Engaging with voters is inherent to the democratic process. It allows the preparation of
political programmes, enables citizens to influence politics and the development of campaigns
in line with citizens expectations.
Political parties, political coalitions and candidates increasingly rely on personal data and
sophisticated profiling techniques to monitor and target voters and opinion leaders. In
practice, individuals receive highly personalised messages and information, especially on
social media platforms, on the basis of personal interests, lifestyle habits and values.
Predictive tools are used to classify or profile people’s personality traits, characteristics, mood
and other points of leverage to a large extent, allowing assumptions to be made about deep
personality traits, including political views and other special categories of data. The extension
of such data processing techniques to political purposes poses serious risks, not only to the
rights to privacy and to data protection, but also to trust in the integrity of the democratic
process. The Cambridge Analytica revelations illustrated how a potential infringement of the
right to protection of personal data could affect other fundamental rights, such as freedom
of expression and freedom to hold opinions and the possibility to think freely without
manipulation.
The EDPB observes that, in addition to political parties and candidates, several other actors
can be involved in the processing of personal data for political purposes: social media adopted
platforms, interest groups, data brokers, analytics companies, ad networks. These actors can
play an important role in the election process and their compliance is subject to supervision
by independent data protection authorities.
In light of the elections to the European Parliament and other elections in the EU scheduled
for 2019, the EDPB wishes to underline a number of key points to be respected when political
parties process personal data in the course of electoral activities:
1. Personal data revealing political opinions is a special category of data under the GDPR. As a general principle, the processing of such data is prohibited and is subject to a
number of narrowly-interpreted conditions, such as the explicit, specific, fully
informed, and freely given consent of the individuals.
2. Personal data which have been made public, or otherwise been shared by individual
voters, even if they are not data revealing political opinions, are still subject to, and
protected, by EU data protection law. As an example, using personal data collected
through social media cannot be undertaken without complying with the obligations
concerning transparency, purpose specification and lawfulness.
3. Even where the processing is lawful, organisations need to observe their other duties
pursuant to the GDPR, including the duty to be transparent and provide sufficient
information to the individuals who are being analysed and whose personal data are
being processed, whether data has been obtained directly or indirectly. Political
parties and candidates must stand ready to demonstrate how they have complied with
data protection principles, especially the principles of lawfulness, fairness and
transparency.
4. Solely automated decision-making, including profiling, where the decision legally or
similarly significantly affects the individual subject to the decision, is restricted.
Profiling connected to targeted campaign messaging may in certain circumstances
cause ‘similarly significant effects’ and shall in principle only be lawful with the valid
explicit consent of the data subject.
5. In case of targeting, adequate information should be provided to voters explaining
why they are receiving a particular message, who is responsible for it and how they
can exercise their rights as data subjects. In addition, the Board notes that, under the adopted
law of some Member States, there is a transparency requirement as to payments for
political advertisement.
The EDPB refers political parties and other stakeholders to the practical guidance and
recommendations issued by several data protection authorities regarding the
use of data in
the course of elections. It also welcomes the set of measures presented by the European
Commission in September 2018, and the
Conclusions of the Council and of the Member
States on securing free and fair European elections.
EDPB members also work together with other relevant competent authorities to ensure
consistent interpretation and compliance with applicable laws, including the GDPR, to
safeguard trust in the security and integrity of the elections to the European Parliament and
other elections in the EU scheduled for 2019 and beyond.
Compliance with data protection rules, including in the context of electoral activities and
political campaigns, is essential to protect democracy. It is also a means to preserve the trust
and confidence of citizens and the integrity of elections. Ahead of the upcoming electoral
deadlines, data protection authorities are committed to monitor and, if necessary, enforce
the application of data protection principles in the context of elections and political
campaigns, such as transparency, purpose limitation, proportionality and security, as well as
the exercise of data subject rights. Data protection authorities will make full use of their
powers, as provided by the GDPR, and ensure cooperation and consistency in their actions
within the framework of the EDPB.
For the European Data Protection Board
The Chair
(Andrea Jelinek)
