Following its investigation into the Facebook-Cambridge Analytica scandal, and just eight months ahead of the European Parliament elections, MEPs worried about malicious interference via Facebook plan to issue a series of recommendations.
The motion is likely to be debated and presented in LIBE, the Parliament’s civil liberties committee, on Sept. 27, with a deadline for amendments the following day and a vote in LIBE on Oct. 10.
A leaked draft of the suggestions from the committee includes the recommendation that “all online platforms distinguish political uses of their online advertising products from their commercial uses.”
The draft motion's text says that “profiling for political and electoral purposes ... should be prohibited,” and social media platforms should monitor and actively inform authorities if such behavior occurs. The text continues that the Digital Age requires an update of electoral laws and suggests national authorities introduce an “obligatory system of electronic fingerprinting for electronic campaigning and advertising.”
“Any form of political advertising should include easily accessible and understandable information on the publishing organization and who is legally responsible for spending, so that it is clear who sponsored campaigns, similar to existing requirements for printed campaign materials currently in place in various member states,” continues the proposal.
It also recommends that after a referendum or election, third-party audits should be carried out to ensure “personal data held by the campaign is deleted, or if it has been shared, that the appropriate consent has been obtained.”
European Data Protection Supervisor Giovanni Buttarelli told The Privacy Advisor that the motion, alongside last week's "election package" proposed by the European Commission, "demonstrates that unaccountable data practices like tracking and profiling on a massive scale have become a threat not just to fairness in the commercial space, but also a threat to core EU values of dignity and democracy.
“It highlights the need for DPAs with other bodies, like election monitors, audiovisual media regulators and others, including antitrust and consumer agencies, to cooperate and ensure they are joined up to prevent malpractice not only during the 2019 European Parliament elections, but also the parliamentary or presidential elections in 12 of the EU’s member states,” he continued, adding that the EDPS will organize a workshop on the issue, bringing together different regulators in early 2019.
Privacy International's head of advocacy and policy team, Tomaso Falchetta, said it, too, approves of the motion.
“In the U.K., the adoption of the U.K. Data Protection Act, which aims to operationalize the GDPR, fails to address the risks of profiling by political parties. In fact the law introduces exemptions for processing personal data by political parties," Falchetta said.
He added, "Profiling can result in being able to infer sensitive data about people from non-sensitive data, such as political opinions or philosophical beliefs. This can impact significantly on citizens being able to exercise their right to vote, a position recently reflected in the guidance by the European Commission. PI therefore supports the recommendation in the resolution that such activities should be prohibited, at least until stricter regulation and monitoring are in place."
The draft of the motion also calls on data protection authorities to undertake a thorough investigation of Facebook and urges Facebook, Twitter, Google, LinkedIn and similar platforms to allow ENISA and the European Data Protection Board to carry out a full and independent audit of their platforms investigating data protection and security of user personal data.
MEPs also take the view “that data protection authorities should have the same, if not more technical expert knowledge as those organisations under scrutiny,” and suggested this could be funded by introducing a levy on the sector concerned.
The data obtained by Cambridge Analytica from Facebook was allegedly for research purposes. But the draft motion's text stressed that “the research argument exemption in data protection law can never be used as a loophole for data misuse.”
The U.S. Federal Trade Commission is currently investigating whether Facebook failed to honor its privacy promises in compliance with Privacy Shield. But given that such a major breach occurred despite registration to the framework, the Parliament text “considers that the revelations clearly show that the Privacy Shield mechanism does not provide adequate protection of the right to data protection.”
In response, Lukasz Olejnik, cybersecurity and privacy researcher and advisor, said: “Calling the U.S. to act within the well intended meaning of Privacy Shield is potentially explosive. On this level and in this respect, does the European Parliament intend to suggest a possible interference via a U.S. company in European elections? That would be a paradox.”
But S&D group leader, MEP Udo Bullmann, disagrees with that sentiment. “It is now almost six months since the revelation that 50 million Facebook profiles had been harvested by Cambridge Analytica to be used for political purposes. Despite Mark Zuckerberg’s promises that Facebook is doing everything in its power to ensure this can never happen again, we still have not seen enough real action to protect our citizens and our democracies,” he said.
“We urge Facebook to outline how exactly they are going to act to ensure that there is no attempt to manipulate the European elections next year and how they are acting to stop the spread of fake accounts,” he continued.
But with figures from the Electoral Commission of the U.K. showing that British political parties spent £3.2 million on direct Facebook advertising during the 2017 general election, he's asking them to walk away from a lot of money.
“National governments must adopt the ePrivacy regulation as soon as possible,” continued Bullmann. “The right to privacy of communication is a fundamental right, and our current laws are not adequate for the way we communicate in the digital age. The European Parliament backed strong new proposals earlier this year, and we now urge national governments to do the same. We have only eight months until the European elections. If we are going to ensure that they can truly be called free and fair then we need to take action now.”
Buttarelli, the EDPS, also wants to see ePrivacy signed as soon as possible: “Perhaps the biggest gesture from the EU to safeguard democracy in the digital era is to complete the reform of the privacy and data protection framework and finalize the reform of ePrivacy rules, essential for giving people more control over their private online communications,” he said.
However “both ePrivacy and the GDPR contain provisions exempting political activity,” explained Olejnik. “Furthermore, in many countries, national or presidential elections aren’t even bound by data protection rules at all. To be effective, such regulations would need to apply to all election types. But it is unclear whether countries would be open on harmonizing this sphere in the name of protection from foreign interference or unethical domestic activity.
“Keep in mind that the Bulgarian Council presidency tabled a provision exempting political activity in the ePrivacy [Regulation] at the very beginning of the Cambridge Analytica scandal, which was an impressive timing indeed. In this light, the justified and right call to renew the work on ePrivacy looks bleak,” he added.
MEPs were disappointed with Facebook for not sending the requested speakers to a series of hearings over the summer on June 4, 25 and July 2, and this is mentioned more than once in the draft text. The hearings were a follow-up to the May 22 meeting between Facebook Founder and CEO Mark Zuckerberg, Parliament President Antonio Tajani, political group leaders and the chair of the LIBE Committee, Claude Moraes.
“The information provided by Facebook representatives during the hearings lacked precision on the concrete and specific measures taken to ensure full compliance with EU data protection law and was rather of general nature,” complains the text.