16

The question to what extent private insurers may individualise insurance contracts covering supplementary health benefits, automobile or renters insurance, is governed by the provisions of the Insurance Contract Act (ICA), the ISA and the associated Insurance Supervision Ordinance (ISO).  [45] In private insurance law, the ICA supersedes the general provisions of the Code of Obligations (CO). [46]

17

There is no provision in these insurance statutes which would standardise or even prohibit the individualisation of insurance contracts. In addition, the relationship with the insured person is governed by the freedom of contract principle, meaning there is no general obligation for insurance companies to conclude a specific insurance contract, neither for mandatory, nor for voluntary insurance. [47]

18

However, mandatory law, public order and the right of personality set limits to freedom of contract in the area of private insurance. [48] Furthermore, insurance contracts with an impossible, illegal or immoral content are void. But, in general, the individualisation of insurance contracts is neither impossible, nor a violation of public order or morality. With regard to legality, certain compelling requirements for insurance contracts are set forth by Art. 97ff ICA. [49] However, these provisions do not contain rules on individualisation either. [50] Nevertheless, it is conceivable that individualisation of policies could lead to legally relevant discrimination against policyholders and hence would interfere with their right of personality. This question will be discussed in more detail below. [51]

19

Even if private insurance law does not contain any specific provisions prohibiting the individualisation of insurance contracts - at least with regard to certain types of insurances - the insurers’ freedom of contract is limited by ISA’s provisions on the protection of the insured against abuse. The ISA’s objective is not only to protect the insured against the risks stemming from insurance companies becoming insolvent, but also to protect them against abusive practices of insurance companies. [52] Accordingly, the protection against abuse is part of FINMA’s mandate. [53] However, FINMA’s respective supervisory competences differ for different types of insurance. While the legislator does not provide for a systematic preventive review of rates and conditions of most insurance contracts, [54] the rates as well as the general terms and conditions of occupational pension schemes and supplementary health benefits insurance have to be submitted to FINMA for prior approval. [55] For these two types of insurance, FINMA must grant the approval, if the proposed premiums do not jeopardise the solvency of the insurance company and do not lead to an abuse of the insured. [56]

20

Other private insurances, such as automobile insurance or insurance on contents, are not subject to comparable rules. With regard to these types of insurances, the question whether FINMA may and must intervene depends on how the notion of “abuse” pursuant to Art. 1 ISA is construed. [57] While it is clear that FINMA has a statutory competence to protect the insured against abuse, [58] it is contested whether FINMA must take general action against abuses. [59] Narrower interpretations suggest that the overall aim of preventing abuse shall merely guide the interpretation and application of the provisions of ISA, but does not serve as a separate legal basis for intervention by FINMA. [60] If one follows this view, FINMA can merely intervene against the individualisation of rates requiring approval, i.e. the rates for occupational pension schemes and supplementary health benefits insurance. [61] According to a broader interpretation, an intervention to prevent abuse is generally possible. This is the view taken by the Swiss Federal Council, who specified the notion of abuse in Art. 117 ISO and inter alia qualified legally or actuarially unjustified substantial differentiations as abusive. [62] However, the effect of this provision is unclear as scholars rightly question the Federal Council’s competence to enshrine such substantial obligations in an implementing ordinance such as the ISO. [63]

21

Even if one assumes, however, that FINMA is generally competent to take action against abuse with regard to all types of insurance, this does not preclude the individualisation of insurance contracts since varying conditions and premiums for individual customers cannot be qualified as abuse – at least as far as they are actuarially justified. This is probably always the case with individualisation according to the risk profile. [64] While an individualisation based on the willingness to pay cannot be justified from an actuarial point of view, the concept of abuse does not imply an obligation for equal treatment. As a consequence, this form of individualisation should also be permissible under Swiss insurance law, especially since it has positive economic effects. [65]

23

Medicare [71] is a mandatory health insurance programme for people over the age of 65 or for people with certain disabilities or an end-stage kidney disease. [72] It consists of four programmes, parts A (hospital insurance), [73] B (voluntary supplemental medical insurance), [74] C (private-sector alternative to Parts A and B), [75] and D (outpatient prescription drugs), [76] Medicare is administered by the Center on Medicare and Medicaid Services (CMS), which is part of the U.S. Department of Health and Human Services (HHS). [77]

24

Since Medicare is mostly funded by taxes on wages paid over lifetime, [78] most people in the U.S. don't pay a Part A premium when they enter retirement. The Premiums for all Medicare parts are determined [79] and depend on given factors like income, receipt of social security benefits or the Medicare part chosen (Part B, C or D). [80] Therefore, an individualisation of these health insurance “contracts” is not possible.

25

Anyone enrolled in Medicare can purchase a privately offered Medicare supplement insurance (also called Medigap), which is sold as group or individual policy. [81] The insured pay a monthly premium for Medigap [82] and policies may only be designed in accordance with model forms approved by the National Association of Insurance Commissioners. [83] In California, Medigap policies have to be approved by the Commissioner [84] and the premiums shall be calculated in accordance with accepted actuarial principles and practices. [85] Pricing can be based on the actual age (age-rated premium), the age at the time the Medigap policy was taken out (issue age-rated premium), or may be the same for everyone living in a given territory (community rated premium). [86]

26

Medicaid [87] is an insurance programme for people who do not have the financial means to pay for health insurance themselves, aged or blind people in need of long-term care services, and disabled persons with low incomes. [88] In California, the California Department of Health Services (DHS) is in charge of the administration of Medicaid (called Medi-Cal). As with Medicare, there is no leeway regarding the individualisation of Medicaid health insurance premiums: Eligible Californians receive Medicare respectively Medi-Cal as a benefit without paying a premium [89] and the health benefits are determined by federal and state regulation. [90]

27

The most common way to get health insurance in the U.S. is through a group plan for employees. [91] Employers with more than 50 employees (large employers) are encouraged by the federal government to provide health insurance with minimum essential coverage. [92] This so-called “employer-provided coverage” is usually purchased by the employer from an insurance company. Some large employers “self-insure” their employees. [93] However, even self-insuring employers often (have to) use a health insurer to administer the programme and manage the health benefits. [94] Employer-provided health insurance is predominantly taken out as a group policy. Group policies are usually underwritten on the basis of factors common to the group as a whole, such as type of job, average age, etc. [95]

