Our team

Travel Insurance in times of COVID-19 – view from The Netherlands

Travel Insurance in times of COVID-19 – view from The Netherlands 2560 1880 Ekelmans Advocaten
Travel Insurance
Leestijd: 3 minuten
Lesedauer: 3 Minuten
Reading time: 3 minutes
Expertise:

Insurance / Liability /

Due to Covid- 19 travel insurance companies have had to face many claims under the travel insurance policies in the past months. Many travel insurance policies exclude the outbreak of a pandemic from coverage. In a couple of cases the insured party did not give up after the Travel Insurer refused to provide cover and appealed to the Financial Services Complaints Tribunal of The Netherlands.

Travel insurance

As the name suggests, travel insurance provides cover for travelers during a trip. On the basis of travel insurance, travelers can receive assistance if they have to cut their stay short or if they are forced to stay longer as a result of an illness or an accident. Travel insurance usually covers the additional costs in certain cases.

The Policy Conditions of the travel insurance determine which events are covered and which events are excluded from insurance. Travelers can extend coverage by purchasing specific modules.

Financial Services Complaints Tribunal of The Netherlands interpret the policies in favor of the Insurers

The Financial Services Complaints Tribunal of The Netherlands is a dispute settlement authority accessible to consumers where they can complain about, for example, their insurance.

As mentioned before a couple of consumers appealed to the authority after the Insurer refused to provide cover.

An example of such a case is decision no. 2020-628 of 29 July 2020, of the Disputes Committee of the Financial Services Complaints Tribunal of The Netherlands. In this case the Insured was visiting his daughter in Morocco when both Morocco and The Netherlands went into complete lockdown. The flight was canceled and the only way home was repatriation by the Dutch Government. He had to stay in Morocco for weeks.

The Insured called on his travel insurance for the extra costs he would have to make because he couldn’t fly home. The Insurer however refused cover, and took the position that cover only exists when damage is caused by an earthquake, flood or volcanic eruption and that definitions of earthquake, flood and volcanic eruption are given in the General Terms and Conditions. These Conditions did not mention a pandemic or a virus outbreak, such as the coronavirus outbreak, and therefore the Insurer was not obliged to reimburse the Insured.

The Disputes Committee concurred with the position of the Insurer and considered (in so far as relevant) that the starting point should be what is stated in the Insurance Conditions. The Conditions are – according to the Committee – what parties have agreed on. According to The Disputes Committee the Insurer is free to determine the limits within which it is prepared to provide cover.

In this case The Disputes Committee found that the Policy Conditions were sufficiently clear about what would and would not be covered by the Insurer.

Does that mean Travel Insurance never covers COVID-19 related issues?

No, it does not. Firstly the question whether or not the insurance provides cover depends on the Policy Conditions. However in certain circumstances the Insured will be able to successfully make a claim on his travel insurance. This is the case, for example, if the insured or a co-insured himself becomes seriously ill due to the Corona virus and as a result has to make additional accommodation costs. Serious illness is in fact classified as an insured event in most Policy Conditions. In that case it does not matter what made the Insured sick in the first place.

Bron: Insurance Law Global

Author

Simone Eman
Simone Eman

Simone Eman

+31 70 37 46 368

Naar overzicht
Zurück zur Übersicht
Back to main page

Can you transfer personal data to third countries safely after Schrems II? 

Can you transfer personal data to third countries safely after Schrems II?  1120 600 Ekelmans Advocaten
Schrems II
Leestijd: 6 minuten
Lesedauer: 6 Minuten
Reading time: 6 minutes
Expertise:

Privacy Desk /

Since the EU-US Privacy Shield has been declared invalid, it is unclear how a company can transfer personal data to the US. Anne-Mieke Dumoulin Siemens provides guidance in the twilight zone created by the Court.

The Court of Justice of the European Union (ECJ) declared the EU-US Privacy Shield invalid on 16 July 2020 in the so-called Schrems II case. This means that with immediate effect, the EU-US Privacy Shield can no longer serve as a basis for the transfer of personal data to the US. When transferring personal data to countries outside the European Economic Area (EEA), the rules of the GDPR must be followed. Now that the EU-US Privacy Shield can no longer be used as a basis for transfer, the question arises as to how transfer to the US (and to other countries outside the EEA) can be designed to be secure. This article provides guidance in the twilight zone created by the Court.

