International Data Privacy Law, 2016, Vol. 6, No. 4
ARTICLE
261
Voter databases, micro-targeting, and data
protection law: can political parties campaign in
Europe as they do in North America?
Colin J. Bennett*
Recent elections in the USA and Canada have raised to
public attention the general question of how political
parties and candidates process and analyse personal data
on individual voters. The conventional wisdom in both
countries, whether accurate or not, is that the modern
political campaign needs to be ‘data driven’ to consolidate existing support and to find potential new voters
and donors. The capture and consolidation of these data
permit the construction of detailed profiles on individual
voters and the ‘micro-targeting’ of increasingly precise
messages to increasingly refined segments of the electorate, especially in marginal constituencies.1
Although there are huge differences between presidential systems such as the US and European parliamentary systems, there is evidence that parties in other
countries are drawing lessons from the US experience
and that similar techniques are gradually entering their
politics.2 There is extensive cross-national communication about these techniques through the network of political and technical consultants, who are eager to tout
the benefits of micro-targeting and data-driven campaigning, and to sell the range of software applications,
for both database and mobile environments.
The academic literature on these subjects is still very
under-developed. While there is an extensive work on
the new ‘tech-driven’ politics as part of a larger assessment of changing campaign techniques and whether they
actually affect voter engagement,3 very little of the commentary engages with the larger question about how
voter data is being mined and profiled, nor evaluates the
risks to privacy. There has also been a relative lack of attention to these issues by the privacy and data protection
authorities (DPAs) in different countries. Back in 2005,
*
2
Key Points
Electoral campaigns in North America are increasingly ‘data-driven’ and political parties have
amassed a huge amount of personal data on voters’ political affiliations and behaviour.
These trends are driven by new technologies, but
also by the fact that parties in the USA and Canada
are generally not covered by strong data protection
rules, as they are in Europe.
This article argues that many of the trends
observed in North America will likely enter the
politics of major European countries; indeed there
are already signals that this is happening.
It reviews the application of privacy protection law
to data on political affiliation in Canada and
Europe, and reviews the likely impact of the General
Data Protection Regulation to these practices.
These developments will put pressures on
European data protection law, and data protection
authorities, as never before.
1
Colin J. Bennett, Department of Political Science, University of Victoria,
BC V8W 2Y2, Canada. This article is based on research assistance provided by Eugenio Pazzini and Tim Charlebois, graduate students at the
University of Victoria. Funding for these students was provided by the
Social Sciences and Humanities Research Council of Canada: grant no:
895-2015-1003.
S Delacourt, Shopping for Votes: How Politicians Choose Us and We
Choose Them (Douglas and McIntyre, Madeira Park 2013); S Issenberg,
The Victory Lab: The Secret Science of Winning Campaigns (Random
House, New York 2013); I Rubinstein, ‘Voter Privacy in the Age of Big
Data’ (2014) 5 Wisconsin Law Review 861–936.
3
CJ Bennett, ‘The Politics of Privacy and the Privacy of Politics: Parties,
Elections and Voter Surveillance in Western Democracies’ (2013) 18 First
Monday 8 <http://firstmonday.org/ojs/index.php/fm/article/view/4789>
accessed 13 October 2016.
PJ Davies and BI Newman (eds), Winning Elections and Political
Marketing (Routledge, London 2012); J Lees-Marchment, The Political
Marketing Game (Palgrave MacMillan, Basingstoke 2011); J LeesMarchment, J Stromback and C Rudd (eds), Global Political Marketing
(Routledge, London 2009).
C The Author 2016. Published by Oxford University Press. All rights reserved. For Permissions, please email: [email protected]
V
262
the DPAs issued a joint Resolution at their international
conference in Montreux4 and warned of ‘invasive profiling’ and the unlawful collection of ‘sensitive data related
to real or supposed moral and political convictions and
activities’. Few authorities, however, whose actions are
detailed below, have seriously grappled with these issues.
On the plausible assumption that data-driven campaigning and associated micro-targeting techniques will
increasingly be witnessed within European elections, what
are the broader impacts on privacy, and what are the implications for data protection laws and for DPAs? This
article begins with an overview of contemporary campaigning practices in North America. It then reviews the
application of European data protection law to data on
‘political affiliations’ and examines the kinds of privacy issues that have arisen, and might arise when ‘big data analytics’ are used in the electoral process. The article relies
on official documentation such as decisions, guidance,
and opinions from different DPAs on the processing of
personal data in electoral and political contexts, and on interviews with selected experts and data protection officials.
Micro-targeting and the surveillance of
the electorate in the USA
The political cultures of the USA, and to a lesser extent
Canada, have historically been far more tolerant of a variety of practices to monitor and profile the electorate,
and to use the techniques of direct marketing to poll,
canvass, and get-out-the-vote. According to Rubinstein:
Political databases hold records on almost 200 million eligible American voters. Each record contains hundreds if not
thousands of fields derived from voter rolls, donor and response data, campaign web data, and consumer and other
data obtained from data brokers, all of which is combined
into a giant assemblage made possible by fast computers,
speedy network connections, cheap data storage, and ample
financial and technical resources. Ubiquitous personal
identifiers (name and address, telephone numbers, e-mail
addresses, IP address, cookies, mobile device IDs, and other
unique IDs) allow campaigns to link and integrate these diverse datasets, while data mining and sophisticated statistical techniques allow them to engage in highly strategic and
cost-effective analysis and targeting.5
4
5
6
7
International Data Privacy Law, 2016, Vol. 6, No. 4
ARTICLE
See ‘Resolution on the Use of Personal Data for Political
Communication’ stipulated at International Conference of Data
Protection and Privacy Commissioners (16 September 2005), Montreux.
Rubinstein (n 1) 861.
US v Miller (1976) 425 US 435; Sorrell v IMS Health Inc (2011) 131 S Ct
1653.
Rubinstein (n 1) 912.
Any understanding of the US context has to begin with
the overwhelming influence of the First Amendment on
the communication of political speech and the raising
of money to facilitate that communication. The US
Supreme Court has historically regarded unrestricted
political speech as central to the purpose of the First
Amendment and to the liberal values upon which it is
founded. In cases such as US v Miller (1976) and Sorrell
v IMS Health (2011),6 it has also refused to extend privacy rights to personal data held by commercial third
parties. Thus, any attempt to regulate the flow of personal information for political campaigning purposes in
the interests of protecting the privacy of the individual
always has to confront very powerful arguments for the
free flow of that information under the freedom of
speech guarantees in the First Amendment. As
Rubinstein concludes, ‘it seems very likely that the
Court would subject privacy-based restrictions on campaign data practices and micro-targeting to strict scrutiny, which is usually fatal’.7
A constitutional framework that favours the almost
unfettered flow of personal data for political campaigns
does not ensure that those data are readily available.
The practical availability of these data was facilitated by
the Help America Vote Act (HAVA) of 2002, passed in
the wake of the irregularities and inefficiencies in the
2000 elections. HAVA requires states, among other
things, to maintain a ‘single, uniform, official, centralized, interactive computerized statewide voter registration list’.8 This legislation helped lay the groundwork
for political parties to build massive databases of all voters, and also for commercial data brokers to get into the
business of compiling, analysing, and selling voter intelligence data.9
On the one hand, there are ‘in-house’ databases for
both main parties. The Democrats operate a system
called ‘Votebuilder’ now owned by NGP VAN. The
equivalent for the Republicans is the GOP Data Center
(formerly Voter Vault). Both provide basic voter identification information to their respective candidates, including those in competitive primary elections. Both
systems are based on state voter registration data, which
are then supplemented by a variety of other sources of
data from commercial and public sources, as well as
from telephone polling and voter contact.10 Both
8
9
10
S 303 <http://www.eac.gov/assets/1/workflow_staging/Page/41.PDF>
accessed 13 October 2016.
ED Hersh, Hacking the Electorate: How Campaigns Perceive Voters (CUP,
New York 2015) 67.
