
Insurance and health data processing

Updated: Dec 8, 2021

Written by Mickaël Tome and Cyril Pierre-Beausse, Avocats à la Cour

Published on 07.04.2020 - Paperjam

©sinclair.sharon28 - Licence CC BY 2.0

A bill currently before the Chamber of Deputies should give insurance and reinsurance companies in Luxembourg a clear legal basis for the processing of health data, in a context made complex by the GDPR.


Almost two years after its entry into force, the General Data Protection Regulation (GDPR) continues to shape the regulatory strategy and practices of insurance and reinsurance companies in Luxembourg. It must be said that the GDPR swept away the fragile legal bases on which Luxembourg insurers relied to process data, leaving them in a very unclear legal situation. The Luxembourg government has just published a bill (n°7511) aiming to remedy this legal uncertainty, in particular for insurers processing health data.


This text is eagerly awaited by insurers covering health, life or accident risks.


In passing, it is surprising that an entire sector of the economy as significant as insurance has been overlooked by the European and Luxembourg legislators and plunged into uncertainty, while the first draft of the GDPR dates back more than eight years.


The bill therefore fills a deep gap. The principle of "lawfulness" requires any processing of personal data to rest on one of the legal bases provided for by law. For data revealing health status, the requirements of the GDPR are stricter still. For insurers, this is precisely where the problem lies.


Indeed, the former Luxembourg legislation had rightly introduced an exception allowing insurers to process health data. For the legislator at the time, the fact that insurance companies were bound by professional secrecy was a sufficient guarantee. The entry into force of the GDPR wiped the slate clean and this valuable exception went out with the bathwater, as it were, leaving insurers in a tricky legal situation.


For want of anything better, insurers then had no choice but to base some of their health data processing on the explicit consent of their customers. This is indeed another possibility offered by the GDPR, but at the price of administrative burden, cost and the permanent risk that consent will be withdrawn, threatening the continuity of the processing. The GDPR has also tightened the conditions under which consent can be considered valid. In particular, it is difficult to prove that consent has been freely given when contractual terms are accepted by customers without any real possibility of negotiating them.


While the GDPR provides for other exceptions (e.g. for the establishment, exercise or defence of legal claims), they are not suited to the day-to-day management of ordinary contractual relationships.


This is why the Luxembourg legislator is considering using one of the margins of manoeuvre that the GDPR leaves to Member States. The bill thus provides for the explicit legitimisation of health data processing by insurers on the grounds that such processing is necessary for "important public interest reasons". This wording is justified by insurers' contribution to the public interest, and in particular by the role of private insurance in covering health and old-age risks.


This legislative reform, if adopted, will introduce a new article (181bis) into the law of 7 December 2015 on the insurance sector. It will relieve insurers of this discomfort, provided that they respect the rules of professional secrecy and put in place appropriate safeguards (appointment of a data protection officer or "DPO", data protection impact assessments, anonymisation or pseudonymisation measures, encryption, strict management of access rights). These are all natural safeguards for this type of high-risk processing. An appreciable side effect of the bill will be to confine the use of consent to cases where it is really necessary, thereby strengthening policyholders' control over their data.


In practice, insurers will have to review their internal analysis of the applicable GDPR legal bases (including updating their record of processing activities and their customer information notices). In addition, they will need to maintain rigorous documentation, in line with the GDPR accountability principle, justifying their strategic choices (whether or not to rely on consent, which safeguards to adopt), especially where the data protection rules still leave grey areas.