28

Within the scope of the ACA, all products that are approved for sale in the group health insurance market must be offered to any individual or employer in the state, and the health insurer must accept any individual or employer that applies for any of those products (guaranteed availability of coverage). [96] In California, group health insurance must be offered to all the employees of an employer. [97] All group health insurance policies must be approved by the Commissioner before they are issued or delivered to any person in California. [98] The approval of the Commissioner shall among others, prevent fraud, unfair trade practices, and economically unsound insurances. [99] A group health insurance policy shall also not be approved if it contains any provision which is unintelligible, uncertain, ambiguous, or abstruse, or likely to mislead a person to whom the policy is offered, delivered or issued, or if it fails to conform in any respect with any law of California. [100]

29

The framework of employer-provided coverage is set out in the master policy. The insurance company is bound by this master policy and can only include the factors specified therein in the risk assessment of an individual employee. Thus, the leeway for individualisation of policies will be very limited for the group health insurance.

30

People who are not covered by one of the aforementioned governmental programmes or by their employer, can get health insurance from a private insurer on the individual or small group market. [101] On the individual market, individuals take out the insurance policy themselves, while the small group market provides group health plans maintained by a small employer. [102] The policy of an individually-purchased insurance is based on the buyer’s risk profile and the premium is equal to the price the insurer deems adequate to insure said risk. [103]

31

Under the ACA, insurance premiums shall be “fair”. As a result, the rating factors for health insurance policies on the individual or small group market are community rated and subject to limited adjustments based on age, geographic area, individual or family unit, and tobacco use. [104] Insurers must maintain a state-wide risk pool for both the individual market and the small group market [105] and are required to set an index rate for each pool for establishing the premium rates. The premium rates for individual and small group health insurance policies may only vary to a limited extent from the index rates. [106] Also the health insurance policies for the individual market and the respective premium rates have to be filed with and approved by the Commissioner before they are issued or delivered to any person in California. [107] The INS contains a long list of circumstances under which the Commissioner shall not approve health insurance policies. [108] Should the Commissioner find that the benefits provided under the policy are unreasonable in relation to the premium charged, he may withdraw an individual or mass-marketed policy’s approval. [109]

32

As with group insurance, the ACA requires that all products that are approved for sale in the individual or small group market must be offered to any individual or employer in the state, and the health insurer must accept any individual or employer that applies for any of those products (guaranteed availability of coverage). [110] Also California has enacted a detailed review process for rates increases when implementing the respective provisions of the ACA. [111] If the CDI determines that a rate is unreasonable or not justified, the insurer shall notify the policyholder of this determination. [112] However, the Commissioner’s authority is limited to requesting rate changes; he cannot deny or approve proposed rate changes. [113]

33

The leeway for individualisation of individually purchased health insurance or small group health insurance is very limited. Especially since individual policies have to be based on one risk pool and the rates may only be adjusted with regard to geographic region, size of family, and age. The premiums also have to be based on the approved index rate, which will hinder individualisation. The requirements of the ACA, such as the guaranteed availability and renewability of coverage, are another obstacle for individualising insurance rates. Nevertheless, the requirements in connection with unreasonable rate increases do not reduce the leeway for individualisation, at least in those cases in which individualisation is based on the risk profile. Individualisation on the basis of risk will probably not be deemed “unreasonable” as long as it is actuarially sound. In the case of individualisation based on the willingness to pay, however, the requirement to inform customers about unreasonable rate increases could hinder such individualisation, provided that the criterion of the willingness to pay would meet the "unreasonable" threshold. Affected people could regard this practice as unfair and might switch insurers upon receiving a respective-notice.

34

Since the business of insurance in the U.S. is primarily regulated on a state level, there are no federal regulations on property-casualty insurance. [114] On a Californian state level, most insurance on risk and operations are regulated in Proposition 103, an amendment of the Insurance Code adopted in 1988. [115] Proposition 103 shall, among others, protect consumers from arbitrary insurance rates and practices. For all Californians, insurance must be fair, available, and affordable. [116] No rate which is excessive, inadequate or unfairly discriminatory shall be approved or remain in effect. [117] By enacting Proposition 103 California has become a prior-approval state and like most insurance on risk and operations, property-casualty insurances like homeowners, renters and automobile insurance are covered by Proposition 103. [118] Thus, all property and casualty insurance rates have to be approved by California’s Insurance Commissioner prior to use. [119]

35

In February 2015 the Commissioner has prohibited price optimisation in his “Notice Regarding Unfair Discrimination in Rating: Prize Optimization”. Prize optimisation is therein defined as “any method of taking into account an individual’s or class’s willingness to pay a higher premium relative to other individuals or classes.” The Commissioner qualifies any form of price optimisation in the ratemaking process as unfairly discriminatory and as a violation of Californian law. This assessment is based on the finding that “Price Optimization does not seek to arrive at an actuarially sound estimate of the risk of loss and other future costs of a risk transfer.” [120] Accordingly, there is no leeway for the personalisation of property and casualty insurance contracts based on an insured’s willingness to pay.

36

Renters insurance in California usually consists of different insurance coverages like personal property or liability insurance. In this paper we only analyse the regulation concerning the insurance of personal property.

37

Neither Proposition 103, nor the INS contains specific requirements regarding property insurance and hence the general rules set forth by Proposition 103 apply. Renters insurance premiums may not be excessive, inadequate or unfairly discriminatory. [121] Premiums are deemed excessive if it is expected that the insurance company will generate an excessive profit [122] and they are considered inadequate if they are expected to prevent an efficient insurance company from generating an adequate return. [123] To investigate whether an insurance rate is excessive or inadequate, the Commissioner has to balance the interest of the insured in favourable prices with the insurance companies’ interest in high earnings. He also has to take into account that certain insurance policies are in the general public’s interest or legally prescribed. [124] A so-called “ratemaking formula” is used to distinguish appropriate from inadequate or excessive rates . The formula must be applied by all insurers and sets forth the maximum [125] and minimum [126] permitted earned premium. Rates within this range can be described as “fair and reasonable” and “constitutional”. [127] Nevertheless, the Commissioner still may assess on a case-by-case basis whether a rate is “unfairly discriminatory”. Notably, there are no rules and regulations specifying how this assessment shall be made in connection with property-casualty insurance. [128]

