Driving home from a successful day in Court where a number of Fraudulent cases were successfully dismissed on the strength of admitting a Liability Investigation Report on the Plaintiff’s activities as posted on Social Media, a question arose for those working in the Insurance Industry: is profiling somebody on social media a breach of their privacy rights or, indeed, of the GDPR?

In order for any Insurance Company to successfully identify a fraudulent claim made by a third party, there must be a sharing of information between Insurance Companies. This was previously covered under the Data Protection Act 1998, under which Insurance Companies were permitted to process “data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences”. The key wording in the Act is for the purposes of the prevention, investigation and detection of fraudulent representations made by third parties.

On 25 May 2018, the GDPR came into effect replacing the Data Protection Act 1998. The aim of the GDPR is to protect all EU citizens from privacy and data breaches.

There can be serious consequences of processing data and getting it wrong under the GDPR with the top end fines being highly publicised. These fines can be as much as €20m or 4% of annual turnover (whichever is the greater), not to mention the damage any adverse publicity would inflict.

GDPR was introduced in Ireland through the Data Protection Act 2018. Under this Statutory Provision, the Data Protection Commissioner has been replaced with a Data Protection Commission. Each supervisory authority will:

  • Monitor and enforce the application of the GDPR.
  • Promote public awareness of the rules and rights around data processing.

The Data Protection Acts 1988-2018 are designed to protect people’s privacy. The legislation confers rights on individuals in relation to the privacy of their personal data as well as responsibilities on those persons holding and processing such data.

Personal data means data relating to a person who is or can be identified either from the data itself or in conjunction with other information that is in, or is likely to come into, the possession of the Department. It covers any information that relates to an identified or identifiable living individual. These data can be held on computers or in manual files.


Any information shared under the GDPR must be subject to the consent of the party upon whom the investigation is undertaken. This is very difficult for Investigation departments of Insurance Companies. However, such information can be obtained and shared if “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party”. This effectively allows an Investigation Unit to obtain and share information such as social media profiles which are posted publicly, without the consent of the third party, when it is in pursuance of a qualified legitimate interest such as:

  • Preventing fraud
  • Preventing or detecting a crime
  • Preventing or detecting unlawful acts
  • Necessary for an insurance purpose (the handling of a claim)


So now the GDPR provides a stronger position for Insurance Companies to lawfully process information in circumstances where a fraudulent claim is being investigated. The key steps to protect against a breach of GDPR are for the Investigative Agent to carefully establish the legitimate interest and to document the thought process for arriving at this conclusion. The Investigative Agent should also ensure and document that they are processing such information for the Prevention of Fraud.

At MDM Solicitors, our specialists in Defence Litigation and anti-fraud have advised our clients on this issue and through our collaborative efforts with our clients we have arrived at a successful outcome with such cases concluding in a resounding dismissal.