N Judd, ‘Republican Party’s Technology Revival hopes Hinge on Data
and Data Analysis’ (TechPresident, 7 February 2013) <http://techpresi
dent.com/news/23479/republican-partys-technology-revival-hopeshinge-more-just-skype> accessed 13 October 2016; PN Howard and D
Kreiss, ‘Political Parties and Voter Privacy: Australia, Canada, the United
Colin J. Bennett Voter databases, micro-targeting, and data protection law
systems have their origins in the 1990s, but until the
HOVA was passed they were incomplete and
inconsistent.11
In addition to these in-house systems are a number
of commercial operations that offer not just databases,
but also integrated voter management platforms that
provide an entire suite of services for any campaign:
website design and development; social media outreach;
the generation of geo-targeted lists for e-mail and texting; the management of volunteers; as well as the publication of more traditional campaign materials. These
platforms also integrate data from commercial data brokerage sources, and so the political data on party affiliation and behaviour is combined with other data on
activities, interests, and purchasing habits available
from data brokerage firms such as Acxiom, Dun and
Bradstreet, InfoUSA.12 Marketers tend to assume that
people with similar cultural backgrounds, means, and
perspectives naturally gravitate towards one another to
form relatively homogeneous communities. Once settled, people emulate their neighbours, adopt similar social values, tastes, and expectations and, most important
of all, share similar patterns of consumer behaviour towards products, services, media, and promotions.
Political parties thus tweak these data to fit political categories and draw inferences about what policies such
groups might be interested in hearing about.13
On the Democratic side, the main example of such a
system is Catalist, best understood as a ‘data cooperative’ according to its chief executive, Laura Quinn.14 In
the Catalist database, every voter is listed with more
than 700 descriptive fields, almost half of which come
from commercial sources.15 Criticism of the operation
of the Republicans’ central database after the 2012 election prompted the Koch billionaires to invest in a parallel commercial operation called i-360, which has been
generating voter data for the candidates in the 2016
elections. They claim a massage database of 190 million
registered voters:
So we’ve got quantity – but what’s even more important to
us is the quality of our data. To ensure it is as accurate as
possible, we update our data constantly. We source
11
12
13
14
15
Kingdom, and United States in Comparative Perspective’ (2010) 12 First
Monday 15 <http://firstmonday.org/ojs/index.php/fm/article/view/2975/
2627H> accessed 13 October 2016.
Hersch (n 9) 67.
Issenberg (n 1).
Delacourt (n 1) 258.
‘Politics by Numbers’ The Economist (London, 26 March 2016) <http://
www.economist.com/news/special-report/21695190-voters-america-andincreasingly-elsewhere-too-are-being-ever-more-precisely> accessed 13
October 2016.
Hersch (n9), 169.
ARTICLE
263
thousands of attributes from multiple consumer data compilers, constantly refresh voter registration information
from all states and gather millions of political and issue attributes on an ongoing basis. We then expand the efficacy
of this data by using it to build our national predictive
models that help clients answer unknowns through the
most advanced data science.16
It is also worth noting that some campaign organizing
companies are agnostic as to the type or ideological purpose of the campaign that they support. So a company
like NationBuilder now boasts 7000 customers in
98 countries, ranging from Amnesty International
to AirBnB to the Republican Party of Florida to
Arizona State University.17 One of the oldest companies in the business, Aristotle.com, is similarly nonpartisan.
Parties are becoming increasingly adept at using social media to target messages, recruit volunteers and donors, and track issue engagement. Politicians know that
a large social media following can lend credibility to
their campaigns. Just as a packed town meeting can add
to the perception that a candidate is worth following,
the same holds true for social media. But a basic count
of Twitter followers or Facebook ‘Likes’ (vanity metrics)
will not tell much in isolation. Campaigns, therefore,
desire answers to other questions: Who is following
you? Are they ‘influencers’? Is your following increasing,
decreasing, or holding steady? What is the trend over
time? Are people interacting with your content? Which
of your posts are generating activity and on which issues?18 There are customizable applications that work
within the social media platform, making it easier for
individuals with the click of a mouse, to donate, join an
e-mail list, sign petitions, sign up for events, or volunteer. A contemporary example is ActionSprout:
‘Knowing your supporters and how they are engaging
with you on Facebook allows you to more effectively
target fundraising or advocacy efforts through email
and Facebook ad campaigns.’19 Other apps, such as the
Action Center promoted by NGP VAN, empower social
media followers to recruit, raise money, and engage
from their own networks.20
16
17
18
19
20
i-360, ‘What We Do’ <http://www.i-360.com> accessed 13 October
2016.
NationBuilder, ‘Homepage’ <http://nationbuilder.com> accessed 13
October 2016.
C Delany, ‘How Political Campaigns and Advocates Can Use Social
Media Data’ (Epolitics.com, 14 January 2014) <http://www.epolitics.com/
2014/01/14/how-political-campaigns-and-advocates-can-use-social-me
dia-data/> accessed 13 October 2016.
ActionSprout, ‘Fundraising of Facebook’ <www.actionsprout.com> accessed 13 October 2016.
Action Center, ‘Homepage’ <http://plus.ngpvan.com/actioncenter> accessed 13 October 2016.
264
International Data Privacy Law, 2016, Vol. 6, No. 4
ARTICLE
In 2012, a more controversial app launched by the
Obama for America campaign through Facebook allowed access to the entire ‘social graph’ of over 600,000
Facebook friends. In an instant, the campaign had access to more than 5 million contacts that potentially saw
each other registering to vote, giving money, sharing
videos on the campaign, and voting on or before
Election Day. And when matched against other voter
files, these contacts were prioritized for ‘targeted sharing’.21 Facebook has since prohibited the practice.
A larger shift in campaign logic underlies many of
these new trends, namely that voters are more likely to
be persuaded if they see their peers supporting a particular party or candidate.22 Polling evidence suggests emphatically that voters, and particularly young voters, do
not trust parties or media organizations, but they are
more likely to be influenced by the attitudes and behaviours of their friends. Scientific studies have also indicated that this kind of ‘targeted sharing’ through
Facebook can have a small but significant impact on
voting, especially among the 18–29 age group.23
Finally, the explosion in the use of mobile applications designed for the new generation of smartphones
and tablets build upon these existing trends. In recent
election cycles, mobile apps have been used for: more
traditional one-way political messaging; door-to-door
canvassing; event management; encouraging donations;
and broader civic engagement. For instance, the simple
use of these apps for ‘push notifications’ allows candidates to keep voters up-to-date with latest campaign activities, and often contain built-in templates that allow
supporters to share those messages with friends and
family. Mobile applications have also been developed
for canvassing. A typical example is ‘Ground Game’
from a company called Moonshadow, which integrates
geo-positioning software to plan routes for campaign
workers, and to deliver metrics to campaign headquarters about doors knocked on, time in the field, distance
walked and so on. Information conveyed during doorstop conversations can also be entered in real time and
conveyed to party databases.24 Donating is also becoming quicker and more decentralized. Blue State Digital
now integrates a ‘Quick Donate’ feature through mobile
e-mail or SMS.
So, modern technologies have fundamentally altered
the dynamics of modern campaigning in the USA providing new ways to broadcast relevant political information, to influence voters’ attitudes and behaviour, to
encourage campaign donations and to more precisely
engage networks of potential supporters. But there is
also a considerable hype in popular writing and corporate promotions about the extensiveness and accuracy
of these technologies.25 Hersh’s analysis suggests that
commercial data is often inaccurate, dynamic, and only
weakly correlated with indicators of political affiliation.26 Thus, ‘when campaigns perceive voters, they do
not see the opinions, traits and behaviors that voters see
themselves. They see perceived voters, a simplified and
distorted version of the electorate that is based on the
data available to them.’27
From a privacy perspective, however, voter intelligence data may be ‘the largest concentration of unregulated personal data in the US today’.28 Are these trends
apparent in other democratic states? I first examine the
experiences of Canada, whose parliamentary system is
more in line with European states and whose privacy
protection laws generally do not cover the activities of
political parties. I then turn to the current situation in
Europe and to the data protection regime that regulates
personal data on political opinions and affiliations.
21
26
27
28
29
22
23
24
25
M Sherer, ‘Friended: How the Obama Campaign Connected with Young
Voters’ Time Magazine (20 November 2012) <http://swampland.time.
com/2012/11/20/friended-how-the-obama-campaign-connected-withyoung-voters/> accessed 13 October 2016.
Issenberg (n 1).
RM Bond and others, ‘A 61-Million-Person Experiment in Social
Influence and Political Mobilization’ (2012) 489 Nature 295–98 <http://
www.nature.com/nature/journal/v489/n7415/full/nature11421.html>
accessed 13 October 2016.
Moonshadow, ‘Product’ <http://www.moonshadowmobile.com/prod
ucts/ground-game-mobile-canvassing/> accessed 13 October 2016.
Hersh (n 9), 11.
