IMPACT OF INDIA’S NEW DATA PROTECTION LAW ON THE INSURANCE SECTOR IN 2024 

INTRODUCTION

The Indian Parliament recently enacted the Digital Personal Data Protection Act, 2023 (“DPDPA”). Although not in effect yet, the law is expected to come into force during the second half of 2024. It imposes several obligations on businesses that handle personal data, with hefty penalties for non-compliance. As the insurance industry increasingly relies on advanced technologies and data-driven processes, it is crucial for businesses to align their data processing activities with the requirements of the DPDPA.

This note examines the impact of the DPDPA on the insurance sector based on our observations and experiences as a data privacy law firm in India. The note goes on to provide practical recommendations on approaching compliance with the new law for entities in this sector.

REGULATION OF THE INSURANCE SECTOR IN INDIA

The Insurance Regulatory and Development Authority of India (“IRDAI”) is the primary regulator of the insurance sector in India. As part of its supervisory role, the IRDAI has prescribed obligations for the handling of policyholder data by insurers, insurance agents, and insurance intermediaries (collectively, the “Regulated Entities”). These obligations cover data security measures, data sharing requirements, record maintenance, and confidentiality, among other safeguards.

ACTOR CHARACTERISATIONS UNDER THE DPDPA

The DPDPA primarily regulates “data fiduciaries”: any person who, alone or in conjunction with others, determines the purpose and means of processing digital personal data. The Act also recognises “data processors”, who process personal data on behalf of a data fiduciary, but it does not regulate them directly. Instead, it places the overarching obligation of compliance with the law on data fiduciaries, including for processing carried out by their processors.

Insurers conduct numerous data processing operations, such as – (a) the analysis of health history, lifestyle, and occupation to assess the risk associated with insuring an individual, (b) assessment of the validity of a claim, (c) communication with policyholders to address inquiries and provide customer support, (d) analysis of demographic information, purchasing behaviour, and preferences to create targeted marketing campaigns, etc. As insurers typically define the purposes and methods for processing personal data, they are likely to be categorised as data fiduciaries under the DPDPA.

Insurance intermediaries collect personal data to match individuals with suitable insurance products, calculate premiums, and provide tailored coverage based on the individual’s specific needs and circumstances. Generally, insurance intermediaries handle personal data independently and decide for themselves the purpose and means of processing, and so function as data fiduciaries. In certain situations they may instead act as data processors, following explicit processing instructions from an insurer. Once the DPDPA is in force, the characterisation of an intermediary will therefore have to be determined for each processing activity on a case-by-case basis.

GROUNDS FOR PROCESSING

The DPDPA provides that the personal data of a data principal (the individual to whom the data pertains) may be processed only for a lawful purpose and either with the “consent” of the data principal or for “certain legitimate uses”. The DPDPA sets a high bar for consent: it must be free, specific, informed, unconditional, and unambiguous, given by a clear affirmative action, and limited to the personal data necessary for the specified purpose. It must also be capable of being withdrawn at any time, with the ease of withdrawal comparable to the ease with which consent was given. Each request for consent must be accompanied or preceded by a notice that describes, among other things, the personal data to be collected and the purposes of processing. The data principal must be given the option to access both the consent request and the notice in English or in any of the 22 languages listed in the Eighth Schedule to the Indian Constitution. The legitimate uses of personal data include, inter alia:

  • the purposes for which an individual voluntarily provides their personal data and does not indicate to the data fiduciary that they do not consent to its processing; 
  • the purposes of employment, or those related to safeguarding the employer from loss or liability.

Consent 

Regulated Entities that offer insurance services directly to current or prospective customers will need to redesign their consent journeys to meet these requirements, including adjusting the permissions requested by their mobile insurance applications. Consent must be collected separately for each specified purpose rather than bundled into a single acceptance, and users must be able to withdraw consent for each purpose as easily as they gave it.

Insurance companies must carefully assess their collection of the personal data of children (persons under 18) and of persons with disabilities who have a lawful guardian: such processing is prohibited unless verifiable consent is first obtained from the individual’s parent or lawful guardian. Companies will therefore need mechanisms to verify that the consenting person is in fact the parent or guardian, for example consent forms signed by the parent and returned by mail, fax, or electronic scan, or penny-drop verification of the parent’s bank account. Whatever method is used, the verification evidence should be retained alongside the consent record, since where processing rests on consent the data fiduciary must be able to prove that notice was given and consent obtained.

In the event Regulated Entities obtain personal data from sources other than the data principal themselves, such as from data brokers or data aggregators (collectively, “Third Party Sources”), Regulated Entities will have to contractually bind their Third Party Sources to procure consents on their behalf for such disclosures.

The DPDPA requires data fiduciaries to permit individuals to withdraw their consent at any time; the consequences of withdrawal are borne by the data principal, and processing carried out before withdrawal remains lawful. In practical terms, if a policyholder withdraws consent to the processing of personal data that the Regulated Entity needs in order to perform an insurance agreement, the agreement may have to be terminated. The DPDPA therefore permits denial of service only to the limited extent that the withdrawn consent was essential to providing that specific service; since consent must be unconditional and limited to the data necessary for the specified purpose, a service cannot be made conditional on consent to unrelated processing.

Employment-related purposes 

Insurance companies that engage with employers to provide insurance coverage to their employees may be able to rely on “employment-related purposes” as a legal basis for processing employee data.

Voluntary provision of data

Several insurance companies feature a web form on their site, allowing individuals to submit their contact information and connect with a company representative. The form includes a disclaimer at the bottom, indicating that by supplying their contact details, individuals give their consent for the company to collect their data.

When individuals initiate communication with the company using the website form, the company may be able to use the “voluntary provision of data” as a legal basis for processing and may not necessarily need to request consent for processing contact details. However, the DPDPA lacks specific details regarding the scope of the voluntary provision of data as a ground for processing. Additional guidance on this matter is anticipated from the Indian government in the coming months. It must be noted that any subsequent collection of personal data from the individual following initial contact will be subject to consent standards established under the DPDPA.

KEY CONSIDERATIONS FOR INSURANCE PLAYERS

Relationships with third parties

Data fiduciaries carry the overarching obligation of compliance with the DPDPA, including for processing activities undertaken by their processors, and may engage data processors only under a valid contract.

The insurance industry typically engages various third parties, including intermediaries, investigators, and service providers, many of whom process the personal data of the insured individual. Regulated Entities must put in place contracts that explicitly define the relationship between the parties and set out specific processing instructions, so that the third party’s handling of the data stays within what the DPDPA permits the Regulated Entity to do.

Retention of Policyholder Data

The DPDPA requires a data fiduciary to erase personal data when the data principal withdraws consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier, unless retention is necessary to comply with a law. The data fiduciary must also cause any processor it has engaged to erase the data.

This means that Regulated Entities will need to reconfigure their data retention practices. They may set different retention periods for distinct datasets, or define events that trigger deletion, such as the expiry of an insurance plan or the withdrawal of consent, and should map each dataset to the legal obligation (if any) that requires it to be kept beyond that point. Regulated Entities must also contractually bind their service providers to delete personal data promptly on instruction and to confirm that they have done so.
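The per-purpose consent and withdrawal requirements described under “Consent” above, together with the erasure rules in this section, are easier to reason about as a small policy engine. The following is an added illustration written for this note; it is not code from the original, from IRDAI or from any regulator. The dataset names, purposes, grace periods, the five-year legal hold and the assumption that policy servicing ceases to be a live purpose at policy expiry are all made up for the example and would have to be replaced with the entity’s actual retention mapping.

```python
"""Purpose-scoped consent ledger with an erasure evaluator (illustrative only).

Added example, not code from the original note or from any regulator.
Every period and dataset below is an assumption made for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class Consent:
    purpose: str
    given: date
    withdrawn: Optional[date] = None

    def active_on(self, day: date) -> bool:
        # Withdrawal takes effect on the withdrawal day; earlier processing stays lawful.
        return self.given <= day and (self.withdrawn is None or day < self.withdrawn)


@dataclass
class RetentionRule:
    dataset: str
    purposes: Set[str]                       # purposes this dataset serves
    grace: timedelta                         # assumed clean-up window after the last purpose ends
    legal_hold: Optional[timedelta] = None   # assumed statutory minimum, counted from collection


@dataclass
class Policyholder:
    consents: Dict[str, Consent]             # one record per purpose, never a bundled "all purposes"
    collected: date
    policy_expiry: Optional[date]
    processors: Dict[str, List[str]]         # dataset -> processors holding a copy


SERVICING = "policy_servicing"


def purpose_ended_on(ph: Policyholder, purpose: str, day: date) -> Optional[date]:
    """Day the purpose stopped being live, or None if it is still live on `day`."""
    c = ph.consents.get(purpose)
    if c is None:
        return ph.collected                  # never consented: nothing ever authorised it
    ends = []
    if c.withdrawn is not None and c.withdrawn <= day:
        ends.append(c.withdrawn)
    # Assumption: servicing is a live purpose only while the policy is in force.
    if purpose == SERVICING and ph.policy_expiry is not None and day > ph.policy_expiry:
        ends.append(ph.policy_expiry + timedelta(days=1))
    return min(ends) if ends else None


def may_process(ph: Policyholder, purpose: str, day: date) -> bool:
    """Gate every processing operation on a live, purpose-specific consent."""
    c = ph.consents.get(purpose)
    return c is not None and c.active_on(day) and purpose_ended_on(ph, purpose, day) is None


def erasure_decisions(ph: Policyholder, rules: List[RetentionRule], day: date) -> Dict[str, dict]:
    """For each dataset: retain (and why) or erase, listing the processors to instruct."""
    out: Dict[str, dict] = {}
    for r in rules:
        ends = [purpose_ended_on(ph, p, day) for p in r.purposes]
        if any(e is None for e in ends):
            out[r.dataset] = {"action": "retain", "reason": "purpose live"}
            continue
        grace_until = max(ends) + r.grace
        legal_until = ph.collected + r.legal_hold if r.legal_hold is not None else None
        if day < grace_until:
            out[r.dataset] = {"action": "retain", "reason": f"grace period until {grace_until}"}
        elif legal_until is not None and day < legal_until:
            out[r.dataset] = {"action": "retain", "reason": f"legal hold until {legal_until}"}
        else:
            out[r.dataset] = {"action": "erase", "notify": list(ph.processors.get(r.dataset, []))}
    return out


# Constructed sample: consents given at purchase, marketing consent later withdrawn.
SAMPLE = Policyholder(
    consents={
        SERVICING: Consent(SERVICING, date(2022, 1, 10)),
        "marketing": Consent("marketing", date(2022, 1, 10), withdrawn=date(2023, 6, 1)),
    },
    collected=date(2022, 1, 10),
    policy_expiry=date(2023, 1, 9),
    processors={"marketing_profile": ["analytics-vendor"], "health_history": ["tpa-1"]},
)

# Assumed retention schedule; the five-year hold is a placeholder, not a figure from the Act.
RULES = [
    RetentionRule("marketing_profile", {"marketing"}, grace=timedelta(days=0)),
    RetentionRule("health_history", {SERVICING}, grace=timedelta(days=30),
                  legal_hold=timedelta(days=5 * 365)),
    RetentionRule("contact_details", {SERVICING, "marketing"}, grace=timedelta(days=30)),
]

if __name__ == "__main__":
    for dataset, decision in erasure_decisions(SAMPLE, RULES, date(2023, 7, 15)).items():
        print(dataset, decision)
```

Two design points are worth noting. Consent is stored per purpose, so withdrawing marketing consent does not touch the servicing consent, and `may_process` is the single gate every processing path should call. The erasure evaluator distinguishes a short clean-up grace period from a legal hold, and returns the processors that must be instructed to delete, which is the list the contractual deletion clauses in this section have to make enforceable.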

Automated Decision Making

The insurance industry relies on automated decision-making coupled with profiling techniques to assess risk factors and to determine whether to accept, reject, or modify an insurance application. Automated algorithms also play a role in determining insurance premiums by analysing information about the policyholder such as their age, location, claims history, and other relevant data.

Where such profiling touches children’s personal data, the DPDPA imposes enhanced obligations on data fiduciaries. Data fiduciaries are prohibited from undertaking:

  1. processing of personal data that is likely to cause any detrimental effect on the well-being of a child, and 
  2. tracking or behavioural monitoring of children, or targeted advertising directed at children.

Considering that Regulated Entities frequently collect children’s data, particularly as nominees in insurance plans, it is imperative for these entities to implement stringent controls to ensure that the management of children’s data aligns with the provisions of the DPDPA.

Unlike counterparts such as the EU GDPR, the DPDPA does not restrict automated decision-making or profiling in respect of adults. It does, however, impose a positive obligation on data fiduciaries to ensure the completeness, accuracy, and consistency of personal data that is likely to be used to make a decision affecting the data principal.

Regulated Entities may therefore continue to use automated decision-making, but as good practice we recommend human oversight of the datasets fed into their models, including checks on the accuracy of the inputs and a working channel through which the data principal can have inaccurate or incomplete data corrected.

Cyber Insurance

Cyber insurance, also known as cybersecurity insurance or cyber risk insurance, is a type of insurance coverage designed to protect businesses and individuals from the financial consequences of cybersecurity incidents and data breaches.

As organisations prepare for the DPDPA to come into force within the next 6 to 12 months, they can be expected to revamp their security practices and procedures to meet its requirements, including the obligation to implement reasonable security safeguards to prevent personal data breaches. This is likely to increase demand for cyber insurance as businesses seek protection against the financial consequences of breaches.

PRACTICAL GUIDANCE FOR BUSINESSES

On 24 November 2023, the IRDAI released a directive to establish a task force to assess the impact of the DPDPA on the insurance sector. According to the order, the task force was required to present its findings within one month of the directive’s issuance, i.e. by 24 December 2023. As of now, there has been no communication from the regulator regarding the report’s status. Future developments on this matter are anticipated.

To establish a foothold before the DPDPA takes effect, insurance companies should begin by building comprehensive data inventories, re-examining the legal ground on which each processing activity rests, upgrading their security practices, and designating personnel to handle data principal requests and grievances. More practically, and as a longer process, companies should start drafting notices, engaging translators to meet the language requirements for notices, and defining the specific purposes for which personal data will be used. Assistance may be sought from data privacy law firms in India in this regard.