Exit EU-US Privacy Shield

The GDPR facilitates the transfer of personal data on the basis of an adequacy decision. The European Commission has issued an adequacy decision for 12 countries.  An adequacy decision guarantees the third country concerned provides an adequate level of data protection. The EU-US Privacy Shield is based on an adequacy decision issued by the European Commission. The Court has annulled the EU-US Privacy Shield in Schrems II because of the lack of an adequate level of protection in the US. There are surveillance regulations in the US that allow US intelligence and security services to access personal data. Such access is not limited to strictly necessary data. In addition, US citizens have no enforceable data protection rights and no effective legal remedies.

Consequences exit EU-US Privacy Shield

The clash between the European privacy regulations and the US surveillance laws has serious consequences for the many companies and organisations that transfer personal data to the US under the EU-US Privacy Shield on a daily basis. They are now acting in violation of the GDPR. Schrems II does not offer a transition period: the transfer of personal data to the U.S. on the basis of the EU-US Privacy Shield has been declared invalid as of the date of the ruling. Schrems II does not only cover future data flows, but also personal data that have been transferred in the past and are still accessible to U.S. authorities. At present, it is not to be expected that the European supervisory authorities will start immediate enforcement proceedings, but the question what is an acceptable alternative mechanism for the transfer of personal data should be at the top of your company’s action list. How to proceed?

Alternative mechanism for the transfer of personal data?

The transfer of personal data to recipients in third countries must not undermine the level of protection guaranteed by the GDPR to individuals within the EU. The recipient country must provide a level of protection for personal data comparable to that guaranteed within the EU. In short, transfers should only take place in full compliance with the GDPR.

If no adequacy decision is in place for a particular country, the data exporting company or organisation must ensure that the transfer is secured with appropriate safeguards. The standard contractual clauses (SCCs) as adopted by the European Commission provide appropriate safeguards according to the GDPR.

Can SCCs still be used after Schrems II?

Article 46 GDPR, which forms the basis for the use of standard provisions, explicitly sets two requirements for transfers to countries to which no adequacy decision applies. Firstly, the exporting company must provide adequate safeguards (through SCCs, for example) and secondly, enforceable data subject rights and effective legal remedies for data subject must be available in the third country.

The SCCs passed the test of criticism in Schrems II. In principle, personal data can still be transferred to third countries on the basis of SCCs. However, the Court emphasises the importance of requirements in Article 46 GDPR concerning the use of standard clauses. Prior to any transfer of personal data, the transmitting company must verify that the receiving country provides the data subjects with enforceable rights and effective legal remedies.

In general, companies are imposed with the almost impossible task of assessing – on a country-by-country and transfer-by-transfer basis – whether recipient countries have legal rules in place regarding the protection of data subjects and their personal data. In addition, it is not clear what criteria should be used in the assessment. The Court does not address this and Article 46 GDPR does not provide any further explanation either. We now know that standard provisions cannot (or no longer) be used as a mechanism for the transfer of personal data to the US because US surveillance legislation prevents this. However, companies are in the dark as to how the surveillance and security legislation in other third countries is to be valued.

The reality is that few companies have sufficient knowledge and resources to properly assess the data protection legislation and surveillance practices of third countries. It is also clear that the European authorities seem to be struggling with such assessments. So far, the European Commission has issued adequacy decisions for only 12 countries, and the adequacy decision for the US has now been invalidated twice.

How can SCCs be used in practice?

The European Data Protection Board (EDPB) has announced to publish recommendations on how to deal with the consequences of Schrems II. In anticipation of these recommendations, the following guidelines may help you to implement the transfer of personal data to third countries on the basis of SCCs.

