Data protection

New paper explains how to improve the new e-Privacy Regulation to benefit consumers and improve road safety


Insurance Europe has today published a paper on how the European Commission’s proposal to revise the e-Privacy Directive can be improved to benefit consumers and help to improve road safety.

The proposal for the e-Privacy Regulation is currently being discussed by the three institutions — ie the Commission, the European Parliament, and the Council of the EU — and seeks to update privacy rules for the digital age. However, in its current form, it may inadvertently hamper insurers’ ability to develop innovative new products, such as telematics-based insurance, which helps to improve road safety by incentivising careful drivers with lower premiums.

To offer telematics-based insurance policies, insurers collect and process data from terminal equipment (ie, telematics boxes), which will be regulated by article 8 of the new e-Privacy Regulation. Unfortunately, neither the Commission’s proposal nor the European Parliament’s amendments provide a sound legal basis on which this processing can continue. The lack of a clear legal basis will eventually make it more difficult and riskier for insurers to offer this type of innovative product to consumers. This would mean less choice for consumers and a missed opportunity to increase road safety in Europe.

To avoid this, Insurance Europe suggests that the co-legislators should preserve the Council’s version of article (8)(1)(c) of the e-Privacy Regulation, which would allow insurers to collect data as part of telematics-based insurance, as it would constitute a service “specifically requested by the end-user”. This article would provide a solid legal basis on which insurers could continue to offer telematics-based insurance policies.

It is also vital that the co-legislators safeguard the current interplay between the e-Privacy Directive and the General Data Protection Regulation (GDPR). The collection of data from terminal equipment, which is currently regulated by the e-Privacy Directive, should remain protected under the new e-Privacy Regulation, while any subsequent processing of personal data should fall under the GDPR, as called for by the European Data Protection Board.