Political Parties warned about using personal data in the election campaign by the ICO.

5th November 2019 Data Protection

The information Commissioner has warned political parties in the UK about their use of personal data in the run up to the General Election on 12th December.

In order to process any personal data for any purpose, a political party (just like any data controller) must have a lawful basis. GDPR Article 6 outlines six lawful bases. The vast majority of processing for political campaigning purposes will fall under one of the following three lawful bases:

  1. Public task – democratic engagement
  2. Consent
  3. Legitimate interests

Can a political party use ‘public task – democratic engagement’ as its lawful basis?

This lawful basis is often misunderstood as an overarching exemption. The General Data Protection Regulation 2016 (GDPR) Article 6(1)(e) gives a lawful basis for processing personal data (only and to the extent that it is) necessary for the performance of a task carried out in the public interest. The GDPR was implemented by the Data Protection Act 2018 (DPA) and Section 8 further specifies that this includes processing of personal data that is: “necessary for … (e) an activity that supports or promotes democratic engagement.” In addition, GDPR Article 6(3) requires that this task must be laid down by domestic or EU law (in addition to the DPA). There are a plethora of electoral laws in the UK which satisfy the requirement. 

So what does “Necessary” mean? In order for a political party to rely on this lawful basis, processing personal data must be necessary for an activity that supports or promotes democratic engagement. This does not mean that processing has to be absolutely essential. However, it must be more than just useful or standard practice. It must be a targeted and proportionate way of achieving the political party’s specific purpose.

This basis does not apply if the political party can reasonably achieve its purpose by some other less privacy intrusive means, or by processing less personal data. The example the ICO cites is a candidate wishing to target voters in a housing development. He or she has two choices – leaflet the entire housing block or use the electoral register. The ICO believes the posting of door to door leaflets is a reasonable alternatives which in this case may involve the processing of much less or perhaps no personal data. So if the candidate chose to use the electoral register, they would be in breach of the DPA and potentially liable for a maximum fine of £17m.

Can a political party rely on legitimate interests as its lawful basis?

The answer is Yes subject to the party satisfying a three part assessment:

  1. identify a legitimate interest (e.g. democratic engagement);
  2. show that the processing is necessary to achieve it); and
  3. balance it against the individual’s interests, rights and freedoms. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override the party’s legitimate interests.

The problem for a political party here is the necessity test. They are likely to fall foul of this is there another reasonable means of reaching the same voters by processing less data about them.

How easy is it for a political party use ‘special category data’?

 The answer is – it is very difficult unless they are simply using it to maintain a party list. The GDPR & DPA prohibit the use of special category data such as a person’s political opinions except under special circumstances. Targeting individuals using special category data raises significant questions around fairness. Under Article 5(1)(a) of GDPR, personal data must be processed fairly. Using special category data to target individuals is intrusive and could be discriminatory and therefore would be in breach of the law.

What about the use of the data to communicate with voters?

As well as the GDPR, a political party would have to comply with PECR (Privacy and Electronic Communications Regulations 2003). There are different rules depending on the type of communication. A cold call can be OK if a political party were to screen telephone numbers against the Telephone Preference Service but emails, texts and other electronic messages are prohibited without prior consent and you cannot email to ask for consent. It is also prohibited to ask people receiving the email to forward it to their friends as the political party would not have consent for that.

Commentary

After the 2017 election the ICO took action and investigated the use of personal data by political parties. All of the parties were found to have misused personal data in one way or another. The results of a year-long review issued by the UK Information Commissioner's Office in November 2018 uncovered a "disturbing disregard for voters' personal privacy" on the part of 30 organisations, including social media platforms, political parties, data brokers, and credit reference agencies. Based on information uncovered during the investigation, the ICO sent 11 warning letters requiring action by the main political parties, and announced its intention to conduct audits; issued an enforcement notice to SCLE Group for its subsidiaries Cambridge Analytica and SCLE Elections; fined Facebook £500,000, the maximum until the 1998 data protection law; referred other issues regarding Facebook to the Irish Data Protection Commission; issued notices of intent to fine Leave.EU and Eldon Insurance (GoSkippy); and issued numerous other assessment notices and continued investigating the Remain side of the referendum campaign. New guidance from the ICO was recently put out for consultation (it ended on 4th October). 

Reminder letters have been sent this week by the ICO to all the main political parties. Whether this leads to a change in practice and a change in attitude remains to be seen. Unless the political parties start to heed the recommendations of the ICO in its guidance we may find that there are more investigations, more fines and perhaps further re-issued guidance. You would hope, in the interests of democracy that the political parties will have more regard for the law than Eldon Insurance had. Their founder Aaron Banks denied there had been a grand data conspiracy and said “Gosh we communicated with our supporters and offered them a 10% Brexit discount after the vote! So what?"

We're Social

Toni Vitale is a Partner and Head of Data Protection, located in London, in our Data Protection department

Let us contact you

*
*
*
*
*
View our Privacy Policy

Areas of Interest