38

The aforementioned system of pre-approval of insurance rates also applies to automobile insurance. In addition, Proposition 103 has set forth additional requirements for automobile insurance. [129] The permitted rate-making factors are determined and given a hierarchy in INS § 1861.02(a). These are in decreasing order of importance: (1) the insured’s driving safety record; (2) the number of miles driven annually; (3) the years of driving experience; and (4) other factors that have a substantial relationship to the risk of loss and that were set forth in a regulation adopted by the Commissioner. The Commissioner has specified sixteen such optional rating factors. [130] Insurers can base their premiums on these factors as well. However, these optional rating factors must not be weighted greater than the weight of the third mandatory factor, i.e. the years of driving experience. [131] The use of rating factors not set forth in the CCR is prohibited. [132] Considering any other criteria without approval would constitute unfair discrimination.  [133]

39

While insurers can take the insured’s driving safety record into account, this does not mean that they may use crash recorder data for ratemaking, since the law sets forth clear limits with regard to what data may be used in rate-making. [134] Insurers may consider the amount of annually driven miles, but usually base this factor on an own estimation or an estimation by the policyholder. While insurers are free to offer rates that are based on verified actual mileage rather than estimated mileage, participation in these actual mileage programmes is purely voluntary. [135]

58

Under the U.S. constitution, a common characteristic of a group, such as skin colour, gender, or sexual orientation, ought not to form the basis for unequal treatment. This principle is enshrined in the Equal Protection Clause of the Fourteenth Amendment to the U.S. Constitution. [194] Equally there are various other guarantees against certain types of discrimination found in the several Amendments of the U.S. Constitution. [195]

59

With the exception of Part C, Medicare health care coverage is managed by the federal government. [196] All governmental units are bound by the constitutional prohibition of discrimination. This includes those involved in Medicaid administration on a state level, such as CMS, which is responsible for review and approval of the state plans. [197]

60

The Patient Protection and Affordable Care Act (ACA), among others, aims at guaranteeing non-discrimination in connection with programmes funded under the ACA.  [198] Therefore, the ACA prohibits discrimination on the basis of race, colour, national origin, sex, age, or disability in certain health programmes and activities. [199] The ACA also prohibits discriminatory premium rates for health insurance in the individual or small group market. Rating is limited to age, geographic area, individual or family unit, and tobacco use.  [200] Only these listed factors may be taken into account in setting health insurance premiums, while the maximum premium variations that an insurer can charge for these factors are also determined by the ACA. [201] For example, the factor “gender” is not on this list and therefore cannot be considered by health insurers. [202] Moreover, the insurers also have to consider all insureds of the individual and small group market to be members of the same risk pool. [203]

61

With respect to group or individual health insurance coverage, the exclusion based on pre-existing conditions or the discrimination of those who have been sick in the past is also explicitly prohibited under the ACA. [204] Hence, private health insurers must accept all applicants without regard to pre-existing conditions. [205] Furthermore, group health plans must not discriminate against individuals based on health status, medical conditions, medical history, genetic information or the like [206] or discriminate in favour of higher salaries. [207]

62

When interpreting the ACA’s underlying race and sex statutes, courts have held that they only bar direct but not indirect discrimination. Nevertheless, district courts have been unwilling to completely dismiss the viability of indirect disability discrimination. [208] Accordingly, it is not yet excluded that ACA’s anti-discrimination provision might also protect individuals against indirect discrimination.

63

The Health Insurance Portability and Accountability Act (HIPAA) limits insurance companies’ discretion in considering pre-existing conditions in the underwriting process for group health insurance coverage. [209] However, only some provisions of HIPAA are still relevant, due to fact that the ACA largely supersedes HIPAA. [210] To give an example, HIPAA’s prohibition of discrimination based on health status in eligibility for coverage or premiums in older group health plans is still of relevance. [211]

64

The Genetic Information Nondiscrimination Act (GINA) prohibits discrimination in health insurance coverage and employment based on genetic information.  [212] Health insurance providers are prohibited from requiring or requesting genetic information of the person insured or the individual’s family members and may not use such information for fixing rates, decisions on granting coverage or to infer on pre-existing conditions. [213] Therefore denying coverage or charging different premiums to insureds based on genetic information is prohibited in group health insurance. [214] But disparate impact claims, i.e. cases involving indirect discrimination, are not included in GINA. [215]

65

The 1964 Civil Rights Act’s Title VII [216] prohibits employers from imposing discriminatory terms and conditions upon employees. If employers provide health care coverage for employees, discrimination based on various protected characteristics is prohibited. [217] These protected characteristics are race, colour, religion, sex (including gender and pregnancy) and national origin. [218] Title VII of the Civil Rights Acts bars both direct and indirect discrimination. [219]

66

People with disabilities are guaranteed the full and equal enjoyment of the goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation. Notably, insurance offices, offices of health care providers, hospitals and other service establishments are, among others, qualified as public accommodation. [220] However, it is not clear whether the provisions of the Americans with Disabilities Act (ADA) apply to insurance policies and the underwriting practices of insurance companies. [221] If interpreted narrowly, insurance companies merely have to provide physical access to their service infrastructure. Such an interpretation would not impact the business model of an insurance company. By contrast, a broader interpretation would have a significant effect, as the respective provisions would apply to the goods and services offered by a public accommodation, meaning that disparate treatment of disabilities in an insurance policy's provisions or an insurer's underwriting decisions could be subject to scrutiny under the ADA. However, the literature notes that case law and the Justice Department’s position on this matter have been inconsistent. [222]

68

California’s constitutional anti-discrimination regulation overlaps but is not identical with the equal protection principle of the U.S. Constitution. [224] The U.S. Constitution permits but does not require the state to grant preferential treatment to suspect classes, [225] whereas the Constitution of California prohibits the state from treating any individual or group differently in a positive or negative sense on the basis of race, sex, colour, ethnicity, or national origin in the operation of public employment, public education, or public contracting. [226] The notion of “state” includes political subdivisions and any department, division or sub-division of the state Government. [227] Therefore, any governmental agency has to comply with the constitutional anti-discrimination principle. This regulation is particularly important for the state administration of Medi-Cal and the CDI. Private insurers in California are not bound by this principle.

