Explicit consent for processing health-related data by (re)insurers no longer needed in Belgium?
Yesterday, several press articles mentioned that the FPS Economy had prepared a preliminary draft law on the processing of health-related personal data by (re)insurers. Due (or thanks) to an information leak, the text was made public. This preliminary draft has not yet been submitted to the Chamber of Representatives. Nor has it yet been submitted to the Belgian Data Protection Authority or the Council of State for advice. The text is therefore far from being final.
At present, Belgian law does not provide for a specific legal ground for (re)insurers to process health-related personal data in the context of (re)insurance. Hence, (re)insurers must rely upon the exemptions (special legal grounds) set out in Article 9 (2) GDPR on special category data, which includes health-related data.
Contrary to Article 6 GDPR, Article 9 (2) GDPR on legal grounds for special category data does not provide for legal ground to process health-related data “when such processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.
Hence, (re)insurers in Belgium have had to rely upon other Article 9 (2) GDPR exemptions, such as:
- the explicit consent of the data subject for one or more specified purposes;
- the necessity of the processing for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law; and
- the necessity of the processing for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
This has led to (re)insurers in Belgium heavily relying on prior explicit consent of the policyholder, the insureds and the beneficiaries in order to process their health-related data in view of the possible conclusion of insurance contract, the management and performance of these contracts including the management of claims and indemnification of bodily injury.
Using consent as a legal ground for the processing of health-related data has however many disadvantages:
- gathering explicit consent for policyholders, insureds and beneficiaries is burdensome;
- (re)insurers do not always have a direct contractual relationship with the data subjects whose health-related data are being processed, making it difficult to obtain their consent;
- once obtained, consent can be withdrawn at any time; consent is hence not a sufficiently reliable and efficient legal ground for processing operations that are in the end necessary to be able to perform the (re)insurance contract; and
- the validity of the consent could be challenged as the conclusion and performance of a (re)insurance contract is often simply not possible without the processing of health-related data; hence it could be argued that data subjects do not have a free choice.
Already back in 2020, the Dispute Chamber of the Belgian Data Protection Authority recognised the tension between consent and the necessity for the performance of the (re)insurance contract and invited the legislator to create a more reliable legal ground for (re)insurers to process health-related data.
Preliminary draft law
The preliminary draft law now aims to create such specific legal ground, providing greater legal certainty for the processing of health-related data in the context of (re)insurance. Article 9 (4) GDPR indeed provides that Member States may maintain or introduce further conditions, including limitations, with regard to the processing of health-related data.
The preliminary draft law proposes to introduce a new Article 61/5 in the Belgian Insurance Act of 4 April 2014.
Such provision would stipulate that the processing of health-related data must be considered as necessary for reasons of substantial public interest in accordance with Article 9 (2) (g) GDPR, in particular the social and economic protection, which is the object of the insurance coverage.
Based on such legal ground, (re)insurers would be able to process health-related data, be it only to the extent strictly necessary for the performance of their tasks of general interest of social and economic protection and hence for specific purposes, namely:
- for insurers: the possible conclusion of insurance contract, the management and performance of these contracts; and
- for reinsurers: the possible conclusion of contracts.
The processing of health-related data for the purposes of direct marketing, including profiling insofar as it relates to direct marketing, is explicitly prohibited by the preliminary draft law.
The preliminary draft also provides for a specific data retention period. It stipulates that health-related data should not be kept beyond the statutory limitation period laid down in Article 88 of the Insurance Act, except in the case of legal proceedings.
Finally, the preliminary draft law provides that health-related data must be encrypted.
The preliminary draft law already raised many comments from consumer and patient organisations. These comments will now be examined and discussed.
The draft is in any event an interesting first step. Of course, the advice of the Belgian Data Protection Authority is also to be awaited.
We will keep you informed on any further developments on this topic, which is crucial for all (re)insurance companies active on the Belgian market. Stay tuned