InsurTech: An Opportunity Riddled with Threats

By: Abhinav Gupta


Innovation by way of technology is the key driver for the financial sector, and now even the insurance sector is no stranger to technology. The insurance industry is being greatly disrupted by the rise in InsurTech startups (hereinafter ‘InsurTechs’). InsurTech is the integration of insurance services and technology.

Although InsurTech is in its initial phase in India, it has moved beyond the traditional ways to improve ‘digital distribution’ and ‘customer experience’. For example, some insurers have introduced chatbots to assist customers through messaging, thereby improving customer service. Some insurers have gone to the extent of using drones to ascertain claims in agriculture insurance. No doubt InsurTech improves the consumer experience and provides easy access to insurance services; however, it poses serious cybersecurity and data protection issues. In this article, the author seeks to explore the developments in the InsurTech industry and reflect upon the data protection issues posed by this innovation.


The Insurance Regulatory & Development Authority of India (hereinafter ‘IRDAI’) recognised the increasing use of technology to provide insurance services to consumers, and in 2017 it started a discussion about the use of telematics in order to provide motor insurance. In 2018, IRDAI constituted a working group on Wearable Technology in order to analyse the interface of insurance services and wearables. After the Reserve Bank of India released its ‘Enabling Framework for Regulatory Sandbox’, IRDAI released the IRDAI (Regulatory Sandbox) Regulations, 2019. These regulations allow insurers to be part of the regulatory sandbox if they intend to promote innovation which is beneficial to insurance in India. Under the regulations, IRDAI puts the onus on the insurer to ensure confidentiality of consumer data.

Allowing the inclusion of insurers in Regulatory Sandbox is a positive step towards the promotion of innovation in insurance. It will increase access to insurance services which is the current requirement, considering the low insurance penetration in India. Moreover, market players have a wider scope of exploring and innovating with new technologies in a controlled environment. In order to address the concerns related to data protection during the testing phase, the Insurance Sandbox Committee recommended that despite special exemptions, participants will have to mandatorily comply with regulations related to data protection and policyholder safeguards. 


The insurance industry in general is greatly dependent upon customer data. InsurTechs seek to match the customer with the appropriate insurer. This matchmaking requires them to collect a variety of data such as Aadhaar details, medical prescriptions and the customer’s medical history. Moreover, for such a data-driven industry, the Internet of Things (hereinafter ‘IoT’) is a gold mine. By using IoT, insurance companies do not need indirect indicators like age and gender to determine the premium; they can just track fitness bands or access driving apps to understand customers’ habits, lifestyle and preferences. New York’s Department of Financial Services went to the extent of allowing insurance companies to access social media accounts of customers in order to determine the premiums.

The use of big data and automated decision-making by InsurTech companies may be perceived as interfering with the individual’s right of self-determination and as a breach of informational privacy. This usage and storage of data raise two questions: are we compromising our privacy for convenience, and is access to personal data warranted and safe? These questions become even more pertinent in light of increasing data breaches in the insurance sector. IoT further exposes customers to data breaches, and a study suggests that the majority of companies are unable to detect such security breaches.

These issues highlight the importance of privacy as a fundamental right. Privacy includes the right of an individual to control his digital identity and the right of self-determination. The Supreme Court of India in Justice K.S. Puttaswamy (Retd.) vs. Union Of India, recognised informational privacy as a fundamental right. As a result of this judgment, the government of India put forth the first-ever Personal Data Protection Bill (hereinafter the ‘PDP bill’). The PDP bill sought to balance business interests with the right to informational privacy. In furtherance of the same, the bill put forth elaborate obligations of the data fiduciary. A data fiduciary is an entity or individual who decides the means and purpose of processing personal data. Their duty includes preparing a privacy policy, implementing safeguards to prevent data breach and ensuring transparency while sharing data with third parties.

The intention behind putting such obligations on data fiduciary is to put consumers in control of their data. The service provider will be duty-bound to handle the data carefully and for fair and reasonable purposes only. As a result, the way businesses collect data will change drastically and they will need to modify their policies accordingly.