69

According to the California Civil Code (CIV) all persons within the jurisdiction of California are free and equal.  [228] Matters of sex, race, colour, religion, ancestry, national origin, disability, medical condition, genetic information, marital status, sexual orientation, citizenship, primary language, or immigration status shall not play any role with regard to entitlements to full and equal accommodations, advantages, facilities, privileges, or services in all business establishments of every kind whatsoever. This provision applies to property-casualty insurances in California. [229] Therefore the aforementioned characteristics must not be considered when calculating automobile or renters insurance premiums.

70

In Californian insurance law, discrimination on grounds of specific protected classes is prohibited. [230] By law, Californian insurance companies are prohibited from denying insurance coverage based on sex, marital status, race, ancestry, colour, religion, national origin, disability, medical condition, physical or mental impairment, genetic characteristics or sexual orientation. [231] The California Insurance Code (INS) expressly bars health insurers from discriminating on the basis of these characteristics. [232] Considering sexual orientation as an underwriting criteria or using it to determine whether to require an HIV-test is also prohibited. Even if insurers were to infer sexual orientation from marital status, living arrangements, occupation, sex, beneficiary designation, ZIP Codes or other territorial classification, this would qualify as an unlawful discrimination. [233] However, charging differing health insurance premiums for different sexes is allowed if it is based on objective, valid, and up-to-date statistical and actuarial data or sound underwriting practices. [234] Furthermore, adjusting health insurance rates for the same coverage, solely because of a physical or mental impairment, is prohibited unless the differentiation is based on sound actuarial principles or is related to actual and reasonably anticipated experience. [235]

71

For property-casualty insurances, Proposition 103 prohibits unfairly discriminatory insurance rates. [236] But there are no rules that specify how the “unfairly discriminatory” nature of rates shall be determined, since this concept is neither defined in the INS, nor in other regulations. [237] Therefore the CDI must make a case-by-case assessment. [238] Rates are deemed unfairly discriminatory whenever price differentials fail to reflect the difference in expected losses and expenses in an equitable manner. [239]

81

The principle of transparency obliges controllers to be transparent with regard to their processing operations. [263] This principle is closely connected to the principle of purpose limitation as it requires the controller to provide information on the purpose of its processing. [264] The transparency of data processing is arguably not only the single most important principle of data protection law, but also the reason for the broad information duties of data controllers [265] and the right of access. [266]

82

The principle of purpose limitation is a key principle of data protection law and consists of two aspects: first, the purposes for which the controller intends to process the data need to be specified (purpose specification); and second, these purposes set the limits for the controller’s processing operations (use limitation). [267] The purposes have to be clearly and unambiguously specified pursuant to the GDPR and a controller’s processing operations are limited to what is compatible with these specified purposes. Swiss law allows processing for purposes that are specified or merely obvious due to the circumstances of the collection of the data. But in turn, a controller’s operations are strictly limited to these purposes. [268]

83

In order to meet the requirements of transparency and purpose specification, insurance companies must ensure that their customers are aware of the fact that their personal data is processed for providing an individual offer, taking into account their personal risk profile and/or their willingness to pay. This should not cause particular problems with regard to data obtained directly from the (potential) policyholder in the context of a specific insurance contract. But insurance companies may want to use data that has not been obtained for the purpose of running big data analytics to calculate individual premiums, e.g. data on treatments and therapies collected for billing and reimbursement purposes. Such use would have to be classified as data repurposing [269] and would trigger the insurance companies’ duty to inform the data subject accordingly. While informing their customers about such repurposing should not be a problem, it might be difficult or even impossible for insurance companies to comply with this requirement if their analysis includes data about individuals who are not their customers. As in other cases, the principle of transparency and purpose limitation appear to be in a fundamental conflict with big data analytics’ idea of gaining new insights from existing data. [270]

84

According to the data minimisation principle, as few data as necessary, for the purposes of the processing shall be processed. [271] Similarly, the principle of storage limitation’s objective is to ensure that controllers do not keep data longer than necessary for the initial purpose of the processing. [272] Thus, as few data as needed for the purposes specified at the initial collection shall be processed and as soon as the initial purpose of the collection is fulfilled, the personal data has to be deleted. As seen already, it is arguably impossible to be specific about the purposes of big data analysis. Since the data would have to be deleted as soon as the initial purpose is fulfilled, data reuse would be generally impossible according to these principles. Thus, if interpreted strictly, the data minimisation and storage limitation principles go head to head with big data analytics and many other data processing practices, since the data would have to be deleted and be lost for future analysis. [273] These challenges also affect the processing of personal data by insurance companies. Namely, the principles of data minimisation and storage limitation may have a negative impact on the accuracy of the data analysis carried out to determine individual risk profiles and willingness to pay, but they do not hinder the individualisation of insurance contracts as such.

85

An important aspect of any data analysis is data quality. Data protection laws in Switzerland and the EU incorporate a data accuracy principle, according to which personal data must be accurate and, where necessary, kept up to date. [274] The principle intends to prevent decisions made on the basis of poor data. However, the controller should only alter and update data when it is necessary to mitigate potential dangers to the fundamental rights of the data subjects. [275] Whenever this danger cannot be identified, there is no need to “correct” or update the data. While ensuring data quality might be as difficult for insurance companies as for other data controllers, this principle does not hinder the individualisation of insurance contracts.

86

The principle of fairness or good faith [276] has a catch-all function. [277] It is understood as a duty to safeguard the interests of the data subject in good faith and not to interfere unnecessarily with his protected interests. Clandestine data processing as well as data processing which the data subject did not need to expect, often conflict with the principle of good faith. [278] Even though the principle of good faith might be affected in many constellations, its importance should not be overestimated. Scholars rightly argue that it should only be used restrictively to correct disturbing results that would otherwise be in accordance with the law. [279] Thus, the principle also has little steering effect regarding the interpretation of legal norms. [280] In particular, good faith should not be equated with an obligation to equal treatment or a general prohibition of differential treatment. Rather these prohibitions need to be specified in statutes. [281] Hence the principle of good faith does not hinder individualisation of insurance contracts.

