Electoral campaigns in North America are increasingly ‘data-driven’ and political parties have amassed a huge amount of personal data on voters’ political affiliations and behaviour.
These trends are driven by new technologies, but also by the fact that parties in the USA and Canada are generally not covered by strong data protection rules, as they are in Europe.
This article argues that many of the trends observed in North America will likely enter the politics of major European countries; indeed there are already signals that this is happening.
It reviews the application of privacy protection law to data on political affiliation in Canada and Europe, and reviews the likely impact of the General Data Protection Regulation on these practices.
These developments will put pressures on European data protection law, and data protection authorities, as never before.
Recent elections in the USA and Canada have raised to public attention the general question of how political parties and candidates process and analyse personal data on individual voters. The conventional wisdom in both countries, whether accurate or not, is that the modern political campaign needs to be ‘data driven’ to consolidate existing support and to find potential new voters and donors. The capture and consolidation of these data permit the construction of detailed profiles on individual voters and the ‘micro-targeting’ of increasingly precise messages to increasingly refined segments of the electorate, especially in marginal constituencies.1
Although there are huge differences between presidential systems such as the US and European parliamentary systems, there is evidence that parties in other countries are drawing lessons from the US experience and that similar techniques are gradually entering their politics.2 There is extensive cross-national communication about these techniques through the network of political and technical consultants, who are eager to tout the benefits of micro-targeting and data-driven campaigning, and to sell the range of software applications, for both database and mobile environments.
The academic literature on these subjects is still very under-developed. While there is extensive work on the new ‘tech-driven’ politics as part of a larger assessment of changing campaign techniques and whether they actually affect voter engagement,3 very little of the commentary engages with the larger question about how voter data is being mined and profiled, or evaluates the risks to privacy. There has also been a relative lack of attention to these issues by the privacy and data protection authorities (DPAs) in different countries. Back in 2005, the DPAs issued a joint Resolution at their international conference in Montreux4 and warned of ‘invasive profiling’ and the unlawful collection of ‘sensitive data related to real or supposed moral and political convictions and activities’. Few authorities, however, whose actions are detailed below, have seriously grappled with these issues.
On the plausible assumption that data-driven campaigning and associated micro-targeting techniques will increasingly be witnessed within European elections, what are the broader impacts on privacy, and what are the implications for data protection laws and for DPAs? This article begins with an overview of contemporary campaigning practices in North America. It then reviews the application of European data protection law to data on ‘political affiliations’ and examines the kinds of privacy issues that have arisen, and might arise when ‘big data analytics’ are used in the electoral process. The article relies on official documentation such as decisions, guidance, and opinions from different DPAs on the processing of personal data in electoral and political contexts, and on interviews with selected experts and data protection officials.
Micro-targeting and the surveillance of the electorate in the USA
The political cultures of the USA, and to a lesser extent Canada, have historically been far more tolerant of a variety of practices to monitor and profile the electorate, and to use the techniques of direct marketing to poll, canvass, and get-out-the-vote. According to Rubinstein:
Political databases hold records on almost 200 million eligible American voters. Each record contains hundreds if not thousands of fields derived from voter rolls, donor and response data, campaign web data, and consumer and other data obtained from data brokers, all of which is combined into a giant assemblage made possible by fast computers, speedy network connections, cheap data storage, and ample financial and technical resources. Ubiquitous personal identifiers (name and address, telephone numbers, e-mail addresses, IP address, cookies, mobile device IDs, and other unique IDs) allow campaigns to link and integrate these diverse datasets, while data mining and sophisticated statistical techniques allow them to engage in highly strategic and cost-effective analysis and targeting.5
Any understanding of the US context has to begin with the overwhelming influence of the First Amendment on the communication of political speech and the raising of money to facilitate that communication. The US Supreme Court has historically regarded unrestricted political speech as central to the purpose of the First Amendment and to the liberal values upon which it is founded. In cases such as US v Miller (1976) and Sorrell v IMS Health (2011),6 it has also refused to extend privacy rights to personal data held by commercial third parties. Thus, any attempt to regulate the flow of personal information for political campaigning purposes in the interests of protecting the privacy of the individual always has to confront very powerful arguments for the free flow of that information under the freedom of speech guarantees in the First Amendment. As Rubinstein concludes, ‘it seems very likely that the Court would subject privacy-based restrictions on campaign data practices and micro-targeting to strict scrutiny, which is usually fatal’.7
A constitutional framework that favours the almost unfettered flow of personal data for political campaigns does not ensure that those data are readily available. The practical availability of these data was facilitated by the Help America Vote Act (HAVA) of 2002, passed in the wake of the irregularities and inefficiencies in the 2000 elections. HAVA requires states, among other things, to maintain a ‘single, uniform, official, centralized, interactive computerized statewide voter registration list’.8 This legislation helped lay the groundwork for political parties to build massive databases of all voters, and also for commercial data brokers to get into the business of compiling, analysing, and selling voter intelligence data.9
On the one hand, there are ‘in-house’ databases for both main parties. The Democrats operate a system called ‘Votebuilder’ now owned by NGP VAN. The equivalent for the Republicans is the GOP Data Center (formerly Voter Vault). Both provide basic voter identification information to their respective candidates, including those in competitive primary elections. Both systems are based on state voter registration data, which are then supplemented by a variety of other sources of data from commercial and public sources, as well as from telephone polling and voter contact.10 Both systems have their origins in the 1990s, but until HAVA was passed they were incomplete and inconsistent.11