Voter identification and relationship
management systems in Canada
In Canada, there has been close collaboration between
Republican consultants and the Canadian Conservative
party, whose Constituent Information Management
System (CIMS) was developed in 2004 using the Voter
Vault software. In Canada, voter lists are legally provided to political parties under the authority of the
Canada Elections Act.29 The Conservatives then use this
framework to populate the database with a range of
other data on voter preferences.30 The published training materials on CIMS reveal that each voter is assigned
30
Hersh (n 9), 176.
Hersh (n 9), 12.
Rubinstein (n 1) 881.
CJ Bennett and RM Bayley, ‘Canadian Federal Political Parties and
Personal Privacy Protection: A Comparative Analysis’ (2012) Privacy
Research Papers: Office of the Privacy Commissioner of Canada <http://
www.priv.gc.ca/information/research-recherche/2012/pp_201203_e.asp>
accessed 13 October 2016.
B Curry, ‘Robo-Call Furor Focuses Attention on Massive Tory Database’
The Globe and Mail (29 February 2012) <http://www.theglobeandmail.
com/news/politics/robo-call-furor-focuses-attention-on-massive-torydatabase/article4092455/> accessed 13 October 2016.
Colin J. Bennett Voter databases, micro-targeting, and data protection law
a score of 15 to þ15 on the basis of these data
(Conservative Party of Canada). Walk lists, phone lists,
e-mail lists, lawn sign allocations, and other campaigning tools are then generated that then allow the party to
more efficiently target and mobilize their supporters. It
was reported that a new Conservative voter management system, entitled C-Vote, was scrapped in 2013,
costing the party millions of dollars.31 The Canadian
Liberal Party has a similar ‘voter identification and relationship management system’ called Liberalist, originally based on the Democrats’ Voter Activation
Network platform. The left-of-centre New Democratic
Party uses a system called Populus. There has been
heightened scrutiny of these systems during the October
2015 general election.32
Neither the Canadian Privacy Act of 1982 nor the
Protection of Personal Information and Electronic
Documents Act (PIPEDA) of 2000 cover political parties; like some other non-profit entities, they fall between the cracks of the Canadian privacy protection
regime. Nevertheless, the Canadian Privacy
Commissioner has received a number of complaints
about invasion of privacy by candidates and politicians
going back several years. Partly in response, the office
commissioned a study on the subject, which concluded
that the main federal parties process an increasing
amount of data on supporters, non-supporters, volunteers, candidates, and employees, and should be
brought under the jurisdiction of Canadian privacy
law.33
The issue has also achieved prominence as a result of
a scandal involving the practice of ‘robo-calling’ at the
2011 federal election. Voters in key marginal ridings received automatic calls from an individual purporting to
represent Elections Canada and informing them
(falsely) that their place of voting had changed. The
‘robo-call’ scandal hit the front pages, and prompted investigations from the Royal Canadian Mounted Police
and from Elections Canada. The most interesting aspect
of this affair is that only non-Conservative supporters
were targeted, meaning that the individual must have
had authorized or unauthorized access to the CIMs
database. The Chief Electoral Officer recommended that
the basic privacy principles within PIPEDA should be
applied to political parties.34
31
32
L Payton, ‘Conservative Campaign Database Fiasco Costs Party Millions’
(CBC News, 23 October 2013) <http://www.cbc.ca/news/politics/conser
vative-campaign-database-fiasco-costs-party-millions-1.2187603>
accessed 13 October 2016.
S Ormiston, ‘Federal Election 2015: How Data Mining Is Changing
Political Campaigns’ (Canadian Broadcasting Corporation News, 3
September 2015) <http://www.cbc.ca/news/politics/federal-election2015-how-data-mining-is-changing-political-campaigns-1.3211895>
accessed 13 October 2016; CJ Bennett, ‘They’re Spying on You: How
ARTICLE
265
These voter management systems are less extensive
than in the USA, and have to operate within a general
data protection framework, covering the private sector
and restricting the purchase of personally identifiable
data from the commercial data brokerage market. But
the same logic seems to be at work, and has been eagerly
embraced by the parties and by the consultants and
pollsters that work for them. The micro-targeting of the
electorate enables campaigns to allocate their finite resources more efficiently. It provides innovative ways of
discovering new voters, and it supports new methods of
delivering individualized messages either through direct
mail, door-to-door canvassing, phone calls, e-mail, text,
or social media. The overriding assumption of the data
driven campaign is that the more you know about who
will vote, how they will vote and what issues they are interested in, then the more efficient and targeted the
campaign can become. Despite the obvious legal, structural, and cultural differences between the USA and parliamentary systems, the hype about the data-driven
campaign, and its presumed success in electing
President Obama, have been irresistible trends and are
beginning to alter electoral politics in Canada and in
other democratic countries.
European law, political parties, and
election campaigns
So, what of the application of privacy law in Europe to
political parties? It is first important to note that the distribution of voter lists to candidates and parties is more
heavily regulated in European societies than in either
the USA or Canada. It is difficult to generalize across an
entire continent, but most election legislation contains
some strict stipulations for the sharing of voter contact
data before, during, and after election campaigns. Most
countries only permit the sharing of name, address, and
date-of-birth (no other contact information). And very
few countries make the lists digitally available. DPAs in
countries like Italy and France have also been quite diligent in ensuring that the lists are not used for commercial purposes.
The rules in France are illustrative and stand in stark
contrast to those in the USA. Under the Code Electorale,
electoral lists are handled by each commune though any
33
34
Party Databases Put Your Privacy at Risk’ (Ipolitics.ca, 1 September 2015)
<http://ipolitics.ca/2015/09/01/theyre-spying-on-you-how-party-data
bases-put-your-privacy-at-risk> accessed 13 October 2016.
Bennett and Bayley (n 29).
Chief Electoral Officer of Canada, Preventing Deceptive Communications
with Electors (2013) <http://www.elections.ca/res/rep/off/comm/comm_
e.pdf> accessed 13 October 2016.
266
changes to the list must be reported to l’Institut national
de la statistique et des études économiques within eight
days. The listing on one (and only one) voter list is
obligatory for all French citizens. The voter list is to
contain the family name, surname, and domiciliary address, including the number and street name where
available, of each voter.35 Voter lists are to be kept in a
registry in the commune’s archives, and may be accessed
and copied by ‘any voter, any candidate and any political party or group’, including those who belong to another commune. The list may be accessed at either the
appropriate town hall or prefecture, depending on the
commune. A consultation of the list is a free service,
whereas a paper copy may be subject to a fee of up to
0.18e per black and white page or up to 2.75e for a CDROM.36
Turning to data protection law, under both the 1995
European Data Protection Directive (95/46/EC)37 and
the new General Data Protection Regulation (GDPR),38
political parties are clearly covered. There are a number
of relevant provisions. Data on political opinions is unequivocally defined in the GDPR as a ‘sensitive’ form of
personal data. Article 9(1) states that the ‘processing of
personal data revealing racial or ethnic origin, political
opinions, religious or philosophical beliefs, or trade
union membership, and the processing of genetic data,
biometric data for the purpose of uniquely identifying a
natural person, data concerning health or data concerning a person’s sex life or sexual orientation shall be
prohibited’. These categories mirror those mentioned in
the revised Council of Europe Convention 108.
They are also derived from the principles of nondiscrimination on grounds of political opinion
enshrined in Article 21 of the Charter of Fundamental
Rights of the European Union (EU).
The GDPR then lists a number of exemptions, two of
which are directly relevant to the political context.
Article 9.2(d) permits processing when:
carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any
other non-profit seeking body with a political, philosophical, religious or trade union aim and on condition that the
35
36
37
International Data Privacy Law, 2016, Vol. 6, No. 4
ARTICLE
République Française, ‘Code électoral’ (Legifrance, 31 July 1998)
<https://www.legifrance.gouv.fr/affichCode.
do;jsessionid¼10DE1E6440B8C6DD2D0F2F8AB937C839.tpdila14v_3?
cidTexte¼LEGITEXT000006070239&dateTexte¼20160506> accessed 13
October 2016.
République Française, ‘Comment consulter les listes électorales?’ (Service
Public, 3 February 2016) <https://www.service-public.fr/particuliers/vos
droits/F1963> accessed 13 October 2016.
