Political parties rely increasingly on data analytics and sophisticated profiling techniques to monitor and target voters and opinion leaders. These activities can pose a risk, not only to privacy rights and data protection, but also to the belief of voters in the integrity of the democratic process.

Following two prominent investigations into the (mis)use of personal data in political campaigns in both the UK and the US, the European Parliament (EP) and the Council have approved a Regulation (amending Regulation (EU, Euratom) 1141/2014 on the statute and funding of European political parties and European political foundations) which introduces financial sanctions for European political parties that deliberately misuse personal data and breach data protection rules to gain illegal campaigning advantages in political campaigns for election to the EP. The Regulation, which is subject to publication in the Official Journal, has been approved just three months ahead of the next EU Parliament elections in May 2019.

Key Aims

The Regulation:

  • is intended to protect the electoral process from online disinformation campaigns based on misuse of voters’ personal data; and
  • allows the Authority for European Political Parties and Foundations to impose appropriate sanctions where political parties infringe the rules on the protection of personal data in relation to elections to the European Parliament.

Background

The Regulation comes in the wake of, and has likely been influenced by, significant press coverage surrounding the use of personal data for electioneering purposes on both sides of the Atlantic.

In May 2017 the UK Information Commissioner’s Office (“ICO“) launched a formal investigation into the use of data analytics for political purposes, which looked at the activities of (amongst other parties) Cambridge Analytica and Facebook.

This formal investigation was undertaken because allegations were made about the micro-targeting of political adverts, in particular during the referendum which was held on the UK’s membership of the European Union in June 2016, and the ‘invisible processing’ of people’s personal data.

The ICO’s investigation particularly focused on the data protection principle of transparency, which is at the heart of EU data protection law. It was highlighted that voters could not be empowered to exercise their legal rights in relation to their data or challenge the content they were exposed to if they were unaware of how their data was being used, specifically to target them with political messages.

The investigation is the largest in the history of the ICO, and has involved monetary penalties (including against Facebook) and, in the case of Cambridge Analytica, criminal proceedings.

Meanwhile, the Facebook/Cambridge Analytica case has also raised serious concerns about the use of similar misleading and manipulative techniques in the context of elections in the United States of America, and primarily the 2016 presidential election.

The special counsel investigation led by Robert Mueller has examined alleged Russian interference in the US presidential election. This is said to have included the use of so called “troll farms” to create fake social media accounts, the hacking of private email accounts (including those of Clinton campaign officials), and micro-targeting of social media users with political misinformation intended, allegedly, to sway voting intentions similar to that seen in the UK.

New Regulation

To combat the misuse of data in elections, the new Regulation amends the existing Regulation 1141/2014 in two key areas:

Verification Process

  • The Regulation brings in a new verification procedure whereby the independent authority for European political parties and foundations (“Authority“), must refer the matter to the Committee if it becomes aware of a decision of a Data Protection Authority finding that a natural or legal person has infringed applicable rules on the protection of personal data and if it follows from that decision, or where there are otherwise reasonable grounds to believe, that the infringement is linked to political activities by a European political party or a European political foundation in the context of elections to the European Parliament.. Where the Committee finds that to be the case, the Authority should impose sanctions;
  • The committee’s opinion – to be delivered within a short deadline and no later than 1 month after the decision of the Authority – would assess whether such infringement was used to deliberately influence or attempt to influence the outcome of elections to the European Parliament.

Financial Sanctions

  • Where the Committee finds that a European political party or a foundation has deliberately influenced or attempted to influence the outcome of an election, the Authority must impose sanctions.
  • The Sanctions could amount to 5% of the annual budget of the European political party or foundation concerned.
  • In addition, those found to be in breach would not be able to apply for funding from the general budget of the European Union in the year in which the sanction is imposed.

European Data Protection Board (“EDPB”) Statement

In anticipation of the forthcoming European Parliament elections the EDPB has issued a statement supporting the Regulation and reiterating key points to be respected when political parties process personal data for electoral campaigns including:

  1. In case of targeting, adequate information should be provided to voters explaining why they are receiving a particular message, who is responsible for it and how they can exercise their rights as data subjects;
  2. Personal data which has been made public, or otherwise been shared by individual voters, even if they are not data revealing political opinions, are still subject to, and protected, by EU data protection law; and
  3. Even where the processing is lawful, organisations need to observe their other duties pursuant to the GDPR, including the duty to be transparent and provide sufficient information to the individuals who are being analysed and whose personal data are being processed, whether data has been obtained directly or indirectly.

It is clear that there is currently a particular political and regulatory focus on this highly sensitive area. Political parties and candidates, as well as any organisation which provides services in the context of political campaigning, should be ready to demonstrate how they have complied with data protection principles, especially the principles of lawfulness, fairness and transparency.