Annexes to COM(2018)638 - Commission guidance on the application of Union data protection law in the electoral context - Contribution to the Leaders’ meeting, September 2018

Please note

This page contains a limited version of this dossier in the EU Monitor.

annex.

2.1      Data controllers and

processors

The notion of accountability of data controllers and joint controllers is a central feature of the General Data Protection Regulation. The data controller is the organisation deciding, alone or in cooperation with others, why and how the personal data is processed; the data processor processes personal data only on behalf and under the instructions of the controller (with their relationship determined in a contract or another legal binding act). Controllers must put in place measures appropriate to the risks and implement data protection by design from the outset and be able to demonstrate compliance with the General Data Protection Regulation (accountability principle).

The role as data controller or data processor has to be assessed in each individual case. In the electoral context, a number of actors can be data controllers: political parties, individual candidates and foundations are, in most instances, data controllers; platforms and data analytics companies can be (joint) controllers or processors for a given processing depending on the degree of control they have over the processing concerned12; national electoral authorities are controllers for the electoral registers.

When their processing activities relate to the offering of goods and services to individuals in the Union or the monitoring of their behaviour in the Union, companies based outside the Union also have to comply with the General Data Protection Regulation. This is the case of a number of platforms and data analytics companies.

2.2      Principles, lawfulness of processing and special conditions for “sensitive data”

Actors involved in elections can only process personal data, including those obtained from public sources, in accordance with the principles related to the processing of personal data and based on the limited number of grounds clearly identified by the General Data Protection Regulation13. The most relevant grounds for lawful processing in the electoral context appear

12 The recent case law of the Court of Justice of the European Union (Jehovah Witnesses case C-25/17, judgement of 10 July 2018) clarified that an organisation ‘exercising influence’ over the activity of collecting and processing personal data can,

under certain circumstances, be considered a controller. 13 Articles 5 and 6 General Data Protection Regulation.

to be the consent of an individual, the compliance with a legal obligation under Union or national legislation, the performance of a task carried out in the public interest and the legitimate interest of one of the actors. However, actors in the electoral context can rely on the ground of legitimate interest only if their interests are not overridden by the interests or the fundamental rights and freedoms of the individuals concerned.

In addition storing of information, or gaining access to information already stored, in the terminal equipment (computer, smartphone, etc.), must be in compliance with the e-Privacy Directive's requirements on the protection of terminal equipment, which means that the individual concerned would need to give his/her consent.

When consent is used as a legal ground, the General Data Protection Regulation requires that this is given through a clear and affirmative action and is free and informed14.

Public authorities involved in the electoral context process personal data in order to comply

with a legal obligation or for the exercise of a public task. Other actors in the electoral context

can process data on the grounds of consent or legitimate interest15. Political parties and

foundations can also process data on the grounds of public interest if so provided by national law16.

Public authorities may disclose certain information on individuals included in electoral lists or in registers of residents to political parties only when specifically authorised by Member State law and only for the purpose of advertising in the electoral context and as far as necessary for that purpose, such as name and address.

Processing in the electoral context will often involve “sensitive data”. The processing of such data, including inferred “sensitive data”, is generally prohibited unless one of the specific justifications provided for by the General Data Protection Regulation17 applies. Processing of “sensitive data” requires specific, stricter conditions to be fulfilled: the person must have given explicit consent18 or have made the data concerned public19. Political parties and foundations can also process “sensitive data” if there is substantial public interest on the basis of Union or Member State law and appropriate safeguards are in place20. The General Data Protection Regulation provides that they can also process “sensitive data” to the extent it relates solely to their members or former members, or to persons who have regular contact with them – but only for disclosure within their political party or foundation21. This specific

14 Article 7 and Article 4(11) General Data Protection Regulation.

15 Provided that the rights and freedoms of the concerned individuals are not seriously impacted.

16 See Recital 56 of the General Data Protection Regulation “where in the course of electoral activities, the operation of the democratic system in a Member State requires that political parties compile personal data on people's political opinions, the processing of such data may be permitted for reasons of public interest, provided that appropriate safeguards are established”.