In addition to these in-house systems are a number of commercial operations that offer not just databases, but also integrated voter management platforms that provide an entire suite of services for any campaign: website design and development; social media outreach; the generation of geo-targeted lists for e-mail and texting; the management of volunteers; as well as the publication of more traditional campaign materials. These platforms also integrate data from commercial data brokerage sources, and so the political data on party affiliation and behaviour is combined with other data on activities, interests, and purchasing habits available from data brokerage firms such as Acxiom, Dun and Bradstreet, InfoUSA.12 Marketers tend to assume that people with similar cultural backgrounds, means, and perspectives naturally gravitate towards one another to form relatively homogeneous communities. Once settled, people emulate their neighbours, adopt similar social values, tastes, and expectations and, most important of all, share similar patterns of consumer behaviour towards products, services, media, and promotions. Political parties thus tweak these data to fit political categories and draw inferences about what policies such groups might be interested in hearing about.13
On the Democratic side, the main example of such a system is Catalist, best understood as a ‘data cooperative’ according to its chief executive, Laura Quinn.14 In the Catalist database, every voter is listed with more than 700 descriptive fields, almost half of which come from commercial sources.15 Criticism of the operation of the Republicans’ central database after the 2012 election prompted the Koch billionaires to invest in a parallel commercial operation called i-360, which has been generating voter data for the candidates in the 2016 elections. They claim a massive database of 190 million registered voters:
So we’ve got quantity – but what’s even more important to us is the quality of our data. To ensure it is as accurate as possible, we update our data constantly. We source thousands of attributes from multiple consumer data compilers, constantly refresh voter registration information from all states and gather millions of political and issue attributes on an ongoing basis. We then expand the efficacy of this data by using it to build our national predictive models that help clients answer unknowns through the most advanced data science.16
It is also worth noting that some campaign organizing companies are agnostic as to the type or ideological purpose of the campaign that they support. So a company like NationBuilder now boasts 7000 customers in 98 countries, ranging from Amnesty International to AirBnB to the Republican Party of Florida to Arizona State University.17 One of the oldest companies in the business, Aristotle.com, is similarly non-partisan.
Parties are becoming increasingly adept at using social media to target messages, recruit volunteers and donors, and track issue engagement. Politicians know that a large social media following can lend credibility to their campaigns. Just as a packed town meeting can add to the perception that a candidate is worth following, the same holds true for social media. But a basic count of Twitter followers or Facebook ‘Likes’ (vanity metrics) will not tell much in isolation. Campaigns, therefore, desire answers to other questions: Who is following you? Are they ‘influencers’? Is your following increasing, decreasing, or holding steady? What is the trend over time? Are people interacting with your content? Which of your posts are generating activity and on which issues?18 There are customizable applications that work within the social media platform, making it easier for individuals with the click of a mouse, to donate, join an e-mail list, sign petitions, sign up for events, or volunteer. A contemporary example is ActionSprout: ‘Knowing your supporters and how they are engaging with you on Facebook allows you to more effectively target fundraising or advocacy efforts through email and Facebook ad campaigns.’19 Other apps, such as the Action Center promoted by NGP VAN, empower social media followers to recruit, raise money, and engage from their own networks.20
In 2012, a more controversial app launched by the Obama for America campaign through Facebook allowed access to the entire ‘social graph’ of over 600,000 Facebook friends. In an instant, the campaign had access to more than 5 million contacts that potentially saw each other registering to vote, giving money, sharing videos on the campaign, and voting on or before Election Day. And when matched against other voter files, these contacts were prioritized for ‘targeted sharing’.21 Facebook has since prohibited the practice.
A larger shift in campaign logic underlies many of these new trends, namely that voters are more likely to be persuaded if they see their peers supporting a particular party or candidate.22 Polling evidence suggests emphatically that voters, and particularly young voters, do not trust parties or media organizations, but they are more likely to be influenced by the attitudes and behaviours of their friends. Scientific studies have also indicated that this kind of ‘targeted sharing’ through Facebook can have a small but significant impact on voting, especially among the 18–29 age group.23
Finally, the explosion in the use of mobile applications designed for the new generation of smartphones and tablets builds upon these existing trends. In recent election cycles, mobile apps have been used for: more traditional one-way political messaging; door-to-door canvassing; event management; encouraging donations; and broader civic engagement. For instance, the simple use of these apps for ‘push notifications’ allows candidates to keep voters up-to-date with latest campaign activities, and the apps often contain built-in templates that allow supporters to share those messages with friends and family. Mobile applications have also been developed for canvassing. A typical example is ‘Ground Game’ from a company called Moonshadow, which integrates geo-positioning software to plan routes for campaign workers, and to deliver metrics to campaign headquarters about doors knocked on, time in the field, distance walked and so on. Information conveyed during doorstep conversations can also be entered in real time and conveyed to party databases.24 Donating is also becoming quicker and more decentralized. Blue State Digital now integrates a ‘Quick Donate’ feature through mobile e-mail or SMS.
So, modern technologies have fundamentally altered the dynamics of modern campaigning in the USA, providing new ways to broadcast relevant political information, to influence voters’ attitudes and behaviour, to encourage campaign donations and to more precisely engage networks of potential supporters. But there is also considerable hype in popular writing and corporate promotions about the extensiveness and accuracy of these technologies.25 Hersh’s analysis suggests that commercial data is often inaccurate, dynamic, and only weakly correlated with indicators of political affiliation.26 Thus, ‘when campaigns perceive voters, they do not see the opinions, traits and behaviors that voters see themselves. They see perceived voters, a simplified and distorted version of the electorate that is based on the data available to them.’27
From a privacy perspective, however, voter intelligence data may be ‘the largest concentration of unregulated personal data in the US today’.28 Are these trends apparent in other democratic states? I first examine the experiences of Canada, whose parliamentary system is more in line with European states and whose privacy protection laws generally do not cover the activities of political parties. I then turn to the current situation in Europe and to the data protection regime that regulates personal data on political opinions and affiliations.
