European Parliament elections – protecting our data to protect us against manipulation

Photo by DAVID ILIFF. License: CC-BY-SA 3.0

Between 23 and 26 May 2019 Europeans will be voting to elect members of the European Parliament. 

Since the last elections in 2014, much has changed within and without the European Union: the rise of nationalism and Euroscepticism, the protracted armed conflict in Ukraine and the occupation of Crimea by Russia, the new political orientation of the United States, just to name a few.

Among the new challenges facing these elections are disinformation and concern about the potential manipulation of voters through online communications (e.g. social media platforms), which have emerged in recent democratic elections and referenda, in Europe and elsewhere.

Protecting our data is crucial as the EU tackles these new challenges. Revelations such as those surrounding the “Facebook/Cambridge Analytica” case have exposed the risks of online activities being used to target people covertly with political advertisements and communications. In the words of the European Commission, this could include “unlawfully processing and abusing […] personal data to manipulate opinion, spread disinformation or simply undermine the truth when it suits political purposes or increases divisions”.

In the run-up to the 2019 European Parliament elections, European institutions (notably the European Commission, the European Council and the Parliament) have adopted measures to seek to protect against these risks. They are detailed in an electoral package and an Action Plan against Disinformation.

The measures are addressed to the three main actors relevant to online communications that influence modern democratic elections: European member states, which are primarily responsible for the carrying out of free and fair elections; political parties, which have responsibility to conduct their campaigns in ways that respect rules, particularly in relation to targeting potential voters with online campaign messaging; and social media platforms, which are increasingly dominating (given their position in the market) and controlling (through their technology and terms of service) online communications.

The measures adopted by the EU seek to ensure free and fair elections by intervening in three major areas: (i) transparency in political advertising, (ii) data protection and (iii) coordination and sanctions. Additional measures are also envisaged in relation to cybersecurity.

(i) Transparency in political advertising

The European Institutions have adopted measures to improve transparency regarding political advertising. The measures the EU adopted cover the following aspects:

  • Member States should require reasonable transparency surrounding paid online political advertisements and communications. This includes promoting the disclosure of information on groups that support political campaigns, yet are not officially associated with the campaign, and disclosure of campaign expenditure for online activities, including paid online political advertisements and communications. These measures aim to address growing unease regarding the often-shady support of online political advertising. Significantly, given the concerns related to micro-targeting, Member States should require the disclosure of information on any targeting criteria used in the dissemination of political advertisements and communications. Where such transparency is not ensured, Member States should apply sanctions in the relevant electoral context.
  • Political parties, foundations and campaign organisations should ensure that individuals can easily recognise online paid political advertisements and communications and the party, foundation or organisation behind them. They should make available on their websites information on their expenditure for online activities, including paid online political advertisements and communications, as well as information on any targeting criteria used in the dissemination of such advertisements and communications.

In addition, as part of the efforts to improve transparency, the EU developed a Code of Practice on Disinformation aimed at online platforms, leading social networks, advertisers and the advertising industry. It has been signed by Facebook, Google, Twitter and Mozilla as well as by some national online advertisement trade associations. The Code contains a range of commitments mostly focussed on improving transparency of political and issue-based ads, and on limiting techniques such as the malicious use of bots and fake accounts. Of particular relevance are the commitments to provide:

  • public disclosure of political advertising and issue-based advertising.
  • information and tools to help people make informed decisions, and facilitate access to diverse perspectives about topics of public interest.
  • privacy-compliant access to data to researchers to track and better understand the spread and impact of disinformation.

The implementation of the Code of Practice by the main companies has been patchy. The companies have been criticised by the Commission for the lack of detail in their monthly reports. The European Commission has previously also noted that no individual advertisement company has signed onto the Code. This is of particular concern given the opacity of the ad tech industry, including data brokers.

(ii) Data protection

The European Institutions are also putting the protection of personal data at the centre of securing the election process.

Much debate around elections has focussed on the content of digital communications, e.g. fake news, disinformation. It is therefore a welcome step that, in the run-up to the European Parliament elections, increased attention has also been dedicated to the role played by personal data and the importance of its protection.

The European Data Protection Board summarised neatly the role of personal data in modern elections: “Political parties, political coalitions and candidates increasingly rely on personal data and sophisticated profiling techniques to monitor and target voters and opinion leaders. In practice, individuals receive highly personalised messages and information, especially on social media platforms, on the basis of personal interests, lifestyle habits and values.”

