U.K. political parties should have to follow a statutory Code of Practice under the country’s data privacy law if they use personal data in political campaigns, the country’s information commissioner has urged in a report this week.
The tough recommendation stands in contrast with the Trudeau government’s proposed Election Modernization Act (Bill C-76), which if passed in its current form would only oblige federal parties here to have an easily understandable policy explaining what personal information they collect, how it is used and how it is protected.
Bill C-76 is now being studied by the House of Commons committee on procedure.
The proposed U.K. Code of Practice for political parties would come under that country’s just updated Data Protection Act. In fact Britain’s privacy law has applied to political parties since 1998. In essence, that’s what Canadian information commission Daniel Therrien called for here after Bill C-76 was released, because federal privacy law doesn’t apply to Canadian federal parties. Bill C-76 wouldn’t change that. Instead it leaves political parties to define the standards they want to apply. Only British Columbia forces political parties to apply all generally applicable privacy principles.
In his testimony last month before the Commons procedure committee Therrien noted Bill C-76 doesn’t require federal parties here to
- seek consent from individuals,
- limit collection of personal information to what is required,
- limit disclosure of information to others,
- provide individuals access to their personal information
- be subject to independent privacy oversight.
Parliament has a choice of where the privacy rules political parties here should follow have to be set down, Therrien said. He suggests they could be installed in the Personal Information Protection and Electronic Documents Act (PIPEDA), but the Elections Act or another piece of legislation will do.
“What matters are that internationally recognized privacy principles (not policies defined by parties) be included in domestic law and that an independent third party, potentially my Office as we have expertise, have the authority to verify compliance,” Therrien said.
Last month the House of Commons ethics committee recommended the government subject federal political activities to laws that protect Canadians’ privacy. It was one of a number of recommendations to address potential threats to democracy.
A U.K. Code of Practice would apply not only to political parties there but also to online platforms, analytics organizations and others engaged with the election-related processes.
The international debate on how political parties should be able to use personal data in campaigns has sharpened after the U.S. issued an  indictment alleging Russia attempted to interfere in the 2016 U.S. election, and the U.K. and Canada started ongoing investigations into the use of data analytics in political campaigns stemming from allegations that Britain’s Cambridge Analytica and Victoria, B.C’s Aggregate IQ were behind the creation of an app that allegedly improperly harvested the data of 87 million Facebook users across the world. It is alleged that some of that data may have been misused during the 2016 Brexit referendum in Britain and to target voters during the 2016 American Presidential election.
In a separate progress report on that investigation the U.K. information commissioner issued Facebook with a notice of intent of a £500,000 fine for lack of transparency and security issues relating to the harvesting of data. It also ordered Aggregate IQ to stop processing any data on UK citizens it has.
The U.K. information commissioner (who is former B.C. privacy commissioner Elizabeth Denham) said in her report that “to retain the trust and confidence of electorates and the integrity of the elections themselves, all of the organizations involved in political campaigning must use personal information and these techniques in ways that are transparent, understood by people and lawful.”
“A significant finding of the ICO (information commissioner’s office) investigation is the conclusion that Facebook has not been sufficiently transparent to enable users to understand how and why they might be targeted by a political party or campaign. Whilst these concerns about Facebook’s advertising model exist generally in relation to its commercial use, they are heightened when these tools are used for political campaigning. Facebook’s use of relevant interest categories for targeted advertising and it’s Partner Categories Service are also cause for concern. Although the service has ceased in the EU, the ICO will be looking into both of these areas, and in the case of partner categories, commencing a new, broader investigation.”
Among Denham’s recommendations is that U.K. political parties apply due diligence when sourcing personal information from third party organizations, including data brokers, to ensure the appropriate consent has been obtained. Here in Canada commissioner Therrien has opened an investigation into the data collection practices of six of the country’s largest data brokers. Denham is doing the same.
Elections around the world are becoming increasingly ‘datified’, Denham wrote, with advertising and marketing techniques being offered by a network of private contractors and data analysts, offering cutting-edge methods for audience segmentation and targeting to political parties all over the
world. “This is attractive to political parties and campaigns as it enables them to target individual voters with messages in keeping with their particular interests and values.”
On the other hand, she added, voters may not understand why they are receiving particular messages, or the provenance of the messages. “It is therefore essential that political parties and campaigns operate from a level playing field when accessing the electorate, and that voters have access to the full spectrum of political messaging and information and understand who the authors of the messages are. The rules that apply offline should apply online.”
After questioning most U.K. political parties Denham found that the privacy notices provided by political parties on their websites and apps and in emails did not explain the full extent of data gathered from voters and how it would be used. “The privacy notices were often aimed at supporters rather than all voters, and were often inaccessible and hard to find on websites.”
