With polling day almost upon us, most of us have been on the receiving end of campaign activity relating to the upcoming parliamentary elections in Scotland and Wales, and local council elections in England. While the pandemic has placed restrictions on traditional door-to-door canvassing, political parties have taken advantage of digital technology to profile, monitor and target voters in the hope of securing their support at the ballot box. However, digital campaigning brings additional risks and responsibilities in relation to privacy rights and data protection.
In a democratic society, political campaigning can help to inform policy and increase public engagement. However, as demonstrated by the Facebook-Cambridge Analytica scandal, the “invisible processing” of people’s personal data can undermine the trust and confidence of the electorate and threaten the integrity of the democratic process. It is therefore incumbent upon UK parties, candidates and volunteers to ensure that they comply with the UK GDPR and Data Protection Act 2018 (DPA) when handling any personal information. Failure to do so could result in a significant financial penalty and reputational damage.
How can voter personal data be processed lawfully?
Under electoral law, registered political parties, candidates and campaigners are entitled to receive copies of the full electoral register and to use personal data contained in the register – names and addresses – to contact voters to promote their political viewpoint or policies. This is known as direct marketing, which is defined in section 122 of the DPA as “the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals”. This includes contacting an individual to promote a political view or otherwise influence an individual.
There are additional rules for direct marketing by electronic means – such as email, text, telephone, or social media – under the Privacy and Electronic Communications Regulations 2003 (PECR), which complement the UK GDPR and DPA. When sending electronic political messages to individuals, campaigners may only do so if the individual has specifically consented, and they must also enable an individual to opt out or unsubscribe.
In carrying out this type of processing, political campaigners are data controllers: they are responsible for determining the means and purposes of processing and must demonstrate compliance with the UK GDPR and the DPA.
More controversial data protection issues arise in the context of profiling in political campaigning. Developments in digital technology, data analytics and social media mean voters may be oblivious to the use of their personal data for profiling.
Article 4(4) of UK GDPR defines profiling as: “Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.”
The practice is not of itself unlawful, but if a political party intends to carry out profiling then there are particular compliance considerations and assessments to be made around the fairness of that processing, including the potential effects on the privacy of individuals and wider society.
Following allegations of “invisible processing” of people’s personal data and the micro-targeting of political adverts during the Brexit Referendum, the ICO launched a year-long investigation into the use of data analytics and profiling by Cambridge Analytica, Facebook and others. The review, published in 2018, revealed a "disturbing disregard for voters' personal privacy" on the part of political parties, social media platforms and data brokers. Facebook was fined £500,000 – the highest permitted by the 1998 DPA – while criminal proceedings were pursued against Cambridge Analytica’s parent company.
Separately, concerns about the use of people’s data in political campaigns were documented by the ICO in 2018, when it identified a significant shortfall in transparency and lawfulness in terms of the provision of fair processing information by political parties. For instance, the use of software that assigns a predicted ethnicity and age to individuals, which is then used to target them with certain political messaging based on assumptions about their inferred ethnicity or age, was not deemed to be conducted in a transparent manner.
What lessons can be learned from these investigations?
In addition to lawfulness, UK GDPR Article 5(1)(a) is concerned with fairness and transparency. Fairness means handling personal data in a way individuals expect and not using it in ways that lead to unjustified adverse effects, while transparency means being clear, open and honest to individuals about how their personal data is being used.
A 2020 ICO audit of data protection compliance by the UK’s main political parties made five key recommendations to improve data protection transparency and practice.
Political parties should make sure individuals are provided with clear privacy information so individuals understand from the outset how the parties are using their data.
Parties should review the lawful bases for their processing of personal data and special category data to ensure they have identified the most appropriate basis.
If carrying out profiling for political purposes, parties should be clear about any intrusive uses of personal data, particularly if combining information from different sources to find out more about individuals with whom they have had no prior contact. It should be noted that Article 21 of the UK GDPR gives individuals the right to object to profiling, while Article 22 has additional rules to protect individuals where “solely automated decisions”, including those based on profiling, have a “legal or similarly significant effect” on people’s behaviour or choices.
There is also a need for greater transparency when using personal data to profile and target people with marketing via social media platforms.
Parties must be able to demonstrate accountability and compliance with their data protection obligations, while ensuring all potential processors and third-party suppliers also comply with the key transparency, security and accountability requirements of data protection law.
This election campaign is the first opportunity for parties to demonstrate that they have put these recommendations into practice, and it's likely that the ICO will be closely monitoring compliance as it continues to update and develop its guidance on political campaigning.
Insight from Morgan O'Neill, Director Data Protection Services. For more information contact Morgan on 03330 430350.