The European Data Protection Supervisor dedicated a whole report to how personal data may be used to fuel online manipulation, including in election contexts.

Data protection is seen as necessary for democratic resilience and the General Data Protection Regulation ("GDPR") provides some of the tools necessary to address instances of unlawful use of personal data in the electoral context.

Of particular relevance are the following aspects of the GDPR, as recently outlined by the European Data Protection Board:

  • Personal data revealing political opinions is a special category of data under the GDPR. As a general principle, the processing of such data is prohibited and is subject to a number of narrowly-interpreted conditions, such as the explicit, specific, fully informed, and freely given consent of the individuals.
  • Personal data which have been made public, or otherwise been shared by individual voters, even if they are not data revealing political opinions, are still subject to, and protected by, EU data protection law. As an example, using personal data collected through social media cannot be undertaken without complying with the obligations concerning transparency, purpose specification and lawfulness.
  • Solely automated decision-making, including profiling, where the decision legally or similarly significantly affects the individual subject to the decision, is restricted. Profiling connected to targeted campaign messaging may in certain circumstances cause ‘similarly significant effects’ and shall in principle only be lawful with the valid explicit consent of the data subject.
  • In case of targeting, adequate information should be provided to voters explaining why they are receiving a particular message, who is responsible for it and how they can exercise their rights as data subjects.

In light of the importance of the GDPR in the context of elections, it is of particular concern that some Member States, such as Spain, Romania and the United Kingdom, have introduced exemptions to the data protection requirements for political parties. These exemptions risk undermining the efforts to address the risks of exploitation of data during elections. The Spanish Data Protection Authority has sought to limit the use of this loophole.

(iii) Cooperation and sanctions

Finally, the European Institutions seek to enhance cooperation between competent authorities and to provide for effective sanctions and other remedies to safeguard the integrity of the electoral process.

Threats to the election come from different actors and require both the engagement of multiple authorities and coordination among them. For this reason, the European Institutions envisaged cooperation not only between European governments (both at national and European levels), but also between national authorities (beyond those working on election matters). The EU has demanded the following measures from European governments:

  • National authorities with competences in electoral matters should cooperate with authorities in connected fields (such as data protection authorities, media regulators, cyber security authorities etc.) in a timely and effective manner. Where necessary, they should also engage with law enforcement authorities; 
  • Governments should establish and support a national elections network to coordinate their activities; and
  • Governments should take part in a European cooperation network for elections to the European Parliament to alert on threats, exchange on best practices, discuss common solutions, etc.

Also, given the role of personal data, it is of particular importance that data protection authorities (DPAs) collaborate with relevant election authorities both at national and European levels.

National DPAs are to immediately and proactively inform the Authority for European Political Parties and European Political Foundations of any decision finding an infringement of data protection rules where such infringement is linked to political activities by a European political party or European political foundation with a view to influencing elections to the European Parliament.

The imposition of sanctions depends in large part on this close cooperation between data protection and other authorities. As noted by the European Commission, “it should be possible to impose sanctions on political parties or political foundations that take advantage of infringements of data protection rules with a view to deliberately influencing the outcome of elections to the European Parliament.”

For that purpose, a procedure at European level has been introduced to ensure the sanctioning of actions that not only breach people’s privacy but that “could also potentially influence the outcome of elections to the European Parliament”. The proposal allows for the sanctions to be imposed by the Authority for European Political Parties and European Political Foundations. They could amount to 5% of the annual budget of the European party or foundation concerned. In addition, the European party or foundation subject to a sanction would not be able to receive funding from the EU budget the following year. Notably, the Authority may only act if it is informed of a decision of the competent national data protection authority establishing such an infringement. 


As the European Commission starkly noted in 2018: “Online activities, including during the election processes, are developing fast, and thus increased security and a level political playing field are key. Conventional (“off-line”) electoral safeguards, such as rules applicable to political communications during election periods, transparency of and limits to electoral spending, respect for silence periods and equal treatment of candidates should also apply online. […] This is not the case now, and that needs to be remedied before the next European elections”.

As we are entering the last month of campaigning for the European Parliament, the next few weeks will be crucial to assess whether the measures taken and the commitments given have ensured that adequate regulations and safeguards are in place for online electoral campaigning.

In the longer term, what the recent elections have taught us is that the whole plethora of laws, regulations and policies developed to ensure free and fair elections and the functioning of democratic institutions (such as Parliaments) need to be reviewed and updated to meet the challenges (and opportunities) of online communications and digital campaigning.