The DPA approves a draft Act prohibiting life and health insurers from processing health sensor data

The DPA approves a draft Act prohibiting life and health insurers from processing health sensor data
March 2, 2020

The Belgian data protection authority (DPA) has approved a draft Act that prohibits life and health insurers from processing the health sensor data of their insurance holders. The Belgian legislator wants to prevent insurers from providing discounts to the “healthy ones”, even if the insurers have their policy-holders’ consent. There is a fear that such processing could lead to infringements of privacy and to unlawful discrimination.

Health sensor data for insurance discounts

With technology development has come an abundance of new devices and tools such as smart watches and health or lifestyle related apps that track sports activities, nutrition, weight loss, specific risk factors (such as diabetes), or measure sleep quality.

Life and health insurers have expressed an interest in the processing of this data. Outside Belgium, some insurers are already proposing discounts or other advantages for policy-holders who are using health sensors and that are willing to share their data with their insurer.[1] In Belgium, such a system already exists with the “Pay as you drive” car insurance offer. To benefit from such an offer, the driver must consent to the installation of a device collecting information relating to his/her driving behaviour in his/her car. For more careful driving, the driver might benefit from a more favourable insurance premium.

Risks of possible unlawful discrimination

In October 2018, some members of parliament introduced a draft Act to restrict such practices regarding the usage of health trackers for the purpose of providing specific health/life insurance.[2] However, ‘restriction’ might not be the most accurate word as the draft Act has provided for a full ban of any use of such data.

The draft Act’s goal is to avoid “hyper individualization of the risk and the hyper accountability of the individual”. Hence, such personal accountability would change the paradigm of our current health insurance system, which is based on the sharing of health-related risks.  

Therefore, according to the draft Act’s authors, any difference in access to any health/life insurance, pricing, and/or regarding the extent of the insurance coverage, based on the collection of data from an individual’s health sensor would be unacceptable. The receipt of such data could result in unlawful discrimination as well as enhance social inequalities as, in general, underprivileged persons have poorer health than others and they will be reluctant to share such data with their insurer for fear that they will have to pay a higher price.

Prohibition for health sensor data usage  

For these reasons, the draft Act prohibits life and health insurers from:

  • Making any segmentation relating to access to insurance, pricing, and/or the extent of insurance coverage, based on the requirement that the insured person accepts buying/using a health sensor, accepting sharing the data with a health sensor, or based upon the use, by the insurer, of such data ; and
  • Processing data collected by a health sensor and relating to the lifestyle or health of an insured person.

The legal basis for this prohibition is Article 9.4 GDPR, which authorises Member States to “maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health”. The DPA confirmed this position in its opinion of 17 January 2020.[3]

The DPA stated that also Article 9.2.a GDPR could serve as a justification. This article permits a Member State to lift the exemption concerning processing sensitive data based upon the data subject’s explicit consent. In other words, a Member State can forbid a certain processing operation from taking place even if the data subject agrees with it.

Final remarks

Given the current political paralysis in Belgium, this draft Act might not pass any time soon. Yet it nevertheless clearly shows the position of some political parties towards the usage of health data for certain purposes.

Data collected via health trackers or apps cannot be used for ‘tailor made’ health or life insurance, not even with the data subject’s consent. An indirect effect could also be that the practice by which the manufacturers of such health trackers or apps share such data with interested insurance companies will lessen. After all, the latter will no longer be allowed to use this data.

Furthermore, it is important to note that data from health trackers and apps can still be used for any other insurance that does not qualify as a life or health insurance.

In its advice, the DPA seems to acknowledge that all data coming from health sensors and lifestyle related apps are likely to be considered as health data.

[1] For example, in 2015, Discovery insurance, a US based insurer, launched an insurance policy that integrated the sports activities and nutrition habits of its clients. By having “good” behaviour, its clients could obtain discounts on their risk premiums or receive gifts/vouchers.

[1] Chamber of Parliament, 20 June 2019, Draft Act amending the Act of 4 April 2014 on insurance with a view to establish a restriction on the use of personal data from connected objects in the field of health and life insurance, https://www.lachambre.be/FLWB/PDF/55/0263/55K0263001.pdf, p. 6.

[1] Data protection Authority, Opinion 02/2020, https://www.autoriteprotectiondonnees.be/sites/privacycommission/files/documents/AD02-2020.pdf.

Written by

  • Jan Clinck

    Counsel

Recommended articles

June 20, 2024

Belgium gears up to enforce the EU Deforestation Regulation

The EU Deforestation Regulation (EUDR) was published on 9 June 2023 and came into force on 29 June 2023. Member States, including Belgium, must establish legal frameworks for enforcement.

Read on
May 03, 2024

EU Court of Justice interprets import ban on Chinese animal products: fish oil for feed is not an exempted “fishery product”

On 21 March 2024, the EU Court of Justice (‘CJEU’) handed down its ruling in case C‑7/23, concerning a dispute between a feed company and the Federal Agency for the Safety of the Food Chain. The parties differed in their interpretation of an EU import ban on products of animal origin coming from China. The Council of State sought the CJEU’s guidance.

Read on
April 26, 2024

CJEU balances strict obligations for wholesalers of medicines with proportional penalties

On 21 September 2023, the EU Court of Justice ('CJEU’) handed down its ruling in the Apotheke B. case (C-47/22), and it is a good example of the high threshold set by the EU Court of Justice to uphold the Community Code’s main aim of protecting public health.

Read on