Directive 95/46/EC of the European Parliament and of the Council of
24 October 1995 on the protection of individuals with regard to the
processing of personal data and on the free movement of such data
[1995] OJ L281.
processing relates solely to the members or to former members of the body or to persons who have regular contact
with it in connection with its purposes and that the personal data are not disclosed outside that body without the
consent of the data subjects.
Article 9.2(e) permits processing that ‘relates to personal data which are manifestly made public by the data
subject’. Recital 56 of the GDPR attempts to clarify this
exemption in the case of political parties: ‘Whereas
where, in the course of electoral activities, the operation
of the democratic system requires in a Member State requires that political parties compile data on people’s political opinions, the processing of such data may be
permitted for reasons of public interest, provided that
appropriate safeguards are established.’ None of these
provisions is substantially different from those in the
1995 Directive. As far as can be gathered, questions
about the processing of personal data in the political
arena were not issues of contention in the lengthy debates about the provisions of the GDPR and about its
uniform application across the EU.
So what do they now mean? According to earlier
guidance provided by the Article 29 Working Party, the
assumption behind the special category classification is
that misuse of these data could have more severe and
irreversible consequences for the individual’s fundamental rights.39 They also stress that the term ‘data revealing racial or ethnic origin, political opinions,
religious or philosophical beliefs, trade-union membership’ means not only the data itself, but also data from
which sensitive information with regard to an individual might be concluded or inferred.40 With few exceptions, the Working Party found that these provisions
had been translated into national legislation under the
Directive in a similar fashion, although some interestingly had added a category of ‘party membership’ in
addition to that of trade union membership. In their
subsequent discussion of potential problems with the
implementation of Article 8, they do not explicitly
mention any issues related to the processing of personal
data on political opinions by political parties. They
highlighted problems with the definition of
38
39
40
Regulation (EU) 2016/679 of the European Parliament and of the
Council of 27 April 2016 on GDPR, OJ L119/1 (2016) <http://ec.europa.
eu/justice/data-protection/reform/files/regulation_oj_en.pdf> accessed
13 October 2016.
See EU Art 29 Data Protection Working Party, ‘Advice Paper on Special
Categories of Data (“Sensitive Data”)’ (2011) <http://ec.europa.eu/jus
tice/data-protection/article-29/documentation/other-document/files/
2011/2011_04_20_letter_artwp_mme_le_bail_directive_9546ec_annex1_
en.pdf> accessed 13 October 2016.
EU Article 29 (n 39), 6.
Colin J. Bennett Voter databases, micro-targeting, and data protection law
philosophical beliefs, race, and health data, but there
was no indication that ‘political opinions’ were a problematic category. Neither was there any discussion of
the meaning of the Recital on electoral activities and
political opinions.
Where the European DPAs have been asked to resolve complaints about the processing of political data,
they have generally taken a strong stance. They do receive complaints during the election cycle, but the issues
raised tend to be quite familiar and mundane: the inappropriate communication by phone, e-mail, or text to
people who have not given their consent; the nonconsensual capture of personal data by elected officials
who come into contact with constituents in their capacities as electoral officials and communicate data on electors to their party headquarters; and the use of
membership lists for other organizations (churches,
unions, clubs, schools, etc) used by candidates for political canvassing. As noted above, there also tend to be far
stricter rules on the transfer and maintenance to political parties of the basic address and contact information
from the respective electoral regulatory agencies.
The fact that these questions have not been raised in
Europe to the same extent as in North America should
not, however, lead us to conclude that the law is clear.
The definition of ‘political opinions’ is vague and they
might be inferred from a whole range of different
behaviours and sources, magazine and newspaper readership, group memberships, and so on. And should we
regard political opinions as confined to questions of political ‘affiliation’? These data might be processed when
they relate to ‘the members or to former members of
the body or to persons who have regular contact’. All
parties have done this legally; indeed many are required
under law to do so when those members are making financial donations. But what does ‘regular contact’
mean? Attending a meeting, following on Twitter, liking
the candidate or party on Facebook? And what of political communication that might be in the public domain—signs in windows, letters in newspapers, blog
postings, and so on? Increasingly, citizens convey explicitly and implicitly their political affiliations and preferences in an increasing number of contexts, and in a
41
42
43
T Ross, How the Tories Won: The Inside Story of the 2015 Election
(Biteback Publishing, London 2015) 95.
J Messina, ‘Big data e door to door nel piano per i sindaci Pd del guru di
Obama e Cameron’ (The Huffington Post, 31 March 2016) <http://www.
huffingtonpost.it/2016/03/31/jim-messina-pd-amministrative_n_
9583614.html> accessed 13 October 2016.; Data Driven Politics,
‘l’America è Vicina’ (Ilsole24ore, 2 February 2016) <http://nova.ilso
le24ore.com/progetti/data-driven-politics-lamerica-e-vicina/> accessed
13 October 2016.
In Italy, Policylab has recently launched the app ‘GIS for election’, an integrated service for political campaign that aims at integrate street maps
with socio-economic data extractable form big data. See PolicyLab,
ARTICLE
267
range of manners. And what does Recital 56 actually
mean? ‘In the course of electoral activities’, it begins. Is
that solely during an election campaign? Most parties
would contend that they are engaged in a perpetual process of campaigning in modern politics. ‘The processing
of such data may be permitted for reasons of public interest’, it continues. Is the mobilization of a party’s supporters during an election a ‘public interest’? And what
are the ‘appropriate safeguards’?
I contend that the meaning of these provisions will
come under increasing scrutiny as a result of the import
of campaigning techniques from North America, and
the promotion of these practices by American political
consultants. We know, for instance, that Jim Messina,
Obama’s campaign manager has assisted both the
British Conservative Party in its 2015 reelection campaign41 and Italian Prime Minister, Matteo Renzi, on
the upcoming referendum for constitutional reform.42
Within the confines of European law and political culture, new start-ups are arising across major European
countries for voter engagement and outreach.43
Within this context, I note four interconnected issues
that will probably be prominent: the legality of voter
management databases; the question as to whether political parties should be treated the same as commercial
organizations in the rules for unsolicited communications by phone, text, email, and web-based advertising;
the processing of personal data from social media; the
fair use of personal data as a result of more open processes for the selection of party leaders; and, of course,
the greater likelihood of data breaches.
Voter management databases in Europe
The internal data processing operations of political parties
in every country are typically shrouded in a good deal of
secrecy. The inherent competitiveness of the electoral environment, and the proprietary nature of the new campaigning technologies, mean that outsiders have
considerable difficulty discovering the extent to which
parties capture data on the wider electorate, beyond that
of their members, donors, and ‘regular contacts’.
‘Servizi’ <http://policylab.it/servizi#> accessed 13 October 2016;
Inpolitix and PolicyBrain also claim to use Big Data for political purposes; see Inpolitix, ‘Tutte le caratteristiche’ <http://www.inpolitix.com/
caratteristiche.php > accessed 13 October 2016; see Policy Brain, ‘Capire
cosa faranno i Politici grazie ai Big Data’ (Linkiesta, 2 July 2015) <http://
www.linkiesta.it/it/article/2015/07/02/policy-brain-capire-cosa-faranno-ipolitici-grazie-ai-big-data/26531/> accessed 13 October 2016; in France,
a new start-up called Cinquante Plus Un (50 þ 1) claims to be the ‘first
campaign technology start up in Europe’ with clients in several European
countries. See Liegey Muller Pons, ‘Homepage’ <http://www.liegeymul
lerpons.fr/> accessed 13 October 2016.
268
That said, we do know that the only European country whose parties admit operating voter management
databases of the kind seen in North America is the UK.
The main British political parties have operated such
databases for several years, using similar proprietary
software to their counterparts in the USA and Canada.
