In a finding that should surprise no one, an audit of how UK political parties are handling voter information has surfaced a damning lack of compliance with data protection rules across the political spectrum -- with parties failing to come clean with voters about how individuals are being invisibly profiled and targeted by parties' digital campaigning machines.
"Political parties may legitimately hold personal data belonging to millions of people to help them campaign effectively. But developments in the use of data analytics and social media by political parties mean that many voters are unaware of how their data is being used," the Information Commissioner's Office (ICO) warned today.
"All political parties must be clear and transparent with people about how their personal data is used and there should be improved governance and accountability," it goes on to say in the report.
"Political parties have always wanted to use data to understand voters’ interests and priorities, and respond by explaining the right policies to the right people. Technology now makes that possible on a much more granular level. This can be positive: engaging people on topics that interest them contributes to greater turnout at elections. But engagement must be lawful, especially where there are risks of significant privacy intrusion – for instance around invisible profiling activities, use of sensitive categories of data and unwanted and intrusive marketing. The risk to democracy if elections are driven by unfair or opaque digital targeting is too great for us to shift our focus from this area."
Despite flagging risks to democratic trust and engagement the regulator has chosen not to take enforcement action.
Instead it has issued a series of recommendations -- almost a third of which are rated 'urgent' -- saying it will carry out a further review later this year and could still take action if enough progress isn't made.
"Should our follow-up reviews indicate parties have failed to take appropriate steps to comply, we reserve the right to take further regulatory action in line with our Regulatory Action Policy," it notes in the report which also includes warm words for how "positively" parties have engaged with it on the issues.
The ICO also says it will update its existing guidance on political campaigning later this year -- which it notes will have wider relevance for (non-political) campaigners, pressure groups, data brokers and data analytic companies.
It has previously put out guidance for the direct marketing data broking sector as part of its follow up to the Cambridge Analytica Facebook data misuse scandal.
From Cambridge Analytica to 'must do better'
The data audit of UK political parties was instigated by the ICO after the Cambridge Analytica scandal drew global attention to the role of social media and big data in digital campaigning.
In an earlier report on the topic, in July 2018, the ICO called for an 'ethical pause' around the use of microtargeting ad tools for political campaigning -- warning there's a risk of trust in democracy being undermined by a lack of transparency around the data-fuelled targeting techniques being applied to voters.
But there was no let up in the use of social media targeting before or during the 2019 UK general election, when concerns about how Boris Johnson's Conservative Party was using Facebook ads to harvest voter data were among the issues raised.
The ICO report is determined to spare parties' individual blushes, however -- it's only summarized 'aggregated' learnings from its deep dive into wtaf the Conservative Party; the Labour Party; the Liberal Democrats; the Scottish National Party (SNP); the Democratic Unionist Party (DUP); Plaid Cymru; and United Kingdom Independence Party (UKIP) are doing with people's data.
Nor is the regulator handing out the marching orders, exactly.
"We recommended the following actions must be taken by the parties", is the ICO's preferred oxymoronic construction as it seeks to avoid putting any political noses out of joint. (Not least those belonging to people in government.) So it's opting for a softly, softly 'recommend and review' approach to trying to clean up parties' dubious data habits
Among its key findings are that political parties' privacy notices are falling short of required levels of transparency and clarity; don't have appropriate lawful bases for the data they're processing in all cases, and where they're claiming consent may not be obtaining this legally; aren't being up front about how they're combining data to profile voters, nor are they carrying out enough checks on data suppliers to ensure those third parties have legally obtained people's data; aren't putting proper contractual controls in place when using social media platforms to target voters; and are not staying on top of their obligations so as to be in a position to demonstrate accountability.
So quite the laundry list of data protection failings.
The ICO's recommendations to political parties are also hilariously basic -- saying they must:
undertake an information audit or data-mapping exercise to help find out what personal data they hold and where it is;
conduct a review to find out why they are using personal data, who they share it with and how long it is kept, by distributing questionnaires to relevant areas, meeting directly with key business functions and reviewing policies, procedures, contracts and agreements;
document their findings in writing, in a detailed and meaningful way.