Voter identification and relationship management systems in Canada
In Canada, there has been close collaboration between Republican consultants and the Canadian Conservative party, whose Constituent Information Management System (CIMS) was developed in 2004 using the Voter Vault software. In Canada, voter lists are legally provided to political parties under the authority of the Canada Elections Act.29 The Conservatives then use this framework to populate the database with a range of other data on voter preferences.30 The published training materials on CIMS reveal that each voter is assigned a score of −15 to +15 on the basis of these data (Conservative Party of Canada). Walk lists, phone lists, e-mail lists, lawn sign allocations, and other campaigning tools are then generated, allowing the party to target and mobilize its supporters more efficiently. It was reported that a new Conservative voter management system, entitled C-Vote, was scrapped in 2013, costing the party millions of dollars.31 The Canadian Liberal Party has a similar ‘voter identification and relationship management system’ called Liberalist, originally based on the Democrats’ Voter Activation Network platform. The left-of-centre New Democratic Party uses a system called Populus. There has been heightened scrutiny of these systems during the October 2015 general election.32
Neither the Canadian Privacy Act of 1982 nor the Protection of Personal Information and Electronic Documents Act (PIPEDA) of 2000 covers political parties; like some other non-profit entities, they fall between the cracks of the Canadian privacy protection regime. Nevertheless, the Canadian Privacy Commissioner has received a number of complaints about invasion of privacy by candidates and politicians going back several years. Partly in response, the office commissioned a study on the subject, which concluded that the main federal parties process an increasing amount of data on supporters, non-supporters, volunteers, candidates, and employees, and should be brought under the jurisdiction of Canadian privacy law.33
The issue has also achieved prominence as a result of a scandal involving the practice of ‘robo-calling’ at the 2011 federal election. Voters in key marginal ridings received automatic calls from an individual purporting to represent Elections Canada and informing them (falsely) that their place of voting had changed. The ‘robo-call’ scandal hit the front pages, and prompted investigations from the Royal Canadian Mounted Police and from Elections Canada. The most interesting aspect of this affair is that only non-Conservative supporters were targeted, meaning that the individual must have had authorized or unauthorized access to the CIMS database. The Chief Electoral Officer recommended that the basic privacy principles within PIPEDA should be applied to political parties.34
These voter management systems are less extensive than in the USA, and have to operate within a general data protection framework, covering the private sector and restricting the purchase of personally identifiable data from the commercial data brokerage market. But the same logic seems to be at work, and has been eagerly embraced by the parties and by the consultants and pollsters that work for them. The micro-targeting of the electorate enables campaigns to allocate their finite resources more efficiently. It provides innovative ways of discovering new voters, and it supports new methods of delivering individualized messages either through direct mail, door-to-door canvassing, phone calls, e-mail, text, or social media. The overriding assumption of the data driven campaign is that the more you know about who will vote, how they will vote and what issues they are interested in, then the more efficient and targeted the campaign can become. Despite the obvious legal, structural, and cultural differences between the USA and parliamentary systems, the hype about the data-driven campaign, and its presumed success in electing President Obama, have been irresistible trends and are beginning to alter electoral politics in Canada and in other democratic countries.
European law, political parties, and election campaigns
So, what of the application of privacy law in Europe to political parties? It is first important to note that the distribution of voter lists to candidates and parties is more heavily regulated in European societies than in either the USA or Canada. It is difficult to generalize across an entire continent, but most election legislation contains some strict stipulations for the sharing of voter contact data before, during, and after election campaigns. Most countries only permit the sharing of name, address, and date-of-birth (no other contact information). And very few countries make the lists digitally available. DPAs in countries like Italy and France have also been quite diligent in ensuring that the lists are not used for commercial purposes.
The rules in France are illustrative and stand in stark contrast to those in the USA. Under the Code Électorale, electoral lists are handled by each commune though any changes to the list must be reported to l’Institut national de la statistique et des études économiques within eight days. The listing on one (and only one) voter list is obligatory for all French citizens. The voter list is to contain the family name, surname, and domiciliary address, including the number and street name where available, of each voter.35 Voter lists are to be kept in a registry in the commune’s archives, and may be accessed and copied by ‘any voter, any candidate and any political party or group’, including those who belong to another commune. The list may be accessed at either the appropriate town hall or prefecture, depending on the commune. A consultation of the list is a free service, whereas a paper copy may be subject to a fee of up to 0.18€ per black and white page or up to 2.75€ for a CD-ROM.36
Turning to data protection law, under both the 1995 European Data Protection Directive (95/46/EC)37 and the new General Data Protection Regulation (GDPR),38 political parties are clearly covered. There are a number of relevant provisions. Data on political opinions is unequivocally defined in the GDPR as a ‘sensitive’ form of personal data. Article 9(1) states that the ‘processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a person’s sex life or sexual orientation shall be prohibited’. These categories mirror those mentioned in the revised Council of Europe Convention 108. They are also derived from the principles of non-discrimination on grounds of political opinion enshrined in Article 21 of the Charter of Fundamental Rights of the European Union (EU).
