Spain: DPA limits the use of data in political campaigning

No. 3, 25 March 2019 Issue

The Spanish Data Protection Authority (DPA), the Agencia Española de Protección de Datos (AEPD), has issued a notification (circular) on the use of political data during elections that could shake the foundation of political campaigning online.

The notification is a legally binding document under Article 55 of the Spanish Data Protection Law of 2018, which implements the General Data Protection Regulation (GDPR). It interprets Article 58 of the Spanish law, which complements GDPR provisions on the use of technology and personal data in election activities. Article 58 has been widely perceived in Spain as being too permissive: societal concerns about data misuse by political parties prevail after several corruption scandals and the Catalan crisis. With a social mandate to clamp down, AEPD’s notification sets some of the most restrictive conditions for political campaigning in Europe.

The notification asserts that certain safeguards are needed to permit parties to collect personal data related to political opinions during election periods. It contends that if national legislators failed to include such safeguards in the GDPR implementation law, it is the duty of the AEPD to set these out, without prejudice to measures taken by other authorities, including Spanish electoral regulators.

The notification sets out a list of general GDPR-based safeguards that it insists Spain must implement, such as the need for a Data Protection Officer (DPO), a Data Protection Impact Assessment (DPIA) and security measures for processing high-risk data. It then goes much further. It states that for personal data to be used in election campaigning it must have been “freely expressed” – not just with free will but in the strictest sense of an exercise of the fundamental rights to free expression and freedom of political opinion protected by Articles 16 and 20 of the Spanish Constitution.

The “freely expressed” provision puts an incredibly tight rein on how political parties can process personal data. According to the notification, they’re allowed to obtain political data from the web or other public sources but not from private messaging groups, which rules out obtaining data from services such as WhatsApp or Telegram. They might not be able to use data obtained from data brokers and definitely can’t infer political ideology through the use of big data or artificial intelligence techniques.

This extremely restrictive approach is justified by the need to protect fundamental rights enshrined in the Spanish Constitution. It is also predicated on GDPR provisions. Importantly, the Spanish legislator in its Data Protection Law opted to use the exemption allowed by Article 9(2) GDPR to not permit consent as one of the legal bases to enable the processing of special category data, and only allow for processing in the public interest. This created an imperative for the AEPD to be restrictive in relation to political campaigning, which it labels a “high risk” activity due to both scale and sensitivity.

Even more controversially than this, however, the notification goes on to ban any form of data processing that attempts to influence (desviar) the will of voters, claiming that such processing is not proportionate under GDPR requirements. The practical implementation of this measure may prove extremely difficult. The notification explicitly mentions “microtargeting” as a disproportionate activity, without defining what this is – a point that Spanish critics have already picked up in media coverage. A key aspect of political campaigning is also trying to change the mind of undecided voters, so where will the line be drawn?

The notification further restricts profiling activities. People can only be classified at the level of general characteristics. Profiling is not permitted at the individual level or on the basis of very specific personal characteristics. This means that political parties are only allowed to generate insights into the behavioural patterns of aggregate groups, not individuals. Clearly, this is the corollary of the microtargeting ban.

Taken together, the measures in the AEPD notification are one of the most direct challenges to the power of social media companies from a European Data Protection Authority. The measures in the document would completely stop the kind of political campaigning seen, for example, during the UK’s Brexit referendum in 2016. The complication with its enforcement, however, is that most political parties are already engaging in the activities it aims to prohibit. Both Facebook and Google have dedicated sales teams targeting politicians and vying for advertising budgets to be spent on their platforms.

Whilst the notification is a strong statement of intent, it is unclear whether the AEPD will manage to turn the tide on political campaigning alone, or whether a broader European effort will be required. Ultimately, to make any real difference, the collaboration of internet companies will be central. However, it is hard to see how they would go along with something that fundamentally undermines their whole business model.


By Open Rights Group