Big data are more and more common in more and more areas: automobile, housing, healthcare, household electrical, clothes, shopping and even for brushing your teeth ! These new connected services need rules capable of leaving the potential of an economic booster. The main issue is to find how to frame this new business market without braking the actual growth trend: this is the purpose of the European authorities. The EU wants to become an international digital actor and needs to adapt the existing regulations and policies in order to create a new legal frame for the digital market. Taking into account that this adaptation process is complicated, how can big data change the traditional system ?
The hard process of law adaptation through the insurance’s case:
The insurance industry is currently including data to improve its services and offers: big data enable a better understanding of the risk and the possibility to adjust healthcare or automobiles services through some applications, softwares and new electronic technologies equipments. Thanks to big data, the insurance industry is becoming more competitive, as it can pinpoint risk and price to balance them better and adapt the offers according to the customers’ personal data. This « selectivity of the risk » won’t allow discrimination, according to Robert Dickie, chief operator and technology Officer of Zurich insurance, because the purpose is to use big data to get more selective on the definition of profiles for several sorts of customers. Furthermore, big data could build a mutual advantage system: the consumers who agree to sell their data can get money and better prices, and the insurance industry can be more competitive thanks to these data. Nevertheless, the EU enacted legislative limits focused on data protection and how you can use the data collected, like laws on gender for cars insurances, and these barriers are creating some tension between regulators and industries.
The European regulations should introduce fair competition and balance market of insurance and data protection, bearing in mind that according to European law the customers cannot be compelled to provide their data to anyone. We can raise then several questions: how can insurance industries use the data and how can they collect them ? How can the data be sold ? And last, but not least, the consumers willing to share their data could have a better price ? It could create a 2 speed market, which is a regulation challenge: how the can regulator frame the insurance system including the use of big data ? The insurance model is a base example: with the new automobiles’ technologies, who will be accountable for the risk ? the manufacturer, the driver ? the software designer ? can the passenger / owner a driverless car be responsible for an accident if he was not driving when it happened ? And, moreover, how will the companies and the insurance industry manage the data collected with the new cars’ technologies, like the driving style analyzing sensors or the localisation systems ? For the accountability issue, the majority of insurance companies indicate that the key is to find the good algorithm through the Cloud, and not necessary with a super computer. But not all companies are ready to work on it, specifically the small one. Concerning the second issue, the General Data Protection Regulation (GDPR) adopted by the EU-authorities last April could protect the citizens just as the Privacy Shield. If this framework provides protection when they use a smart or a driverless car in the US, it is still not clear what happens with regard to countries other then the US.
Cars companies are currently asking for laws to be allowed to commercialize fully autonomous driverless cars across the EU, while « connected cars » are already available (cars that use Internet connectivity to perform several functions as road location or other performances).
Since 2010, several European initiatives and promotion of more harmonisation and cooperation with and between cars companies had been conducted. The legislative proposal for connected cars is expected to be approved by the end of the year – even though these products are already on the market. Concerning the driverless cars, the GEAR 30 Working Group, focused on this issue, will meet for 2 years, starting in January 2016. At the same time, the ‘Intelligent transport systems’ directive regulates data protection to secure communications, implying that informations transiting between the vehicle and infrastructures will be reviewed by 2018. If these new measures already include insurance rules for driverless cars, how insurance can be changed to cover accidents caused by driverless cars ?
As we said before, the insurance industry, the regulator and the cars manufacturers have not found a compromise yet, even after the 13rd June meeting between the European Commission and industry associations. This reunion was meant to clarify who can be accountable for damages when fully autonomous cars will be sold in Europe: the European Commission expressed its will to propose a new legislative frame for 2018. Knowing that the deadline for global commercialization of driverless cars is expected by 2030, and that, during the next 10 years, cars won’t be fully autonomous, the same insurance system will stay relevant during this period. In the meanwhile, driverless cars are already tested on European highways: technically they are fully operational, which means the set time limit depends essentially on the time needed to adapt the legal frame. Driving will be determined by softwares and algorithms and the driver’s fault based approach won’t be adapted any more: the driver won’t have any control, despite of European laws requiring that all vehicles have to be covered by an insurance. So, in case of accident involving driverless cars, the liability will be hardly identified. To solve this issue, several options are explored: the most elected proposal would be to shift the liability from the driver to the manufacturer, maybe completed by an insurance covering the user / passenger. However, according to a report published on the 31st May by the Parliament Legal Affairs Committee, « the greater a robot’s learning capability or autonomy is, the lower other parties’ responsibility should be ». In this case, the EU-priority is to make sure that all victims are compensated, but the relevant authorities have not decided yet if the liability would be incubent on the user or the manufacturer. Moreover, including the insurance cost in the product’s price will be complicated, as in case of accident the victim will struggle to sue all the entities involved, as already pointed out by Mady Delvaux (S&D), the Draft Report rapporteur. Furthermore, the car makers are pushing back against this idea and reject their responsibility, highlighting that the use of softwares from multiple sources and the possibility for the user of downloading several applications create a system they are not capable of controlling.