Insert your own face-palm emoji as you imagine the chaotic evil underlying those bullet points.
"We recognise that achieving effective transparency to the UK adult population is challenging," the ICO notes in a section of the report on transparency requirements, adding that its earlier report recommended "wider, joined-up approaches should be also taken to raising awareness of how data is used in campaigning".
It adds that it will continue to work with the Electoral Commission on this recommendation.
The explosive growth of digital ads for UK political campaigning is quantified by a line in the report citing Electoral Commission data showing 42.8% of advertising spending by campaigners was on digital advertising in 2017, compared to just 1.7% in 2014.
So the use of social media platforms -- which the report notes were used by all parties for political campaigning -- is chain-linked to the troubling lack of transparency being called out by the regulator.
"Social media was used by all parties to promote their work to people who may be interested in their values. The majority was delivered via Facebook -- including their Instagram platform -- and Twitter. Where political parties were using audience choice tools, we had concerns with the lack of transparency of this practice," the ICO writes. "Privacy information did not make it clear that personal data of voters collected or processed by the party would then be profiled and used to target marketing to them via social media platforms.
"A key recommendation made following our audits was that parties must inform individuals and be transparent about this processing, so that voters fully understand their personal data will be used in this way to comply with Article 13(1)(e) of the GDPR. For example, parties should tell voters that their email addresses will be used to match them on social media for the purposes of showing them political messaging."
"Due diligence should be undertaken before any campaign begins so that parties can assure themselves that the social media company has: appropriate privacy information and tools in place; and the data processing they will be doing on the party’s behalf is lawful and transparent, and upholds the rights of individuals under data protection law," it adds.
The report also discusses the need for political parties to fully understand the legal implications of using specific data-fuelled ad-targeting platforms/tools (i.e. before they rush in and upload people's data to Facebook/Twitter) -- so they can properly fulfil their obligations.
When parties look to use a platform’s targeting tools, both the party and the platform itself should clearly identify the circumstances where joint controllership exists and put measures in place to fulfil those obligations. They must assess this on a case-by-case basis, irrespective of the content of any controller or processor arrangement. Joint controllership may exist in practice, if the platform exercises a significant degree of control over the tools and techniques they use to target individual users of their service with political messages on behalf of the party.
Article 26 of the GDPR specifies the requirements for joint controller situations. Parties should agree and fully understand who is responsible for what. This means they must work with any social media platform they use to make sure there are no gaps in compliance, and ensure they have appropriate contracts or agreements in place. They should also undertake in-life contract monitoring to ensure that the platforms are adhering to these contracts.
In the report, the ICO describes the data protection implications involved in joint controller situations as "complex", adding: "We recognise that the solutions to the issues... may take more time to resolve and will require more guidance for all the actors involved."
"Since our audits, we understand that some steps have been taken by social media companies within their revised terms and conditions of service for digital advertising," it adds.
The report also includes a passing nod to regulatory scrutiny of Facebook's ad platform in Ireland under EU law -- focused on concerns that the use of Facebook's ‘lookalike audiences’ for targeting voters may not comply with the bloc's GDPR framework. Information commissioner, Elizabeth Denham, has previously suggested the tech giant will have to change its business model to maintain user trust. But Ireland's data protection agency has not yet issued any GDPR decisions related to Facebook's business.
"In the wider ecosystem, the ICO also recognises that there are still other matters that need to be addressed about the use of personal data in the political context," the regulator writes now. "These include some of the issues set out in the report it made to the Irish Data Protection Commission (IDPC), as the lead authority under GDPR, about targeted advertising on Facebook and other issuing [sp] including where the platform could be used in political contexts. The ICO will continue to liaise with the technology platforms to consider what, if any, further steps might be required to address the issues raised by our Democracy Disrupted report. This will be of relevance to the parties’ use of social media platforms in future elections."