88

Most often, the data subject’s consent serves as a legal basis. [284] Consent must be freely and unambiguously given after adequate information on specified purposes of the processing operation. [285] Notably, consent to processing may be withdrawn by data subjects at any time without having to specify any reasons. [286] While this makes it difficult for controllers to rely on consent, the processing on other lawful bases remains possible.

89

Swiss and EU law contain hardly any formal requirements regarding consent. Neither law requires it to be given in writing. However, since a controller has the burden of proof when relying on consent for processing, he or she is advised to obtain consent in writing or another documentable form. [287] Unambiguous consent means that insurance companies may not rely on opt-out mechanisms, but actually require their customers to opt-in to the processing of their personal data. [288]

90

Regarding substantive requirements, the requirement of freely given consent is the one that limits controllers the most. In this context so-called bundling, i.e. making the performance of a contract conditional upon consent to the processing of personal data that is not necessary for the performance of that contract, is discussed controversially. [289] Some scholars argue that take-it-or-leave it choices do not qualify as a freely given consent. [290] However, one may also take the view that whenever providing personal data is part of the data's subject's main obligation, such processing is necessary and not prohibited by data protection law. [291]

91

With regard to insurance contracts, providing information that enables assessing risks in underwriting procedures is part of the insured’s main obligation. The same can be said for data collected during the term of the contract. While data on the insured’s behaviour related to the risks which are covered by the insurance contract may not be strictly necessary for the performance of the contract, this data is so closely linked to the insurance contract that requesting consent to collecting such data can hardly be qualified as bundling. The same is true for data on the data subject’s willingness to pay. While there is no direct connection to the performance of the contract, such data is used to provide an individualised offer for entering into a specific contract and is thus so closely related to the contract that requesting consent for the processing of such data cannot be qualified as bundling. There might be bundling and no freely given consent, however, if the insurance company requests consent for collecting of data which is neither related to the risks covered by the insurance contract, nor to the insured’s ability or willingness to pay.

92

Since consent is only valid with regard to the specific purpose for which it was given, controllers need to get renewed consent if they want to process personal data for other purposes than the one it had been collected for. [292] As mentioned above, [293] this emanation of the principle of purpose limitation goes head to head with the idea of big data analytics to analyse data for other purposes than the ones initially intended. However, the limitation is not strict. While the GDPR allows the processing for compatible purposes, the DPA allows processing for purposes that were indicated by the controller or obvious from the circumstances. [294] While it remains unclear what purposes would qualify as “obvious” under Swiss law, the GDPR states which criteria must be taken into account to assess the compatibility of a new purpose. [295] As the repurposing of data does not always need consent, the controller may use the data for big data analytics as far as the new purpose is compatible with the one for which the data was collected for.

93

The purposes for which insurance companies use personal data will most often be closely connected – at least as long as the data is used in the realm of one specific insurance contract; e.g. the processing of personal data to decide on whether the insurance company has to pay for an insured event (e.g. a car accident) and the use of such data for estimating the insured’s (future) risk (e.g. his or her driving behaviour) are closely connected and these purposes should therefore be considered compatible. In addition, the data would remain in the controller-data subject relationship, so that the latter has a reasonable expectation of an insurance company using data on an insured event to amend and alter the terms of this relationship. Such forms of re-use would therefore not trigger the need to get renewed consent. It would be different, however, if data collected in connection with one contract (e.g. automobile insurance) is used for assessing the risks covered by a different contract (e.g. health insurance). In these cases, the insurance company would need to get the data subject’s specific consent.

94

Processing is lawful if it is necessary for the performance of a contract that the data subject is a party to, or to take steps to enter into a contract that the data subject has requested. [296] “Necessity” means that the purpose of the processing could not be fulfilled with anonymous information. [297] If the data is merely useful, this lawful basis shall not apply. [298] Controversially, the European Data Protection Board (EDPB) stated that only objectively necessary processing operations may be based on this legal ground and the contract cannot “artificially expand” the categories of personal data or processing operations beyond the data subject’s reasonable expectations. [299] However, other scholars highlight that data may be processed if the purpose of the contract cannot “reasonably” be fulfilled by other means. Thus, they argue against a restrictive understanding of necessity and state that reducing costs and fostering efficiency are reasonable and hence necessary aspects of performing a contract. [300]

95

Certainly, insurers need comprehensive, granular and accurate data in order to assess the data subject’s risks accurately. Thus, on the one hand it could be argued that the processing of any data facilitating the risk analysis is objectively necessary for the performance of the contract. On the other hand, business transactions can be performed in situations of uncertainty and such uncertainty is the very reason customers are willing to conclude insurance contracts. An insurer, it could therefore be argued, initially bears the risk of imperfect information and performing data analysis in order to reduce that risk with regard to individual customers could be deemed “unreasonable”, since the insurer can always rely on risk groups and does not necessarily have to individualise insurance contracts. As establishing the necessity of processing for a contractual obligation comes with considerable uncertainties, controllers are advised to rely on other grounds for the lawfulness of processing. [301]

96

In Switzerland and the EU, data processing can be based on an interest analysis. [302] Despite explicit interest analysis being regarded as a tool that would allow a judge to do the specific case justice, [303] in practice it is the controller who has to perform this balancing exercise. [304] In this interest analysis, the legitimate interests pursued by the controller are at the heart of the reasoning. But the interests of a third party may be taken into account as well. [305] These interests have to be legitimate, meaning that they shall be in accordance with the law in the broadest sense. [306] The controller’s or a third party’s interests have to be balanced against the interests of the data subject. In a first step, the necessity of the processing in question has to be ascertained. In the literature, necessity is usually defined negatively, meaning one has to ask whether it would be possible to pursue the legitimate interests in a less interfering manner with the data subject’s right to data protection. [307] Once it has been established that the legitimate interest in question cannot be fulfilled by less-invasive means, the interests have to be balanced against in a second step.

97

Insurers have an interest in collecting and processing comprehensive, granular and accurate data on the insured’s characteristics and behaviour related to the risks covered by the insurance contract and on their ability and willingness to pay. As this interest is backed by the controller’s fundamental freedom to conduct business [308] and since it may be assumed that neither Switzerland nor the EU member states prohibit the processing of data for these purposes, the interest of the controller in having access to that data can be considered legitimate.