The GDPR then lists a number of exemptions, two of which are directly relevant to the political context. Article 9.2(d) permits processing when:
carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other non-profit seeking body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects.
Article 9.2(e) permits processing that ‘relates to personal data which are manifestly made public by the data subject’. Recital 56 of the GDPR attempts to clarify this exemption in the case of political parties: ‘Whereas where, in the course of electoral activities, the operation of the democratic system in a Member State requires that political parties compile data on people's political opinions, the processing of such data may be permitted for reasons of public interest, provided that appropriate safeguards are established.’ None of these provisions is substantially different from those in the 1995 Directive. As far as can be gathered, questions about the processing of personal data in the political arena were not issues of contention in the lengthy debates about the provisions of the GDPR and about its uniform application across the EU.
So what do they now mean? According to earlier guidance provided by the Article 29 Working Party, the assumption behind the special category classification is that misuse of these data could have more severe and irreversible consequences for the individual’s fundamental rights.39 They also stress that the term ‘data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership’ means not only the data itself, but also data from which sensitive information with regard to an individual might be concluded or inferred.40 With few exceptions, the Working Party found that these provisions had been translated into national legislation under the Directive in a similar fashion, although some interestingly had added a category of ‘party membership’ in addition to that of trade union membership. In their subsequent discussion of potential problems with the implementation of Article 8, they do not explicitly mention any issues related to the processing of personal data on political opinions by political parties. They highlighted problems with the definition of philosophical beliefs, race, and health data, but there was no indication that ‘political opinions’ were a problematic category. Neither was there any discussion of the meaning of the Recital on electoral activities and political opinions.
Where the European DPAs have been asked to resolve complaints about the processing of political data, they have generally taken a strong stance. They do receive complaints during the election cycle, but the issues raised tend to be quite familiar and mundane: the inappropriate communication by phone, e-mail, or text to people who have not given their consent; the non-consensual capture of personal data by elected officials who come into contact with constituents in their capacities as electoral officials and communicate data on electors to their party headquarters; and the use of membership lists for other organizations (churches, unions, clubs, schools, etc) used by candidates for political canvassing. As noted above, there also tend to be far stricter rules on the transfer and maintenance to political parties of the basic address and contact information from the respective electoral regulatory agencies.
The fact that these questions have not been raised in Europe to the same extent as in North America should not, however, lead us to conclude that the law is clear. The definition of ‘political opinions’ is vague and they might be inferred from a whole range of different behaviours and sources, magazine and newspaper readership, group memberships, and so on. And should we regard political opinions as confined to questions of political ‘affiliation’? These data might be processed when they relate to ‘the members or to former members of the body or to persons who have regular contact’. All parties have done this legally; indeed many are required under law to do so when those members are making financial donations. But what does ‘regular contact’ mean? Attending a meeting, following on Twitter, liking the candidate or party on Facebook? And what of political communication that might be in the public domain—signs in windows, letters in newspapers, blog postings, and so on? Increasingly, citizens convey explicitly and implicitly their political affiliations and preferences in an increasing number of contexts, and in a range of manners. And what does Recital 56 actually mean? ‘In the course of electoral activities’, it begins. Is that solely during an election campaign? Most parties would contend that they are engaged in a perpetual process of campaigning in modern politics. ‘The processing of such data may be permitted for reasons of public interest’, it continues. Is the mobilization of a party’s supporters during an election a ‘public interest’? And what are the ‘appropriate safeguards’?
I contend that the meaning of these provisions will come under increasing scrutiny as a result of the import of campaigning techniques from North America, and the promotion of these practices by American political consultants. We know, for instance, that Jim Messina, Obama’s campaign manager has assisted both the British Conservative Party in its 2015 reelection campaign41 and Italian Prime Minister, Matteo Renzi, on the upcoming referendum for constitutional reform.42 Within the confines of European law and political culture, new start-ups are arising across major European countries for voter engagement and outreach.43
Within this context, I note four interconnected issues that will probably be prominent: the legality of voter management databases; the question as to whether political parties should be treated the same as commercial organizations in the rules for unsolicited communications by phone, text, email, and web-based advertising; the processing of personal data from social media; the fair use of personal data as a result of more open processes for the selection of party leaders; and, of course, the greater likelihood of data breaches.
Voter management databases in Europe
The internal data processing operations of political parties in every country are typically shrouded in a good deal of secrecy. The inherent competitiveness of the electoral environment, and the proprietary nature of the new campaigning technologies, mean that outsiders have considerable difficulty discovering the extent to which parties capture data on the wider electorate, beyond that of their members, donors, and ‘regular contacts’.
