Usage-based insurance (UBI), or telematics insurance, has become a mainstay of the automotive insurance market. The service can rely on data generated by a connected car, a plug-in device, or even the driver’s smartphone. The idea is simple; pay less if you drive well (pay-how-you-drive) or if you drive rarely (pay-as-you-drive).
All the data generated as a result of UBI relates to the driver of the vehicle, so it is the driver’s personal data. Therefore, UBI providers need to assess what GDPR ‘lawful basis’ they can rely on to process that personal data. The two main contenders are to obtain the driver’s consent, or to state that the processing is necessary for the performance of a contract with the driver. There are benefits and drawbacks to both, but reliance on consent may be going out of fashion.
What were the reasons for relying on consent?
When the data is collected through a publicly available electronic communication service (e.g. via a modem in the connected vehicle or plug-in device), consent will be needed in order to gain access to information that is already stored in the vehicle or device as provided by the EU’s ePrivacy Directive. None of the exemptions to this rule apply in this context: the processing is not for the sole purpose of carrying out the transmission of a communication over a communications network nor does it relate to an ‘information society service’ requested by the user.
In various different guidance documents issued by the European Data Protection Board (EDPB)[1], the EDPB takes the view that if you needed consent under the ePrivacy Directive, then in most cases your GDPR lawful basis should also be consent. This is because the special provisions of the ePrivacy Directive should prevail over the more general rules of the GDPR. The key point is that where you collect data subject to the ePrivacy Directive, you cannot use the other lawful bases in the GDPR to undermine the protection provided to that data by the ePrivacy Directive.
In addition, UBI usually involves the collection of location data. The Article 29 Working Party’s 2011 opinion on geolocation services on smart mobile devices was firm in its view that consent is required to process the location data from smart mobile devices. Connected vehicles are often seen as analogous to a smart mobile device given the type of services provided. Most connected vehicles use location for many purposes so providers of connected vehicle services are in the habit of asking for consent.
On first glance then, relying on consent as the lawful basis for processing makes perfect sense. It’s a two-for-one.
From an industry perspective, pre-GDPR guidance from the Association of British Insurers (ABI) supported this consent-led approach[2]. It is worth noting that at the time this guidance was issued UBI was often sold as an optional extra. If you wanted to provide the data, you could potentially save on your insurance premiums. If you stopped using it, you’d default to your normal premium.
What changed?
However, the EDPB’s recent connected vehicle guidance took a different position on consent. The EDPB didn’t rule it out, but contrary to what had come before, the EDPB made it clear that providers of UBI are likely to be able to rely on the ‘performance of a contract’ lawful basis. This assumes that there is a valid contract between the UBI provider and the driver and that the processing is necessary to fulfil that contract.
The EDPB considers that reliance on the contract lawful basis after having obtained consent under the ePrivacy Directive would not have the effect of lowering the additional protections provided by the ePrivacy Directive. This is one of the few instances we have seen the EDPB provide an exception to its general rule. The ABI updated its Good Practice Guide in November 2020 and this is aligned with the EDPB position. Neither guidance is legally binding, but both reflect best practice in the area.
The EDPB’s guidance on consent gives us a clue as to why the EDPB leans toward the contract basis. At paragraph 31 of the guidance, the EDPB says “if a controller seeks to process personal data that are in fact necessary for the performance of a contract, then consent is not the appropriate lawful basis.” This is because the consent is conditioned and is therefore not ‘freely given’.
Applied to UBI, if a UBI provider has a UBI policy that is exclusively based on vehicle telemetry (i.e., the premiums are set solely using that data), then at least some of the data is necessary for the performance of the UBI insurance contract with the driver. Consent is therefore not the appropriate lawful basis when processing this data.
That being said, relying on the contract lawful basis, even if more appropriate, does not provide much of an advantage. Firstly, the EDPB’s 2019 guidance on the contract lawful basis emphasises that controllers must clearly and specifically identify the purposes of processing when relying on this lawful basis, much like you would need to do if relying on consent. Vague or general statements such as “we process your personal data for usage based insurance purposes”, buried somewhere in the contract, won’t be specific enough. Some examples of different processing activities can be found in the ABI Good Practice Guide, particularly at paragraph 20[3].
Secondly, the UBI provider still needs to respect the consent given under the ePrivacy Directive. To ensure consent is freely given and able to be withdrawn without detriment to the driver, UBI providers need to make sure they can provide an alternative non-UBI policy if needed. The consent may also have an impact on any desired further use of the data in the future.
Is there still a place for consent?
The short answer is yes. Most obviously, it is often required by the ePrivacy Directive.
In some cases, a provider may be able to rely exclusively on consent if the provider can show that the provision of telematics data is not necessary for the performance of the contract. This might be the case with a UBI policy where the processing is genuinely optional (i.e., it is a perk, or incentive, as opposed to a requirement).
However, a hybrid approach is more likely for most UBI policies these days. Some processing activities related to the service may be advantageous to the driver or the provider, but not necessary, meaning that the driver could be asked to consent to these ‘extras’. An example might be where a provider wants to use the data for separate analytics purposes.
Great – so that’s settled then?
Unfortunately not. UBI is another example of a service provided by the automotive industry that struggles with the issue of ‘second drivers’ of vehicles.
If you rely on consent as your GDPR lawful basis, then that consent only applies to the person who gave it. In the context of providing a service to connected vehicles, this means either getting consent from the other drivers of the vehicle too, or implementing a way of determining who is driving the car so that the services aren’t provided to that person (this isn’t really an option in an insurance context).
A similar issue arises with the performance of a contract lawful basis. A key element of that lawful basis is that the contract must be one to which the data subject is a party. It is unclear to what extent a named driver on a policy is actually party to the policyholder’s contract. If they are not, this would render the lawful basis unavailable for collection of data about the named driver.
[1] See for example Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR; available at https://edpb.europa.eu/sites/default/files/files/file1/201905_edpb_opinion_eprivacydir_gdpr_interplay_en_0.pdf
[2] Selling Telematics Motor Insurance Policies: Good Practice Guide, 2013 edition; available in archive at https://www.abi.org.uk/globalassets/sitecore/files/documents/publications/public/migrated/telematics/selling-telematics-motor-insurance-policies—abi-good-practice-guide.pdf
[3] This reads “…managing a policy, handling a Claim, setting Premiums, detecting and preventing fraud, responding to consumer queries or for any other purpose that the consumer has been informed of. Managing a policy may include intervention models i.e. extreme events such as speeding, braking, cornering, acceleration, etc. Intervention may also include managing mileage being exceeded, where a vehicle is kept overnight (if not at the declared home address X% of the time) and for those policies where the Telematics Device can also act as a stolen vehicle location/recovery service in the event of theft.”