98

While many scholars and data protection authorities (implicitly) base the pondering of interests on the assumption that data subjects have a general interest in not having their data collected and processed, a person seeking out insurance may actually have an interest in the processing of his or her personal data for the purpose of individualisation as they may get a better offer if their risk profile and/or their willingness to pay is below average. Therefore, the balancing of interests must be nuanced: On the one hand, the portion of policyholders whose individual risks are smaller than the average risk of the group they would be part of actually benefits from the data processing. Their personalised premiums should be lower than the premiums they would have to pay when classified in a risk group. On the other hand, policyholders whose risks are higher than the average risk of their group have no interests in a personalised risk profile and insurance contract. Furthermore, persons who are not part of the data-controller-data-subject relationship would benefit from another individual’s data being analysed as long as the analysed individual has a higher risk than they do. The more high-risk individuals pay individualised premiums, the more likely it is that the low risk individuals pay lower premiums and eventually benefit from the data processing. The same argument applies to the willingness to pay.

99

Following this train of thought leads to a situation where the interests of individuals that would pay more due to individualisation outweigh the controller’s legitimate interests in analysing the data, whereas the processing of data relating to policyholders that are better off with individualised premiums could be justified with the legitimate interests of the controller and the concurring interests of these data subjects. Such an interpretation, however, cannot solve the issue at stake and must be rejected for two reasons: First, it merely focuses on an analysis of the potential advantages or disadvantages of the data processing and does not take into account the general interest of (some) data subjects in not having their data analysed, irrespective of the effect of such analysis. Second – and this is the crucial point – in order to determine whether a (potential) policyholder actually benefits from the analysis of his or her data, the policyholder’s data would have to be analysed. Hence an a priori differentiation between “winners” and “losers” is impossible, and the lawfulness of the processing can thus only be determined after the data has already been processed. As a consequence, the lawfulness of processing of personal data for the individualisation of insurance contracts cannot be based on such a pondering of interests.

100

As mentioned above, public interests should be taken into consideration as well [309] – and in this case they could actually help to solve the dilemma. From this perspective, the individualisation of insurance contracts based on the processing of personal data is a meaningful way to help solve the problems of adverse selection and moral hazard. [310] Since the processing of personal data allows for the offering of individual premiums, insurance companies should now be able to also attract policyholders with a low risk profile, thereby gaining additional customers and making insurance coverage attractive to low risk individuals as well. This would help tackle the problem of adverse selection much better than the mere sorting of policyholders into different risk groups. The problem of moral hazard could be significantly mitigated if the collection and processing of personal data gathered after the conclusion of the insurance contract (e.g. by using driving or fitness trackers) is considered legitimate, since the risk of having to pay higher premiums due to risky behaviour would provide powerful incentives to policyholders to behave more carefully. [311] Finally, from a public policy perspective, it is hard to dispute the fact that the individualisation of insurance premiums has positive effects on the economy as a whole. [312]

101

In sum, there are good arguments for an overriding legitimate interest of the insurance companies which would ensure the lawfulness of processing of the insured’s personal data. Nevertheless, since the balancing of interest analysis requires a case-specific assessment, it may be argued that a universal interest analysis is impossible. After all, an interest analysis should do justice to specific cases. As a consequence, insurance companies would run a considerable risk if they base the lawfulness of processing on their legitimate interests alone.

108

The Health Insurance Portability and Accountability Act (HIPAA), which was supplemented by the Health Information Technology for Economic and Clinical Health Act (HITECH Act) in 2009, [334] provides for national standards to protect the privacy and security of healthcare information. The HIPAA regulations regarding information privacy are set forth in the HIPAA Privacy and Security Rule. [335] HIPAA regulates the use and disclosure of “protected health information” by covered entities. [336] Protected health information is defined as “individually identifiable health information”. [337] The information has to be created or received by a health care provider, relate to health or the provision of health care, and there has to be reasonable grounds to believe that a person can be identified through the data. [338] HIPAA’s Privacy Rule does not apply to de-identified data, meaning such information may be shared freely. Nevertheless HIPAA provides protection to a lesser degree with respect to data that is largely de-identified but may contain data which could enable re-identification (limited data set). [339] By regulation, limited data sets can only be shared for research, public health, and health care operations, but no other purposes. [340] Covered entities are health plans, health care clearinghouses and some health care providers. [341] The notion of “health plan” refers to an individual or group plan that provides or pays the cost of medical care. Health plan includes group health insurance and health insurance issuers, which are defined as a licensed and state-level regulated insurance company, as well as insurance service providers, and insurance organisations. [342] Most insurance companies are covered by this notion [343] and accordingly, health insurance policies are subject to HIPAA.

109

Covered entities have to comply with certain administrative, physical, technical and organisational security standards. For example they must ensure the confidentiality, integrity, and availability of electronic protected health information. [344] A covered entity may not use or disclose protected health information, unless permitted or required by the privacy rule or with written authorisation by the individual who is the subject of the information. [345] Protected health information may be used with the consent of the individual or for treatment, for payment, and for health care operations. [346] Generally, underwriting, enrolment, premium rating, and other activities in connection with health insurance contract formation or renewal, as well as with health benefits, qualify as such health care operations. [347] While use, disclosure and requests of protected health information shall be limited to the minimum necessary to accomplish the intended purposes of said operation, the use and disclosure of genetic information for underwriting purposes is entirely prohibited. [348] Finally, under HIPAA an individual has a right to be adequately notified (notice of privacy practice) of the possible uses and disclosures of its protected health information, as well as of its rights and the covered entity's legal duties with respect to protected health information. [349] In this notice of privacy practice, a health plan that uses protected health information for underwriting must include a statement that it is prohibited from using or disclosing genetic information for this purpose. [350]

