On 28 January 2021, the European Insurance and Occupational Pensions Authority (EIOPA) launched a public consultation on data access and sharing in the insurance industry. Data is a key industry asset, available in quantity and widely used – from risk identification to pricing. The increase in partnerships with technology vendors and new data “sources” such as social media and Internet of Things (IoT) devices are further driving the industry’s race toward innovation, bringing improvements in terms of efficiency and customer experience.

The question is whether and to what extent insurance value chains should be “opened,” ie whether and to what extent insurance-related data should be shared with other insurance or non-insurance operators. Open insurance means access to and sharing of data, both personal and non-personal, generally through Application Programming Interfaces (APIs), which are sets of functions and protocols allowing interaction and integration between different applications.

Existing examples of data sharing between insurance operators include risk statistics, data on claims settlement as well as access to meteorological data. Moreover, recent programmatic (eg the EU Commission’s communications on “European Data Strategy” and “EU Digital Finance Strategy”) and legal (eg the General Data Protection Regulation (GDPR) and the Payment Services Directive in the Internal Market (PSD2)) EU initiatives laid the groundwork for data-centric innovation and data sharing. According to EIOPA, proper use of data has huge potential for consumers, companies, regulators and the insurance industry in general, provided that the right balance is ensured with privacy/personal data protection as well as insurance and competition law.

With specific reference to the insurance sector, a harmonized regulatory framework and acceptable levels of standardization and interoperability are still lacking. Pending any measures aimed at facilitating the creation of a data-sharing ecosystem, insurance operators looking to exploit the potential of data must resort to bilateral or plurilateral negotiations and agreements.

Joint ventures and outsourcing agreements between traditional operators and technology vendors are becoming increasingly frequent. On the one hand, technological solutions are often aimed at offering a richer and customized insurance experience to end users. On the other hand, they can provide companies with valuable information to adjust their offering. For example, wearable devices allow the collection of data on health status and physical activity. According to recent statistics, the use of these devices has more than tripled over the last four years and more than 80% of consumers say they are willing to wear them. Another growing trend is the use of digital platforms to provide advanced and easily usable services to both business customers and consumers.

These projects require careful prior analysis in terms of compliance, particularly as to industry regulations and privacy/personal data protection, paying extra attention to the use of artificial intelligence tools. Where the project is being launched in different countries and jurisdictions to benefit from economies of scale and take greater advantage of processing larger data sets, the analysis will also need to take into account local rules and specificities.

From a contractual perspective, insurance operators and technology vendors must carefully regulate multiple aspects. First and foremost, the scope of the data exploitation and the flows between the parties involved must be precisely defined, especially if – as is often the case – services are to be provided via cloud and Software-as-a-Service (SaaS). It is then essential, among other things, to clearly set out the obligations and responsibilities of the technology vendor, also with reference to the project pilot phase, the service levels to be met, the audit tools available to the customer and the contractual rules governing termination and the consequent internalization of the service or replacement with a new provider. In addition, contracts should include sound contractual mechanisms for the protection of data, both personal and non-personal, and obligations of return or destruction at the end of the relationship.

The EIOPA consultation is open for comments until 28 April 2021, and hopefully its outcome will contribute to fostering the process of data valorization and data sharing within the insurance industry.