In this edition of the Spotlight Series, Bethany examines how data is obtained online and used in political campaigns, suggests reforms for loopholes in the law and recommends ways social media users can gain control over their information.
1. Over the past few years, the use of data to drive political campaigns has come under major scrutiny, in particular the use of ‘microtargeting’. What differentiates political microtargeting from other forms of targeting? And why is it problematic?
Many of the techniques used in commercial microtargeting are used in political microtargeting but raise a series of critical issues, which relate to the exercise of our democratic rights as well as our data rights.
Political communication is central to the exercise of our political agency. How can we decide who to vote for if we do not know a candidate’s or political party’s policies or what their response is to a particular issue? So, in some ways more targeted and tailored political communication can be democracy enhancing.
However, the Cambridge Analytica scandal exposed the deceptive and opaque use of personal data and the global web of connections between political campaigns and corporate interests. In short, the problem is not microtargeting but that microtargeting often relies on the use of illegitimately gained personal data used against people in an effort to persuade (or manipulate) their worldview or voting intentions. Part of this is that personal data is used to better understand the electorate and steer public opinion, not through open and robust debate but through personalised, localised and private digital advertisements following an often-automated profiling process to categorise demographics.
In relation to personal data, the use of political microtargeting remains problematic for several reasons only a few of which I will discuss. There is the problem of consent. Political opinion is classed as special category data and attracts higher standards of protection before it can be lawfully used including the requirement for explicit consent. But individuals do not always know what they are consenting to when agreeing to a website or mobile application privacy statement. Consent cannot be said to have been knowingly given if data subjects were misled or deceived when giving consent. As the ICO makes clear, in most circumstances, special category data (which includes inferred information such as political opinions) cannot be used to target individuals with political messaging without explicit consent.
More research needs to be done to understand exactly how political parties are relying on these sections of the DPA 2018 to collect and process data and then profile individuals based on that data.
Conversely, there is still scope for registered political parties to use political opinions in digital campaigning if it can be shown that the processing of that data to reveal political opinions is “necessary” for the party’s “political activities” (schedule 1, para 22 DPA 2018) or “necessary” to an “activity that supports or promotes democratic engagement” (section 8(e) DPA 2018) even without explicit consent. However, it looks as though this democratic engagement basis is being used more freely than it should be.
There is not much clarity at all around exactly how political parties gather and use data – how do they process the data? Do they infer political opinions? If so how? Are those inferences associated to identifiable individuals? If not, how do they target people with political material based on those inferences? There are lots of questions here but there is not much transparency around this which is problematic.
For example, during the 2019 election campaign the Conservative party’s website asked users to complete a survey, and by completing this survey, this meant that users were also consenting to the collection and processing of personal data including special category data for the purpose of microtargeting (amongst other uses). The privacy policy said that the legal basis for the data collection was promoting “democratic engagement and our legitimate interest to understand the electorate and identify Conservative supporters” – how this use of data harvesting and processing was “necessary” is unclear. It is likely that the ‘democratic engagement’ basis was wrongly relied on in this example.
2. Are there any gaps in the current laws, that fail to protect the use of data in this way?
Yes! The Data Protection Act 2018 implements the General Data Protection Regulations and established numerous conditions, which must be met before personal data can be lawfully and fairly processed and introduced several new data rights such as the right to be informed, the right to object and the right of access. However, one major concern is section 8(e) DPA 2018, which provides a lawful basis for the processing of personal data “that is necessary for the performance of a task carried out in the public interest”, including “an activity that supports or promotes democratic engagement” such as communicating with electors, campaigning activities, and opinion gathering inside and outside election periods. Also, Schedule 1, paragraph 22, DPA 2018 enables registered political parties to process data revealing political opinions without explicit consent for campaigning purposes.
More research needs to be done to understand exactly how political parties are relying on these sections of the DPA 2018 to collect and process data and then profile individuals based on that data. A recent report from the Open Rights Group states that according to its research, the Conservatives, Liberal Democrats and the Labour Party are using the grey areas within the political activities and democratic engagement sections of the DPA 2018 to harvest personal data for microtargeting without consent. The combining of the electoral register, data bought from data brokers and data already held was shown to provide complex profiles on individuals. The Data Subject Access Requests made by individuals showed that those profiles were not always accurate but nevertheless made people feel “spied upon” and “anxious and powerless”.
There have been plenty of recommended reforms and some of the ones worth mentioning in relation to this topic include, reforming the Electoral Commission before increasing its powers to monitor spending on digital political campaign materials and sanction violations.
On this point, it is clear that microtargeting does not brainwash people into voting a particular way but there are still real issues with the use of this technique (on top of the data-related problems). Some people say that we should not be so hung up on political microtargeting because there is no evidence that it changes the way someone votes. But, we do not know whether or not political microtargeting does or does not change the way someone votes. In regards to commercial microtargeting, research suggests that consumer behaviour is influenced when it comes to deciding what to buy. The other, more important point is that political microtargeting, from what we have seen, is not always about how to vote but whether to vote. Voter mobilisation is positive, but voter suppression is incredibly corrosive and is the antithesis to what political communication should be seeking to achieve, yet there have been instances of voter suppression through microtargeted advertisements.
