The use of personal data to advance political causes has never had as high a profile as it does now, thanks mainly to Brexit and the lurid tales of data manipulation usually bundled under the vague heading of the ‘Cambridge Analytica scandal’. Thanks to the efforts of certain journalists, the narrative is now fixed. Cambridge Analytica stole personal data from Facebook and used it to manipulate credulous voters to win the Brexit vote. It doesn’t matter that this didn’t happen (if you don’t believe me, read the ICO’s final monetary penalty on Facebook and their report into the political analytics investigation), this is what most people believe. When I ask people what they think Cambridge Analytica did, they usually don’t know or point to allegations that nobody has been able to prove, and when I tell them that CA didn’t work on the Brexit referendum, they often tell me to read something (Brittany Kaiser’s supposedly revelatory emails, for example) that they clearly haven’t read themselves. One of the most depressing things about all this is the number of supposedly intelligent people who rail against fake news, when they are as guilty of spreading it as anyone.
Nevertheless, if there is a good thing to come out of all this nonsense, it could be better scrutiny of how political parties and campaigns use personal data. The ICO says it has carried out audits of the major parties, though so far, nothing has come to light about what they’ve found. In the meantime, journalists have definitely started to look at political processing in more detail. An interesting example emerged today with Rowland Manthorpe’s story on Sky News of the Liberal Democrats’ use of profiling to understand voters. Using subject access, Manthorpe saw the wide range of different factors gathered and used by the LibDems to predict his likely voting intentions, and therefore inform whether and how they might approach him.
It’s very tempting to say ‘so what’? Any party that claims that they don’t do this, using data gleaned from Experian and other data brokers, is almost certainly lying. To make out that that the LibDems are doing something weird and creepy when it’s standard political practice is perhaps unfair. I did a subject access request to the Conservative Party earlier in the year, and I found an equally large amount of information – the Tories think that I have kids, read the Independent and was aged between 26 and 35 in 2017, but have now moved up to the 36 – 45 age bracket. If you seen me recently, you may wish to pause until you stop laughing. They’ve estimated my personal and household income and when I finished full-time education, and classify my household as “forward-thinking younger families who sought affordable homes in good suburbs which they may now be out-growing“. They know every time I have voted since 2014, although not who for.
Parking that, it’s worth considering the other aspects of GDPR and the Data Protection Act 2018 which are relevant to this question. To process any personal data, an organisation must have a lawful basis from Article 6 of the GDPR to do so. Several are automatically off the table for this kind of profiling – consent (because they haven’t asked), contract (there isn’t one), vital interests (nobody will die if the Tories don’t incorrectly guess that I have kids) and legal obligation are all gone. This leaves two – necessary for a task carried out in the public interest or necessary for a legitimate interest. Neither of these is automatically available. A task carried out in the public interest has to have some kind of statutory underpinning, which is apparently available via Section 8 of the DPA 2018, which specifies ‘an activity that supports or promotes democratic engagement‘ as a task carried out in the public interest. The explanatory notes to the DPA fleshes this out:
“The term “democratic engagement” is intended to cover a wide range of political activities inside and outside election periods, including but not limited to: democratic representation; communicating with electors and interested parties; surveying and opinion gathering, campaigning activities; activities to increase voter turnout; supporting the work of elected representatives, prospective candidates and official candidates; and fundraising to support any of these activities“
In order to rely on what many people call ‘public task’, political parties have to satisfy themselves (and potentially the ICO or the courts) that their profiling fits this definition, and that the best way to, for example, communicate with electors is first to profile them. I’m not saying that it’s impossible to clear that hurdle – necessary doesn’t mean the only way, just the most appropriate and proportionate way, but it’s for the LibDems (and every other party) to show that they have thought about this and considered the alternatives. Because this processing is likely to have been carried out automatically (I presume that they don’t have crowds of artisan psephologists doing it by candlelight), this could mean that a Data Protection Impact Assessment is required. I’m not certain of this because I’m not sure whether the profiling would have a significant legal or other effect on the person, but if you read the ICO’s code of practice on political campaigning, they bend over backwards to argue the case for political advertising having that effect. In any case, there are other criteria in the European Data Protection Board’s guidance which might well lead to a mandatory DPIA (for example, large scale innovative techniques, or depending on the data used, large scale processing of special categories).
Of course, they may choose to rely on legitimate interests, which again requires work. They have to demonstrate that they have balanced their legitimate interest in understanding voters against the rights and freedoms of those voters. This is must be *necessary*, and in my opinion, it is exceptionally difficult to make the case for legitimate interests where a person has not been informed of the processing.
Manthorpe’s story lays out another potential problem. The LibDems are creating special categories data (political opinion) and it’s not unknown for politicos to use profiling to infer other characteristics, like Zac Goldsmith’s apparent attempts to infer ethnicity from surnames in the 2016 London Mayoral Election. The use of special categories is technically prohibited, but one of the exemptions is the substantial public interest. The LibDems would have to demonstrate that it is in the substantial public interest for them to process the data, and as before, that it is necessary for them to process data in this way.
That isn’t enough on its own. The use of substantial public interest has to be underpinned by a specific legal authorisation, which can be found in the Schedules of the DPA 2018. The only one that political parties can rely on is paragraph 22, which allows parties to process political opinions where necessary (that word again) for the purposes of the organisation’s political activities. The GDPR’s demand for accountability means that all of this decision-making will need to be documented, and every party will have to show that they considered the proportionality and necessity of their actions. At this point, I think the DPIA question is clearly answered – because the process leads to the creation by inference of political opinions, the party is processing sensitive data on a large scale, hitting two of the criteria set out by the EDPB guidance. Two criteria means that processing is high risk and requires a DPIA; the processing is unlawful if they cannot demonstrate having carried out one.
Of course, all of this only applies to the processing, and both the GDPR and DPA make clear that they have to stop processing the data if the person requests it, even if they’ve done all of the work I’ve described above. There are no exceptions to this. Moreover, if the party wants to send a text or an email to any person, none of this helps; GDPR and DPA may allow the profiling (I don’t believe any party will have implemented the above rigorously enough to satisfy the law), but it does nothing about the rules for direct marketing in PECR. Even if they satisfy the GDPR requirements for processing special categories, that doesn’t help at all with PECR’s flat demand for GDPR-style consent when emailing individual subscribers (i.e. people using their own email addresses).
I don’t accept this for a moment. I’m a Data Protection nerd and I don’t go on random organisations’ websites to read their privacy policies just in case they might apply to me. The fact that contacting millions of people to tell them that they’re being profiled would be punishingly expensive isn’t GDPR’s problem – the sense of entitlement that political parties feel about data and how they use it should be secondary to the law. But even if you accept their argument, the fact that all parties are likely to have a file on every voter isn’t in our interests, it’s in theirs. They should be under pressure to show that platitudes like the statement above are backed up by the rigour and evidence demanded by the legislation. This should not be a story about the LibDems; this should be seen as a window into what all political parties do, and feel entitled to do. I have no faith in the ICO to sort this out, but scrutiny of what’s going on is in all of our interests.
ADVERT: I’m running GDPR courses across the UK until the end of 2019. In 2020, I’ll be running new courses on the DPA, Law Enforcement and Data Protection and Data Protection by Design. Take a look at my website for more: www.2040training.co.uk