The crucial issue of responsibility without a clear frame will constitute a limit for the expansion of these technologies and have a negative impact on the European economic growth. The absence of a clear regulation will impact also on the rate of dead people on the road: driverless vehicles are safer according to several studies and tests which show that a major part of car accidents are caused by a fault of the driver.
Another issue concerns the protection of data related to the driver / owner, now collected through connected cars – and in some years, driverless cars. In fact, informations as addresses, routes and other private data are known thanks to the softwares used by the car. Several digital companies like Apple or Google are currently developing softwares and are looking for carmakers as partners. And they already have an access to a vast data bank thanks to the other services they are providing. Also the question is: what can they do with all of these data ? and what happen in case of cyberattack ?
The main issue is concerning how these new technologies can impact the drive and how to handle the risk management, but the lack of studies focused on these areas prevents to take the adequate measures.
The hard balancing work between data protection, digital economy and cybersecurity:
Cybersecurity is another new market for insurance industry: this is a new risk to manage and cover, especially as the new European rules for the digital area states that the companies and administrations have to guarantee a strong protection of their services and network. This goal is now pursued with the Network and Information Security Directive (NIS) and the General Data Protection Regulation (GDPR). These new rules have to be implemented (the deadline is expected for 2018); they could boost the cybersecurity insurance market and the security of the networks and services provided through the Internet. The insurance industry needs to adapt its offer and create new options, because the European insurance are currently not covering hacking attacks yet – the companies said that the market should be too young right now – and 90% of the current offers were based in the US in 2014.
This opportunity could be a chance to support the European economic growth: with the GDPR and the NIS directive the need of this kind of insurance will become more present and begins to be an issue for the companies, the administrations and for the EU-authorities too. Indeed, the EU-cybersecurity working group Agency (ENISA) is currently setting a task force focused on this issue. ENISA has already pointed out that studies and projections on the cost of cyberattacks are still missing, even if the companies demands have increased. This increase has benefited by the NIS Directive provision of notification requirement for « essential services », i.e. health care, transports, energy, banking services. Furthermore, more data about the security breaches will help the insurance industry to adapt the offers and to sort out a method for calculating the probability of future breaches: this cooperation could support the cyber-insurance market and finally start in Europe.
Cybersecurity insurance will cover liability complains and the cost of the losses due to cyber-attacks, and just as the issue of the accountability for driverless cars, it shows that big data is changing the traditional economic model: the European citizens are doing a global use of big data, so it affects more and more areas, including global concepts like freedom or public security as threat as well as benefit.
Emmanuelle Gris
To find out more:
- European Parliament, Directorate General for internal policies, Policy Department Citizens’ rights and Constitutional affairs, Cross-border traffic in the EU – The potential impact of driverless cars: http://www.europarl.europa.eu/RegData/etudes/STUD/2016/571362/IPOL_STU(2016)571362_EN.pdf
- European Commission, Directorate General for Internal Market, Industry, Entrepreneurship and SMEs, GEAR 2030 Discussion paper, Roadmap on Highly Automated vehicles: https://circabc.europa.eu/sd/a/a68ddba0-996e-4795-b207-8da58b4ca83e/Discussion%20Paper%C2%A0-%20Roadmap%20on%20Highly%20Automated%20Vehicles%2008-01-2016.pdf
- Euractiv: New EU digital laws could boost specialised cybersecurity insurance: http://www.euractiv.com/section/digital/news/new-eu-digital-laws-could-boost-specialised-cybersecurity-insurance/
- Incentives and barriers for the cyber insurance market in Europe, Dr. Konstantinos MOULINOS, ENISA: https://www.enisa.europa.eu/media/news-items/cyberinsurance_final.pdf
- Federation of European Risk Management Association: http://www.ferma.eu/blog/2015/03/cyber-insurance-market-incentives-improved-cybersecurity-organisations/