That said, we do know that the only European country whose parties admit operating voter management databases of the kind seen in North America is the UK. The main British political parties have operated such databases for several years, using similar proprietary software to their counterparts in the USA and Canada. They too augment the basic address information from the electoral roll with additional personal data on supporters and non-supporters from census data, commercially available databases and polling data.44 The Conservative Party originally used the ‘Voter Vault’ software developed by the Republicans and then shifted to MERLIN (Managing Elector Relations through Local Information Networks).45 The Tories made a further, and quite late, change for the 2015 election, adopting a new system called VoteSource, which profiled voters on a 1–10 scale and arguably allowed the party to build a more nuanced and complete picture of voter intentions.46 How effective the system was, however, is open to debate; VoteSource reportedly crashed on election night.47 There were also complaints that this system, like many others, has to work within a constitutional structure that relies on local party organizations to sign up new members and keep the database updated.48
The Labour Party adopted a system, developed by Experian, called ‘Contact Creator’ in 2008. The system was supposed to integrate membership lists with voter identification information from the electoral roll and place this in the hands of local campaigners. If you visit the Labour Party website and enter your e-mail, that too is immediately captured. The system was designed to allow the canvasser to ‘know exactly who you are talking to’.49 The system was retooled using NationBuilder software in 2013.50 The Liberal Democrats adopted a version of the Voter Activation Network system for the 2015 election.51
Under the existing Data Protection Act, data controllers like the Conservative Party are obliged to register with the Information Commissioner’s Office (ICO) and describe the reasons for processing, the type of information processed, the subjects of the processing, and to whom the information may be shared. One registration seems to have been submitted for the Conservative Party, whereas all Constituency Labour Parties seem to have separate entries. Interestingly, however, the register entries read very similarly. Both parties claim to process various categories of non-sensitive classes of personal information: personal details; family details; lifestyle and social circumstances; goods and services; financial details; education and employment details. They also claim that they may process sensitive classes of information that may include: physical or mental health details; trade union membership; racial or ethnic origin and political opinions. Both parties state that they only process information about ‘our members, supporters, complainants and enquirers and employees’. Neither admits in its registration to the processing of personal data on the general voting public, including non-supporters.52
The ICO has not ruled on the legality of such databases. According to Christopher Pounder, however, systems like VoteSource, which profile the entire electorate and not just members or those with regular contacts, are of questionable legality.53 He raises a number of issues. First, it is not true to assert that data that is otherwise ‘public’ is somehow removed from the ambit of data protection law and, therefore, ‘off limits’. Some citizens do reveal a great deal about their political affiliations in many ways in the offline and online world (lawn signs, bumper stickers, letters to the editor, blog and social media posts, and so on). However, rights of access and correction would still apply to these data, as would security safeguards. Secondly, there are probably enormous problems of accuracy and issues of fair processing when the party is processing comments from third parties on someone’s political views. And is it fair to process personal data from social media postings when they have not been posted with the intent that they be copied, stored, and used to profile the data subject? In the absence of notice and consent then, UK (and European) law requires a balance of interests test. Do the legitimate interests of the political party (to educate the public and mobilize the vote) override the privacy rights of the data subject, where sensitive data is being processed? How then can the party take into account those legitimate interests without informing data subjects about the nature and purpose of the processing in the first place?
Beyond the UK, there is evidence that certain techniques for voter management have entered the politics of other European countries. A company called Cinquante Plus Un, created by three students who worked together on the 2008 Obama campaign, is claimed to be the first campaign technology start-up in Europe. According to their website, ‘[they] design groundbreaking campaign apps for candidates and elected officials, based on the latest research in political science and the opportunities offered by Open Data, Big Data, and new technologies’.54 Their focus seems to be on addressing voter apathy and abstention in France using door-to-door canvassing as a method of ‘recovering’ alienated voters, and particularly young people, ethnic minorities and people in poorer neighbourhoods.55 Like equivalents in the USA, the software permits a campaign to analyse and map neighbourhoods, plan effective canvassing, and manage contacts. They now claim to have supported over 300 electoral campaigns in 14 different European countries.
The community organizing system, NationBuilder, is now also quite popular among right-wing candidates and parties in France; the Republican Party (Parti Republicain) signed a contract with the company in 2015. NationBuilder claims to offer a fully integrated suite of tools for the organization of a campaign, and outreach through e-mail, telephone, social media, and traditional door-to-door campaigning. Some claim that the use of these technologies represents a paradigm shift in French politics, and will ‘uber-ize’ French political life.56 The Commission de l’Informatique et Libertes (CNIL) has audited some of these systems, but not, of course, NationBuilder, based in the USA, thus raising profound questions about the continued transfer of personal data outside the EU given the demise of the EU–US Safe Harbor program.57
In Italy, the influential Five Star movement has launched a system called ‘Rousseau’ to facilitate more effective engagement of members and supporters.58 Two other platforms, Inpolitix and PolicyBrain, are reportedly also promoting the use of big data analytics for campaigning purposes.59 Other companies offer candidates and parties basic products for website development, social media outreach, and some basic mapping applications. Each new European start-up that claims to empower, mobilize, network, and recruit, has to do so within the confines of a European data protection regime based on principles of express consent. The balance is going to be a tricky one.
Political communication and marketing rules
A second, and related, set of issues concerns how the communications of parties and candidates should be regulated under data protection (and related) law. These issues have taxed the DPAs in the past and will continue to do so as the means of delivering political ads to more precise segments of the electorate gets more sophisticated. At root lies the question of whether the communication of political content should be treated in a fundamentally different way to the delivery of commercial messages.
The rules for unsolicited communications in Europe are not just guided by the 1995 Data Protection Directive, but also by the 2002 Directive on Privacy and Electronic Communications—the E-Privacy Directive,60 Article 13 of which governs unsolicited communications. The latter makes no reference to marketing for political purposes in the text. In a 2005 case before the UK ICO relating to the Scottish National Party, the UK Information Tribunal confirmed that the provisions of the E-Privacy Directive did have a broad application, beyond the strictly ‘commercial’ world, and, therefore, applied to political parties.61 Political parties, therefore, in promoting their ideas and soliciting support and donations are engaged in ‘marketing’ and are, therefore, subject to the same provisions.