  • Check that the data importer is able to comply with all the provisions of the SCCs.
  • Carry out a due diligence on the type of data transferred, the categories of data subjects, the processing purposes, the retention period, the type of recipient and the sector to which the recipient belongs.
  • Examine to what extent the legal system of the third country allows public institutions to require disclosure of data and whether data subjects (including foreign data subjects) are aware of the disclosure and are able to take legal action before the courts. Determine the category of data affected by the laws of the third country.
  • Investigate the extent to which the importer is bound by these laws and the likelihood of the importer disclosing or having to disclose the exporter’s personal data to the authorities in the third country.
  • Check whether the data importer has a procedure to inform the data exporter if a government request extends to the data of the data exporter and offers the possibility of opposing disclosure.
  • Check whether the risks posed by national surveillance legislation can be offset by agreeing additional safeguards with the data importer. This could include agreements on the application of proper encryption, the suspension of the transfer of data and the removal of data by the data importer.
  • Make sure you document your choices and agreements. The GDPR requires you to be able to demonstrate that you comply with the GDPR.

Can Binding Corporate Rules be used?

Binding Corporate Rules (BSRs) are, in addition to SCCs, a mechanism for the transfer of personal data to third countries. BCRs are rules specifically designed for transfers of personal data within an international group of companies. Once established and approved, BCRs can only be used for the transport of personal data within the group of companies. A different mechanism must be used for transfers outside the group.

BCRs were not subject of debate in Schrems II. However, if the lawfulness of the transfer of personal data on the basis of SCCs is in question, because the regulations in the receiving third country do not comply with European safeguards, then one may wonder whether transfer to the same country on the basis of BCRs is lawful.

BCRs are drawn up by the group company concerned and must be approved by the competent supervisory authority. SCCs are a product of the European Commission. In practice, the main difference is that the burden of assessing the adequacy of protection measures lies with the supervisory authority when a company uses BCRs, whereas the user of SCCs (re Schrems II) has to make his own adequacy assessment and is responsible if he makes a mistake. This raises the question of how supervisory authorities within the EU deal with pending applications for the approval of BCRs. Approval of BCRs implies that the relevant supervisory authority considers that appropriate safeguards are in place in the receiving third country. This may be a sensitive issue, given the reasoning in Schrems II.

Can the exceptions in Article 49 GDPR be used?

According to the Court in Schrems II, the invalidation of the EU-US Privacy Shield does not create a vacuum because companies can rely on one of the derogations for specific situations (Article 49 GDPR). However, the possibilities to justify transfers using the exceptions of Article 49 GDPR are limited. EDPB has stated (Guidelines 2/2018) that these exceptions should be interpreted restrictively and that the exception should not be made the rule. In addition, the use of article 49 GDPR imposes a heavy administrative burden on the company. The data exporter must justify why each of the mechanisms for the transfer in question cannot be used and why the exception in question is suitable as a basis for transfer in the specific case. The option provided for in Article 49 GDPR therefore does not seem very attractive.

EDPB recommendations on implications of Schrems II

Schrems II shows that the application of and compliance with strict European privacy rules for the transfer of personal data in international traffic is problematic. The EDPB has set up a task force which will hopefully soon come up with recommendations on how to deal with the consequences of the Schrems II decision.

Would you like to know more about this subject? Then please contact our Privacy Desk.

Author

Anne-Mieke Dumoulin-Siemens-Ekelmans Advocaten
Anne-Mieke Dumoulin-Siemens-Ekelmans Advocaten

Anne-Mieke Dumoulin-Siemens

+31 70 374 64 34

Naar overzicht
Zurück zur Übersicht
Back to main page

De Zorgverzekering (‘Health Insurance’) — the first clear overview of the law in Dutch healthcare

De Zorgverzekering (‘Health Insurance’) — the first clear overview of the law in Dutch healthcare 2560 1707 Ekelmans Advocaten
overzicht zorgverzekeringsrecht
Leestijd: 2 minuten
Lesedauer: 2 Minuten
Reading time: 2 minutes
Expertise:

Insurance / Liability /

Dutch health insurance and long-term healthcare are riddled with rules and customary practices, in which it is easy to lose your way.

But now the first edition of the book De Zorgverzekering (i.e.: healthcare insurance) has appeared.

Dutch health insurance and long-term healthcare are riddled with rules and customary practices, in which it is easy to lose your way. But now the first edition of the book De Zorgverzekering (i.e.: healthcare insurance) has appeared. In this book, Jan Ekelmans provides a picture of the health insurance scene and unpicks it layer by layer. Health insurers, healthcare providers, regulatory bodies, consumers and their advisors can use this book to help them make better, faster choices on what action to take.