17 Article 9 General Data Protection Regulation.

18 Article 9(2)(a) General Data Protection Regulation.

19 Article 9(2)(e) General Data Protection Regulation.

20 Article 9(2)(g) General Data Protection Regulation.

21 Article 9(2)(d) General Data Protection Regulation. Political party or foundation cannot share the data relating to their members or former members, or to persons who have regular contact with them, with a third party without the consent of the individual concerned.

provision however cannot be used by a political party to process data of prospective members or voters.

The purpose of the data processing should be specified at the time of collection (“purpose limitation” principle)22. Data collected for one purpose can only be further processed for a compatible purpose; otherwise a new legal ground, provided for by the General Data Protection Regulation, such as consent, has to be found for the processing for the new purpose. In particular, when lifestyle data brokers or platforms collect data for commercial purposes, that data cannot be further processed in the electoral context.

Unless political parties and foundations apply due diligence and check that the data has been obtained lawfully, they cannot use any such data received from a third party.

2.3      Transparency requirements

The Cambridge Analytica case has shown the importance of fighting opacity and properly informing the individuals concerned. Individuals often do not know who processes their personal data and for which purposes. The principles of fair and transparent processing require that individuals be informed of the existence of the processing operation and its purposes23. The General Data Protection Regulation clarifies the obligations of data controllers in this respect. They have to inform individuals about key aspects related to the processing of their personal data such as:

the identity of the controller,

the purposes of processing,

the recipients of personal data,

the source of the data when not collected directly from the person,

the existence of automated decision-making and

any further information necessary to ensure fair and transparent processing24.

Moreover, the General Data Protection Regulation requires that information to be given in a concise, transparent, intelligible and easily accessible form, using clear and plain language25. For instance, a short, opaque notice on data protection printed only in small print in electoral materials would not meet the transparency requirements.

According to the preliminary findings, incomplete information on the purpose for which the data were collected was a key shortcoming in the Cambridge Analytica case, which also put into question the validity of the consent of the persons concerned. All organisations processing personal data in the electoral context have to make sure that individuals fully understand how and for what purpose their personal data will be used, before they give their consent or before processing by the controller commences based on any other ground for processing.

22 Article 5(1) (b) General Data Protection Regulation.

23 Article 5(1) (a) General Data Protection Regulation.

24 Articles 13 and 14 General Data Protection Regulation.

25 Guidelines of the European Data Protection Board on transparency.

Information has to be provided to individuals at each stage of the processing, not only when data is collected.

In particular, when political parties process data obtained from third party sources (such as from electoral registers, data brokers, data analysts and other sources) they typically need to inform and explain to the individuals concerned how they combine and use this data to ensure fair processing26.

2.4      Profiling, automated decision-making and micro-targeting

Profiling is a form of automated data processing used to analyse or predict aspects concerning for instance personal preferences, interests, economic situation, etc27. Profiling can be used to micro-target individuals, namely to analyse personal data (such as a search history on internet) to identify the particular interests of a specific audience or individual in order to influence their actions. Micro-targeting may be used to offer a personalised message to an individual or audience using an online service e.g. social media.

The Cambridge Analytica case has shown the particular challenges raised by micro-targeting methods on social media. Organisations can be mining the data collected through social media users to create voters’ profiles. This might allow such organisations to identify voters who can be more easily influenced and therefore allow such organisations to exert an impact on the outcome of elections.

All the general principles and rules of the General Data Protection Regulation apply to such

data processing, such as the principles of lawfulness, fairness and transparency and purpose

limitation. Individuals very often are not aware that they are subject to profiling: they do not

understand why they receive some advertisement so clearly linked to the last searches they

made, or why they receive personalised messages from different organisations. The General

Data Protection Regulation obliges all data controllers, for instance political parties or data

analysts, to inform the individuals when they use such techniques and on their consequences28.

The General Data Protection Regulation recognises that automated decision-making, including profiling, can have serious consequences. The General Data Protection Regulation provides that an individual has the right not to be subject to a decision based solely on automated processing and producing legal effects concerning him or her or similarly significantly affects him or her, unless such processing is carried out under strict conditions, namely when individuals provide their explicit consent, or when Union or Member State law which lays down appropriate safeguards allows for it29.