Article 5(3) of the E-Privacy Directive also requires prior informed consent for storage or access to information stored on a user’s terminal equipment. In other words, controllers must ask users if they agree to most cookies and similar technologies before the site starts to use them. For consent to be valid, it must be informed, specific, freely given and must constitute a real indication of the individual’s wishes. There is nothing in the Directive to suggest that this provision does not apply to political party websites. Indeed there was a case in the Netherlands where Dutch political parties were found to be violating the rules they had just passed in furtherance of these rules.62
Most DPAs in Europe, according to my brief survey, have received complaints about unsolicited communications by political parties. Some of these complaints stem from solicitations from parties that the data subject would never support, triggering irate questions about how that party got their contact details. Three countries, the UK, France, and Italy, have produced more detailed guidance directed at political communication. The rules are becoming increasingly complex, as the methods and nature of political communication have extended to different technologies.
The first general guidance on political communication from a European DPA appears to come from the Italian Garante per la Protezione dei Dati Personali in 2004.63 The guidance expressly addresses ‘Privacy and Electoral Propaganda’ and stipulates that ‘personal data may be used without the data subjects’ consent for electoral propaganda purposes if the data are taken from sources that are truly “public”, i.e. unlimitedly available to anyone’. It then lists the types of public registers that do, and do not, fall within this category. Interestingly, the Garante concedes that ‘although electoral propaganda may not be classed with commercial and marketing communications, it is not permitted in cases other than those mentioned above without the data subject’s prior, specific consent’. The guidance addresses text and email communications but dates before the time when political parties made extensive use of websites or social media. Updated guidance, published in 2014, details further who might be considered as having a ‘regular contact’ with an Italian political party. It stipulates that ‘it is forbidden to use for electoral propaganda’: data gathered automatically through software; lists of subscribers to Internet service providers; data published on websites; and data gathered by social networks, news forums, or news groups.64
The British guidance from the ICO dates from 2005 and was issued partially in response to the case against the Scottish National Party for using automated robo-calling for political marketing purposes. There was a similar complaint and ruling against the Labour Party in 2010. The guidance was updated in 2014.65 It addresses the practical meaning of consent in the electioneering context, by means of post, email, text, fax, phone, and automated messages. It discusses the often-tricky relationship between national party headquarters, local campaigns, and the third party market research firms that work for parties. When a party purchases or rents lists from a third party data broker to contact individuals that meet a particular profile, it needs to be assured that personal data was collected legitimately. The same applies to contact information that might be collected in response to a local campaign. The guidance also addresses the rules for ‘viral-marketing’ or ‘tell a friend’ campaigns. The party must always identify itself, and provide contact details and easy procedures for opting out.
Political marketing by established political parties is one thing, but similar issues are often raised during referendum campaigns, the organization of which might be more temporary, and whose members and supporters will cut across the established political allegiances. The ICO has recently found the need to issue guidance on marketing during the UK referendum on EU membership.66 It also fined a company for sending unsolicited text messages on behalf of the Brexit campaign, having received more than 2600 complaints in two months.67
Spamming was also the main impetus behind the closer regulation of political marketing in France. The so-called ‘Sarkospam’ scandal occurred in September 2005, when hundreds of thousands of unsolicited e-mails were sent on behalf of presidential candidate Nicolas Sarkozy.68 The case prompted a series of recommendations from the CNIL about the use of files by political parties, groups, candidates, and elected officials. Political canvassing by e-mail should not use any databases other than those who had explicitly ‘opted in’. And those who had opted in to commercial databases who were not explicitly told at the time that their information may be used for political marketing (as occurred in the Sarkospam case), must be contacted again and offered the opportunity to opt out.69 The guidance also recommended that political parties declare to the CNIL when they are processing data on people who are occasionally in contact (for instance, those who have signed a petition, requested documentation, or visited the blog), but not those who are regularly in contact, such as donors or regular members.
The CNIL issued further guidance in 2012.70 The rules about political communication were placed in the context of the broader application of French data protection law to the entire processing activities of parties in France and the information they collect. The guidance addressed: the types of internal files of the elected official, the candidate, or the political party, and distinguishes how each might use files of members, regular contacts, and occasional contacts; the use of the electoral register, of directories and of files from the private sector; and the rules for communication by telephone, SMS, e-mail, and Internet. The CNIL also provided examples of best practice for obtaining consent.
All major political parties in Western democracies make extensive use of Facebook, Twitter, YouTube, and other social media to target messages, recruit volunteers, and donors and to track issue engagement. The most advanced use of social media in Europe occurred in the 2015 UK general election. The Conservative Party made unprecedented use of Facebook data to reach key groups of voters in swing constituencies. Unlike Twitter, which can often only operate as an echo-chamber for the like-minded to reinforce their political opinions, Facebook, the Tories realized, offered a potential database of 55 per cent of the British population, including all demographic groups. Facebook sells advertising to a wide range of different organizations, including to political parties. The Conservatives, therefore, engaged in the kind of ‘micro-targeting’ efforts familiar in North America with a striking degree of precision.71 And they did this only in the 100 key marginal seats that they had identified as likely to sway the election.
It is quite obvious that the rules have to be more nuanced to reflect the different media through which political campaigning now occurs, and many DPAs have yet to come to terms with this new environment. The relationship is not simply a bilateral one between candidate and voter. Third party intermediaries (research and polling firms) also play important roles. And any social media user can potentially, then, be engaging in forms of political communication.
