top of page
Mar 2, 20204 min read

Protection of Personal Data and Political Advertising

With the development of information technologies and artificial intelligence, companies process huge amounts of personal data. Unsurprisingly, combined personal data has been used for commercial and research purposes by private companies. When it comes to the use of personal data for political / electoral purposes, social and institutional reactions reflect caution and distrust.



According to media investigations took place in 2018, a UK-based consulting firm, Cambridge Analytica, had collected data on 87 million Facebook users, among which 2.7 million EU citizens, without their consent. It seems that Cambridge Analytica made use of that data to identify voters’ profile, filtered the content to expose them to targeted political campaigning, with the aim to manipulate their behaviour in the 2016 UK and US elections. These revelations demonstrated how vulnerable the democratic institutions can be in the era of information and artificial intelligence, and recalled the urgency of the establishment of the legal boundaries to the misuse of personal data for political advertising.


One can wonder if the political propaganda prior to elections is a traditional democratic practice, why Cambridge Analytica/Facebook case is alarming?


Firstly, Facebook made, indirectly, the data accessible to Cambridge Analytica without the consent of the users and the latter were unaware of this. Consequently, this implies legal and ethical considerations. Certainly, Facebook has exploited, before and after this specific case, the data of its users for commercial purposes, but without giving access to private companies to that data. Misuse of personal data for political campaigning may be considered as detrimental to rights and freedoms enshrined in the Charter of Fundamental Rights of the EU, article 8 of which recognises the right to data protection for everyone. According to the Charter, which is binding as EU primary law since the Lisbon Treaty, data must be processed fairly and for specified purposes, based on the subject's consent or other legitimate grounds laid down by law.


Secondly, this possibility is granted obscurely to some political actors seeking to trespass rules of fair competition. During 2016 UK and US elections, substantial amount of false news and misinformation campaigning circulated through media. Thus, the false propaganda using micro-targeting may negatively manipulate public debate and voters’ choice putting the democratic institutions under threat. This so- called computational propaganda may also render elections and public debate sensible to external interference.


Even though it seems difficult to measure to what extend above-mentioned practice affects (or affected) results of the elections, range of measures is being taken at national and supranational level. Firstly, giant personal data holders, such as Facebook, are increasingly held responsible for the protection of data, obliging them to take action to increase transparency and limit the access to data for third parties. The EU institutions were intransigent in this issue, and demonstrated true leadership in the data protection regulation.


The EU legislation on data protection has been updated and the General Data Protection Regulation (GDPR) has entered into force in 2018. GDPR is the replacement of Data Protection Directive 95/46/EC and the most valuable step in improving privacy regulations in last decades. Driven by the frequency of court cases, related to abuse of reuse of EU-citizens data by foreign companies, the Regulation is now covers the wider territories. It means, that GDPR is applied not only to companies established in the territory of the Union, but to any enterprise that uses personal data of the EU residences. Moreover, political parties or candidates who use personal data in an election campaign have now to comply with this Regulation.


Series of other measures are taken by EU institutions to reinforce the safeguard of the personal data prior to elections. The European Commission adopted a package on free and fair European elections in 2018, including a Communication and a Guidance Document, on securing free and fair elections.


The Commission called on national parties to ensure transparency of the sources and amount of campaign funding for online activities during election campaigns. To increase this transparency the Commission urges national political parties, foundations and campaign organisations to:- ensure citizens can easily recognise online paid political advertisements and communications, and the party, foundation or organisation behind them; - make information available about their spending for online activities on their websites. This includes paid online political advertisements and communications, as well as information on any targeting criteria used in the dissemination of such advertisements and communications;- make their paid online political advertisements and communications accessible through their websites.


Furthermore, the European Commission adopted a communication on 'Tackling online disinformation' and formed an independent European network of fact-checkers. In March 2019, the European Data Protection Board (EDPB), whose main mission is to monitor consistent application of data protection rules throughout the European Union, and promote cooperation between the EU’s data protection authorities, released a statement on the use of personal data in course of political campaigns. According to this statement, Personal data revealing political opinions are a special category of data under the GDPR, and processing of such data is prohibited according to the article 9 GDPR. Furthermore:


- Personal data which have been made public, or otherwise been shared by individual voters including social media, is subject to European data protection law. - Political parties and candidates must stand ready to demonstrate how they have complied with data protection principles, especially the principles of lawfulness, fairness and transparency.- Solely automated decision-making – including profiling – where the decision legally or similarly affects the data subject is restricted. Profiling connected to targeted campaign messaging must be subject to the valid explicit consent of the data subject. - Concerning targeting, adequate information should be provided to voters explaining why they are receiving a particular message, which is responsible for it and how they can exercise their rights as data subjects.


Proactivenness of the EU institutions inspired American legislators to take similar measures. In 2018, Alabama, Arizona, Colorado, Iowa, Louisiana, Nebraska, Oregon, South Carolina, South Dakota, Vermont and Virginia updated their rules to reinforce data protection, on the heels of the GDPR.


In conclusion, the Cambridge Analytica/Facebook case was delayed alarm, but it served as a wake-up call to raise the awareness on possibilities of misuse of citizens’ personal data for political purposes, and provoked decision-makers to act accordingly. However, it is difficult to assess the efficiency of the measures taken.

Comments

bottom of page