In recent years, we’ve talked a lot about the rise of online political campaigning and the impact this can have on our democratic processes – the ERS has been at the forefront of calling for enhanced transparency around online campaigning and for our analogue rules to be updated for the digital age.
Given how campaigns are conducted online, the focus has rightly been on how we can shed light on online advertising and on party funding and spending in the digital world, and on the role tech companies play in this ecosystem.
What about personal data?
One aspect we don’t talk about as much – but which is just as important and interrelated with the others – is how parties themselves are adapting to digital campaigning with regards to their use of personal data. As with most aspects of online campaigning, the usual caveat applies: parties have always made use of people’s personal data for their marketing and campaigning, but this has significantly changed with the rise of online platforms and techniques.
Data allows parties to interact with voters and engage them in democratic processes, which can increase turnout and participation and, more broadly, have considerable benefits on the health of our society. But the sophisticated and – to most of us – opaque ways in which parties can collect, process and use data to target voters and tailor increasingly personalised messages to them need to be considered, as reliance on these techniques is only going to grow in the future.
This is an area of concern for voters themselves. The Electoral Commission’s research following the 2019 general election found that 46 percent of people said that ‘they were concerned about why and how political ads were targeted at them’.
The Open Rights Group (ORG) delved into the main political parties’ use of personal data and found that they all made extensive use of personal data to tailor a political relationship with people. This included using data to try to guess characteristics such as income, number of children or nationality, and to profile personal information and highly protected special category data, such as religion and political opinions.
Based on their research, however, the ORG also found that such attempts were generally unsuccessful, and that the accuracy of political profiling done in this way was ‘extremely poor’.
Regulating data rules
Regardless of accuracy in terms of profiling or persuasion, most voters are in the dark about how parties use their data for political purposes – shedding light on this issue is essential.
As the data regulator, the Information Commissioner’s Office (ICO) has been outspoken about the need to enhance transparency, trust and accountability with regards to political use of data so as to ensure confidence in political parties and our democracy more broadly. The ICO first highlighted this issue substantively in their 2018 report on personal data and political influence where they flagged the importance of using personal information in ways that are ‘transparent, understood by people and lawful.’
As part of this work, the ICO also committed to auditing political parties’ compliance with data protection legislation and published its results earlier this month.
Audits of parties’ use of data
The ICO’s audits of seven political parties were the first time parties’ compliance with the new data protection legislation was assessed. The regulator highlighted five broad areas for improvement with regards to transparency and lawfulness:
- Privacy information: parties should be more transparent about the processing that is taking place to profile or target voters; the information they provide should be ‘comprehensive yet brief, and use clear and plain language’.
- Lawful basis: currently parties have three lawful bases for processing personal data for political purposes – democratic engagement (though there are some concerns about whether this justification is always used appropriately), consent and legitimate interests. The ICO stated in its audit that parties should review the lawful bases they use for processing data and ensure they have identified the most appropriate one.
- Profiling: to tackle invisible profiling, unwanted direct marketing and statistically inaccurate automated decision-making, the ICO recommended the parties should be clear with people about ‘any unexpected or intrusive uses of personal data, such as combining information about them from several different sources for the purposes of profiling.’
- Use of social media for marketing and campaigning: parties must be transparent with people about when they use their personal data to profile and target them on social media, and should have appropriate contracts in place, where necessary, with social media companies with regards to user data.
- Accountability: as data controllers in the law, parties are accountable for their use of personal data and ‘must be able to demonstrate their compliance and be proactive about data protection’, including having processes in place internally and externally (e.g. checking that data supplied by third-parties) to ensure compliance.
Following the audits, parties indicated their willingness to take action to improve compliance voluntarily, with the ICO not having to take any enforcement action, though it will be conducting follow-up audits to monitor compliance.
But much more remains to be done to enhance transparency around the political use of personal data for political purposes. The ERS has been calling for a statutory code of practice for political use of data by political parties, in line with the ICO’s own recommendations (indeed the ICO has already developed a draft code) and similar to the existing code of practice on data protection in the media. This would clarify the rules surrounding how parties and campaigners use personal data for political purposes and ensure compliance with the law. We hope the government and political parties will engage in this important effort to improve transparency.
Sign the ERS’ petition to close the ‘dark ads’ loophole now