Profiling and automated decision-making by the insurance company in the light of personal data protection

Main Article Content

Jovana Rajić Ćalić
Iva Tošić

Abstract

Insurance companies collect  personal data of their customers on a daily basis in their regular business, they are profiling their users and often make decisions in an automated way. Profiling is usually used in the insurance industry as a means of undertaking actions like setting premiums, uncovering possible fraud and planning marketing campaigns. For these reasons, the adoption of the General Data Protection Regulation and Law on Personal Data Protection of Serbia has a great impact on the insurance companies business, taking into account that those acts introduce mandatory notification when collecting data from data subjects. Namely, these acts introduced the obligation to inform data subject of the existence of automated decision-making, including profiling, as well as the obligation to provide the data subject with meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing.


The authors strive to address the impact of the General Data Protection Regulation, and above all Article 22, on profiling and automated decision-making by insurance companies, which is a regular activity within their business. According to this article data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. For these reasons, the authors will analyze the impact of this provision on the business of insurance companies.

Article Details

Section
Članci

References

Andonović S., Prlja D., Osnovi prava zaštite podatak o ličnosti, Institut za uporedno pravo, Beograd 2020.

Bara D., Utjecaj GDPR Uredbe na poslovanje osiguravajućih društava, Hrvatski dani osiguranja (ur. Marijan Ćurković, Jakša Krišto, Damir Zorić), 2017.

Boban M., Zaštita osobnih podataka i nova EU uredba o zaštiti podataka, Bilten HDMI 24(1)/2018.

Borgesius F. Z., Poort J., Online Price Discrimination and EU Data Privacy Law, Journal of Consumer Policy 3/2017.

Brkan M., Do Algorithms Rule the World? Algorithmic Decision-Making in the Framework of the GDPR and Beyond, International Journal of Law and Information Technology 27(2)/2019, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3124901, 15. decembar 2022. https://doi.org/10.1093/ijlit/eay017

Casey B., Farhangi A., Vogl R., Rethinking Explainable Machines: The GDPR's "Right to Explanation" Debate and the Rise of Algorithmic Audits in Enterprise, Berkeley Technology Law Journal 34(1)/2019.

Eskens S. J., Profiling the European Consumer in The Internet of Things - How Will the General Data Protection Regulation Apply to This Form of Personal Data Processing, and How Should It?, Thesis Research Master Information Law, University of Amsterdam, 2016. https://doi.org/10.2139/ssrn.2752010

Kamarinou D., Millard C., Singh J., Machine Learning with Personal Data, Queen Mary University of London, School of Law Legal Studies Research Paper No. 247/2016.

King J. N., Forder J., Data Analytics and Consumer Profiling: Finding Appropriate Privacy Principles for Discovered Data, Computer Law & Security Review 32(5)/2016. https://doi.org/10.1016/j.clsr.2016.05.002

Liapakis X., A GDPR Implementation Guide for the Insurance Industry, International Journal of Reliable and Quality E-Healthcare 7(4)/2018. https://doi.org/10.4018/IJRQEH.2018100103

Mendoza I, Bygrave L. A, The Right not to be Subject to Automated Decisions based on Profiling, University of Oslo Faculty of Law Legal Studies Research Paper Series No. 2017-20, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2964855, 21. novembar 2022.

Petrović Tomić N., Zaštita potrošača usluga osiguranja analiza i predlog unapređenja regulatornog okvira, Pravni fakultet Univerziteta u Beogradu, Beograd 2015.

Petrović Tomić N., Zaštita potrošača usluga osiguranja i informaciona paradigma - odluka Narodne banke Srbije o zaštiti prava i interesa korisnika usluga osiguranja, Pravo i privreda 7-9/2016.

Saserat-Alberti N., Nove tendencije u zaštiti potrošača u Evropi i Nemačkoj, Pravo osiguranja Srbije u tranziciji ka evropskom (EU) pravu osiguranja (ur. Pjerpaolo Marano, Slobodan Jovanović, Jasmina Labudović Stanković), Udruženje za pravo osiguranja Srbije, Beograd 2013.

Tene O., Polonetsky J., Big Data for All: Privacy and User Control in the Age of Analytics, Northwestern Journal of Technology and Intellectual Property 11(5)/2013.

Thaira S., The Use of AI in (Telematics) Insurance and the GDPR, Master in Information Technology and Intellectual Property Law 2019-2020.

Tošić I., Novaković O., Uticaj nove regulacije u oblasti zaštite podataka o ličnosti na rad osiguravajućih društava, Zaštita podataka o ličnosti u Srbiji (ur. Stefan Andonović, Dragan Prlja, Andrej Diligenski), 2020.

Tošić I., Novaković O., Zaštita potrošača usluga osiguranja - analiza zakonodavnog okvira Republike Srbije, Prouzrokovanje štete, naknada štete i osiguranje (ur. Zdravko Petrović, Vladimir Čolović, Dragan Obradović), Beograd - Valjevo 2022.

Veale M., Edwards L., Clarity, surprises, and further questions in the Article 29 Working Party draft guidance on automated decision-making and profiling, Computer law and Security Review 34(2), 2018. https://doi.org/10.1016/j.clsr.2017.12.002

Wachter S., Normative challenges of identification in the Internet of Things: Privacy, profiling, discrimination, and the GDPR, SSRN-id3083554.pdf, 20. novembar 2022.

Wiedemann K., Automated Processing of Personal Data for the Evaluation of Personality Traits: Legal and Ethical Issues, Max Planck Institute for Innovation and Competition Research Paper No. 18-04, SSRN-id3102933.pdf, 15. novembar 2022.

Zarsky Z. T., The Trouble with Algorithmic Decisions: An Analytic Road Map to Examine Efficiency and Fairness in Automated and Opaque Decision Making, Science, Technology, & Human Values 41 (1), 2016. https://doi.org/10.1177/0162243915605575

Zarsky Z. T., Mine Your Own Business!: Making the Case for the Implications of the Data Mining of Personal Information in the Forum of Public Opinion, Yale Journal of Law and Technology 5/2003, https://yjolt.org/sites/default/files/zarsky-5-yjolt-1.pdf, 17. novembar 2022.

Article 29 Data Protection Working Party, Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679, 2017.

Article 29 Data Protection Working Party, Guidelines on Consent under Regulation 2016/679, 28. novembar 2017.

Uredba (EU) 2016/679 Evropskog parlamenta i Veća od 27. aprila 2016. O zaštiti pojedinaca u vezi s obradom ličnih podataka i o slobodnom kretanju takvih podataka te o stavljanju van snage Direktive 95/46/EZ (GDPR).