110

The Gramm-Leach-Bliley Act (GLBA) limits the disclosure of non-public personal information collected by a financial institution, [351] i.e. an institution engaging in activities which are financial in nature. [352] By statute, insuring against loss, harm, damage, illness, disability, or death is qualified as financial activity. [353] Therefore, insurance companies are subject to the GLBA. With regard to its material scope of application, the GLBA protects personally identifiable financial information that is provided by, results from, or is otherwise obtained in connection with consumers and customers who obtain financial products. [354] However, the Act is neither applicable to information in the public domain, nor to non-public financial information. With regard to substantive provisions, the GLBA imposes privacy and data security obligations on financial institutions. The Financial Privacy Rule foresees that privacy notices need to be provided to customers who obtain a financial product or service. Furthermore, certain restrictions on a financial institution’s information sharing practices, as well as a duty to safeguard customer information (Safeguard Rule), are imposed. [355] The customer must be informed about the institution’s privacy policies and practices ab initio and kept up-to-date at least annually. [356] In particular, information on the disclosure and protection of non-public information must be given. [357] The customers must also be informed about the possibility that their non-public personal information may be disclosed to a non-affiliated [358] third party and they must be given the opportunity to opt-out of having their non-public personal information shared with non-affiliated third parties, except for fraud prevention or the processing of consumer transactions. [359] Additionally, the financial institutions have to ensure the security of the customer‘s information and records. The latter must be protected against anticipated security threats or hazards and unauthorised access or use. [360]

111

Besides the relatively detailed rules on privacy policies and information sharing, the GLBA does not restrict the use of personal information and hence does not limit the possibilities of personalising insurance contracts based on big data.

112

The Fair Credit Reporting Act (FCRA) [361] shall protect consumers from inaccurate or unfair uses of their personal information in credit reports. [362] The Act regulates the disclosure and use of personal information supplied by Consumer Reporting Agencies (CRA), [363] and in particular the use of consumer reports [364] for adverse action. [365] Insurance companies might have an interest in consumer reports when individualising insurance contracts with regard to the willingness to pay. By statute, denial, cancellation, or other adverse or unfavourable change of coverage, as well as unfavourable changes of the charged amount of any insurance, are considered such adverse actions. [366] Thus the use of consumer reports by insurers would have to comply with the FCRA. [367]

113

A CRA may only furnish a consumer report in accordance with the instructions of the consumer, or when it has reason to believe that the requesting person has a permissible purpose to obtain a consumer report. [368] By statute, the underwriting of insurance is such a permissible purpose. [369]

114

Where an adverse action is taken based on information contained in a consumer report, the user of the report shall inform the consumer about this fact. [370] Whenever consumer reports are used for big data analytics and such analysis leads to an insurer taking an adverse action, the insurer has to inform the consumer. However, the FCRA does not apply to companies when they use data derived from their customer-relationship in their decision-making processes. [371] As long as all the data in the insurer’s database is derived directly from the consumer and not from a consumer reporting agency, the FCRA would not prevent performing big data analytics.

115

The Genetic Information Nondiscrimination Act (GINA) prohibits employers and health insurance companies from discriminating against individuals on the basis of genetic information. [372] Therefore companies should refrain from collecting genetic information unless it is absolutely necessary and permitted by law. [373] Health insurers, in particular, are not allowed to request or purchase genetic information for underwriting purposes or prior to an individual’s enrolment under a plan or coverage in connection with this enrolment. [374] They may also not request an individual’s family member to undergo genetic testing. [375] Furthermore, premiums may not be adjusted on the basis of genetic information. [376]

117

The Californian constitution grants all people certain inalienable rights, one of them being a right to privacy. [379] This right applies to the local government, to private entities and to individuals. [380] But neither the wording, nor its interpretation by courts, impose concrete compliance obligations on companies. [381] A cause of action based on a violation of the right to privacy is possible if three elements are present: a legally protected privacy interest; a reasonable expectation of privacy; and a serious invasion of the privacy interest. [382] Thus, companies should keep the constitutional right to privacy in mind, even if intrusive invasions of personal privacy are in line with specific statutes and common law principles. [383]

118

The personal information of insurance applicants or policyholders is strictly regulated in California, in particular by the Insurance Information and Privacy Protection Act (IIPPA). [384] The IIPPA’s purpose is to establish standards for the collection, use, and disclosure of information gathered in connection with the insurance business, and to maintain a balance between the insurers’ need for information and the public’s need for fairness in insurance information practices. [385] The regulations apply to health and property-casualty insurance. [386]

119

Among others, the act contains provisions regarding the notice of information practices to all applicants and policyholders in connection with insurance transactions, [387] the disclosure of personal or privileged information, [388] the right to access recorded personal information, [389] and the right to have recorded information corrected or a portion of it deleted. [390] Notably, the IIPPA restricts on what basis an adverse decision may rest. [391] By statute, declination and termination of insurance coverage as well as charging higher rates for property or casual insurance or offering higher than standard rates in health insurance qualify as adverse actions. [392] Information on preceding adverse underwriting decisions, the information that an individual previously obtained insurance coverage through a residual market mechanism, and information possibly stemming from insurance-support organisations shall not be used as a basis for an adverse action. [393] Thus the information an insurance company can base an adverse underwriting decision on is limited. Furthermore, IIPPA also vests the insured with a right to receive reasons for an adverse underwriting decision. [394]

120

The California Confidentiality of Medical Information Act (CMIA) [395] protects the privacy of California residents’ medical information. [396] Any individually identifiable information regarding a patient’s medical history, mental or physical condition, or treatment in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor, is protected. [397] The CMIA applies to providers of health care and their contractors and to health service plans. [398] Health insurers must comply with the Act. [399] In 2014 the CMIA was amended to cover providers of software and hardware that allow customers to manage their health, [400] making it applicable to wearables.

121

The use or disclosure of health information "for any purpose not necessary to provide health care services to the patient," is prohibited unless the individual has given his consent, or it is otherwise permitted by the CMIA. For example, the disclosure to an insurer for the payment of services is permitted by statute. [401] If an insurance company receives medical information from a person or company that is subject to the CMIA, it may not further disclose this information except in accordance with a new authorisation that meets the requirements of the CMIA. [402] However, the CMIA does not prevent the disclosure of medical information by a provider of health care to an insurance institution subject to the IIPPA, provided the institution has complied with all requirements for obtaining the information set forth by IIPPA. [403]