They too augment the basic address information from
the electoral roll with additional personal data on supporters and non-supporters from census data, commercially available databases and polling data.44 The
Conservative Party originally used the ‘Voter Vault’
software developed by the Republicans and then shifted
to MERLIN (Managing Elector Relations through Local
Information Networks).45 The Tories made a further,
and quite late, change for the 2015 election, adopting a
new system called VoteSource, which profiled voters on
a 1–10 scale and arguably allowed the party to build a
more nuanced and complete picture of voter intentions.46 How effective the system was, however, is open
to debate; VoteSource reportedly crashed on election
night.47 There were also complaints that this system,
like many others, has to work within a constitutional
structure that relies on local party organizations to sign
up new members and keep the database updated.48
The Labour Party adopted a system, developed by
Experian, called ‘Contact Creator’ in 2008. The system
was supposed to integrate membership lists with voter
identification information from the electoral roll and
place this in the hands of local campaigners. If you visit
the Labour Party website and enter your e-mail,
that too is immediately captured. The system was designed to allow the canvasser to ‘know exactly who
you are talking to’.49 The system was retooled using
NationBuilder software in 2013.50 The Liberal
Democrats adopted a version of the Voter Activation
Network system for the 2015 election.51
Under the existing Data Protection Act, data controllers like the Conservative Party are obliged to register
with the Information Commissioner’s Office (ICO) and
44
45
46
47
48
International Data Privacy Law, 2016, Vol. 6, No. 4
ARTICLE
N Anstead, Data, Democracy and Political Communication: A Case Study
Examining the Use of Data in the 2015 UK General Election (Unpublished
Report, October 2015); Amberhawk Training Ltd, Could the Conservative
Party’s Electoral Database Breach the Data Protection Act? (5 March 2013)
<http://amberhawk.typepad.com/amberhawk/2013/03/could-the-conser
vative-partys-electoral-database-breach-the-data-protection-act.html?
utm_source¼feedburner&utm_medium¼feed&utm_campaign¼Feed%
3AþHawkTalkþ%28HawkþTalk%29> accessed 13 October 2016.
J Crabtree, ‘David Cameron’s Battle to Connect’ Wired Magazine (24
March 2010) <http://www.wired.co.uk/magazine/archive/2010/04/fea
tures/david-camerons-battle-to-connect> accessed 13 October 2016.
Ross (n 41), 93–94.
Ross (n 41), 105.
P Abbott, ‘Don’t Just Blame VoteSource: The Party Needs Constitutional
Change’ (Conservative Come, 2015) available at < http://www.conservati
vehome.com/thecolumnists/2015/09/paul-abbott-dont-just-blame-vote
describe the reasons for processing, the type of information processed, the subjects of the processing, and to
whom the information may be shared. One registration
seems to have been submitted for the Conservative
Party, whereas all Constituency Labour Parties seem to
have separate entries. Interestingly, however, the register
entries read very similarly. Both parties claim to process
various categories of non-sensitive classes of personal
information: personal details; family details; lifestyle
and social circumstances; goods and services; financial
details; education and employment details. They also
claim that they may process sensitive classes of information that may include: physical or mental health details;
trade union membership; racial or ethnic origin and political opinions. Both parties state that they only process
information about ‘our members, supporters, complainants and enquirers and employees’. Neither admits
in its registration to the processing of personal data on
the general voting public, including non-supporters.52
The ICO has not ruled on the legality of such databases. According to Christopher Pounder, however, systems like VoteSource, that profiles the entire electorate,
and not just members of those with regular contacts are
of questionable legality.53 He raises a number of issues.
First, it is not true to assert that data that is otherwise
‘public’ is somehow removed from the ambit of data
protection law and, therefore, ‘off limits’. Some citizens
do reveal a great deal about their political affiliations in
many ways in the offline and online world (law signs,
bumper stickers, letters to the editor, blog and social
media posts, and so on). However, rights of access and
correction would still apply to these data, as would security safeguards. Secondly, there are probably enormous problems of accuracy and issues of fair processing
when the party is processing comments from third parties on someone’s political views. And is it fair to process personal data from social media postings when they
have not been posted with the intent that they be copied, stored, and used to profile the data subject? In the
49
50
51
52
53
source-the-party-needs-constitutional-change.html > accessed 13
October 2016.
See Introducing Contact Creator (2008), Labour Party YouTube Channel
<https://www.youtube.com/watch?v¼kgb33yfHl8g> accessed 13
October 2016.
M Ferguson, ‘5 Key Things to Take Away from Labour’s Target Seat List
(and Election Strategy)’ (LabourList, 8 January 2013) <http://labourlist.
org/2013/01/5-key-things-to-take-away-from-labours-target-seat-listand-election-strategy/> accessed 13 October 2016.
R Cookson, ‘Parties Make It Personal with Tailored Messages in Election
Battle’ Financial Times, Politics and Policy (London, 17 February 2015)
<https://www.ft.com/content/ad97068e-b062-11e4-92b6-00144feab7de>
accessed 13 October 2016.
See ICO, ‘Data Protection Public Register’ <https://ico.org.uk/esdweb
pages/search> accessed 13 October 2016.
Amberhawk (n 44).
Colin J. Bennett Voter databases, micro-targeting, and data protection law
ARTICLE
269
personal data outside the EU given the demise of the
EU–US Safe Harbor program.57
In Italy, the influential Five Star movement has
launched a system called ‘Rousseau’ to facilitate more
effective engagement of members and supporters.58
Two other platforms, Inpolitix and PolicyBrain, are reportedly also promoting the use of big data analytics for
campaigning purposes.59 Other companies offer candidates and parties basic products for website development, social media outreach, and some basic mapping
applications. Each new European start-up that claims to
empower, mobilize, network, and recruit, has to do so
within the confines of a European data protection regime based on principles of express consent. The balance is going to be a tricky one.
absence of notice and consent then, UK (and European
law) requires a balance of interests test. Do the legitimate interests of the political party (to educate the public and mobilize the vote) override the privacy rights of
the data subject, where sensitive data is being processed?
How then can the party take into account those legitimate interests without informing data subjects about
the nature and purpose of the processing in the first
place?
Beyond the UK, there is evidence that certain techniques for voter management have entered the politics
of other European countries. A company called
Cinquante Plus Un, created by three students who
worked together on the 2008 Obama campaign, is
claimed to be the first campaign technology start-up in
Europe. According to their website, ‘[they] design
groundbreaking campaign apps for candidates and
elected officials, based on the latest research in political
science and the opportunities offered by Open Data, Big
Data, and new technologies’.54 Their focus seems to be
on addressing voter apathy and abstention in France using door-to-door canvassing as a method of ‘recovering’
alienated voters, and particularly young people, ethnic
minorities and people in poorer neighbourhoods.55 Like
equivalents in the USA, the software permits a campaign
to analyse and map neighbourhoods, plan effective canvassing, and manage contacts. They now claim to have
supported over 300 electoral campaigns in 14 different
European countries.
The community organizing system, NationBuilder is
now also quite popular among right-wing candidates
and parties in France; the Republican Party (Parti
Republicain) signed a contract with the company in
2015. NationBuilder claims to offer a fully integrated
suite of tools for the organization of a campaign, and
outreach through e-mail, telephone, social media, and
traditional door-to-door campaigning. Some claim that
the use of these technologies represents a paradigm shift
in French politics, and will ‘uber-ize’ French political
life.56 The Commission de l’Informatique et Libertes
(CNIL) has audited some of these systems, but not, of
course, NationBuilder, based in the USA, thus raising
profound questions about the continued transfer of
A second, and related, set of issues concerns how the
communications of parties and candidates should be
regulated under data protection (and related) law.
These issues have taxed the DPAs in the past and will
continue to do so as the means of delivering political
ads to more precise segments of the electorate gets more
sophisticated. At root lies the question of whether the
communication of political content should be treated in
a fundamentally different way to the delivery of commercial messages.
The rules for unsolicited communications in
Europe are not just guided by the 1995 Data
Protection Directive, but also by the 2002 Directive on
Privacy and Electronic Communications—the EPrivacy Directive,60 Article 13 of which governs unsolicited communications. The latter makes no reference
to marketing for political purposes in the text. In a
2005 case before the UK ICO relating to the Scottish
National Party, the UK Information Tribunal confirmed that the provisions of the E-Privacy Directive
did have a broad application, beyond the strictly
‘commercial’ world, and, therefore, applied to political parties.61 Political parties, therefore, in promoting
their ideas and soliciting support and donations are
54
55
59
60
56
57
58
Liegey, Muller, Pons (n 43).
G Liegey, A Muller and V Pons, ‘L’abstention n’est pas un fatalité’ (2011)
3 Esprit 77.
A Guiton, ‘NationBuilder: aide-toi, le logiciel t’élira’ Libération (Paris, 20
April 2016) 24.
NationBuilder has recognized this problem and is encouraging its customers to execute separate data processing agreements <http://nation
builder.com/safe_harbor> accessed 13 October 2016.
Rousseau, Sistema operative del M5S, ‘Homepage’ <https://rousseau.
movimento5stelle.it/> accessed 13 October 2016.
Political communication and
marketing rules
61
PolicyBrain (n43).