We have not seen the kinds of ‘targeted sharing’ programmes in Europe so far. The few mobile campaigning apps in existence do claim that they are operating within the confines of European data protection law, meaning that they should only be contacting voters who have given express consent to be contacted. But social media do introduce a general confusion between the notion of the data controller and the data subject. ‘Friending’ a political party on Facebook, or following them on Twitter, without the user implementing the appropriate privacy controls can also result in the unintentional broadcast of the user’s political beliefs. The practices of political parties, and the privacy rights of their members, are closely related to the privacy policies and mechanisms embedded within these social media platforms, as well as to the privacy choices that individuals make according to varying degrees of knowledge and concern about privacy, and their sophistication about the technology. Thus, the use of social media in elections will inevitably be shaped by the broader actions of DPAs against Facebook and other social networking companies.
Data protection and the expansion of the ‘selectorate’ for party leaders
The public nature of voter engagement and party identification in the USA is attributable, in part, to the quite extraordinary role played by the Democratic and Republican parties in the voter registration process. Nomination processes for both main parties and for a range of state and federal officeholders operate in every state and entrench the parties as the main organizations for the recruitment of political candidates. Some states operate open primaries to members of the other party and to independents. Others organize closed primaries to registered members of the party. Some require voters to show up in person at local caucuses, where they can discuss the candidates and register their preferences. Some states even operate different systems for each party. And the overall system can vary by different electoral cycles. This complex and diverse system resists easy generalizations. In general, primary elections have become more frequent, open and widespread in recent years for both Republican and Democratic Parties.72 But the type of process also has massive implications for the capture and processing of data on party affiliation.
The use of party databases during competitive primary elections can create difficult dilemmas and a need for strong firewalls between the basic household information and other data that might be added from individual campaigns. In 2016, there was a dispute between the Sanders and Clinton campaigns about the deliberate exploitation of a vulnerability in the NGP VAN voter database by a staff member in the Sanders campaign, allowing temporary access to confidential voter lists created by the Clinton campaign. The dispute resolved itself with a firing of the staffer and an apology from Senator Sanders. But the issue raised some searching questions about the use of the same database within highly competitive primary elections.73
In parliamentary systems, primary elections are far less common and far more recent, but raise some similar questions. The most extensive participation in a primary occurred in France in 2011. Based on the Italian experience of 2005 and 2007, the French Socialist Party decided that its candidate for the 2012 presidential election would be decided on the basis of an open primary. Not only would registered Socialist voters be able to participate, so would all voters who donated one euro to the party and agreed to sign a commitment attesting to the values of the left (freedom, equality, fraternity, secularism, justice, solidarity, and progress). The party organized one national vote in two stages on 9 and 16 October 2011 and elected Francois Hollande. Some 2.6 million voters participated in the first round and three million in the second.
In the USA, the parties would typically have access to the lists of those who voted in their primary election in a particular state, and use those contact details to mobilize their vote in the general election. In Europe, this question poses some peculiar and novel challenges for privacy principles, and DPAs. The CNIL struggled with the question of whether the party might continue to process data on those who had voted in the primaries, as if they were members or ‘regular contacts’. They concluded eventually that they could not, because the purpose of collection was different,74 unless the voter separately consented to be contacted. Similar issues arose for the Italian DPA after primary elections for the centre-left coalition, Common Good, in 2012.75 The Garante also concluded that the purposes for collection were different, and that consent for political marketing during the general election had to be actively obtained at the time of the primary election.
The 2015 selection of the leader of the UK Labour Party raised a somewhat different set of questions about the parties’ rights to association and the privacy rights of voters. In 2014, the Party changed its method of electing the leader from a three-way electoral-college system (party members, parliamentarians, and affiliated trade unions) to a one-member-one-vote system. The new system created three categories of voters: full Labour Party members; affiliated supporters (who had signed up as a Labour Party supporter through an affiliated organization or union); and registered supporters (people who declare that they support the Labour party by signing up online and paying a fee of just £3).76 Over 600,000 people ended up receiving ballots in the recent election, of whom around 400,000 had signed up over the summer months.77
This more open process of registration was controversial. It invited ‘entryism’—supporters of other parties who wanted to create mischief by voting for the more left-wing candidate, Jeremy Corbyn. The party confirmed that it would cancel supporters’ votes if they were found either not to be on the electoral roll, or if they were members of other political parties. The latter raised some searching questions about how this monitoring would occur in such a short time frame. There were reports that Labour staffers were checking social media pages and posts, and doing Google searches to determine if the applicant had been a candidate or local activist of another party.78
In the end, the size of Mr Corbyn’s victory in the election made this vetting moot, but it does raise some intriguing privacy issues.79 To be sure, political parties have a legitimate interest in the integrity of their internal electoral procedures, and can take steps to check eligibility. Can the Labour Party scour the Internet for evidence of support for another party? Yes, but only if the individual has knowingly put this data in the public domain. If the party relies on third party accounts of someone’s political affiliation, then that raises questions of fair processing, requiring appropriate notification. There were also questions about the use of personal data from the electoral register, which are tightly controlled by law, and about the appropriate procedures for redress.
These cases suggest that the nature of political parties is changing in Europe. They are beginning to embrace more open procedures for the selection of candidates and leaders. While these changes will never emulate the primary election system in the USA, they do raise profound questions about the nature of party ‘membership’ and about the meaning of ‘regular contact’.
The final issue, and a perennial one in any contemporary discussion of privacy, is the data breach. Many legislatures around the world have enacted legislation mandating notice to data subjects about the loss or unauthorized acquisition by an unauthorized person of an information resource containing personal information. The scope and standards of these laws vary, and some of them limit liability when the data are suitably encrypted. Articles 33 and 34 of the GDPR establish new and uniform rules for notification of data breaches to both the supervisory authority and the data subject. Many organizations that suffered a breach learned that the cost of providing notice to data subjects can be large, and the damage to reputation significant.
