This article was written by Bethany Shiner and originally published on UKCLA.
Following on from an earlier piece on this blog which highlighted some of the gaps in the legal framework relating to the use of personal data for political purposes in campaign material, this post will consider whether the Data Protection Act 2018, which implements the General Data Protection Regulation (GDPR), provides the regulator with enough investigatory and enforcement powers to better tackle the misuse of data in political campaign practices in future.
The Information Commissioner’s Office
The Information Commissioner’s Office (ICO) published an update on its ongoing investigation into the use of data analytics in political campaigns, indicating some preliminary findings of breaches of one or more of the data protection principles as well as some of the enforcement actions it has taken. This update, along with its Democracy Disrupted? report, will feed into the Digital, Culture, Media and Sport Select Committee’s Fake News inquiry, which is preparing its interim report. The ICO investigation needs to establish whether there had been breaches of the Data Protection Act 1998 and the Privacy and Electronic Communications Regulations 2003, and to do that it had to examine how political campaigns use personal data to micro-target voters with political adverts and messages.
Eleven political parties were served with warning letters and assessment notices for audits, and the ICO has concluded that there are ongoing risks and concerns arising from the purchasing of marketing lists and lifestyle information from data brokers without sufficient due diligence, a lack of fair processing, the use of third party data analytics companies with insufficient checks around consent, and the provision of members’ contact lists to social media companies. During this investigation the ICO has used the powers available to it under the Data Protection Act 1998 and the 2018 Act, which came into effect in May 2018, including issuing formal notices for information, powers of entry under warrant, and audit and inspection powers.
The Data Protection Act 2018
If there were to be another snap election or a second UK-EU referendum, and the same practices were alleged, what would the ICO be able to do differently now that a new legislative framework is in place? There are two classes of people found to be engaged in the (mis)use of personal data in politics: 1. elected representatives, political candidates and political parties, and 2. companies including data brokers, political consultancy firms, and social media platforms. As demonstrated by the investigation into the UK-EU referendum, breaches can flow between both classes.
Elected representatives, political parties and candidates are empowered to access and use certain information (for example, the electoral register) to communicate with the electorate and members of the local constituency and respond to inquiries arising from constituency surgeries. Access to such data was established under the 1998 Act and has been carried over to the 2018 Act by sections 22 and 23 of Schedule 1. Section 8 of the 2018 Act provides a lawful basis for processing personal data founded on public interest for an ‘activity that supports or promotes democratic engagement’ such as communicating with electors, campaigning activities, and opinion gathering inside and outside election periods. Although the section 8 exemption will still be subject to the six key principles established by the GDPR, including lawful, fair and transparent processing, this was an unnecessary additional exception because the article 6 GDPR consent or legitimate interests legal bases are more appropriate justifications for processing personal data. The legitimate interest basis enables a balancing test between whether the legitimate interests are overridden by the interests or fundamental rights and freedoms of the data subject. This test ensures that organisations do not use a broad legal basis to legitimise micro-targeting and the other campaigning techniques the ICO was investigating at the time the amendment was inserted into the Bill. How this broad exemption will apply to the future use of data in political campaigning may rely on its interpretation, but the explanatory notes offer little guidance.
The 2018 Act provides some powers which were not available under the 1998 Act. It was perceived that the limitations of the previous regime were played out when the Information Commissioner had to wait five days for a warrant to enter the premises of Cambridge Analytica to seize evidence of data breaches. In actual fact, the ICO had already been in negotiation with the company for almost a month after it put the company on notice of its intention to demand access to the premises before finally applying for a warrant. However, this saga did enable the Commissioner to draw attention to her requests for greater investigatory and enforcement powers to be written into the Data Protection Bill which was being debated at the same time.
The GDPR does incorporate preventative mechanisms, but to investigate and enforce the law, the ICO needs to be able to move at pace in response to allegations such as the ones currently under investigation. Because the particulars of such potential data breaches are hard to detect on social media platforms and other online sources, it is critical that the ICO has access to servers and other evidence to trace where data has come from, how the data was used and who it was shared with. Information notices facilitate the acquisition of the information the ICO needs to assess whether the law has been broken. In the ongoing investigation, 23 information notices have been served on 17 organisations (information notices can now be issued to individuals – such as ex-employees of companies – data processors, as well as data controllers) and have been a key tool in the investigation. For example, Facebook was asked about how its platform was used to mine data.
Now, the ICO can issue urgent information notices that have to be complied with in 24 hours. Further, following the Commissioner’s request, it can apply for a court order to compel compliance with information notices so that failure to comply is not solely penalised with a fine. The ICO was concerned that in the absence of compulsion, fines alone would encourage organisations and individuals to simply buy themselves out of data breaches by refusing to reveal the evidence or information relating to such breaches.
The assessment notice provisions within the 2018 Act enable the ICO to complete urgent inspections to assess compliance with the data protection legislation. Section 148 creates a criminal offence for an organisation to destroy, dispose of, block, conceal, alter or falsify information or documents the ICO intends to pursue a warrant to remove. This offence is meant to act as a deterrent and attracts a summary conviction. Section 4(1) of schedule 15 repeats the provision contained in schedule 9 of the 1998 Act for warrants to be sought more quickly if giving the owners of the premises the standard seven days’ notice would defeat the object of entry, or the Commissioner requires access to the premises in question urgently.
Enforcement notices can be issued to stop the processing of data, a power that existed under section 40(1) of the 1998 Act, but there are more grounds for an enforcement notice as per section 149 of the 2018 Act. An enforcement notice was served on Aggregate IQ requiring it to ‘cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purposes of data analytics, political campaigning, or any other advertising’ within 30 days. The grounds were that, contrary to articles 5(1)(a)-(c) and 6 of the GDPR, the processing of personal data was in a way data subjects were not aware of, for purposes they would not have expected, without a lawful basis and the processing was incompatible with the purpose of the original data collection. The enforcement notice can be appealed, by virtue of section 162(1)(c), and if appealed, in all but exceptional circumstances, the notice need not be complied with pending determination or withdrawal of that appeal. Failure to comply with the enforcement notice is not a criminal offence but does attract a fine of 4% GPR or £17 million. How the ICO can enforce this when Aggregate IQ has no base in the UK or any other EU member state remains to be seen.
The ICO has had to conceive itself as a regulator of the democratic process. Elizabeth Denning is cognizant of concerns that our democracy may be under threat and has called for an ‘ethical pause’ (not a regulatory halt) on the use of data in politics to allow relevant parties to ‘reflect’ on their responsibilities in the era of big data ‘before there is a greater expansion in the use of new technologies’. Of course, parliamentarians are captured by these practices themselves, often seeking the most effective ways to direct their messages to selected members of the electorate.
The ICO has embraced its developing role in protecting the electorate from data misuse, but this is a role that has emerged with the use of campaign techniques that rely on information about the electorate obtained from the analysis of personal data. The ICO’s investigation into the official referendum campaigns is particularly significant as both campaigns were led by senior ministers. Does the ICO possess enough power to hold those that seek to gain from the misuse of data to account? This is being tested now and the final report on the ongoing investigation is due in October 2018.
Bethany Shiner, Lecturer at Middlesex University and solicitor-advocate
(Suggested citation: B. Shiner, ‘How Does the Data Protection Act 2018 Empower the Information Commissioner to Tackle the Misuse of Personal Data in Political Campaigns?’, U.K. Const. L. Blog (20th Jul. 2018) (available at https://ukconstitutionallaw.org/))