Directive 2002/58/EC of the European Parliament and the Council of 12
July 2002 concerning the Processing of Personal Data and the Protection
of Privacy in the Electronic Communications Sector (‘E-Privacy
Directive’, 2002), OJ L201 <http://ec.europa.eu/justice/data-protection/
law/files/recast_20091219_en.pdf> accessed 13 October 2016.
E Kosta, Consent in European Data Protection Law (Koninklijke Brill,
Leiden 2013) 353.
270
International Data Privacy Law, 2016, Vol. 6, No. 4
ARTICLE
engaged in ‘marketing’ and are, therefore, subject to
the same provisions.
Article 5(3) of the E-Privacy Directive also requires
prior informed consent for storage or access to information stored on a user’s terminal equipment. In other
words, controllers must ask users if they agree to most
cookies and similar technologies before the site starts to
use them. For consent to be valid, it must be informed,
specific, freely given and must constitute a real indication of the individual’s wishes. There is nothing in the
Directive to suggest that this provision does not apply
to political party websites. Indeed there was a case in the
Netherlands where Dutch political parties were found
to be violating the rules they had just passed in furtherance of these rules.62
Most DPAs in Europe, according to my brief survey,
have received complaints about unsolicited communications by political parties. Some of these complaints
stem from solicitations from parties that the data subject would never support, triggering irate questions
about how that party got their contact details. Three
countries, the UK, France, and Italy, have produced
more detailed guidance directed at political communication. The rules are becoming increasingly complex, as
the methods and nature of political communication
have extended to different technologies.
The first general guidance on political communication from a European DPA appears to come from the
Italian Garante per la Protezione dei Dati Personali in
2004.63 The guidance expressly addresses ‘Privacy and
Electoral Propaganda’ and stipulates that ‘personal data
may be used without the data subjects’ consent for electoral propaganda purposes if the data are taken from
sources that are truly “public”, i.e. unlimitedly available
to anyone’. It then lists the types of public registers that
do, and to not, fall within this category. Interestingly,
the Garante concedes that ‘although electoral propaganda may not be classed with commercial and marketing communications, it is not permitted in cases other
than those mentioned above without the data subject’s
prior, specific consent’. The guidance addresses text and
email communications but dates before the time when
political parties made extensive use of websites or social
media. Updated guidance, published in 2014, details
further who might be considered as having a ‘regular
contact’ with an Italian political party. It stipulates that
‘it is forbidden to use for electoral propaganda’: data
gathered automatically through software; lists of subscribers to Internet service providers; data published on
websites; and data gathered by social networks, news forums, or news groups.64
The British guidance from the ICO dates from 2005
and was issued partially in response to the case against
the Scottish National Party for using automated robocalling for political marketing purposes. There was a
similar complaint and ruling against the Labour Party
in 2010. The guidance was updated in 2014.65 It
addresses the practical meaning of consent in the electioneering context, by means of post, email, text, fax,
phone, and automated messages. It discusses the oftentricky relationship between national party headquarters,
local campaigns, and the third party market research
firms that work for parties. When a party purchases or
rents lists from a third party data broker to contact individuals that meet a particular profile, it needs to be assured that personal data was collected legitimately. The
same applies to contact information that might be collected in response to a local campaign. The guidance
also addresses the rules for ‘viral-marketing’ or ‘tell a
friend’ campaigns. The party must always identify itself,
and provide contact details and easy procedures for opting out.
Political marketing by established political parties is
one thing, but similar issues are often raised during referendum campaigns, the organization of which might
be more temporary, and whose members and supporters will cut across the established political allegiances.
The ICO has recently found the need to issue guidance
on marketing during the UK referendum on EU membership.66 It also fined a company for sending unsolicited text messages on behalf of the Brexit campaign,
having received more than 2600 complaints in two
months.67
Spamming was also the main impetus behind the
closer regulation of political marketing in France. The
so-called ‘Sarkospam’ scandal occurred in September
62
65
63
64
V Oord and M Kampschreur, ‘Dutch Political Parties Violate Their Own
Cookie Law’ (FleischmanHillard News and Opinions, 2012) <http://fleish
man.nl/2012/06/dutch-political-parties-violate-their-own-cookie-law/?
lang¼en> accessed 13 October 2016.
‘Electoral Propaganda: A Decalogue by the Garante’ (2005) <http://
www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/doc
web/1187710> accessed 13 October 2016.
Provvedimento no 107 in materia di Trattamento di Dati presso i Partiti
Politici e di Esonero dall’Informativa per fini di Propaganda Elettorale 6
Marzo 2016 [3013267] <http://www.garanteprivacy.it/web/guest/home/
docweb/-/docweb-display/docweb/3013267> accessed 13 October 2016.
66
67
UK Information Commissioners Office, Guidance for Political Parties for
Campaigning or Oromotional Purposes (2014) <https://ico.org.uk/media/
for-organisations/documents/1589/promotion_of_a_political_party.
pdf> accessed 13 October 2016.
J Jones, ‘Nine Points EU Referendum Campaign Groups Should
Remember If They Don’t Want to Break the Rules’ (Information
Commissioner’s Office Blog, 6 January 2016) <https://iconewsblog.word
press.com/2016/01/06/nine-points-eu-referendum-campaign-groupsshould-remember/> accessed 13 October 2016.
‘Firm behind Thousands of Spam Texts Fined by ICO’ (ICO News and
Blog, 9 June 2016) <https://ico.org.uk/about-the-ico/news-and-events/
Colin J. Bennett Voter databases, micro-targeting, and data protection law
2005, when hundreds of thousands of unsolicited emails were sent on behalf of presidential candidate
Nicolas Sarkozy.68 The case prompted a series of recommendations from the CNIL about the use of files by political parties, groups, candidates, and elected officials.
Political canvassing by e-mail should not use any databases other than those who had explicitly ‘opted in’.
And those who had opted in to commercial databases
who were not explicitly told at the time that their information may be used for political marketing (as occurred
in the Sarkospam case), must be contacted again and offered the opportunity to opt out.69 The guidance also
recommended that political parties declare to the CNIL
when they are processing data on people who are occasionally in contact (for instance, those who have signed
a petition, requested documentation, or visited the
blog), but not those who are regularly in contact, such
as donors or regular members.
The CNIL issued further guidance in 2012.70 The
rules about political communication were placed in the
context of the broader application of French data protection law to the entire processing activities of parties
in France and the information they collect. The guidance addressed: the types of internal files of the elected
official, the candidate, or the political party, and distinguishes how each might use files of members, regular contacts, and occasional contacts; the use of the
electoral register, of directories and of files from the private sector; and the rules for communication by telephone, SMS, e-mail, and Internet. The CNIL also
provided examples of best practice for obtaining
consent.
All major political parties in Western democracies
make extensive use of Facebook, Twitter, YouTube, and
other social media to target messages, recruit volunteers,
and donors and to track issue engagement. The most advanced use of social media in Europe occurred in the
2015 UK general election. The Conservative Party made
unprecedented use of Facebook data to reach key groups
of voters in swing constituencies. Unlike Twitter, which
can often only operate as an echo-chamber for the likeminded to reinforce their political opinions, Facebook,
the Tories realized, offered a potential database of 55 per
cent of the British population, including all demographic
68
69
news-and-blogs/2016/06/firm-behind-thousands-of-spam-texts-fined-byico/> accessed 13 October 2016.
T Lebegue, ‘Françaises, Français, Nicolas Sarkozy vous spamme’
Libération (Paris, 27 September 2005) <http://www.liberation.fr/france/
2005/09/27/francaises-francais-nicolas-sarkozy-vous-spamme_533767>
accessed 13 October 2016.
Délibération no 2006-228 du 5 octobre 2006 portant recommandation
relative a la mise en oeuvre par les partis ou groupements a caractère
politique, élus ou candidats a des fonctions électives de fichiers dans le
ARTICLE
271
groups. Facebook sells advertising to a wide range of different organizations, including to political parties. The
Conservatives, therefore, engaged in the kind of ‘microtargeting’ efforts familiar in North America with a striking degree of precision.71 And they did this only in the
100 key marginal seats that they had identified as likely to
sway the election.
It is quite obvious that the rules have to be more nuanced to reflect the different media through which political campaigning now occurs, and many DPAs have
yet to come to terms with this new environment. The
relationship is not simply a bilateral one between candidate and voter. Third party intermediaries (research and
polling firms) also play important roles. And any social
media user can potentially, then, be engaging in forms
of political communication.