Micro-targeting practices in the electoral context fall into this category when they produce sufficiently significant effect on individuals. The European Data Protection Board stated that

26 Article 14 General Data Protection Regulation.

27 As defined in Article 4(4) General Data Protection Regulation.

28 Article 13(2) General Data Protection Regulation.

29 Article 22 General Data Protection Regulation.

this is the case when the decision has the potential to significantly affect the circumstances, behaviour or choices of the individuals or have a prolonged or permanent impact on the individual30. The Board considered that online targeted advertisement could have in some circumstances the capability to sufficiently significantly affect the individuals when, for instance, it is intrusive or uses knowledge of vulnerabilities of the individuals. Given the significance of the exercise of the democratic right to vote, personalised messages which have for instance the possible effect to stop individuals from voting or to make them vote in a specific way could have the potential of meeting the criterion of significant effect.

In the electoral context therefore controllers need to ensure that any processing using such techniques is lawful in accordance with the above mentioned principles and strict conditions of the General Data Protection Regulation.

2.5       Security and accuracy of personal data

Security is of particular importance in the electoral context given the size of the data sets

involved, and the fact that such sets often contain “sensitive data”. The General Data

Protection Regulation requires operators processing personal data (both controllers and

processors) to implement appropriate technical and organisational measures to ensure a level

of security appropriate to the risks posed by the processing to the rights and freedoms of individuals31.

The General Data Protection Regulation requires controllers to notify personal data breaches to the competent supervisory authority without undue delay and at the latest within 72 hours. When the personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must also inform the individuals affected by that data breach without undue delay32.

Political parties and other actors involved in the electoral process have to pay particular attention to ensure the accuracy of personal data when big data sets are concerned and when data are compiled from different, heterogeneous sources. Inaccurate data must be immediately erased or rectified and, where necessary, updated.

2.6       Data protection impact assessment

The General Data Protection Regulation introduces a new tool for assessing the risk before processing starts: the data protection impact assessment. It is required whenever processing is likely to result in a high risk to the rights and freedoms of individuals33. This is the case in the electoral context when a data controller evaluates, systematically and extensively, personal aspects of an individual (including profiling), significantly affecting the individual, and when

30 Guidelines of the European Data Protection Board on automated decision making, WP251rev.01 as last revised and adopted on 06.02.2018.

31 Article 32 General Data Protection Regulation.

32 Articles 33 and 34 General Data Protection Regulation; and Guidelines of the European Data Protection Board on personal data breach notification.

33 Articles 35 and 36 General Data Protection Regulation; and Guidelines of the European Data Protection Board on data protection impact assessment.

the controller processes “sensitive data” on a large scale. National electoral authorities acting in the performance of their public tasks might not have to conduct a data protection impact assessment if a data protection impact assessment has already been carried out in the context of the adoption of the legislation.

The impact assessments to be carried out by the various actors in the context of elections should include the elements necessary to address the risks involved in such processing, notably the lawfulness of processing also for data sets obtained from third parties and the transparency requirements.

3. Rights of

individuals

The General Data Protection Regulation gives individuals additional and stronger rights which are particularly relevant in the electoral context:

the right to access to their personal data;

the right to request the deletion of their personal data if the processing is based on consent and that consent is withdrawn, if the data is no longer needed or if the processing is unlawful; and

the right to have incorrect, inaccurate or incomplete personal data corrected.

Individuals also have the right to object to processing (for example of data included in electoral lists transmitted to political parties) if the processing of their data is based on the

“legitimate interest” or the “public interest” grounds.

Individuals have the right not to be subject to decisions based solely on the automated processing of their personal data. In such cases the individual may request intervention by a natural person and have the right to express their point of view and to contest the decision.

In order for individuals to be able to exercise those rights, all actors involved have to provide the necessary tools and settings. The General Data Protection Regulation provides for the possibility to develop a code of conduct approved by a data protection authority specifying the application of the Regulation in specific areas, including in the electoral context.

