The general election 2019: are our new data protection laws working?

Jon Belcher has written a piece looking at election data, which was first published in PrivSec Report on 4 December.

As I write, the 2019 general election campaign is in full swing. There’s no doubt that this will be an election fought largely online and that data, including personal data, will play an increasingly important role.

This is the first general election since the major reforms of data protection laws in 2018. So are our new laws fit for purpose when it comes to political campaigning? Can regulators ensure that the parties all play by the rules?

Political parties and campaign groups want to know as much as they can about us, the electorate. This knowledge enables them to use micro-targeting techniques to appeal directly to our interests, as well as to our prejudices.

Both Sky News and the BBC have been analysing these techniques during the current campaign. The BBC is asking their audience to send in any political adverts they see on Facebook, along with Facebook’s explanation for why they are seeing that ad. The results have already been revealing. For instance, more adverts have been aimed at men than at women, and the messages are often aimed (not always successfully) at very narrow geographical areas.

As well as using Facebook’s knowledge of us, political parties are creating their own databases about us. They use all sorts of methods for gathering our data directly, sometimes in the form of petitions designed specifically to harvest email addresses to use for marketing purposes. Some of these methods have been less than transparent, if not actually misleading.

The parties are also matching their own information with other data sources, such as credit reference agencies and the electoral register, in order to profile voters and target potential supporters. Although the main parties do have detailed privacy notices, most of us remain completely unaware of these ever more sophisticated profiling methods of our election data.

And then there’s fake news. It has always been difficult to distinguish the facts from the opinions at election time, but the spreading of deliberately faked or misleading news stories has the potential to undermine any remaining trust in the democratic process.

The controversy over the Conservatives’ doctored video of Keir Starmer and the rebranding of their twitter feed to resemble an impartial fact-checking service have perhaps illustrated that the political parties are more concerned with getting people to talk about them than they are of tackling the fake news phenomenon. The Electoral Commission has criticised the Conservatives for the rebranding of their twitter feed, but has noted it has no powers in regulating campaign content.

Is there anything wrong with all this? Although some of the targeted advertising might make us feel uncomfortable, politics is adopting techniques which have been widely used in the advertising industry. But there are significant data protection challenges for the political parties.

Transparency is a key aspect of data protection law. The ICO’s 2018 report, Democracy Disrupted?, found a significant shortfall in transparency information provided by political parties. Individuals did not know or understand how political parties were obtaining personal data about them and then using it to target them. Whilst privacy notices have improved, the parties are arguably doing nowhere near enough to make ordinary citizens fully aware of their complex voter profiling and micro-targeting operations.

Underpinning everything in data protection law is the concept of fairness. Is the processing of personal data fair? And there are specific rules around profiling, as well as processing of personal data relating to political opinions, including inferences of political views obtained from canvassing returns. Too often, the political parties appear to have pushed the boundaries of data protection law to improve their targeting, without considering the potential impact on individuals.

Then there are the specific rules governing ‘unsolicited direct marketing’ sent to individuals, contained in the Privacy and Electronic Communications Regulations. That often means obtaining the consent of individuals before sending them marketing communications. And consent must be freely-given, specific and informed. It is a well-established principle that political campaigning is a form of direct marketing. Indeed, a number of political parties and campaign groups have been subject to enforcement action by the ICO in the past for their direct marketing activities.

Given these challenges, this is a space in which the regulator has been active. The ICO has been investigating the issue of use of personal data for political campaigning for some years. To date this has led to fines for Facebook, the campaign group Leave.EU and Emma’s Diary (a data broker business which shared personal data with the Labour party for use in political campaigns), as well as other enforcement action and warnings issued to all major political parties.

But all of these actions have been reactive. Political parties and campaigners spend millions on elections, and any regulatory action taken after the event cannot fix any perceive unfairness. We will never know for certain if the well-publicised infringements during the EU referendum campaign, for instance, had a material impact on the result.

The ICO has recently consulted on the development of a code of practice on the use of personal data for political campaigning, and campaigners such as the Electoral Reform Society have argued for new electoral rules for online campaigning. All this is no doubt welcome, and there does seem to be a need to tackle the problems associated with fake news. But our data protection laws, updated as recently as 2018, already provide a clear set out rules about how our personal data must be used. If we really want to clean up the use of data for political campaigns, we must do more to ensure these rules are enforced.

If the political will was there, the parties could submit themselves to annual data protection audits. Where issues are discovered, the ICO could issue enforcement notices to compel compliance, backed up by serious fines for repeat offenders. And the ICO and Electoral Commission could work together to co-ordinate responses to alleged infringements.

Without the prospect of such strong regulatory action, the political parties are likely to continue taking calculated risks around their use (and abuse) of our personal data. That doesn’t inspire much confidence in the rules written by the very same politicians only a year ago. It also isn’t good for the health of our democracy.

Contact our data protection team for advice concerning election data and data protection laws in general.