We have not seen the kinds of ‘targeted sharing’ programmes in Europe so far. The few mobile campaigning
apps in existence do claim that they are operating
within the confines of European data protection law,
meaning that they should only be contacting voters who
have given express consent to be contacted. But social
media do introduce a general confusion between the
notion of the data controller and the data subject.
‘Friending’ a political party on Facebook, or following
them on Twitter, without the user implementing the appropriate privacy controls can also result in the unintentional broadcast of the user’s political beliefs. The
practices of political parties, and the privacy rights of
their members, are closely related to the privacy policies
and mechanisms embedded within these social media
platforms, as well as to the privacy choices that individuals make according to varying degrees of knowledge
and concern about privacy, and their sophistication
about the technology. Thus, the use of social media in
elections will inevitably be shaped by the broader actions of DPAs against Facebook and other social networking companies.
Data protection and the expansion of
the ‘selectorate’ for party leaders
The public nature of voter engagement and party identification in the USA is attributable, in part, to the quite
70
71
cadre de leurs activités politiques <https://www.legifrance.gouv.fr/
affichTexte.do?cidTexte¼JORFTEXT000000459927> accessed 13
October 2016.
Communication Politique: Obligations Legale et Bonnes Pratiques
édicion Janvier 2012, Les guides de la CNIL <http://www.cnil.fr/filead
min/documents/Guides_pratiques/CNIL_Politique.pdf> accessed 13
October 2016.
Ross (n 41), 118.
272
International Data Privacy Law, 2016, Vol. 6, No. 4
ARTICLE
extraordinary role played by the Democratic and
Republican parties in the voter registration process.
Nomination processes for both main parties and for a
range of state and federal officeholders operate in every
state and entrench the parties as the main organizations
for the recruitment of political candidates. Some states
operate open primaries to members of the other party
and to independents. Others organize closed primaries
to registered members of the party. Some require voters
to show up in person at local caucuses, where they can
discuss the candidates and register their preferences.
Some states even operate different systems for each
party. And the overall system can vary by different electoral cycles. This complex and diverse system resists easily generalizations. In general, primary elections have
become more frequent, open and widespread in recent
years for both Republican and Democratic Parties.72
But the type of process also has massive implications for
the capture and processing of data on party affiliation.
The use of party databases during competitive primary elections can create difficult dilemmas during primary elections and the need for strong firewalls between
the basic household information and other data that
might be added from individual campaigns. In 2016,
there was a dispute between the Sanders and Clinton
campaigns about the deliberate exploitation of a vulnerability in the NGP VAN voter database by a staff member
in the Sanders campaign, allowing temporary access to
confidential voter lists created by the Clinton campaign.
The dispute resolved itself with a firing of the staffer and
an apology from Senator Sanders. But the issue raised
some searching questions about the use of the same database within highly competitive primary elections.73
In parliamentary systems, primary elections are far
less common and far more recent, but raise some similar
questions. The most extensive participation in a primary
occurred in France in 2011. Based on the Italian experience of 2005 and 2007, the French Socialist Party decided that its candidate for the 2012 presidential election
would be decided on the basis of an open primary. Not
only would registered Socialist voters be able to participate, so would all voters who donated one euro to the
party and agreed to sign a commitment attesting to the
values of the left (freedom, equality, fraternity, secularism, justice, solidarity, and progress). The party organized one national vote in two stages on 9 and 16
October 2011 and elected Francois Hollande. Some 2.6
million voters participated in the first round and three
million in the second.
In the USA, the parties would typically have access to
the lists of those who voted in their primary election in
a particular state, and use those contact details to mobilize their vote in the general election. In Europe, this
question poses some peculiar and novel challenges for
privacy principles, and DPAs. The CNIL struggled with
the question of whether the party might continue to
process data on those who had voted in the primaries,
as if they were members or ‘regular contacts’. They
concluded eventually that they could not, because
the purpose of collection was different,74 unless
the voter separately consented to be contacted. Similar
issues arose for the Italian DPA after primary elections for the centre-left coalition, Common Good, in
2012.75 The Garante also concluded that the purposes for collection were different, and that consent
for political marketing during the general election had
to be actively obtained at the time of the primary
election.
The 2015 selection of the leader of the UK Labour
Party raised a somewhat different set of questions about
the parties’ rights to association and the privacy rights
of voters. In 2014, the Party changed its method of
electing the leader from a three-way electoral-college
system (party members, parliamentarians, and affiliated
trade unions) to a one-member-one-vote system. The
new system created three categories of voters: full
Labour Party members; affiliated supporters (who had
signed up as a Labour Party supporter through an affiliated organization or union); and registered supporters
(people who declare that they support the Labour party
by signing up online and paying a fee of just £3).76 Over
600,000 people ended up receiving ballots in the recent
election, of whom around 400,000 had signed up over
the summer months.77
72
75
73
74
SJ Wayne, The Road to the White House 2016: The Politics of Presidential
Elections (Cengage Learning, Boston 2015).
D Atkins, ‘An Explanation of What Bernie Sanders Staffers Actually Did
and Why It Matters’ Washington Monthly (Washington, 19 December
2015) <http://washingtonmonthly.com/2015/12/19/an-explanation-ofwhat-bernie-sanders-staffers-actually-did-and-why-it-matters/> accessed
13 October 2016.
Deliberation no 2012-020 du Janvier 2012 portant recommendation relative a la mise en oeuvre par les partis ou groupements a caractère politique, eélus ou candidats a des fonctions électives de fichiers dans le cadre
de leurs activités politiques <https://www.legifrance.gouv.fr/affichTexte.
do?cidTexte¼JORFTEXT000025344843> accessed 13 October 2016.
76
77
Garante per la Protezione Dei Dati Personali, Elezioni primarie 2012 e
trattamento di dati personali 31 October 2012 <http://www.garantepri
vacy.it/web/guest/home/docweb/-/docweb-display/docweb/2079275>
accessed 13 October 2016.
‘How to Vote for Our Next Leader and Deputy Leader’ (Labour Party
Blog, 2015) <http://www.labour.org.uk/blog/entry/how-to-vote-for-ournext-leader-and-deputy-leader> accessed 13 October 2016.
Over 600,000 people will be able to vote in Labour leadership contest,
(Labourlists, 2015) <http://labourlist.org/2015/08/over-600000-peoplewill-be-able-to-vote-in-the-labour-leadership-contest/> accessed 13
October 2016.
Colin J. Bennett Voter databases, micro-targeting, and data protection law
ARTICLE
273
The final issue, and a perennial one in any contemporary discussion of privacy, is the data breach. Many legislatures around the world have enacted legislation
mandating notice to data subjects about the loss or
unauthorized acquisition by an unauthorized person of
an information resource containing personal information. The scope and standards of these laws vary, and
some of them limit liability when the data are suitably
encrypted. Articles 33 and 34 of the GDPR establish
new and uniform rules for notification of data breaches
to both the supervisory authority and the data subject.
Many organizations that suffered a breach learned that
the cost of providing notice to data subjects can be
large, and the damage to reputation significant.
No type of organization has been immune from such
losses, including political parties. In December 2015, a
database of 191 million US voter records was posted online. Neither the origins of the data nor the identity of
the hacker were known. But the findings were reported
by Chris Vickery of www.databreaches.net and raised
some searching questions about the range of voter data
publically available, and the relative ease of obtaining
these data in many states. In both the 2008 and 2012
elections, the campaigns of each of the main presidential
candidates were subjected to repeated attempts at unauthorized access.80
Breaches of voter data also occur in countries that do
have more centralized voter registration agencies. In 2012,
there was a leak of over 2 million voter files from
Elections Ontario. Two USB keys went missing containing names, addresses, genders, birth dates and whether a
person voted in the last election for residents in as many
as 25 ridings. An investigation by the Ontario
Information and Privacy Commissioner found systemic
failures in privacy management within Elections
Ontario.81 Other breaches occur through the malicious
activity of hackers, such as the breach of information on
online donors to the Canadian Conservative Party, caused
by a hacker who exploited a vulnerability within the
Conservative Party website.82 In Ireland in 2011, Fine
Gael’s website was the subject of a sustained denial of service attack during which the personal details (including
IP addresses, mobile phone numbers, location, and e-mail
addresses) of up to 2000 users of the site were compromised.83 Perhaps the most egregious example of a data
breach of voter data occurred in Mexico, where it was
78
81
This more open process of registration was controversial. It invited ‘entryism’—supporters of other parties
who wanted to create mischief by voting for the more
left-wing candidate, Jeremy Corbyn. The party confirmed that it would cancel supporters’ votes if they
were found either not to be on the electoral roll, or if
they were members of other political parties. The latter
raised some searching questions about how this monitoring would occur in such a short time frame. There
were reports that Labour staffers were checking social
media pages and posts, and doing Google searches to
determine if the applicant had been a candidate or local
activist of another party.78
In the end, the size of Mr Corbyn’s victory in the
election made this vetting moot, but it does raise some
intriguing privacy issues.79 To be sure, political parties
have a legitimate interest in the integrity of their internal electoral procedures, and can take steps to check eligibility. Can the Labour Party scour the Internet for
evidence of support for another party? Yes, but only if
the individual has knowingly put this data in the public
domain. If the party relies on third party accounts of
someone’s political affiliation, then that raises questions
of fair processing, requiring appropriate notification.
