Fraud: Draft Data Protection Regulation
There is some concern within the insurance industry that the new Data Protection Regulation (which will replace the old 95/46/EC Directive) could somehow hamper insurers’ future abilities to wash or screen data to detect fraudulent claims. This Regulation has (after much delay and significant amendment) finally been approved by the European Parliament Committee for Civil Liberties, Justice and Home Affairs (LIBE), but a number of further stages need to be completed before the Regulation will have effect in UK law.
Negotiations will now take place between the European Commission, the Council of Ministers and Members of the European Parliament on proposed amendments to the regulation as approved by the LIBE.
A deadline is set for a plenary vote (first reading) at some point in 2015 (which has been pushed back from March 2014). There are European elections in May 2014 which may result in further delay.
As things currently stand, Spring 2016 looks to be the earliest date by which the Regulation could be in force in the UK.
The draft currently under negotiation, as amended by LIBE, provides businesses with the right to process personal data if the processing is necessary for the purposes of the “legitimate interests” of the business, albeit with some requirements upon the processor to inform the data subject of the new right to object to such processing on grounds relating to their particular situation. There will be a test of whether the fundamental rights and freedoms of the data subject override the legitimate interests.
What particularly concerns the counter-fraud industry is the lack of certainty about how ‘legitimate interest’ will finally be defined and the means by which data processors will be expected to warn subjects of their right to object.
Presumably there is also concern surrounding a target subject’s right to object to their data being processed for fraud detection purposes, and what test will be applied to decide when an individual’s fundamental rights and freedoms trump a legitimate business interest.
Will the current warning given (that insurers check databases for the purpose of combatting fraud), together with a notice that an individual can object, be sufficient?
One amendment proposed by LIBE in November 2013 assumes that the “prevention or limitation of damages” will fall within the ‘legitimate interests’ definition. Given that the processing of data for direct marketing for own or similar products will be presumed to be within the scope of the ‘legitimate interest’ definition, there is hope that the industry’s fraud data screening processes will also comfortably fall within the scope of that definition.
Readers should also note that there will be an EU Directive which deals with personal data that is processed for the purpose of law enforcement. The extent to which that Directive might impact upon the processing of data for the detection of insurance fraud remains to be seen.
At this stage the key proposals can be summarised as follows, but, as always, the devil will be in the detail:
Requirements for greater evidence of consent from data subjects
The ‘right to be forgotten’ (data erasure)
Organisations required to report breaches to the regulator and all the affected data subjects, within 24 hours
Organisations to demonstrate compliance, through appointment of DP Compliance individuals, answerable to their board or equivalent
Increased powers for regulators
Increased financial penalties for breaches: for companies a fine of up to €100 million or 5% of global annual turnover, whichever is the greater (up from the €1 million/2% originally proposed)
Whilst it is clear that the new Regulation will place additional burdens on businesses, it is too early to predict the precise nature and extent of those burdens, at least until the first reading takes place in the European Parliament.
DWF will continue to monitor progress and provide further briefings as the various negotiations take place and as the final form of the Regulation becomes clearer.
For further information, contact Paul Holmes, Partner, on 0113 261 6521
This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.