Market worth 80 billion euros

Insured healthcare is a market with a turnover of 80 billion euros. Producing an overview of what happens in that market is quite a challenge, one that has been taken up by this book. It focuses on four topics: the various kinds of insurance (health insurance, insurance under the Long-Term Care Act and supplementary insurance); the legal relationship between the healthcare provider and the health insurer; privacy protection and possible breaches of privacy; and the audits and fraud investigations by health insurers, plus the consequences attached to the findings from these investigations.

Practical approach

The book has a practical approach; it devotes attention to different perspectives on decisions and includes examples from actual practice, future developments and sources for further information and application. It contains a wealth of facts and legal information that has never before been brought together in one place, ordered and made accessible in this way.

About the author

Jan Ekelmans is a lawyer and partner at Ekelmans & Meijer Advocaten. He is an authority in the field of insurance law in the Netherlands. Insurers ask him for advice on complex and politically sensitive matters. For a number of years Jan was a deputy justice at the Arnhem–Leeuwarden court of appeal and a member of the advisory committee that advises the Dutch Parliament and Government on civil procedural law. His extensive experience with insurance law enables him to provide a clear overview of health care insurance in the Netherlands.

Contact

Jan Ekelmans
Jan Ekelmans

Jan Ekelmans

+31 6 23 36 99 58

Naar overzicht
Zurück zur Übersicht
Back to main page

Abdi Youssuf: the most driven mentor

Abdi Youssuf: the most driven mentor 1900 1357 Ekelmans Advocaten
Abdi Youssuf-Ekelmans Advocaten
Leestijd: < 1 minuut
Lesedauer: < 1 Minute
Reading time: < 1 minute
Expertise:

Insurance / Liability /

We are proud of Abdi! “The most driven mentor” is how he was described by the jury tasked with selecting the mentor of the year.

And our best wishes to Annemieke Hazelhoff, who won the ‘best mentor of the year award’.

Abdi, a lawyer specialized in insurance law at Ekelmans & Meijer, acts as a mentor to young lawyers (trainees) during the first three years of their career.

Our firm attaches a high priority to coaching and training for our young lawyers. An excellent mentor makes an important contribution to this. We see the nomination of Abdi as recognition of his qualities. And not only is Abdi a great mentor and fantastic person to work with, he is also an outstanding lawyer with a successful practice!

Contact

Naar overzicht
Zurück zur Übersicht
Back to main page

Beware of the Cyber Security Act!

Beware of the Cyber Security Act! 1920 1280 Ekelmans Advocaten
cybersecuritywet
Leestijd: 4 minuten
Lesedauer: 4 Minuten
Reading time: 4 minutes
Expertise:

Privacy Desk /

The Network and Information Systems Security Act (Wbni) is applicable in the Netherlands. The act is also known as the Cyber Security Act. The directive applies to operators of essential services and providers of digital services. This directive may also apply to your organisation.

Since 9 November 2018, the Network and Information Systems Security Act (in dutch: “Wet beveiliging network – en informatiesystemen”) has been applicable in the Netherlands, also known as the Cyber Security Act. This Act is the Dutch translation of the European Cyber Security Directive (EU Network and Information Security Directive 2016/1148). Each Member State is mandatory to have its own translation of the directive. The directive applies to operators of essential services and providers of digital services. This directive may also apply to your organization. In this article the operators of essential services and digital service providers are explained first and then the duty of care arising from the European Cyber Security Directive will be discussed.

When are you a operator of essential services or a provider of digital services?

Essential service operators include organizations in the energy, financial and transport sectors. The digital service providers includes for example cloud services, search engines and online market places, also known as “DSPs”. However, not every party that offers a digital service is automatically covered by the European Cyber Security Directive. For example, social media and web shops also offer digital services, but do not necessarily have to comply with the European Cyber Security Directive. Required is that the organization must have a head office or representation in the Netherlands. In addition, more than 50 employees must be employed within the organization or there must be a balance sheet total or an annual turnover of more than 10 million euros. Small and micro-enterprises therefore do not fall under the scope of the European Cyber Security Directive.

