Europe: Insurance Europe highlights limits of GDPR and PSD2 in response to FinTech Action Plan
Insurance Europe issued, on 2 July 2020, its response ('the Response') to the European Commission's public consultation on a New Digital Finance Strategy for Europe/FinTech Action Plan ('the FinTech Action Plan'). In particular, Insurance Europe highlighted that there are still regulatory barriers to providing insurance to consumers online, which holds back innovation and the provision of digital services, which consumers expect to be available and easy to use. Furthermore, Insurance Europe noted that requirements under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') create legal uncertainty and limit the potential use of blockchain and distributed ledger technologies, while also creating difficulties for the development of machine learning models and the data on which they can be based.
Moreover, Insurance Europe outlined that the GDPR sets out numerous rights for the data subject, such as the right to be forgotten and the right to rectification, as well as requiring data to be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data is processed, but that this needs to be reconciled with the fact that blockchain technology is designed to be an immutable and permanent record of all transactions.
Insurance Europe further suggested that the alignment of the GDPR with the realities and needs of artificial intelligence ('AI') development should be carefully considered, and that it is therefore worth considering the recommendations of the Expert Group on Regulatory Obstacles to Financial Innovation ('ROFIEG'), which proposes issuing guidance on the application of the GDPR in relation to the use of new technologies in financial services.
Finally, Insurance Europe highlighted that consent-based data sharing could be beneficial and create added value for consumers in the form of new and innovative digital financial services, but that data protection, protection of business secrets and security-related issues must be carefully considered and solved before introducing legislation regarding data sharing beyond Payment Services Directive ((EU) 2015/2366) ('PSD2').