GDPR loopholes facilitate data exploitation by political parties

image

This piece was first published in GDPR today in March 2019.

Elections, referendums and political campaigns around the world are becoming ever more sophisticated data operations. This raises questions about the political use and abuse of personal data. With the European Union elections fast approaching and numerous national and local elections taking place across EU Member States, it is essential that the legal frameworks intended to protect our personal data do just that.

Member State laws that implement General Data Protection Regulation (GDPR) derogations by including loopholes for political parties risk undermining the protections for personal data. GDPR is clear that derogations do not provide a ‘free-for-all’ for Member States, including in relation to exemptions and the processing of special category personal data. This flexibility has been interpreted as such, however, leading to the jarring outcome that certain national laws in this way invites data exploitation rather than data protection.

Despite concerns raised by civil society during the passage of national legislation – and since – there are loopholes for political parties included in, at least, the Spanish, Romanian and UK laws implementing the GDPR derogations.

In February, Romanian civil society organisation, the Association for Technology and Internet (ApTI) complained to the EU Commission. ApTI called on the EU Commission to review, among other matters, the provisions in the Romanian data protection law that allow political parties to process personal data from special categories without explicit consent and without implementing appropriate safeguards.

The Spanish law allows political parties to process personal data from publicly available sources. The Spanish Data Protection Authority (DPA) has been at pains to point out in an Opinion published in December that this provision must be given a restrictive interpretation and should not be used for microtargeting. The Opinion sets out safeguards. It remains to be seen, however, the extent to which this Opinion will be followed in the run-up to elections and whether parties that fail to adhere will be held accountable.

The UK law permits political parties to process personal data “revealing political opinions” without the need for consent. This provision remains in the law despite concerns raised by Privacy International and others during the passage of the Bill. The UK DPA, the Information Commissioners Office (ICO) has reported extensively on the risks that the abuse of personal data pose for democracy and has recently consulted on a Code of Practice on the use of personal data in political campaigns.

In practice, meaningful data protection requires constant vigilance and enforcement. Legal loopholes make that even more challenging. Preferably, these exemptions for political parties would not have been passed into law. Still, where they have been, it is essential that DPAs give these provisions a restrictive interpretation, that political parties comply with this interpretation and that DPAs use their powers to audit and follow up to ensure compliance.