Telematics-based pay-as-you-drive insurances are new, innovative insurance products that have not yet been proven in practice. The Commissioner for Data Protection and Freedom of Information for North Rhine-Westphalia (Landesbeauftragter für Datenschutz und Informationsfreiheit Nordrhein-Westfalen – “LDI NRW“) is the first German data protection authority to have evaluated a pay-as-you-drive product and to have stipulated requirements for data protection and data security compliance (22nd report (2015) for 2013/14, point 5.1).
The evaluated insurance product
A German insurance company offers to analyze the driving behavior of the driver(s) of an insured vehicle by means of a telematics box permanently installed in the car, in order to adjust the insurance fee to the individual driving behavior. Subject to the policyholder’s approval, the box is installed in the vehicle and sends data on the driving behavior every second to a telematics service provider cooperating with the insurer. The data comprise route, time, speed (including speeding), acceleration and braking characteristics, etc. The data are stored on an EU-based server.
The telematics service provider calculates a total score and four single scores (speed, driving behavior, night-time driving, city rides) from the collected data. The scores are intended to estimate the probability of an accident. The telematics service provider transfers the scores to the insurer on a monthly basis and as an annual summary. Based on the submitted scores, the insurer determines an individual insurance fee for the insured vehicle. If the specified parameters for safe driving behavior are met, part of the insurance fee is refunded to reward cautious drivers.
The data processing is not conducted under real names but under a customer identification number. Policyholders can access their driving data and scores online.
Requirements of the LDI NRW
Given the risk that the data collected via the telematics box could be misused to build a movement profile, the LDI NRW has established the following requirements for data protection and data security compliance:
- Data have to be separated: the telematics service provider knows the real-time data but not the names of the policyholders, whereas the insurer knows the names but receives only the scores and the total kilometers.
- Data must be encrypted in the box and during transmission using state-of-the-art technology; access to the hardware must be ruled out.
- If there are multiple drivers, each must be able to decide individually before departure whether to allow tracking or not. The insurer must provide a sticker that informs about the tracking.
- Collected data may only be used for the determination of the insurance fee, not for claims settlement.
- Policyholders must be informed in a comprehensive and comprehensible way about the processing of the data and the parties involved. Moreover, policyholders must be informed that in the event of an accident they may object to the transmission of data to repair shops.
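The data separation requirement above, as an added example that is not part of the original report or of any insurer's system: the telematics provider computes the four single scores, the total score and the total kilometers from raw records keyed only by a customer ID, and the insurer, which alone holds the ID-to-name mapping, sets the fee from that score report without ever seeing route, time or speed. The records, the scoring rule and the fee formula are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample of per-second box records. The box transmits a customer ID only,
# never a name, so the telematics provider cannot attribute a route to a person.
# Fields: (customer_id, hour, speed_kmh, limit_kmh, accel_ms2, in_city, km)
BOX_RECORDS = [
    ("C-1001", 8, 48, 50, 0.5, True, 0.013),
    ("C-1001", 8, 61, 50, 3.2, True, 0.017),     # speeding, harsh acceleration
    ("C-1001", 8, 30, 50, -3.5, True, 0.008),    # harsh braking
    ("C-1001", 23, 95, 100, 0.4, False, 0.026),  # night-time driving
    ("C-1001", 23, 100, 100, 0.6, False, 0.028),
    ("C-1001", 14, 70, 80, 0.6, False, 0.019),
    ("C-1001", 14, 70, 80, 0.7, False, 0.019),
    ("C-1001", 14, 70, 80, 0.7, False, 0.019),
    ("C-2002", 3, 140, 100, 0.2, False, 0.039),  # another customer, must not mix in
]

@dataclass(frozen=True)
class ScoreReport:
    """The only data that crosses to the insurer: scores and total kilometres per ID."""
    customer_id: str
    speed: float
    behaviour: float
    night: float
    city: float
    total: float
    total_km: float

def telematics_scores(records, customer_id, harsh_accel=3.0):
    """Telematics provider side: scores (0-100, constructed rule) from raw records."""
    rows = [r for r in records if r[0] == customer_id]
    n = len(rows)
    share_ok = lambda flagged: 100 * (1 - flagged / n)   # share of seconds without a flag
    speed = share_ok(sum(1 for r in rows if r[2] > r[3]))
    behaviour = share_ok(sum(1 for r in rows if abs(r[4]) >= harsh_accel))
    night = share_ok(sum(1 for r in rows if r[1] >= 22 or r[1] < 6))
    city = share_ok(sum(1 for r in rows if r[5]))
    total = (speed + behaviour + night + city) / 4
    return ScoreReport(customer_id, speed, behaviour, night, city, total,
                       round(sum(r[6] for r in rows), 3))

# Insurer side: the ID-to-name mapping lives only here (constructed sample).
POLICYHOLDERS = {"C-1001": "A. Example", "C-2002": "B. Sample"}

def insurer_premium(report, base_fee=600.0, max_refund=0.3):
    """Insurer side: sets the fee from the score report alone; the refund grows with the total score."""
    refund = base_fee * max_refund * report.total / 100
    return POLICYHOLDERS[report.customer_id], round(base_fee - refund, 2)
```

Because `ScoreReport` carries no route, time or speed fields, the insurer's code cannot reconstruct a movement profile even if it is fully compromised, and the provider's records contain no name to leak.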
Pay-as-you-drive insurances are the first practical examples of how the connected car can be used for innovative products and services. The LDI NRW points out in a side note that health insurance companies are already working on insurance products that depend on the health-related behavior of their clients. To ensure that these products and services are accepted not only by data protection authorities but also by customers, data protection and data security requirements should be taken into account as early as the conceptual phase and implemented consistently.