The General Data Protection Regulation grants in divi dua ls th e right to lodge a complaint to a supervisory authority and the right to a judicial remedy. It also gives individuals the right to mandate a n on - gover nm ental organisation to lodge a complaint on their behalf . In certain Member States, national legislation allows a non - govern m ental organisation to lodge a complaint without being mandated by an individual. This is particularly relevant in the electoral context given the large number of persons potentially concerned.

34 Article 80(1) General Data Protection Regulation.

Key data protection issues relevant in the electoral process35

Political parties and foundations

Political

parties and foundations are data controllers

Data

brokers and

data

analytics

companies

Comply with purpose limitation, further processing only for compatible purpose (for example, when sharing data with platforms)

Choose the appropriate legal basis for processing (also for inferred data): consent, legitimate interest, task in the public nterest (if provided by law),

specific conditions for “sensitive data” (for instance: political opinion)

Conduct a data protection im pact assess m ent

Inform individuals on each processing purpose (transparency requirements), either when collecting data directly or when obtaining it fro m third parties

Ensure data accuracy, in particular for data coming from different sources and for inferred data

Check if data received from third parties have been obtained lawfully and for which purposes (for instance: whether concerned individuals gave their informed consent for a given purpose)

Take into account the specific risks of profiling and adopt appropriate safeguards

Comply with specific conditions when using automated decision making (for example, obtain explicit consent and implement suitable safeguards)

Clearly identify who has access to the data

Ensure security of processing through technical and organisational measures; report data breaches

Clarify obligations in contracts or other legal binding acts with data processors, such as data analytics companies

Delete the data when it is no longer necessary for the initial purpose for which it was collected

Data brokers and data analytics companies are either (joint) controllers or processors depending on the degree of control they have over the

processing

As data controller

As data processor

Comply with purpose limitation, further processing only for compatible purpose (especially when sharing the data with third parties)

Choose the appropriate legal basis for processing: consent, legitimate interest.

Comply with obli gati on s fro m the contract or other binding legal act with the controller

Ensure security of processing through technical and organisational measures

35 The information above is in no way exhaustive. It aims at highlighting a number of key obligations linked to data under the General Data Protection Regulation which are relevant in the electoral process. They correspond to a scenario where political parties are collecting data themselves (from public sources, from their presence on social media, directly from voters, etc.) and use the service from data brokers or data analytics companies with the objective to target voters through social media platforms. Platforms can also be a source of data for the actors mentioned above. Other legislation may be relevant as well, such as the rules on the sending of unsolicited communications and the protection of terminal equipment in the ePrivacy Directive.


Social media

platforms /

online ad

networks

National

electoral

authorities

If “sensitive data”, processing only

possible if explicit consent or data manifestly made public

Conduct a data protection impact assess ment

Inform individuals on each processing purpose (transparency requirements) -in particular when consent is sought since usually the data will be sold to a third party

Comply with specific conditions when using automated decision making (e.g. obtain explicit consent and implement suitable safeguards)

Pay particular attention to lawfulness of processing and to accuracy when combining diff erent data sets

Ensure security of processing through technical and organisational measures; report data breaches

Support f or the controller in data protection impact assessment or in the exercise of data subjects rights or in communicating to the controller a data breach without delay if they become aware of one

Platforms are usually data controllers for processing taking place on their platforms and possibly co-controller with other organisations

Choose the appropriate legal basis for processing: contract with individuals,

consent, legitimate interest. If “sensitive data”, processing only possible if

explicit consent or data manifestly made public

Use only data that is necessary for the identified purpose

Conduct a data protection im pact assess m ent

Ensure lawfulness when sharing members data with third parties

Comply with transparency requirements, in particular as regards the Terms and Conditions, if data are subsequently shared with a third party, etc.

Comply with specific conditions when using automated decision making (e.g. obtain explicit consent and mplement suitable safeguards)

Ensure security of processing through technical and organisational measures; report data breaches

Provide controls and settings for individuals to effectively exercise their rights, including the right not to be subject to a decision based solely on automated processing including profiling

National

electoral authorities are data controllers

Legal basis for processing: legal obligation or task of public interest based on law

Conduct a data protection impact assessment if impact not already assessed in the law