The adoption of a draft law amending criminal law provisions protecting insurance related information will finally enable life insurers to make wider use of outsourcing by removing disclosure to service providers from the scope of Sec. 203 German Criminal Code (StGB) under certain conditions. In spite of some uncertainties, this is a major breakthrough and will lead to a significantly higher demand for outsourcing solutions in the German life insurance industry. The following describes the impact of the amendment specifically for life, health and accident insurers, even though the scope of the amendment extends to other persons bound by professional secrecy provisions as well.
Sec. 203 (1) and (2) StGB makes it a criminal offence for certain persons to unlawfully disclose personal information concerning another individual which was confided to, or otherwise made known to, them in their professional capacity. This provision applies not just to lawyers and physicians, as one might expect, but also to any employee of a life, health or accident insurer. The provision currently does not provide for any exception regarding the disclosure and transfer of insurance-related data to an external service provider, regardless of whether or not the transfer of data was compliant with German data protection law.
Many measures mitigating the – largely theoretical – risk of criminal prosecution have been discussed. However, as the German federal criminal court never had the chance to clarify the law in a precedent decision, significant legal uncertainty remained about the potential criminal liability of officers and employees of both life, health and accident insurers and service providers wherever it was impossible or impracticable to obtain the informed and specific prior consent of every insured.
After almost two decades of debate, urgent calls from the industry and the adoption of the European General Regulation on Data Protection, the German government has submitted its white paper dated 15 February 2017. The new law is expected to be approved by parliament before the summer and will finally facilitate modern and centralised platform structures instead of expensive stand-alone solutions for each single insurer.
Purpose of the draft law
The purpose of the legal initiative is to achieve legal certainty for life, health and accident insurers by clearly permitting the disclosure of sensitive data to specialist service providers. In turn, the officers and employees of the relevant service providers will become subject to criminal law sanctions pursuant to Sec. 203 German Criminal Code and accordingly need to preserve the privacy of the insurance related information which has been confided to or otherwise made known to them in their professional capacity.
Scope of the draft law
The draft law on amending the relevant Criminal Code provision states that the disclosure of “professional secrets” to persons outside of the insurer’s control is permitted:
- where external persons contribute, with the insurer’s consent, to the provision of its services (for example within the scope of IT maintenance work, IT outsourcing, outsourcing of business processes, file destruction); and
- where disclosure is limited to what the relevant external person needs to know.
Pursuant to the draft law, it is the person primarily bound by professional secrecy (i.e. the employees of the life or health insurer) who is obliged – as a requirement for being exempted from the criminal law sanction – to bind each relevant external person to enhanced privacy measures. As it would not be practically possible to enter into a contract with each external person, it is sufficient to agree with the relevant service provider that the latter undertakes to impose the enhanced privacy obligations on the relevant employees, who thereby become subject to criminal law sanctions in case of an unlawful disclosure of insurance-related data. Subject to the same conditions, disclosure shall also be permitted to subcontractors which the outsourcing service provider involves with the prior consent of the life, health or accident insurer.
Any intentional failure by the responsible employee or officer of a life, health or accident insurer to make sure that the relevant external persons are committed to enhanced privacy is a criminal offence which may, in the event that the relevant external person has actually unlawfully disclosed private information, be punished with imprisonment of up to one year or a monetary fine.
Data protection considerations
Criminal and data protection law provisions will continue to be applied in parallel. Even after the amendment, the admissibility of a disclosure to an outside person under criminal law will not automatically be compliant with data protection law. It will therefore continue to be necessary to keep in mind both criminal and data protection law requirements and guidelines whenever external service providers obtain access to information of the life insured.
From the point of view of the persons bound by professional privacy requirements, it is a welcome development, as the legislative reform will finally correct an identified deficiency. It is expected that the adoption of the proposed amendment will lead to a much higher demand for outsourcing solutions in the German life insurance industry.