Even if political microtargeting has no effect on how someone votes or whether someone votes, the associated tactics that we have witnessed have damaged the health of democratic discourse in this country and many others by driving policy pledges and debates under the radar of open debate and by sending a signal to the electorate that political parties want to know more about them to better persuade them. Trying to extract insights into people based on inferences made from available data conflicts with our sense of privacy and creates the impression that voters are being manipulated. Associated with this is the increase in misinformation and disinformation being spread online for political advantage. As the House of Lords have reported, this erodes trust in democracy.
3. The Information Commissioner’s Office (ICO) launched an investigation into the misuse of personal data in political campaigns, after the Cambridge Analytica scandal surfaced, and subsequently published a report. What key steps have been taken since, both in law and policy, to ensure transparency around the use of data by political actors and third-party groups?
There have been no laws, regulations or policies introduced in response to the evidence of misuse of data in political campaigning, which appears to implicate foreign states, corporations, political parties, campaign groups and politicians.
In its 2018 ‘Democracy Disrupted’ report, the ICO called on the government to legislate at the earliest opportunity to introduce a statutory code of practice on the use of data in political campaigns but the government have not initiated any legislation. Since then, the ICO has instead developed a framework code of practice (in draft form) on the processing of personal data for political campaigning purposes. The code simply clarifies the laws and regulations applicable to political campaigning, which is helpful because there have been several perceived loopholes or ambiguities in the application of the DPA 2018 to political campaigning (as I already described).
The absence of any legislation suggests the government welcomes self-regulation by social media platforms, at least in the meantime. Facebook has introduced some changes to “protect the integrity of elections” which includes an ad library displaying all paid-for political adverts, cracking down on the use of private digital advertisements known as dark ads, creating an account-holder verification requirement for political campaign Facebook accounts and flagging false news. But, self-regulation is not a complete answer and has been found to have very limited success. On the other hand, there are recommendations to further regulate this area through legislation and regulatory oversight. I wonder how we can have state regulation of political communication without encroaching on freedom of expression. This is something I intend to spend more time thinking about over the next few months.
4. Do you think the measures taken are sufficient? And what reforms would you recommend?
There have been calls for legislative reform from the ICO, the Electoral Commission, the House of Lords Select Committee of Democracy and Digital Technologies, the Digital, Culture, Media and Sport Committee and the All Party Parliamentary Group on Electoral Campaigning Transparency. But, despite the warnings and recommendations not a single law has been passed even though since the 2016 UK-EU referendum, when we discovered the misuse of data for political purposes, there have been two general elections and during each campaign period similar problems were reported. So, there are not any measures to really point at.
There have been plenty of recommended reforms and some of the ones worth mentioning in relation to this topic include, reforming the Electoral Commission before increasing its powers to monitor spending on digital political campaign materials and sanction violations. The ICO needs to challenge the unrestricted reliance on the democratic engagement basis to hoover up vast amounts of personal data for profiling for the purpose of microtargeting, which does not appear to be lawful nor in line with its draft code on political campaigning. There are calls for the ICO’s draft code on political campaigners’ use of personal data to be put on a statutory footing to aid this. Another recommendation from the House of Lords is for a regulatory committee on political advertising which will involve the Advertising Standards Association, the Electoral Commission, Ofcom and the UK statistics Authority. This committee will establish a code to create basic standards in political communication including restricting “fundamentally inaccurate advertising” during elections.
Social media users have to be wise to the use of microtargeting and data abuse that happens on a mass scale and scrutinise online material to establish why they are seeing a particular advertisement (for example by clicking the ‘why am I seeing this ad?’ button on Facebook) and where it’s come from.
I’m not the first, nor am I the only person to call for this but article 80(2) GDPR needs to be incorporated into the DPA 2018 at the end of this year when it comes under statutory review. This will enable collective complaints to be lodged with the ICO by organisations on behalf of groups of data subjects. This will hugely enhance the ability to scrutinise the use of data for political purposes, as well as other issues with data abuse. Finally, the Intelligence and Security Committee’s intelligence report into Russian covert actions in the UK, the so-called Russian Report, must be urgently published.
Of course, the real issue at the core of all of this, is that there is an attitude towards the electorate which is totally disrespectful where some of those seeking office will do and say almost anything to gain more votes. The lucrative data-based business models that profit from this exacerbate the problem even further. More than anything this is what needs to change or else we risk losing even more faith in the democratic process. Only a comprehensive examination of how political parties communicate with the electorate can begin to address this.
5. What measures, if any, can social media users take, to gain more control over their information?
Social media users have to be wise to the use of microtargeting and data abuse that happens on a mass scale and scrutinise online material to establish why they are seeing a particular advertisement (for example by clicking the ‘why am I seeing this ad?’ button on Facebook) and where it’s come from.
Social media users also have to be alert to the fact that when clicking on political advertisements that take the user to another webpage that requests their email address and other personal details, they may be allowing their personal data and online behaviour to be consumed and analysed. I also recommend reading information about cookies before accepting them and rejecting the tracking cookies.
Under the DPA 2018, social media users can exercise their right to object to direct marketing, the right to make a data subject access request, which allows an individual to gain a copy of the data held on them by any organisation and the right to lodge a complaint with the ICO. This is as good as it gets until additional regulations are introduced. Of course, users can choose to leave platforms or join other social media platforms.