On 14 March 2019 the EDPB issued a Statement on the use of personal data in the course of political campaigns, following its 8th plenary session. This was supposed to be an important position document in light of the upcoming EU Parliament elections in May, however it left us with even more questions and not one solution.
Just a short recap of what’s been going on in relation to the subject matter:
- the Cambridge Analytica scandal – really, there’s no need to remind everyone about the details, but you can consult the ICO’s section on the case.
- There are issues about Member States’ laws regulating the use of personal data for political purposes. See the example of Spain, where the GDPR application law has been approved with an article which raises concerns about collecting personal data from other sources in order to carry out electoral activities. The Spanish DPA states that the law should not be applied as to allow profiling based on political opinions and send personalized communications based on those profiles – however the law was adopted with the problematic provisions in place. This issue was also raised by EU MP Sophia in ‘t Veld and the Commission answered this February that it has contacted the Spanish Minister of Justice to clarify the content of the Spanish legal provisions.
- In Romania, privacy advocacy NGO ApTI sent a complaint to the Commission indicating problems with the Romanian law which applies the GDPR. These problems include the provisions on processing special categories of data by political parties without the data subjects’ explicit consent (GDPR Art. 9.2.d) – i.e. instead of “legitimate activities” the law says “achieving their objectives” and does not limit the processing just to “members or to former members of the body or to persons who have regular contact with it in connection with its purposes”.
Despite the obvious need for clear guidance, the EDPB Statement is very brief and looks like it was rushed in order to tick a box. Here’s why:
- The Statement is an enumeration of general GDPR principles – everyone knows political opinions is a special category of data, subject to GDPR Art. 9 limitations. Also, we know that when you process data from other sources and when you send targeted advertising you still have to comply with the GDPR – already 4 of the 5 points of the Statement are wasted.
- We would have found some useful information in the paragraph about decision-making based on automated processing. But here we were struck with an error (which should stop being promoted) about profiling being considered a form of automated decision-making. Profiling is a form of automated processing which can lead to a decision affecting the data subject, not a form of decision-making in itself.
EDPB Statement | GDPR Article 21(1) |
Solely automated decision-making, including profiling, where the decision legally or similarly significantly affects the individual subject to the decision, is restricted. | The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. |
- Returning to the issue of significantly affecting the data subject, the EDPB says that “Profiling connected to targeted campaign messaging may in certain circumstances cause ‘similarly significant effects’ and shall in principle only be lawful with the valid explicit consent of the data subject.” How could we identify these circumstances? How do we know when targeted campaigns based on profiling which includes special categories of data are “affecting a person’s vote in an election”?
- For further research and clarifications, the EDPB sends us to a list of other authorities’ opinions and guidance, in an Annex to its Statement. So if you also know Dutch, French and Polish, you might get the full information.
So it’s back to work as usual with our remaining questions:
- What constitutes a “similarly significant effect” according to GDPR Art. 22(1) when it comes to electoral campaign targeting?
- Could political opinions ever actually be used for profiling by political parties without the data subjects’ explicit consent based on Art. 9(2)d)? We believe not, since this would only be limited to members, former members or regular contacts.
- What information is actually considered to fall in the category of “political opinion” and limit the possibility of data processing? Quite simple and trivial information may lead to conclusions about the person’s political preferences in the context of profiling.
If the GDPR were a supermarket, there’s a big spill in the political purposes isle and the EDPB is sending someone in with a tissue.
- Find more GDPR news and articles on our LinkedIn page.
[…] personal data for promoting political messages – this is something which we pointed out in this PrivacyOne article. Much harm can be done by using personal data to infer political opinions and target people with […]