With the spread of health-related apps, health and life insurers are keen to use the collected data to improve the accuracy of their insureds’ profiles. This trend raises important questions in terms of privacy but also in terms of risk mutualisation in society.
A bit of context
With advances in technology and the ability of our smartphones or smartwatches to record our heartbeats, count our steps, and assess our pace, developers have naturally seen an opportunity to develop health-related apps.
These apps track running performance (Runkeeper, Runtastic, Nike+, Fitbit…), monitor diet (MyFitnessPal…), analyse sleeping habits (Fitbit, Jawbone, isommeilr…), etc.
Citizens are using more and more of these health-related apps in their daily lives.
Of course, health and life insurers are greatly interested in the health data collected by these apps. This is not necessarily a bad thing as this can mean that insurers can better assess the risk they insure and its evolution, and request more accurate premiums from their policyholders. Nonetheless, this trend also raises important questions in terms of privacy, but also in terms of insurance paradigm as such.
The privacy issue
The privacy issue is rather obvious. One might reasonably desire to keep certain aspects of one’s life private.
The privacy issue is not limited to the insurance world. Privacy is primarily addressed by the EU General Data Protection Regulation (GDPR). The purpose of this news item is not to examine this regime in detail. Let us simply recall that under Article 9 of the GDPR, health-related data are considered “special categories of data”.
The processing of this kind of data is subject to higher requirements and may only serve highly valued purposes. The data subject may, however, always give his/her explicit consent to the use of his/her health-related data (Art. 9, 2, (a) GDPR).
This explicit consent is rather well protected and must be free and genuine. For instance, a service provider may normally not monetise the data subject’s consent or make the delivery of its services conditional on it.
The segmentation issue
Where do we stand?
The insurance industry is based on the idea of risk mutualisation. This principle can be extremely useful to the operation of a society. In a nutshell, the healthy clients’ premiums pay for the insurance indemnity of the ill insured persons.
Health and life insurers have always tried to assess the risks presented by insured persons with the highest accuracy possible using statistical data. Typically, all things being equal, a young sporty person is less likely to die than an old person suffering from diabetes. This reality will normally result in the young person paying a lower insurance premium.
The division of insured persons into categories (e.g. young and healthy versus old and ill) is called “segmentation”. To each category corresponds a level of premium, certain categories of risk being simply refused by insurers (depending on their risk appetite). This is the reason why health and life insurance is almost systematically subject to a medical questionnaire and, in some cases, a medical examination.
Naturally, the more accurate and detailed the segmentation is, the less insurance services offer a mutualisation of risk to society and – arguably – the less useful insurance services become to society as a whole.
This risk has been identified by the Belgian legislator. One of the main Belgian attempts to avoid the risk of “demutualisation” is embodied in Article 44 of the law of 4 April 2014 relating to insurances. Under this provision “Any segmentation made in terms of acceptance, cost, and/or extent of the insurance cover must be objectively justified by a legitimate purpose, and the means to achieve this purpose must be appropriate and necessary”.
This provision lays down the legislator’s ideal but it is very broad and offers a lot of room for interpretation.
Certain members of Parliament fear that connected devices and health-related apps unduly change the paradigm of mutualisation in the insurance sector.
To prevent this possibility, they have filed a law proposal with the intention of prohibiting the use by health and life insurers of personal data collected by connected devices. The law proposal further prohibits making insurance acceptance, pricing and/or the extent of the insurance cover conditional on the insured person’s use of health checkers and on the sharing of data collected by such health checkers with insurers.
Practically, if enacted, the law proposal would bring a new Article 44, § 2nd, to the Law Insurances:
“In derogation to Article 43, § 1st, this paragraph applies to the following insurance contracts:
1° Individual life insurance;
2° health insurance […].
No segmentation can be applied to acceptance, pricing and/or extent of the insurance cover subject to the condition that the policyholder accepts to acquire or use a health checker, accepts to share the data collected by the health checker, or subject to the condition that the insurer uses such data. The processing of the personal data collected by a health checker, relating to the way of life or health of the policyholder, is prohibited”.
The concept of “health checker” would be defined in a new Article 5, 53°, of the Law Insurances as “a device allowing the measurement of one or more variables associated to the way of life or the health of the policyholder”.
At the end of January 2020, the Belgian Data Protection Authority (“DPA”) issued an opinion on the law proposal.
The law proposal is primarily based on Article 9.4 of the GDPR, according to which “Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health”.
The proposal is further based on the abovementioned Article 9, 2, (a) of the GDPR, which provides that special categories of data (such as health-related data) cannot be processed unless “the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition […] may not be lifted by the data subject”.
According to the DPA, these two provisions of the GDPR effectively allow the Belgian legislator to introduce additional limitations on the processing of health data, so that the law proposal is compliant with the GDPR.
While nothing is (yet?) cast in stone, the discussed law proposal is a perfect illustration of the difficult balance regulators need to strike between innovation and the preservation of existing paradigms.
Interestingly, it shows a strong desire of certain members of Parliament to safeguard the principle of mutualisation of risks in the insurance industry. This mutualisation is often seen as a key principle to the health system as a whole.
The DPA’s opinion is also a good reminder that the GDPR, although an EU regulation, still allows Member States to adopt stricter requirements when it comes to protecting special categories of data. In the case at hand, the law proposal somehow “protects the data subjects from themselves” by revoking their right to agree to certain uses of their connected devices.