There were also questions about the use of personal
data from the electoral register, which are tightly controlled by law, and about the appropriate procedures for
redress.
These cases suggest that the nature of political parties
is changing in Europe. They are beginning to embrace
more open procedures for the selection of candidates
and leaders. While these changes will never emulate the
primary election system in the USA, they do raise profound questions about the nature of party ‘membership’
and about the meaning of ‘regular contact’.
Data breaches
79
80
‘How is Labour Vetting New Members?’ (BBC News, 10 August 2015)
<http://www.bbc.com/news/uk-politics-33849773> accessed 13 October
2016.
Amberhawk Training Ltd, ‘Voting for Jeremy? Labour Party’s Vetting
Ensures Approved Voters Score Low Marx’ (21 August 2015) <http://
amberhawk.typepad.com/amberhawk/2015/08/voting-for-jeremy-labourpartys-vetting-ensures-approved-voters-score-low-marx.html> accessed
13 October 2016.
N Corasaniti and R Shorey, ‘Millions of Voter Records Posted, and Some
Fear Hacker Field Day’ New York Times (30 December 2015) <http://
www.nytimes.com/2015/12/31/us/politics/voting-records-released-pri
vacy-concerns.html> accessed 13 October 2016.
82
83
Information and Privacy Commissioner, Election Ontario’s
Unprecedented Privacy Breach: A Special Investigation Report (Toronto, 31
July 2012) <https://www.ipc.on.ca/resource/elections-ontarios-unprece
dented-privacy-breach-a-special-investigation-report/> accessed 13
October 2016.
‘Online Donors Data Breached: Conservatives’ (Canadian Broadcasting
Corporation, 8 June 2016) <http://www.cbc.ca/news/politics/story/2011/
06/08/pol-conservatives-hacker-donors.html> accessed 13 October 2016.
EO Caollai, ‘FG Site Data Breach Investigated’ The Irish Times (Dublin,
10 January 2011) <http://www.irishtimes.com/news/fg-site-data-breachinvestigated-1.869893> accessed 13 October 2016.
274
International Data Privacy Law, 2016, Vol. 6, No. 4
ARTICLE
It is tempting to conclude that the practices now observed in the USA are the direct result of a set of unique
political and social conditions: a liberal campaign finance system; a constitutional tradition that provides
robust protection for political speech; two dominant
political parties, with a very decentralized structure; a
powerful political consulting industry often with impressive technical credentials, who aggressively market
their predictive models and algorithms to partisan professionals desperate for any political advantage within a
highly competitive electoral environment; a digital
economy and culture that puts huge emphasis on the
power of ‘Big Data’; and comparatively weak and fragmented privacy laws.85
It is also tempting to conclude that these same techniques could never migrate to Europe because the sensitivity of data concerning political affiliation is rooted in
a European political culture with more recent experiences of authoritarian rule.86 Anecdotally, it is generally
observed in many European countries that there is a
greater sensitivity among the public about their political
views, and a general distrust of the intrusive political
marketing and campaigning techniques. Beyond these
questions lay some more troubling implications, especially when asked in the aftermath of the Snowden revelations about the intelligence practices of the National
Security Agency, and its equivalents in the ‘Five Eyes’
states. There has been sufficient evidence of ‘function
creep’ to question whether or not voter management
platforms and databases that profile the political opinions of the electorate in increasingly detailed ways,
could not be accessed and used for more sinister purposes by the national security agencies of the state.87
There is no evidence that this has occurred. But it was
surely these issues that European regulators had in
mind when they defined data on ‘political opinions’ as a
sensitive form of data that could only be processed with
knowledge and consent.
So far European parties and candidates cannot campaign in Europe, as their counterparts do in North
America. Cultural, legal, institutional, financial, and
other constraints will continue to block the more intrusive campaigning practices now seen in the USA.
There is, however, another set of more general
sociopolitical factors that are driving the contemporary trends in political marketing and voter surveillance. We need to examine this larger context in order
to begin to ask the really critical questions about the
implications of these trends for the future application
of data protection law in Europe to political and elections campaigns.
Voter surveillance has arisen during an era when political analysts have noted, and lamented, a general process of partisan de-alignment. In simple terms, fewer
people have fixed attachments to political parties; fewer
are now members of political parties; and fewer regard
them as the main vehicle of political participation and
engagement. The trend is a general one across Western
democracies and rooted in an overall decline in trust in
political institutions.88 One of the implications of
‘parties without partisans’89 is that political parties have
needed to find newer methods to engage with the electorate to find donors, volunteers, members, and supporters. They cannot rely on huge proportions of the
voting public based on conventional class or religious
affiliations.
Voter surveillance techniques have arisen, therefore,
partly to address this fundamental shift in partisan allegiances. Voters have become more distrustful of politics,
but also more demanding. In rational choice terms, a
greater proportion can be regarded as ‘clients’ of the political system, whose allegiances float depending on the
personalities and programmes on offer. Unlike earlier
generations, where family partisan attachments typically
predicted voting behaviour, for the last 30 years higher
proportions of voters in Western democracies can be
susceptible to the correct marketing pitch. And that
method of persuasion, it is contended, is likely to be
more effective when the party knows more about the individual preferences and attitudes of the voting public.
Europe is, of course, not one political culture and shifts
in campaigning practices will not be felt uniformly. I
would suggest, however, there are structural shifts in
democratic politics that are converging with advances in
84
87
discovered that the names and addresses of all 87 million
Mexican voters were accessible through Amazon’s cloudcomputing site. In this case, the publication of the database was in clear violation of Mexican law.84
Conclusion: data protection, election
campaigns, and partisanship
85
86
A Tanner, ‘Mexico’s Entire Voter Database Made Accessible on the
Internet’ Scientific American (22 April 2016) <http://www.scientificameri
can.com/article/mexico-s-entire-voter-database-made-accessible-on-theinternet> accessed 13 October 2016.
Bennett (n 2).
DH Flaherty, Protecting Privacy in Surveillance Societies (University of
North Carolina Press, Chapel Hill 1989).
88
89
B Schneier, Data and Goliath: The Hidden Battles to Collect Your Data
and Control Your World (Norton, New York 2015) 136.
RJ Dalton, Democratic Challenges, Democratic Choices: The Erosion of
Political Support in Advanced Industrial Democracies (OUP, Oxford
2004).
RJ Dalton and MP Wattenberg, Parties Without Partisans: Political
Change in Advanced Industrial Democracies (OUP, Oxford 2002).
Colin J. Bennett Voter databases, micro-targeting, and data protection law
information and communications technologies. No democracy will be immune from these trends.
On the whole, DPAs have been reluctant to provide
guidance to parties and candidates, and less still to regulate their activities. These are inherently ‘political’ questions that would involve the DPAs in the oversight of
powerful party organizations and political actors. All
DPAs have limited budgets, the magnitude of which is
often dependent upon the goodwill of elected politicians
of all parties. So there is a natural tendency to shy away
from regulatory action that would strike at the heart of
the ability of politicians to communicate with the electorate and to mobilize support. On the other hand, the
ARTICLE
275
European data protection regime will probably be under
continuing pressure from technological, political, and social forces that will demand the freer flow of information
about the behaviours and attitudes of voters. DPAs nationally, and collectively under the new European Data
Protection Board, will need to address both the ambiguities within the GDPR surrounding the processing of data
on ‘political affiliation’ and give up-to-date and relevant
guidance in this new era of the ‘data-driven’ election.
doi:10.1093/idpl/ipw021
Advance Access Publication 10 December 2016