PI welcomes new guidelines by the Council of Europe on the use of personal data in political campaigns

PI has repeatedly called for authoritative guidance on the use of data to political parties and other organisations involved in political campaigns. Last November, the Council of Europe Committee on Convention No.108 adopted its Guidelines on the Protection of Individuals with regard to the Processing of Personal Data by and for Political Campaigns, following a thorough process of consultation to which PI participated.

PI welcomes these very comprehensive Guidelines.

Achieved result

Over the course of 2021, PI attended several meetings of the CoE Committee on Convention 108 and its Bureau in our capacity as an accredited observer. We were able to contribute to the development of the guidelines by commenting both orally during sessions and in writing. PI's recommendations on scope of the Guidelines, role of data brokers and other third parties, transparency provisions among other topics were reflected into the guidelines.

Key advocacy points

PI have repeatedly raised concerns about the use of personal data in political campaigning: the lack of transparency and impact on privacy of gratuitous data collection, profiling and targeting of messages/adverts, a process known as "micro-targeting".

Advocacy
jennifer-griffin-xePUAbiilko-unsplash.jpg

The role that personal data plays in political campaigns https://privacyinternational.org/learn/data-and-elections and the risks of data abuse and exploitation only entered into the public discourse a few years ago,  when Cambridge Analytica became a household name thanks to several scandals over the course of 2017 and 2018.

Since then, we have seen a flurry of initiatives that have helped shed light on the otherwise very opaque practices of digital campaigning. There have been public hearings in US Congress and the European Parliament, a code of practice by companies, and investigations by data protection authorities.

The guidelines from the Council of Europe are timely, given how central data has become to political campaigns. As the European Union moves to legislate on transparency and targeting of political advertising and states consider the adoption of legislation, these Guidelines should be central in these efforts to regulate the use of data in political campaigns.

The implementation of these guidelines is a responsibility of a range of actors, from the political parties and organisations, to companies, from national government to parliaments.

The Guidelines note the central role that independent data protection authorities can and should play, and the desirability of cooperation with other regulators, notably with electoral commissions.


Below we provide a brief summary of the main provisions of the Guidelines.

Scope of the Guidelines

In terms of scope, the Guidelines recognise that data is central not only to elections, but to a broader range of processing of personal data on voters and potential voters for the purposes of political influence. The guidelines also recognize the reality of “permanent campaigning” in modern democracies and should apply to the periods between elections.

Further, the Guidelines seek to address the increase reliance of political campaigns on data brokers and companies that provide analytics and marketing services including behavioural and micro-targeted advertising companies; social media and messaging applications. Given the data exploitation of these companies what PI and others have contributed to expose, this is a crucial aspect.  As rightly noted in the Guidelines:

“The mass profiling of the electorate and the delivery of micro-targeted messages to increasingly narrow categories of voters can create: filter bubbles or echo chambers: voter discrimination and disenfranchisement; a possible chilling of political participation; increased polarization; the erosion of robust democratic debate; and weakening of election integrity.”

You can learn more on micro-targeting here.

Legal basis and data sharing

The Guidelines spell out the legal basis necessary for processing personal data for political campaign purposes. They also address some of the most problematic concerns of data exploitation practices.

  • Role of data brokers - The guidelines note that “political campaign organisations often obtain personal data from third party organisations such as data brokers, for election or campaigning purposes to target messages to a particular audience. Data on political opinions might also be inferred from the analysis of personal data from a variety of sources, and which relate to behaviour and activities that may be unrelated to politics.” They put the onus on the political parties and other political organisations to carry out due diligence “before using the data from data brokers […] to ensure the data has been obtained lawfully”. This principle is further confirmed by the Guideline’s insistence that political parties and other organisations should “demonstrate compliance [with data protection obligations] of any third-party organisation that processes personal data on their behalf.” Further they require the law to regulate access to the official voters list from the election regulatory body and call for personal data from the official voter list not to be combined with other data, unless specifically approved by law.
  • Social media monitoring - The Guidelines demand that “political campaigns should not “scrape” data from social media for the purposes of building profiles on the electorate. If a voter is a member of the organisation or has affirmatively expressed a wish to follow a candidate or party on a social media platform, then the campaign might reasonably infer that he/she will wish to receive further communications from the candidate or party. But that inference should not be assumed, for example, for individuals who may be within the wider social network of that voter, and who have not affirmatively expressed a preference to be contacted.”
  • Geolocation tracking or geo-fencing – The Guidelines demand that these services (used to identify the location of a voter or for profiling purposes) “should only be deployed according to an appropriate legal basis. Services should only allow activation with the opt-in of the individual user. Geo- location, as well as other mechanisms for the tracking of location, should not be available by default.”

Transparency

Given the overall opacity of the use of data for political campaigns, the focus on transparency is welcomed.

The Guidelines clearly states:

“the personal data processed by political organisations shall be processed fairly and in a transparent manner, especially taking into account the potential for the manipulation of voters.”

Specifically, to digital advertising, whose practices has attracted much criticism, the Guidelines recommend that

“political campaign organisations should provide voters with: adequate information on why they are seeing a particular message, who is responsible for it, and how they can exercise their rights to prevent being targeted; and information on any targeting criteria used in the dissemination of such communications. In the context of the automated delivery of digital political advertising, the voter should have the right to know ‘why I am seeing this ad.’”

They also recommend “publicly available archives of political advertising operated by social media platforms, including the ad imprints, the targeting criteria and the timing and location of ad delivery” to support transparency in general and the role of supervisory authorities.