HL Chronicle of Data Protection Privacy & Information Security News & Trends

Germany: Pay-As-You-Drive-Insurance – First German Data Protection Authority Issues Requirements

Telematics-based pay-as-you-drive insurance is a new, innovative and not yet proven product from the insurance industry. It collects information about the driving behavior associated with the vehicle and therefore raises privacy issues for the drivers. The Commissioner for Data Protection and Freedom of Information for North Rhine-Westphalia (Landesbeauftragter für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, “LDI NRW”) is the first German data protection authority to evaluate a pay-as-you-drive product and has recently published its requirements for data protection and data security compliance (22nd report (2015) for 2013/14, point 5.1).

The evaluated insurance product

The product, offered by a German insurance company, analyzes the driving behavior of the driver(s) of an insured vehicle using a telematics box that is permanently installed in the car; insurance premiums are then adjusted according to that behavior. Subject to the policyholder’s approval, the box is installed in the vehicle and automatically transmits data on driving behavior every second to a telematics service provider working with the insurer. The data, stored on an EU-based server, includes the route, time, speed (and speeding), acceleration and braking characteristics, etc.

The telematics service provider calculates a total score and four single scores (speed, driving behavior, night-time driving, city rides) based on the collected data. The scores are designed to estimate the probability of an accident. The telematics service provider sends the scores to the insurer on a monthly basis and as an annual summary. The insurer examines the submitted scores in order to determine an individual’s insurance premium for the insured vehicle. If the specified parameters for safe driving behavior are kept, a part of the insurance premium will be refunded to the policyholder to reward cautious drivers.

The data processing does not use real names, but relies on a customer identification number. Each policyholder can access his or her driving data and scores online.

The LDI NRW’s requirements

Given the risk that the data collected via the telematics box could be misused to create a precise profile of the driver’s movements, the LDI NRW has set out the following requirements that organisations must meet to achieve data protection and data security compliance:

  • Data must be separated. This means that the telematics service provider receives the real-time data but does not know the names of the policyholders. Conversely, the insurer knows the names of the policyholders but receives only the scores and the total kilometers, not the raw data.
  • Data must be encrypted in the telematics box and during transmission using the latest technology. It must not be possible to access the hardware.
  • If there are multiple drivers of a vehicle, they must be given the ability to decide individually before commencing a journey whether they want to allow tracking or not. The insurer must provide the policyholder with a sticker to place in the vehicle which provides information to drivers about the tracking.
  • The collected data can only be used to determine the insurance premium and not for the settlement of claims.
  • The policyholders must be fully informed, in an understandable way, about the processing of the data and about the parties involved. Moreover, the policyholders must be informed that when an accident occurs they can object to the transmission of data to repair shops.
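The data-separation requirement above, together with the scoring pipeline described under “The evaluated insurance product”, is illustrated by the following added example; it is not code from the insurer, the telematics provider or the LDI NRW. The sample records, the scoring rules, the refund threshold and the customer IDs are all constructed for illustration; the real product’s scoring formula is not published.

```python
"""Privacy-by-design split for pay-as-you-drive telematics (illustrative model)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed per-second records as the telematics provider receives them.
# Note the key is a customer ID only: the provider never sees a name.
# (customer_id, hour_of_day, speed_kmh, speed_limit_kmh, accel_ms2, in_city)
RAW_RECORDS: List[Tuple[str, int, int, int, float, bool]] = [
    ("C-1001", 9, 48, 50, 0.8, True),
    ("C-1001", 23, 62, 50, 2.9, True),    # speeding, harsh braking, night
    ("C-1001", 14, 95, 100, 0.5, False),
    ("C-2002", 8, 30, 50, 0.3, True),
    ("C-2002", 15, 110, 100, 0.4, False), # speeding
]
# Only the insurer holds the mapping from customer ID to policyholder name (constructed).
INSURER_DIRECTORY = {"C-1001": "A. Beispiel", "C-2002": "B. Muster"}


@dataclass(frozen=True)
class ScoreReport:
    """The only object that crosses from provider to insurer: scores and km, no raw data."""
    customer_id: str
    total_km: float
    speed: int      # each single score: 0 (worst) .. 100 (best)
    behavior: int
    night: int
    city: int

    @property
    def total(self) -> float:
        return (self.speed + self.behavior + self.night + self.city) / 4


def provider_score(records, seconds_per_record: int = 1) -> Dict[str, ScoreReport]:
    """Telematics-provider side: reduce raw per-second data to pseudonymous scores.
    Scoring rule (assumed): score = 100 * (1 - share of 'bad' seconds)."""
    by_id = defaultdict(list)
    for rec in records:
        by_id[rec[0]].append(rec)
    pct = lambda frac: round(100 * (1 - frac))
    reports = {}
    for cid, rs in by_id.items():
        n = len(rs)
        km = sum(r[2] / 3600 * seconds_per_record for r in rs)        # km/h * seconds
        reports[cid] = ScoreReport(
            cid, round(km, 3),
            speed=pct(sum(r[2] > r[3] for r in rs) / n),               # speeding share
            behavior=pct(sum(abs(r[4]) > 2.5 for r in rs) / n),        # harsh accel/brake
            night=pct(sum(r[1] >= 22 or r[1] < 6 for r in rs) / n),    # night-time driving
            city=pct(sum(r[5] for r in rs) / n))                       # city rides
    return reports


def insurer_refund(reports, directory, premium=600.0, threshold=70.0, rate=0.15):
    """Insurer side: join scores with names and grant the premium refund (assumed rule)."""
    return {directory[cid]: (round(premium * rate, 2) if rep.total >= threshold else 0.0)
            for cid, rep in reports.items()}
```

Raw records stay on the provider side and names stay on the insurer side; the frozen `ScoreReport` is the whole interface between them, so a leak of route or speed data into the insurer’s view would require changing that type rather than slipping through a loose dictionary.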

Future Perspective

Pay-as-you-drive insurance is one of the first practical examples of how connected cars can be used to develop innovative products and services. The LDI NRW points out in a side note that health insurance companies are already working on insurance products that use data about the health-related behavior of their clients. To ensure that these products and services are acceptable not only to data protection authorities but also to customers, companies developing them should ensure that data protection and data security requirements are taken into account in the conceptual and design phase and are also properly implemented in the final product.

A version of this entry appeared on Hogan Lovells’ Global Insurance Blog on June 18, 2015.