A year ago, the Facebook–Cambridge Analytica data scandal was illustrating in the most obvious way that data processing techniques for political purposes can pose serious risks, not just with regard to the rights to privacy and data protection, but also to the institutional integrity of democracy.
This matter of digital precariousness has been recently addressed by the European Data Protection Board, which adopted on 13 March 2019 a statement on the use of personal data during election campaigns. In this statement EDPB welcomes the set of measures presented by the European Commission in September 2018, and highlights a number of key points that need to be taken into consideration, when political parties and candidates process personal data in the course of electoral activities.
In the said statement, following bullet points were underlined to be respected when political parties process personal data during their election campaigns:
- Personal data revealing political opinions is a special category of data under the GDPR. As a general principle, the processing of such data is prohibited and is subject to a number of narrowly-interpreted conditions, such as the explicit, specific, fully informed, and freely given consent of the individuals.
- Personal data which have been made public, or otherwise been shared by individual voters, even if they are not data revealing political opinions, are still subject to, and protected, by EU data protection law. As an example, using personal data collected through social media cannot be undertaken without complying with the obligations concerning transparency, purpose specification and lawfulness.
- Even where the processing is lawful, organisations need to observe their other duties pursuant to the GDPR, including the duty to be transparent and provide sufficient information to the individuals who are being analysed and whose personal data are being processed, whether data has been obtained directly or indirectly. Political parties and candidates must stand ready to demonstrate how they have complied with data protection principles, especially the principles of lawfulness, fairness and transparency.
- Solely automated decision-making, including profiling, where the decision legally or similarly significantly affects the individual subject to the decision, is restricted. Profiling connected to targeted campaign messaging may in certain circumstances cause ‘similarly significant effects’ and shall in principle only be lawful with the valid explicit consent of the data subject.
- In case of targeting, adequate information should be provided to voters explaining why they are receiving a particular message, who is responsible for it and how they can exercise their rights as data subjects. In addition, the Board notes that, under the law of some Member States, there is a transparency requirement as to payments for political advertisement.
The above opinion has been published with an eye on the upcoming European elections and other elections taking place across the EU.
More particularly, as regards Greece, the Hellenic Data Protection Authority has already provided practical guidance and recommendations to stakeholders by means of Directive 1/2010 (available in Greek). Directive 1/2000 covers not only EU and national, but also local, municipal and regional election campaigns. Therein, the Greek Authority clarifies, among others, that communicating a political campaign by e-mail, or SMS messages is allowed without the consent of the potential voter, only exceptionally, that is under the following two concurring conditions: (i) the sender has legally obtained the potential voter’s details in the context of a prior transaction of similar scope, i.e. an older political campaign, and (ii) the recipient is able to exercise the right to object, by being provided with an easy and clear “opt-out” system.
Political campaigners are about to face rough seas in getting their message across this time. And it is a matter of time until the Hellenic Data Protection Authority announces the first sanctions against stakeholders and players of the political arena.