurance sector. It will come as no surprise that insurers collect and use vast amounts of personal data about customers or others. Some of that data might even be very sensitive in nature (for example, health data). After all, insurers need data for risk management, underwriting, claim management, fraud prevention and detection and marketing purposes.

Health data is considered a special category of personal data. Health data is, by nature, particularly sensitive, as its processing could create significant risks to fundamental rights and freedoms. The General Data Protection Regulation (GDPR) provides that special categories of personal data, including health data, can only be processed under strict conditions. An insurance company can only process health data of the policyholder, insured or others by invoking one of the ten legal bases provided in the GDPR (Article 9.2 GDPR).

Practice shows that a large cloud of uncertainty surrounds the correct legal basis for the processing of health data by insurers. This has been evidenced once again by a recent ruling of the Belgian Data Protection Authority (gegevensbeschermingsautoriteit – Autorité de protection des données) of 29 August 2024.

The underlying facts are as follows. A policyholder of an outstanding balance insurance (schuldsaldoverzekering – assurance solde restant dû) lodged a complaint with the Data Protection Authority in the context of a credit offer for the purchase of a home. The credit offer provides for a conditional interest rate discount if the policyholder concludes an outstanding balance insurance for the amount of the credit. The policyholder alleges that when applying for outstanding balance insurance through a broker in March 2022, it emerges that the signing of a consent form to process health data is necessary. However, according to the policyholder, this consent would apply not just to acceptance of the outstanding balance insurance in question, but to all processing of health data, such as claims handling, elaboration of pricing, refining entry and coverage conditions, automated decision-making and fraud detection and prevention. The broker clarified that it is impossible to proceed with a more specific consent. Furthermore, the policyholder notes that the insurer’s website prevents completion of the questionnaire if consent is not given. Given the risk of missing out on the interest rate discount, the policyholder agrees to the consent form and completes the medical questionnaire on the website. Subsequently, the policyholder partially withdraws its consent.

The policyholder requests the Data Protection Authority to take a position on the legal basis, namely whether there is a sufficiently specific legal basis for the processing or whether consent is the applicable legal basis. The policyholder claims that the consent has not been given freely and specifically. As regards the free nature of the consent, the policyholder points out that there is a definite disadvantage in refusing the consent, which goes beyond not being able to obtain insurance. Similarly, the policyholder denounces the fact that, by bundling consents for different purposes into one consent, the consent is neither freely obtainable nor specific in nature.

The Data Protection Authority points out that Belgian legislation does not contain any specific provisions regarding the processing of health data by insurers. Therefore, the general provisions of the GDPR apply. According to article 9.2, a) GDPR, the processing of health data is possible if the insurer acquires the explicit consent of the data subject (prior to processing). Consent should be given freely. This means that consent can only be valid if the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences if the data subject does not consent.

The Data Protection Authority considers that the consent given by the policyholder in the underlying case is not free. That is because the credit offer in question provides for a conditional interest discount if the policyholder concludes an outstanding balance insurance with the insurer. The interest rate discount is forfeited if no outstanding balance insurance is taken out with the insurer. In addition, the Data Protection Authority also refers to the social desirability of outstanding balance insurance, namely the benefits for and protection of partners or heirs. Consequently, there is a breach of Article 4, 11) GDPR and article 9.2 GDPR.

However, the Data Protection Authority points out that this breach is not imputable to the insurer. The Data Protection Authority wishes to draw attention to the broader issue related to the complaint, namely the collection of health data by insurers from potential policyholders through their express consent (art. 9.2. a) GDPR) in the context of the conclusion and performance of an insurance policy, in this case outstanding balance insurance, and the related question of the extent to which the consent of those policyholders can be free. The Data Protection Authority considers that this situation is undesirable for all actors involved in the conclusion of such insurance contracts and insists that a solution be found, preferably at the European level. Consequently, the Data Protection Authority informs the EDPB (European Data Protection Board) and, in consultation with the Executive Committee of the Data Protection Board, other competent authorities at national and European level of this decision.

This decision highlights the challenges insurers face when processing health data. These challenges can be summarized as follows:

  • According to the principle of accountability, the insurer needs to be able to demonstrate that the data subject has consented to processing of his or her personal data. It is recommended that insurers obtain written consent.
  • Obtaining (written) consent of persons that are not directly part of the insurance contract (third persons, insureds who are not the policyholders, beneficiaries, etc.) can prove to be a challenging task.
  • Consent in an insurance context will often be regarded as being conditional for the performance of the contract. A conditional consent is by definition not freely given. Thus, the validity of explicit consent in the context of an insurance contract is left hanging in the balance.
  • The data subject has the right to withdraw his or her consent at any time. It is important to note that an insurer cannot swap from consent to other lawful bases. This could make it impossible for insurers to continue and honour the insurance contract.

Therefore, Amankwah Law applauds the decision by the Data Protection Authority. Hopefully, this decision will gain traction and lay the groundwork for clear legislative initiatives at European or national level.


Amankwah Law can provide the necessary guidance to navigate you through the delicate landscape of the processing of personal data in an insurance context.