122

The California Financial Information Privacy Act [404] (CFIPA) makes use of the GLBA’s reservation for states wishing to expand and tighten its rules on financial privacy protection. [405] The CFIPA requires financial institutions [406] to obtain written consent from a customer before disclosing said customer's non-public personal financial information. [407] In some cases, CFIPA mandates that this consent must be provided by an affirmative action (opt-in), whereas, in general, opt-out consent would be sufficient pursuant to the GLBA. [408] The written consent (opt-in) of the consumers must be obtained, if financial information shall be disclosed to third parties that are neither affiliates nor financial institutions for the purpose of offering non-financial products and services. [409] However, when disclosing non-public personal information to an affiliate, a health insurer must only provide the insured with an opt-out option and remind them annually in writing that the information is being disclosed. [410] An opt-out notice must also be sent if a financial institution wants to share financial information with another (non-affiliated) financial institution for the purpose of offering financial products or services. [411] However, under the CFIPA financial institutions are not required to obtain a consumer’s consent for sharing non-medical, non-public information with their fully owned subsidiaries, as long as they are engaged in the same line of business and regulated by the same functional regulator. [412]

123

Insurers would be interested in non-public financial information for individualising insurance contracts in accordance with the willingness to pay. In such a scenario the CFIPA’s requirements regarding the disclosure of non-public personal information need to be observed. Opt-out and opt-in requirements do limit the information on which the individualisation of insurance contracts may be based with regard to individuals that object to their information being shared. But as far as the individualisation is based on non-public financial information already in possession of an insurer or its subsidiaries, the CFIPA does not limit the leeway for individualisation.

124

The Consumer Credit Reporting Agencies Act (CCRAA) [413] and the Investigative Consumer Reporting Agencies Act (ICRAA) [414] govern how consumer credit reporting agencies furnish information and reports for the needs of commerce. They require that such agencies need to adopt reasonable procedures and contain provisions concerning the confidentiality, accuracy, relevancy, and proper utilisation of such information. [415] While the CCRAA regulates consumer credit reports [416] and thus concerns a person's creditworthiness, [417] the FCRA also applies to reports regarding a consumer’s character, i.e., general reputation, personal characteristics, or mode of living. [418] To a large extent both Acts, the CCRAA and the ICRAA, duplicate federal law, while in addition many provisions may be pre-empted by the FCRA. [419] Thus the relationship between CCRAA and FCRA is very complex.

125

A consumer credit report under the CCRAA is any written, oral, or other communication of any information by a consumer credit reporting agency bearing on a consumer’s credit worthiness, credit standing, or credit capacity, which is among others, used for insurance underwriting. [420] Overall the CCRAA defines terms similarly to the FCRA and contains similar obligations for reports regarding someone’s creditworthiness. [421] As is the case under the FCRA, whenever a CRA has reason to believe that a person intends to use a consumer report in connection with the underwriting of insurance, it may furnish said report to that person. [422] If information in a consumer credit report leads to adverse action with respect to any consumer, he or she also has to be provided with an adverse action notice. [423]

126

Investigative consumer reports as regulated in the ICRAA are reports in which information is obtained on a consumer’s character, general reputation, personal characteristics, or mode of living. [424] This definition is broader than the definition of investigative consumer reports contained in the FCRA, since it includes information obtained "through any means" [425], while under the FCRA, the information is obtained through personal interviews only. [426]

127

The ICRAA’s rules are stricter than the CCRAA rules pertaining to consumer credit reports. [427] An investigative consumer report may only be prepared when a need for a specific purpose can be demonstrated, e.g. for determining eligibility or rates for insurance. [428] In general, the consumer needs to be informed a priori when an investigative consumer report is requested by the user. [429] Also a consumer has to give his consent if an investigative report that contains medical information shall be sent to an insurer. [430] If an insurance for personal, family, or household purposes increases the charge for insurance, or denies the consumer insurance based on a consumer's investigative consumer report, the insurance must inform the consumer and supply the name and address of the investigative consumer reporting agency that made the report. [431]

128

In 2018 a Californian ballot initiative for a comprehensive consumer privacy act enforced through litigation had received sufficient signatures to cast a vote. Since laws enacted through ballot initiatives are almost impossible to revise, the legislature was under pressure to present an indirect counter-proposal, which would make the initiators withdraw the ballot initiative. It was not until the last day of possible withdrawal that the Californian legislative hastily enacted the California Consumer Privacy Act (CCPA). [432] The CCPA will enter into force 1 January 2020 and will be supplemented by regulations issued by the Californian Attorney General on or before 1 July 2020. [433] This guidance will likely determine the scope of how the law is to be enforced in practice, since it is expected to elaborate on key definitions such as “personal information” and “unique identifiers”, as well as procedures companies must have in place to effectuate the CCPA’s consumer rights.

129

The CCPA protects “consumers”, which are defined as California residents and the act thus applies to personal information relating to any California resident. [434] Companies that do business in California and either: (i) have an annual gross revenue of more than $25 million; (ii) receive or share personal information of more than 50,000 consumers, households, or devices; or (iii) derive more than 50 percent of their annual revenues from selling consumers’ personal information have to comply with de CCPA. [435]

130

The CCPA regulates the selling of personal information and provides consumers with various rights. Selling is defined as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration”. [436] However, businesses can claim that they are covered by one of several complexly specified exemptions from the definition of “selling”. [437]

131

Consumers will have a right to be informed, to receive a privacy notice, and they will have access rights. [438] The information to be provided includes inter alia the categories of personal information collected about the consumer, the categories of sources and the categories of recipients. [439] Unlike the ballot initiative, consumers do not have a right to receive the name and identity of the data recipients. [440] Furthermore, consumers are vested with opt-out options, whereas minors have to opt-in to the collection of personal information. [441] The CCPA prescribes certain means of communication; for example, it requires businesses to communicate the opt-out option with consumers via a clear and conspicuous link on the business’s Internet homepage, titled “Do Not Sell My Personal Information”. [442] Furthermore, consumers have a right to get their data deleted. [443] Also companies must not discriminate against California residents on the basis of them exercising their rights under the CCPA by denying goods or services, charging different prices, or providing a different service quality. However, differing prices, rates or quality may still be applied, if these differences are reasonably related to the value of the consumer’s data. [444]

132

California Civil Code (CIV) § 1798.175 provides that in the event of a conflict, the law that provides the greatest privacy protection takes precedence. However, the CCPA appears to prevent some of these conflicts by clarifying that it neither applies to medical information governed by the Medical Information Act nor to protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued pursuant to HIPAA and the HITECH Act. [445] Further reservations concern the FCRA, the GLBA and the CFIPA. [446]