The failure or disruption of operators of essential services or digital service providers can lead to major social disruption. The European Cyber Security Directive therefore includes a duty of care for security measures.

The duty of care

The duty of care means that operators of essential services and the digital service providers must take appropriate organizational and technical measures to manage security risks and to reduce the consequences of incidents. In the GDPR (art. 24) we also have such an arrangement for the processing of personal data. However, the European Cyber Security Directive specifically focuses on digital security and includes the operators of essential services and the digital service providers in the broad sense.

The European Cyber Security Directive works out five aspects that operators of essential services and the digital service providers must take into account. This elaboration is based on art. 2 Implementing Regulation (EU) 2019/151 and consists – in brief – of taking the following measures:

First of all, the network and information systems must be adequately secured. In addition, organizations must be able to demonstrate that they take measures in the event of incidents. This could include processes for reporting incidents and for identifying shortcomings and weaknesses in the system. Provision must also be made for measures to properly maintain or restore business continuity and services after an incident. These measures include the establishment and use of contingency plans. It is also relevant that regular checks are made to ensure that the measures in question work properly and are therefore periodically tested. Finally, international standards must be taken into account in all of this.

All these measures aim to ensure that operators of essential services and the digital service providers comply with the principle of duty of care as set out in the European Cyber Security Directive: “taking appropriate measures to prevent incidents and, if incidents do occur, the consequences thereof so as much as possible “.

The duty of care in practice

The European Cyber Security Directive mainly indicates what needs to be done, but not how the implementation of this duty of care should subsequently be given shape.

Operators of essential services and the digital service providers must complete the implementation of the duty of care and the measures themselves, whereby each Member State needs to have a supervisory body (the Telecom Agency in the Netherlands) to supervise and take enforcement action if needed. However, because the duty of care and the measures are lacking, it is to be expected that organizations have many uncertainty about this. This could result in a failure to fulfill their duty of care.

Recommendation therefore deserves legal advice in applying the duty of care arising from the European Cyber Security Directive as correctly as possible in practice. It is important thereby that a balance is found in complying with the duty of care and respecting the commercial interests of companies and the privacy of natural persons. Creating a security protocol with a concrete step-by-step plan/checklist could be an example of this. However, due to the diversity of organizations that fall within the scope of the European Cyber Security Directive, this is a matter of customization.

What does this mean for the insurer?

The imposition of a specific duty of care on one hand, but the absence of specific standards on the other hand, makes the operators of essential services and the digital service providers vulnerable not only to the regulator but also to (possible) claims.

This increases the risk of an insurer that insures operators of essential services and the digital service providers. For insurance companies it is therefore advisable to take this into account in the underwriting processes regarding these operators and providers. For example this can be done by checking whether protocols and step-by-step plans to meet the duty of care are present within the organization. It is also advisable to oblige insured operators of essential services and digital service providers to inform the insurer of any changes to this duty of care within the organization.

Contact

Like to know more?
Like to know more?

Like to know more?

+31 70 374 63 00

Naar overzicht
Zurück zur Übersicht
Back to main page

The Obstacle Criterion

The Obstacle Criterion 150 150 Ekelmans Advocaten
Leestijd: 4 minuten
Lesedauer: 4 Minuten
Reading time: 4 minutes
Expertise:

Insurance / Liability /

Dutch healthcare insurers provide three types of insurance. Under the in-kind contracted care policy, the insurer reimburses the provided care received by contracted care providers.

The insured can however still receive health care from non-contracted care providers, but –in that case – under Dutch law – the insurer does not have to reimburse all the costs. The Dutch Supreme Court recently issued an important ruling on this matter.

In-kind-contracted care policies

Generally, Dutch healthcare insurers provide three types of insurance: in-kind contracted care policies, restitution non- contracted care policies and the combined policy.

Under the in-kind care policy, the insurer reimburses the care received by the insured provided by a care provider that the insurer has a contract with. The insured are not entitled to reimbursement of the costs of the care provided, but to the care itself.

The restitution non-contracted care policies on the other hand, reimburse the costs of care given by the insured’s care provider of his/her own choice. These policies are usually more expensive.

Lastly, there is the combined policy, which is a combination of the aforementioned policies.

The in-kind-contracted care policy is central to this article.