No type of organization has been immune from such losses, including political parties. In December 2015, a database of 191 million US voter records was posted online. Neither the origins of the data nor the identity of the hacker were known. But the findings were reported by Chris Vickery of www.databreaches.net and raised some searching questions about the range of voter data publicly available, and the relative ease of obtaining these data in many states. In both the 2008 and 2012 elections, the campaigns of each of the main presidential candidates were subjected to repeated attempts at unauthorized access.80
Breaches of voter data also occur in countries that do have more centralized voter registration agencies. In 2012, there was a leak of over 2 million voter files from Elections Ontario. Two USB keys went missing containing names, addresses, genders, birth dates and whether a person voted in the last election for residents in as many as 25 ridings. An investigation by the Ontario Information and Privacy Commissioner found systemic failures in privacy management within Elections Ontario.81 Other breaches occur through the malicious activity of hackers, such as the breach of information on online donors to the Canadian Conservative Party, caused by a hacker who exploited a vulnerability within the Conservative Party website.82 In Ireland in 2011, Fine Gael’s website was the subject of a sustained denial of service attack during which the personal details (including IP addresses, mobile phone numbers, location, and e-mail addresses) of up to 2000 users of the site were compromised.83 Perhaps the most egregious example of a data breach of voter data occurred in Mexico, where it was discovered that the names and addresses of all 87 million Mexican voters were accessible through Amazon’s cloud-computing site. In this case, the publication of the database was in clear violation of Mexican law.84
Conclusion: data protection, election campaigns, and partisanship
It is tempting to conclude that the practices now observed in the USA are the direct result of a set of unique political and social conditions: a liberal campaign finance system; a constitutional tradition that provides robust protection for political speech; two dominant political parties, with a very decentralized structure; a powerful political consulting industry often with impressive technical credentials, who aggressively market their predictive models and algorithms to partisan professionals desperate for any political advantage within a highly competitive electoral environment; a digital economy and culture that puts huge emphasis on the power of ‘Big Data’; and comparatively weak and fragmented privacy laws.85
It is also tempting to conclude that these same techniques could never migrate to Europe because the sensitivity of data concerning political affiliation is rooted in a European political culture with more recent experiences of authoritarian rule.86 Anecdotally, it is generally observed in many European countries that there is a greater sensitivity among the public about their political views, and a general distrust of the intrusive political marketing and campaigning techniques. Beyond these questions lie some more troubling implications, especially when asked in the aftermath of the Snowden revelations about the intelligence practices of the National Security Agency, and its equivalents in the ‘Five Eyes’ states. There has been sufficient evidence of ‘function creep’ to question whether or not voter management platforms and databases that profile the political opinions of the electorate in increasingly detailed ways, could not be accessed and used for more sinister purposes by the national security agencies of the state.87 There is no evidence that this has occurred. But it was surely these issues that European regulators had in mind when they defined data on ‘political opinions’ as a sensitive form of data that could only be processed with knowledge and consent.
So far, European parties and candidates cannot campaign in Europe as their counterparts do in North America. Cultural, legal, institutional, financial, and other constraints will continue to block the more intrusive campaigning practices now seen in the USA. There is, however, another set of more general sociopolitical factors that are driving the contemporary trends in political marketing and voter surveillance. We need to examine this larger context in order to begin to ask the really critical questions about the implications of these trends for the future application of data protection law in Europe to political and election campaigns.
Voter surveillance has arisen during an era when political analysts have noted, and lamented, a general process of partisan de-alignment. In simple terms, fewer people have fixed attachments to political parties; fewer are now members of political parties; and fewer regard them as the main vehicle of political participation and engagement. The trend is a general one across Western democracies and rooted in an overall decline in trust in political institutions.88 One of the implications of ‘parties without partisans’89 is that political parties have needed to find newer methods to engage with the electorate to find donors, volunteers, members, and supporters. They cannot rely on huge proportions of the voting public based on conventional class or religious affiliations.
Voter surveillance techniques have arisen, therefore, partly to address this fundamental shift in partisan allegiances. Voters have become more distrustful of politics, but also more demanding. In rational choice terms, a greater proportion can be regarded as ‘clients’ of the political system, whose allegiances float depending on the personalities and programmes on offer. Unlike earlier generations, where family partisan attachments typically predicted voting behaviour, for the last 30 years higher proportions of voters in Western democracies can be susceptible to the correct marketing pitch. And that method of persuasion, it is contended, is likely to be more effective when the party knows more about the individual preferences and attitudes of the voting public. Europe is, of course, not one political culture and shifts in campaigning practices will not be felt uniformly. I would suggest, however, there are structural shifts in democratic politics that are converging with advances in information and communications technologies. No democracy will be immune from these trends.
On the whole, DPAs have been reluctant to provide guidance to parties and candidates, and less still to regulate their activities. These are inherently ‘political’ questions that would involve the DPAs in the oversight of powerful party organizations and political actors. All DPAs have limited budgets, the magnitude of which is often dependent upon the goodwill of elected politicians of all parties. So there is a natural tendency to shy away from regulatory action that would strike at the heart of the ability of politicians to communicate with the electorate and to mobilize support. On the other hand, the European data protection regime will probably be under continuing pressure from technological, political, and social forces that will demand the freer flow of information about the behaviours and attitudes of voters. DPAs nationally, and collectively under the new European Data Protection Board, will need to address both the ambiguities within the GDPR surrounding the processing of data on ‘political affiliation’ and give up-to-date and relevant guidance in this new era of the ‘data-driven’ election.