GDPR | Parties face hefty fines over electoral profiling without consent

GDPR doesn't just affect companies and businesses, but also political parties that store valuable information about citizens

Political parties create voters’ profiles through the use of streetleaders and by having access to the latest electoral register database

Political parties must get consent from citizens before profiling them in order for the practice to be legally compliant, the Office of the Information and Data Protection Commissioner has said.

Touted as one of the toughest internet privacy laws to date, the EU’s General Data Protection Regulation (GDPR) came into force on Friday, and promises to give EU citizens more control over how their personal data is processed.

Companies in Europe and across the globe have in the last months been scrambling to ensure that their internal and business practices are compliant with the new regulations. Fines for violating the new rules can go up to the higher of €20 million or 4% of the company’s annual revenue.

But it isn’t just companies that store and use people’s personal data, particularly in the digital age – information about citizens can be valuable to other entities too, like political parties.

The utility of data-based campaigning and political strategy has been a game changer in recent years, allowing those with the most accurate data to have a significantly better chance of success at the polls. The harnessing of big data and social media was one of the drivers of Barack Obama’s 2008 election win and is widely believed to have brought about the election of Donald Trump as well as the results of the Brexit vote.

“If parties are processing data related to people’s political affiliations, more stringent rules apply since the data is sensitive,” David Cauchi, the head of compliance at the Office of the Data Protection Commissioner, told MaltaToday.

Under Article 9 of the GDPR, the processing of so-called “special categories of personal data” – which include data revealing political opinions, religious or philosophical beliefs, among others – is prohibited except in very specific circumstances, unless the explicit consent of the individual is obtained. Effective campaigning is not, needless to say, one of the specific circumstances listed in the law.

“Even if you are just collecting data about whether a person supports a particular party, that is considered data about political opinions and needs to be treated with special care as per Article 9,” Cauchi said.

This means that any type of profiling carried out by political parties, even simply recording IP addresses that visit the party’s website or social media profile, requires “as a minimum” a cookie consent form on the website.

“Visitors must give consent for their data to be collected, especially if it is then going to be used to target them and their peers based on their IP address.”

Both with party members and the general public, political parties should clearly state, upon collecting the data or at the start of the relationship, how they will be using individuals’ personal data and how long they will be keeping it, Cauchi said.

The lines are also blurred between party and candidate, as people who allow their personal data to be used by a political party have not necessarily given that data to candidates. “There needs to be a distinction between candidate and party and that people need to know exactly who is using their information,” said Cauchi.

Parties need to inform the data subjects if they intend to share personal data with third parties, including candidates. “What we suggest is that if there is a chance of data moving to a different data controller, that there is a tick box whereby an individual can agree to processing also being done by a candidate,” he said.

Once a candidate comes to be in possession of personal information on potential voters, even if they obtain that data legitimately, they can only use it for the purpose for which it was collected, unless they get consent to do otherwise.

For instance, it is common for candidates and MPs to keep in touch with or target their constituents by sending a card or text message on a person’s birthday. The information they use to do this will usually have been collected for a completely different purpose, and therefore in sending such cards or messages without consent candidates and MPs are in breach of the law.

While parties are obliged to be as transparent as possible, Cauchi acknowledged the inevitable likelihood that parties regularly process personal data obtained from a variety of sources, often without any legal basis. Under the GDPR, there are a number of rights that a person can exercise if he or she would like to know more about how his or her data is being processed. These include the right to access, rectify and erase the personal data being processed about them, as well as the right to object to processing and file a complaint with the Information and Data Protection Commission.

Moreover, while the new regulations’ introduction has thrust data privacy issues into the spotlight, Cauchi said that most of the aspects which applied to the processing of data by political parties were in the original Data Protection Act and were laid out in a set of guidelines for political campaigning published by the IDPC before the last election.

MaltaToday sought to find out what changes, if any, both parties would be making following the implementation of the new regulations. Questions included whether a review had been ordered into the party’s internal practices, including any data analytics; whether a data protection officer had been employed by the party; and whether they would continue to send out mailshots.

Labour Party CEO Randolph Debattista replied that “Partit Laburista is taking all the necessary measures to be compliant with the new GDPR regulation” but did not elaborate.

Replies from the Nationalist Party had not yet been received by the time of going to print.