Reimbursement for non-contracted care

As mentioned before, the insured with an in-kind contracted care policy is entitled to healthcare. To meet the obligation to provide care under these policies, insurers enter into agreements with care providers about the care or service to be provided and the price to be charged for it. This way insurers try to achieve savings on healthcare costs.

The insured can however still receive health care from non-contracted care providers. In accordance with article 13 of the Dutch Health Insurance Act insurers must give the insured reimbursement for non-contracted care. The insurers determine the amount of this reimbursement, as long as the reimbursement isn’t so low that it constitutes an obstacle for the insured to turn to a non-contracted health care provider of his/her choosing.

The court of appeal held that a general reimbursement of 75-80% of the market rates was regarded as a widely accepted practice standard of how low a reimbursement may be to not constitute an obstacle to be free in the choice of a care provider.[1] This judgment of the Court of Appeal has been upheld by the Dutch Supreme Court in2014.[2]

Despite that, a non-contracted healthcare provider tried his luck again and brought a case all the way before the highest Dutch Court. On June 7th 2019, The Dutch Supreme Court ruled on the matter.

Dutch Supreme Court Judgment on obstacle criterion

In this case, the insurer reimbursed 75% of the market rates for the healthcare provided by this particular healthcare provider. The healthcare provider, however, argued that this system was not fair. He maintained the opinion that the insurer was acting in breach of the ‘obstacle criterion’ enclosed in article 13 of the Dutch Health Insurance Act. Also, he took the position that the ‘obstacle criterion’ precludes a generic discount. Therefore, the healthcare provider was of the opinion that the insurer was only entitled to deduct a small amount for the extra administrative acts they had to carry out as a result of not having a contract with this healthcare provider.

The Dutch Supreme Court considers that article 13 of the Dutch Health Insurance Act speaks in general terms of “a reimbursement to be determined by the health insurer”. Furthermore, the explanatory memorandum of that act shows – according to the Dutch Supreme Court -that the health insurer has a great deal of freedom to determine the amount of the reimbursement as long as they do not act contrary to the “obstacle criterion’ and as long as they use the same method of calculation for each insured person who requires the same form of care or service.

Therefore, the Dutch Supreme Court rules that neither the explanatory memorandum of the Dutch Health Insurance Act nor the text in article 13 of the Act support the view that a health insurer may only reduce the reimbursement for non-contracted care by the (average) extra (administrative) costs they had to carry out because of the absence of a contract with the concerned health provider. According to the Dutch Supreme Court the latter view would also undermine the legislators’ desired system of Dutch in-kind care policies that differentiate between contracted and non-contracted care. Accepting the view of the healthcare provider would mean that even with the use of non-contracted care there would still be a right to an almost complete reimbursement, which was not the intention of the legislator.

According to the Dutch Supreme Court the complaint that the ‘obstacle criterion’ generally opposes a generic discount can also not be supported by the explanatory memorandum of the Dutch Health Insurance Act. Whether and to what extent the ‘obstacle criterion’ precludes a generic discount in certain cases can only be determined on the basis of concrete facts and circumstances.[3]

Reimbursement of 75% not (necessarily) an obstacle

This ruling of the Dutch Supreme Court is in line with the previous case law. Therefore, the health insurer is (still) entitled to determinate how much they reimburse under an in-kind contracted care policy in case of health care provided by non-contracted healthcare providers as long as they do not act contrary to the ‘obstacle criterion’. A general Reimbursement of 75% of the market rates on its own, is considered not to be an obstacle for the freedom of choice of a care provider.

[1] Court of Appeal Den Bosch, July 9th 2013, ECLI:NL:GHSHE:2013:2971.
[2] Dutch Supreme Court July 7th 2014, ECLI:NLHR:2014:1646.
[3] Dutch Supreme Court June 7th 2019, ECLI:NL:HR:2019:853.

Bron: Insurance Law Global

Author

Simone Eman
Simone Eman

Simone Eman

+31 70 37 46 368

Naar overzicht
Zurück zur Übersicht
Back to main page
Click here to enter your search term
We use cookies to make sure that our website functions smoothly. If you continue to use the website, we assume that you consent to the cookies.
Privacy Policy