If you’re political, GDPR fines aren’t the only sanctions you need to worry about. New rules mean European political parties and foundations can be penalized up to 5 percent of their annual budget for “deliberately influencing, or attempting to influence, the outcome of elections by taking advantage of breaches of data protection rules.”

On March 19, the European Union adopted new rules to “prevent misuse of personal data by European political parties.” The move comes ahead of the European Parliament elections, which will take place across the continent in May 2019.

Following the Cambridge Analytica scandal and mounting concerns over the misuse of personal information for micro-targeting in the Brexit referendum in the U.K., politicians at all levels have become increasingly worried that abuses could take place during the so-called EP2019 campaigning.

The current EU law on the funding of European political parties and foundations dates from a 2014 regulation, but the new additions mean that not only will organizations face a fine for taking advantage of data breaches, but they will also lose funding from the EU budget the following year. In 2018, 10 European political parties and 10 European political foundations received funding from the EU budget.

An independent committee, already established under the 2014 law, will carry out a “verification procedure” to determine whether a breach of the EU General Data Protection Regulation is linked to political activities in the context of European Parliament elections.

According to the European Data Protection Board, “Political parties, political coalitions and candidates increasingly rely on personal data and sophisticated profiling techniques to monitor and target voters and opinion leaders. In practice, individuals receive highly personalized messages and information, especially on social media platforms, on the basis of personal interests, lifestyle habits and values. Predictive tools are used to classify or profile people’s personality traits, characteristics, mood and other points of leverage to a large extent, allowing assumptions to be made about deep personality traits, including political views and other special categories of data. The extension of such data processing techniques to political purposes poses serious risks, not only to the rights to privacy and to data protection, but also to trust in the integrity of the democratic process. The Cambridge Analytica revelations illustrated how a potential infringement of the right to protection of personal data could affect other fundamental rights, such as freedom of expression and freedom to hold opinions and the possibility to think freely without manipulation.”

The EDPB also warned that social media platforms, interest groups, data brokers, analytics companies and ad networks all play a role and reminded controllers that personal data that has been made public, “even if they are not data revealing political opinions, are still subject to, and protected, by EU data protection law and using personal data collected through social media cannot be undertaken without complying with the obligations concerning transparency, purpose specification and lawfulness.” 

European Parliament Civil Liberties, Justice and Home Affairs Committee Chair Claude Moraes said, "These new rules are an important step in the right direction and will introduce financial sanctions on European political parties that deliberately infringe data protection laws or attempt to influence European elections. They respond to some of the proposals in the European Parliament's resolution on the Facebook and Cambridge Analytica scandal, adopted in October last year, which called for a full audit of the company and new measures to prevent the interference in elections."

He added that the resolution also set out further steps that should be taken, "including greater accountability and transparency on algorithmic-processed data by any actor, be it private or public, to prevent the risk of secret profiling and discrimination and resolve the questions surrounding the role of social media in interference in our elections."

"We also need to move forward with the e-Privacy Regulation, which remains blocked in Council and which is much needed to protect the privacy of communications data, building on the protections of the GDPR for personal data," he said. "Progress is being made, but more action is needed to fully protect citizens’ privacy and restore trust and confidence in our democratic systems."

Castlebridge Associates Managing Director Daragh O’Brien, who has direct experience as the data protection officer of campaigns in Ireland, told The Privacy Advisor, “The introduction of sanctions is to be welcomed given the broad scope of carve-outs for 'electoral activities' in a number of member states’ implementations of the GDPR and the historically lax attitudes and approaches to data protection by political parties that we can see in many member states. The potential for significant sanctions over and above GDPR enforcement sanctions should make political parties sit up and take notice ahead of the May elections.”

But how sure are political parties of their compliance with the GDPR?

“My experience as the data protection officer for [Irish President] Michael D. Higgins’ campaign is that there will be a range of levels of compliance and understanding,” O’Brien said. “The focus of the legislation on political parties is welcome, but the challenge will be proving that a particular party has benefited from unlawful acts of a lobby group or a self-organizing campaign/canvassing group. The current practice of filing a complaint and the data protection authority getting back to you in two years won’t cut it."

He added that the Irish presidential election was the first election in the EU held under the GDPR and compliance "was a challenge" given the potential complexity of controller/processor and joint controller relationships between registered political parties and other non-affiliated political or campaign groups.

"We had huge challenges in getting people to understand what the GDPR rules meant," O'Brien said. "In fact, only one campaign was even close to being compliant. At a simple level, a political campaign by definition must have a nominated DPO."

He predicted that independent candidates, in particular, will face a challenge. “The new rules have been brought in at the last possible minute. Campaigning will start in two weeks; campaign managers will have already collected their data and have plans in place.”

Future of Privacy Forum Policy Counsel Gabriela Zanfir-Fortuna told The Privacy Advisor she was also cautiously optimistic about the new rules.

"In principle, measures that support fair elections are more than welcome so that there is no way the Cambridge Analytica situation in the Brexit campaign will happen again. However, I am always skeptical about fragmenting data protection law," she said. "The GDPR is very well equipped to deal with any processing of personal data, including processing for political campaigns. I don't think we want to find ourselves in a piecemeal data protection framework because we know that this model doesn't effectively work.”

Like O’Brien, she too flagged the issue of enforcement.

“We already have strong, independent, newly empowered data protection authorities, both at the national level and EU level, if we take into account both the European Data Protection Supervisor and the [EDPB]. I wonder whether empowering a new authority with enforcing data protection related rules, which is not specialized in data protection, is a good solution,” she said.

In tandem with the new rules for political groups, the European Commission is also monitoring social media’s handling of electoral campaigning, demanding increased transparency from Facebook, Google and Twitter in the form of mandatory monthly reports.