Collection of data and privacy policy

The current model under which businesses collect data is known as the ‘Notice and Consent model’. Here, ‘notice’ signifies the information provided to the consumer about business’s data collection and sharing policies. ‘Consent’ is the act of accepting the terms and conditions mentioned therein. The privacy policy available on the website of InsurTechs requires you to agree to all the terms & conditions which allows divulging of data to third parties. The only option to not share personal data is to stop using the website. For this reason, this model is not considered to be sufficient for data protection, as it does not provide any real choice to the consumers.

Formulating a privacy policy in an industry reliant on a multitude of personal data becomes even more difficult. A similar challenge was faced by the Justice Srikrishna Committee, which formulated a Data protection report. It was a difficult task before the committee to design a privacy framework in such a way so as to reap the benefits and address the challenges of big data and artificial intelligence. The Data Protection Committee was entangled in the dichotomy between purposes for which data can be used and restrictions on the use of data. While confronted with this issue it observed that “limiting collection is antithetical to large-scale processing; equally, meaningful purpose specification is impossible with the purposes themselves constantly evolving”. This is a clear indication of the importance of data in current times and its indispensability for technological developments and innovation. 


  • There is a need for adopting a new model for the protection of consumers’ data. A leading international organisation proposed a new model for the protection of consumer data. As opposed to the ‘Notice and Consent Model’, where the burden of ensuring privacy is on individuals, the onus should shift to the providers. In doing so, they advocate for a ‘legitimate purpose test’ or imposing a ‘fiduciary duty’. A similar model is being adopted by India. The PDP bill provides that every person processing personal data should do it ‘in a fair and reasonable manner’ and for the purpose consented to by the individual.
  • As the PDP bill proposes rigorous obligations on data fiduciaries, the InsurTechs will have to revise their data policies in order to accommodate the customer’s right to prevent the use of data. The obligations of data fiduciaries under the PDP bill compel them to provide prior notice, obtain specific consent for using data, implement privacy safety measures and remove personal data after the specific purpose is fulfilled. Furthermore, it provides for substantial penalties for non-compliance. Therefore, making a PDP bill-compliant privacy policy should be one of the foremost considerations for the InsurTechs.
  • Increased reliance on information technology means an increased risk of cyber-attacks and breaches. Considering that the insurance industry is facing the highest number of data breaches, insurers need to ensure optimum internal checks, establish technology risk management capabilities and be ready to handle IT security incidents and system failures. There is a need for robust security mechanisms in order to protect data against cyber-attacks. Organizations need to move beyond simple PINs and necessarily adopt multifactor authentication.
  • The introduction of the Regulatory Sandbox in India allows new InsurTechs to experiment and try their products before launching them into the market. This provides InsurTechs with an opportunity to gain a better understanding of the market in a controlled environment, where they can analyse how consumer data can be protected and develop an optimum privacy policy. Considering insurance penetration in India is one of the lowest across the world at 3.69%, there is an opportunity for InsurTechs to expand their operations and exploit an untouched market base.


The insurance industry in India is undergoing a massive change. Where insurance once involved a lot of paperwork, the integration of technology with the delivery of services has reduced this paperwork and made information more easily accessible to consumers. At the same time, this integration has led to concerns related to informational privacy and use of data. The categorization of the right to privacy as a fundamental right and the PDP Bill are a few positive steps towards protecting the confidential and personal information of consumers. It is of the utmost importance to create a balance between privacy and innovation. If privacy protection proves to be insufficient, it will hamper consumers’ trust in innovation. On the other hand, if the regulators develop an overly strict legal regime barring the use of personal data, it may hamper innovation and easy access to services.

(Abhinav is currently a law undergraduate at National Law University, Jodhpur. He may be contacted via LinkedIn.)

Cite as: Abhinav Gupta, ‘InsurTech: An Opportunity Riddled with Threats’ (The RMLNLU Law Review Blog, 21 October 2020) < > date of access.
