By Privacy International

The campaigns for the European Parliament elections that will take place on 23-27 May 2019 are well under-way. Since the last elections in 2014, much has changed in the way political campaigns are conducted. Central to these changes is the role played by our data.

In the run-up of the 2019 European Parliament elections, EU institutions (notably the European Commission, the European Council, and the Parliament) have adopted measures to seek to protect against data exploitation for political aims. They are detailed in an electoral package and an Action Plan against Disinformation.

These measures are addressed to the three main actors relevant to online communications that influence modern democratic elections: European member states, which are primarily responsible for the carrying out of free and fair elections; political parties, which have responsibility to conduct their campaigns in ways that respect rules, particularly in relation to targeting potential voters with online campaign messaging; and social media platforms, which are increasingly dominating (given their position in the market) and controlling (through their technology and terms of services) online communications.

The measures adopted by the EU seek to ensure free and fair elections by intervening in areas such as transparency in political advertising and cybersecurity.

Protection of personal data

Central to these measures is the protection of personal data. Much debate around elections has focussed on the content of digital communications, for example fake news and disinformation. It is therefore a welcome step that increased attention has also been dedicated to the role played by personal data and the importance of its protection.

The European Data Protection Board (EDPB) summarised neatly the role of personal data in modern elections: “Political parties, political coalitions and candidates increasingly rely on personal data and sophisticated profiling techniques to monitor and target voters and opinion leaders. In practice, individuals receive highly personalised messages and information, especially on social media platforms, on the basis of personal interests, lifestyle habits and values.” Meanwhile, the European Data Protection Supervisor (EDPS) dedicated a whole report to how personal data may be used to fuel online manipulation, including in election contexts.

Data protection must be seen as necessary for democratic resilience, and the General Data Protection Regulation (GDPR) provides some of the tools needed to address instances of unlawful use of personal data in the electoral context.

It is therefore of particular concern that some EU Member States, such as Spain, Romania and the United Kingdom, have introduced exemptions to the data protection requirements for political parties. These exemptions risk undermine the efforts to address the risks of exploitation of data during elections. The Spanish Data Protection Authority (DPA) has sought to limit the use of this loophole.

Transparency of political advertising

Revelations such as those surrounding the “Facebook/Cambridge Analytica” scandal have exposed the risks of online communications channels being used to target people covertly with political advertisements and messages. That targeting is facilitated by the exploitation of our data. Accordingly, several European institutions have taken steps to address the risk that personal data could be abused to manipulate opinion, spread disinformation or otherwise undermine democratic processes.

The measures adopted by the EU in the run up to the European Parliament elections seek to improve transparency of political advertising:

  • Member States should require reasonable transparency surrounding paid online political advertisements and communications. This includes promoting the disclosure of information on groups that support political campaigns, yet are not officially associated with the campaign, and disclosure of campaign expenditure for online activities, including paid online political advertisements and communications. These measures aim to address growing unease regarding the often-shady support of online political advertising. Significantly, given the concerns related to micro-targeting, Member States should require the disclosure of information on any targeting criteria used in the dissemination of political advertisements and communications.
  • Political parties, foundations and campaign organisations should ensure that individuals can easily recognise online paid political advertisements and communications and the party, foundation or organisation behind them. They should make available on their websites information on their expenditure for online activities, including paid online political advertisements and communications, as well as information on any targeting criteria used in the dissemination of such advertisements and communications.

In addition, as part of the efforts to improve transparency, the EU developed a Code of Practice on Disinformation aimed at online platforms, leading social networks, advertisers and the advertising industry. It has been signed by Facebook, Google, Twitter and Mozilla as well as by some national online advertisement trade associations. The Code contains a range of commitments mostly focussed on improving transparency of political and issue-based ads, and on limiting techniques such as the malicious use of bots and fake accounts.

The implementation of the Code of Practice by the main companies has been patchy. The companies have been criticised by the Commission for the lack of detail in their monthly reports. Focus on the social media platform is important. But there needs to be similar attention to the hidden data ecosystem that supports targeted advertising, often by exploiting our data. On 2 May 2019, the Irish Data Protection Authority announced the launch of an inquiry into the data practices of ad-tech company Quantcast, a major player in the online tracking industry, following EDRi member Privacy International’s 2018 investigation and subsequent submission to the Irish DPC. This is a welcome move to shed the light on the systematic collection and exploitation of people’s data by this industry.

Next steps

As the European Commission starkly noted in 2018: “Online activities, including during the election processes, are developing fast, and thus increased security and a level political playing field are key. Conventional (“off-line”) electoral safeguards, such as rules applicable to political communications during election periods, transparency of and limits to electoral spending, respect for silence periods and equal treatment of candidates should also apply online. […] This is not the case now, and that needs to be remedied before the next European elections”.

As we are entering the last weeks of campaigning for the European Parliament elections, it will be crucial to assess whether the measures taken and the commitments given have ensured that adequate regulations and safeguards are in place for online electoral campaigning.

In the longer term, what the recent elections have taught us is that the whole plethora of laws, regulations and policies developed to ensure free and fair elections and the functioning of democratic institutions (such as Parliaments) need to be reviewed and updated to meet the challenges (and opportunities) of online communications and digital campaigning.

On 1 May 2019, Privacy International launched a new programme called “Defending Democracy and Dissent”. It seeks to defend democracy and dissent by investigating the role technology plays in facilitating and/or hindering everyone’s participation in civic society.

Privacy International
https://privacyinternational.org/

EU election package
https://ec.europa.eu/info/policies/justice-and-fundamental-rights/eu-citizenship/electoral-rights_en#europeanparliamentelections

EU Action Plan against Disinformation
https://ec.europa.eu/digital-single-market/en/news/europe-protects-eu-steps-action-against-disinformation

European Data Protection Board Statement 2/2019 on the use of personal data in the course of political campaigns
https://edpb.europa.eu/sites/edpb/files/files/file1/edpb-2019-03-13-statement-on-elections_en.pdf

Spanish Data Protection Authority opinion on GDPR and political parties
https://www.aepd.es/media/informes/2018-0181-tratamiento-datos-opiniones-politicas-por-partidos-polticos.pdf

Irish Data Protection Commission opens statutory inquiry into Quantcast International Limited
https://www.dataprotection.ie/en/news-media/press-releases/data-protection-commission-opens-statutory-inquiry-quantcast

Privacy International’s programme: Defending Democracy and Dissent
https://privacyinternational.org/strategic-areas/defending-democracy-and-dissent

(Contribution by Tomaso Falchetta, EDRi member Privacy International, international)