We need to put an end to the abuse of EU citizens’ personal data in elections

Sent to the Chair of the Petitions Committee European Parliament; European Commission Commissioner Mr. Didier Reynders; Directorate General of Democracy of the Council of Europe (DGII); OSCE Office for Democratic Institutions and Human Rights (ODIHR).
 

The right to data protection is a fundamental right that grants individuals control over their personal data, how it is used and its destination. This right must be respected by both public and private bodies. Even more so when data about our political preferences are involved. Their use requires a higher social need and therefore must be properly justified and balanced in law to compensate for the impact on the fundamental right to privacy. 



As European citizens, we are concerned about what happens to personal data during electoral processes. Their current collection and use sis disproportionate and has consequences for significant parts of the population in ways that are incompatible with the European Convention for Human rights, the Charter of Fundamental Rights and European Union legislation. It is therefore not hard to see how this erodes trust in our democratic system.

It is because of personal data abuse (both those we know about and those yet to come to light) by political parties and third-party agents that we, the undersigned, denounce the fact that, in many member states and countries, the interpretation of the European legislation for the purposes of holding elections fail to respect the fundamental right to data protection, the value of privacy for default and design and harm democracy. Current measures to avoid profiling of the population for political purposes are insufficient and lack the required justification for providing political parties with large amounts of voters’ personal data.

The 2018 Cambridge Analytica scandal revealed the extent and influence of profiling on voting and election campaigns. Despite some politicians criticising to the use of personal data for political campaigning, far too many political parties are still participating in the profiling of voters’ personal data for electoral advantage (See EDRi member Open Rights Group report https://www.openrightsgroup.org/publications/who-do-they-think-we-are-report/).

As a recent example, a Maltese data breach exposed the personal data of 95% of the registered population for a year. The data did not only include the fields available in the published electoral register (i.e. name, address, and ID) but also telephone numbers, dates of birth and political affiliations. This happened because contractor of a Maltese political party, kept a copy of the electoral register in an open directory that was indexed by Google, (as EDRi member NOYB highlight) (https://noyb.eu/en/massive-political-data-leak-malta__).

Elections lie at the very heart of our democracies as a moment of truth for political accountability. For this reason, the right to vote is an indispensable one. So, it should be an essential right to receive correct information about what and who we are voting for. However, microtargeting allows politicians, political movements and parties to take up mutually exclusive or, at the very least, contradictory positions in order to appeal to different voters, as shown by the Dutch experience, highlighted by EDRi member Vrijschrift (https://blog.vrijschrift.org/serendipity/index.php?/archives/247-Kiezersgunst,-gericht-adverteren-en-democratie.html). This practice also allows for foul play against adversaries. Despite the obvious corrosive nature of microtargeting in politics, it is in widespread use.

EU Regulation 2016/679 (GDPR) and the Commission guidance on the application of Union data protection law in the context of elections (https://ec.europa.eu/commission/sites/beta-political/files/soteu2018-data-protection-law-electoral-guidance-638_en.pdf) have improved the protection of the public in the processing of their personal data. As a principle, the GDPR prohibits the processing of data revealing political opinions, but, as pointed out by EDRi member Panoptikon, although the processing of sensitive data is protected under article 9 of the GDPR, it should take into account the fact that data such as political beliefs may be inferred from the public’s behavioural data (online status, location, etc.), and will in practice be processed without the explicit consent required by article 9 (https://panoptykon.org/political-ads-report#part-3-3). 

In the electoral field, and specifically regarding the processing by political parties of special categories of data, the GDPR exceptions that are used without sufficiently strong safeguards, as required by recital 56, in several member states.

EDRi member Xnet reports that, in Spain, although the Constitutional Court declared the processing of special categories of data by political parties without consent, unconstitutional (STC 76/2019, 22 May 2019, https://www.boe.es/boe/dias/2019/06/25/pdfs/BOE-A-2019-9548.pdf), the municipal census (used to create the electoral roll) containing the personal data (including address, date of birth, and nationality) is every election handed over to all political parties without the Law having provided the legal grounds that legitimises this communication, and without providing the public the chance to oppose communication of their data to political parties at the time of registration in the municipal
census (https://xnet-x.net/proteccion-datos-censo-propaganda-electoral/).

As indicated by ORG, in the United Kingdom the legal grounds of “democratic engagement” is claimed in the Data Protection Act, allowing parties to collect excessive amounts of personal data (https://www.openrightsgroup.org/campaign/who-do-they-think-you-are/) which can then be used during election campaigns (https://www.openrightsgroup.org/publications/who-do-they-think-we-are-report/), without the voters’ explicit consent, in order to create highly intrusive profiles of the public without sufficient legal grounds.

Similarly, EDRi member ApTI notes that in Romania the law allows political parties to process personal data, including special categories of data, without the citizens’ consent or proper safeguards. Political parties need only inform and allow the exercise of erasure and rectification rights, without
requiring citizens’ consent or indicating any legal grounds (https://www.gdprtoday.org/european-commission-urged-to-investigate-romanian-gdpr-implementation/).

While the EU member states have varying history, traditions and legislation on how they handle elections, these developments calls for EU-wide measures [See (1)].


 

We therefore propose: 


– Setting minimum standards that are compatible with our European democratic values in order to prevent, where it exists, the communication of the personal data contained in public registers (electoral roll, municipal roll, electoral register) to political parties or other third parties in the context of political and electoral campaigns.

– Instead of such communication taking place quasi-automatically or following a request from the political parties, it would be appropriate for both the communication and subsequent processing of the data by political parties to be legitimised by the
individuals’ explicit consent (opt-in), ensuring individuals’ control over their data in this highly sensitive context (https://xnet-x.net/proteccion-datos-censo-propaganda-electoral/).
This would respect the fundamental rights of the public without renouncing the benefits of data-driven political campaigns (https://www.openrightsgroup.org/publications/who-do-they-think-we-are-report/).


– Enforcing the GDPR so that the processing of data from which special categories of personal data can be inferred be subject to the regime of Article 9 of the GDPR (https://panoptykon.org/political-ads-report#part-3-3) truly is safeguarded, as required by it.

– Reinforcing transparency obligations: as Xnet points out, in order to control the proliferation of disinformation that results from micro-targeted propaganda by political parties, we need to reinforce the application of the obligations on active publicity and right of access regarding expenses, accounting and electoral communications. Specifically, it should be established that those who contract or provide communication services must disclose the details of the expenses or charges for communication
items, listing the amounts and the exact contents of the items/services (messages, publications, bots, banners, posters, campaigns, etc.) (https://xnet-x.net/ley-fakeyou/).

– Reinforcing transparency obligations: on the algorithms used on the profiles of the public (algorithmic transparency). 

We therefore ask, as in other areas, that the safeguards provided for in recital 56 of the GDPR be enforced in a clearer, more constrained manner, so that democracy as a whole is not undermined and personal data are effectively protected. Democracy in Europe is under threat. We need to take action together.
 

Xnet
Vrijschrift
Homo Digitalis