Online data processing in election campaigns

2018 was the year of the Cambridge Analytics scandal to which it is due the development and application of a particular model of “behavioral micro-targeting”.

Micro-targeting is a marketing technique that allows you to create, through the processing of personal data, the profile of each individual user and then send him targeted advertisements. The U.S. company developed an algorithm that acts both on users’ tastes, as in traditional marketing, but also on emotions, envisaging and anticipating users’ responses.

Micro-targeting was employed in the 2016 U.S. election campaign and in the 2017 “Brexit” referendum campaign. For this occasion, several ” bots ” (fake profile automation) were created to promote targeted posts and news based on the trend of the electoral campaign. In addition, users’ reactions to ads were daily analyzed and adapted according to the results of evaluations. The Cambridge Analytica case has shown the significant role played by social networks and, more specifically, the role played by the use of users’ personal data in the highly sensitive electoral context.

In order to fight the possibility of a new threat to the electoral process, the European Commission has adopted a guidance on the application of EU on the  data protection law in the electoral context.

The document reiterates that the GDPR applies to all actors in the electoral context, including European and national political parties, political foundations, data analysis platforms and companies, and public authorities responsible for electoral processes. The Commission considers that customised messages may lead to a situation where people do not vote or vote in a particular way, undermining the freedom of expression and the democratic nature of the electoral process. In accordance with the European Commission’s statement, the Italian Data Protection Authority has also issued an electoral propaganda measure highlighting cases of lawful processing of data, the cases in which consent is required and cases of exemption.  In addition, the italian DPA stated that political and propaganda messages sent to users of social networks both privately and publicly, for example via Skype, WhatsApp, Viber, Messanger, are subject to the rules on the protection of personal data.

For these reasons, the Commission and the Italian Data Protection Authority recommend that political parties inform and explain to the interested parties how the data are combined and processed, especially when the data come from third-party sources such as national electoral lists, data intermediaries and other sources.

Violation of data protection rules could be subject to high penalties. If a national data protection supervisory authority establishes a violation, in addition to the sanctions provided for in Regulation 2016/679, the Authority for European Political Parties and European Political Foundations could apply an additional penalty of 5% of the annual budget of the party or foundation. Parties and foundations that commit a violation will not be able to claim funding from the general budget of the European Union in the year in which the sanction is imposed. In the meantime, in order to comply with the legislation and not to be accused again, Facebook started to ask its users for permission to publish political advertisements on their personal profiles. A first step that reflects what is coming.