Blindspots in new guidance on use of data in campaigning

The Information Commissioner’s Office published their new “Guidance for the use of personal data in political campaigning”. Open Rights Group had already contributed to their consultation, but this is not our only initiative in this field.

We engaged with the issues exposed by the Cambridge Analytica scandal early on, raising the alarm about the potential for data misuses to erode trust in the democratic process. Later on, we focused on the issue of profiling for electoral purposes, setting up a tool to allow individuals to easily submit access requests to political parties.

Eventually, we poured these insights into our “Who do they think we are” report. Here we reviewed UK political parties’ use of personal data both from electoral registers and commercial databases, and called for

  • regulation of the scope of the “democratic engagement” lawful basis, which was widely being used by political parties to justify any collection or use of personal data;
  • implementation of collective redresses in the data protection field via the implementation of article 80.2 of the GDPR;
  • political parties to adopt a strictly opt-in model for individual profiling, in compliance with the law as well as with individuals’ reasonable expectation of not being profiled by a political party without their consent.

While the UK Government refused to implement article 80.2, the ICO has eventually developed their new guidelines for the use of personal data for political purposes. Here is our analysis.

The use of electoral registers’ data

The ICO state that the “UK GDPR Article 6(1)(e) gives a lawful basis for processing personal data only and to the extent that it is necessary for the performance of a task carried out in the public interest”. In order to be “necessary”, this activity must be more than just useful or standard practice, and there must not be some less intrusive means to achieve the same goal.

We are disappointed that the guidance does not provide greater clarity on the necessity and establishment of a meaningful limit on the profiling or processing of personal data. This is the core concern in our complaint submitted to the ICO in December about the parties’ use of personal data. We hope our complaint can help bring further clarity to this key question.

Furthermore, the ICO specifies that this lawful basis applies only for the exercise of tasks that are clearly identified by the law, and that the electoral registers’ data that are obtained for the performance of these tasks must not be shared with any other controllers. For the use of non-electoral register data, instead, it is upon elected officials to demonstrate that such a law exists and is applicable to their case — if not, data may still be processed based on legitimate interest, provided that a “three-part assessment” has been carried out beforehand.

While we would have liked more clarity about what ways and uses of electoral registers’ data are in line with the law, we welcome the overall work of the ICO in clarifying the scope of the “democratic engagement” legal basis, as well as the clarity about the fact that reliance on legitimate interest needs to be underpinned by a meaningful assessment and balancing against the rights of the individuals. This is particularly important in light of the next section.

Direct marketing and online profiling for political purposes

We applaud the ICO clarity concerning the requirement for political actors to asks for individuals’ consent before emailing them with direct marketing emails, as well as for the use of cookies, fingerprinting, pixel targeting, and other forms of online tracking.

Furthermore, the ICO clearly spells out that consent must be specifically intended to allow these communications or uses, and that “soft opt-in” is not a viable alternative. This means, for instance, that if you registered to a party-sponsored event, your email address cannot be reused to target you with electoral messages unless you gave a separate and specific consent to be contacted for this purpose as well.

On the other hand, the lines start to become blurred when we move to the field of profiling. Here, the ICO describes two different scenarios:

  • one encompassing any form of profiling, against which individuals have an unconditional right to object and opt-out from such profiling;
  • another where profiling fits the definition of “solely automated decision making” under article 22 of the GDPR. In this case, the ICO stipulates that profiling can only be carried out after having obtained explicit consent from the individual. Then, the ICO continues by arguing that micro-targeting, i.e. targeted advertising for political purposes, may indeed fall under the restrictions of article 22, provided that 5 vaguely defined criteria are met.

In doing so, the ICO seem to leave the door open for political parties to profile individuals without asking for users’ consent, unless it can be demonstrated that this had or may have “legal or similarly significant effects” on the individuals being targeted.

Other than being vague and open to interpretation, the ICO appears to be contradicting themselves. Provided that you cannot profile individuals under the “democratic exemption rule”, it is unclear how a meaningful “three-part assessment” would successfully demonstrate that the legitimate interest of a political actor overrides the rights and freedom of an individual. Indeed, it is the same ICO that points out that “profiling is often invisible”, and people may not expect their data to be used in this way, nor understand how the process works and how to exercise their rights. Knowing that, it is rather clear that profiling for political purposes will require consent in order to be performed in practice, unless some very specific and unusual circumstances apply.

Missed shots and opportunities

Profiling is one of the most controversial activities being carried out for electoral purposes. In failing to spell out this requirement in clear terms, the ICO is effectively undermining the main purpose of their guidance — to provide clarity about the interpretation of data protection principles in this particular context, and to inform non-data protection experts (campaigners, organisers, etc.) about the practical requirements they need to comply with, in the fulfillment of their tasks.

As it is, however, this guidance may already have far-reaching implications. Few of you ever gave your consent to be tracked by cookies, pixel tracking, fingerprinting, and other technologies, yet this is the kind of data that credit reference agencies have been supplying in the context of political campaigning. On top of that, legitimate interest assessments would be useful to scrutinise data processing for electoral purposes, as well as to get political parties to evaluate their own electoral activities with a critical eye.

In other words, this guidance already highlights many areas where the ICO could intervene with their powers, and ensure that political parties align with these directions.

In the meantime, you can follow our updates, check what political parties think you are, or join us, and help us shape the future of our digital lives.