Yesterday’s announcement that Twitter is suspending targeted political advertising from next month (and Facebook’s decision today not to follow suit) has received front page coverage in the media.
However, no-one has mentioned the fact that the GDPR/Data Protection Act 2018 (DPA2018) provides each data subject with the ability to stop such advertising. This blog explains how (in theory) data subjects can stop receiving targeted political adverts (especially those that are likely to be “Brexit bus” misleading).
Personal data that reveals political opinions fall within the class of special category of personal data defined in Article 9(1) of the GDPR. Any processing of such personal data requires an Article 6 lawful basis and a condition found in Article 9(2) of the GDPR (or in schedule 1 of the DPA2018) which overturns the prohibition on processing found in Article 9(1).
Consent and explicit consent
One combination of lawful basis and condition is “consent” and “explicit consent” where consent has all the attributes of Articles 4(11) and 7 of the GDPR (e.g. unambiguous indication of data subject’s wishes, informed, affirmative action). I expect that not many voters have given consent let alone explicit consent; however, this does not stop data subjects contacting the sender of the political message in writing (e.g. email) to withdraw consent if they receive political marketing.
What is not widely known is that the GDPR standard of “consent” is now part of the Privacy and Electronic Communications Regulations 2003 (PECR) and applies to all electronic marketing communications (e.g. political messages sent via email or SMS). This is because Regulation 8 of the Data Protection, Privacy and Electronic Communications (EU Exit) Regulations (SI 2019/419) expands the PECR definitions to include “consent” where….
…“consent” by a user or subscriber corresponds to the data subject’s consent in the GDPR (as defined in section 3(10) of the Data Protection Act 2018);” and that…
Regulation 8 … comes into force on 29th March 2019.”
So, all you need do is reply to the sender of the political marketing advert (e.g. email) that you are withdrawing consent (include the advert). Keep your own record of the advert and your message withdrawing consent just in case another advert is sent.
If you cannot identify the sender of the advert, complain to the social media platform that has been used; explain that you need to be provided the identity of the sender to exercise your data protection rights. Keep a record of this communication also. Repeat this every time you get a political marketing advert directed at you.
I would also put a free subject access request in for your personal data. It might be an “education” to see what personal data are held; it also requires the controller to respond and that response will be evidence that the right to withdraw consent (or objection) has been received.
The objective here is to have evidence of non-compliance that you can use to send to the ICO after the election on December 12. If several data subjects complain, and if each complaint is accompanied with evidence, it will assist in any investigation by the ICO.
Legitimate interest and Democratic engagement
The above does not quite work for political parties as they have an alternative to “consent” and “explicit consent”. In this case, the Article 6 lawful basis is either “legitimate interest” (A.6(1)(f)) or “democratic engagement” (A.6(1)(e)) and the condition that overcomes the prohibition on processing is described in Schedule 1, paragraph 22 of the DPA2018 which allows political parties to canvass voters. The right to object to the processing or the right to object to the processing of personal data for a marketing purpose thus applies to this processing.
However, this condition does not apply (i.e. personal data relating to your political views is prohibited from being processed) if …
“(a) an individual who is the data subject (or one of the data subjects) has given notice in writing to the controller requiring the controller not to process personal data in respect of which the individual is the data subject (and has not given notice in writing withdrawing that requirement),
(b)the notice gave the controller a reasonable period in which to stop processing such data, and
(c)that period has ended”.
This notice in writing (e.g. email) should explicitly specify the exercise of the right to object to the processing and that you expect that the controller to satisfy “promptly” and within a month (i.e. well before the date of the Election). As above consider also exercising the right of access (see four paragraphs back).
Now as most political parties have your personal data (e.g. at least by obtaining the electoral roll) you do not have to wait until they send you political adverts; you can exercise the right to object now as they hold your personal data. To assist this step, I have provided contact details for some political parties (see References below) and their privacy policies.
A problem might be that by objecting you could remove non-targeted political information sent to you in the normal post, so if you want this information, I would limit any objection to electronic political marketing messages (and see what the controller can do).
The Conservative Party (other parties likewise) state that they receive personal data “From commercial organisations with whom we have a contract guaranteeing full data protection compliance” or “On social media platforms, where you have made the information public”. These items of personal data are used in targeting.
Putting aside the knowledge that a contract guarantees GDPR compliance (!!?), you could augment your objection by referring to the obtaining of personal data from all sources other than the Electoral Roll. You could also contact the credit reference agencies (an example of the “commercial organisations”) registering your objection to any processing (e.g. disclosure) of your personal data for non-credit related purposes (e.g. for a political marketing purpose).
So, will the above work? Of course it won’t, as I suspect many controllers do not have the procedures to deal with the right to object or withdrawal of consent.
However, if there are sufficient complaints from data subjects, future electioneering is more likely to comply with these data protection rules if data subjects combine their efforts; indeed, the ICO’s draft “Code of Practice on political campaigning” might even get adopted by our political parties.
James Callaghan, UK Prime Minister in the late 1970s, once advised a new Minister that if he acted like a doormat, he should expect to be trod on.
Perhaps it is a good time for data subjects not to be doormats and proactively exercise their data protection rights during this Election.
References
Conservative Party privacy policy is on https://www.conservatives.com/privacy: objections by e-mail to [email protected].
Labour Party privacy policy is on https://labour.org.uk/privacy-policy/ ; objections by e-mail to [email protected]
Lib Dems privacy policy is on https://www.libdems.org.uk/privacy; objections by e-mail to [email protected]
Brexit Party privacy policy is on https://www.thebrexitparty.org/privacy-policy/; objections by e-mail to: [email protected]
Scottish National privacy policy is on https://www.snp.org/privacy/; objections by e-mail to [email protected]
With apologies to the Northern Ireland Parties (e.g. DUP, UUP, SF), Greens, Welsh Nationalists, Choice UK etc but I suspect they do not have the financial resources of the parties mentioned above .
ADVERT
Our popular UPDATE session is on (1 day, November 18); the Agenda is:
- Update on Brexit, adequacy and the replacement for the Privacy and Electronic Regulations (PECR). Elisabeth Stafford, DCMS, Head of Policy on EU Data Flows
- Case Law Review or Morrisons case. Rosemary Jay (Solicitor, Hunton Andrews Kurth LLP)
- Google's approach to transparency, control and grounds for processing ; William Malcolm; Legal Director of Google, Privacy
- Update on PI’s campaign against ad-tech companies and mental health websites. Eliot Bendinelli, Privacy International
- News from the FOIA/DPA interface? Sue Cullen (Director, Amberhawk)
- Guidance from the ICO/EDPB checklist and related commetns. Dr. C. N. M. Pounder (Director, Amberhawk).
- News Roundup: Recent enforcement and audit reports. Dr. C. N. M. Pounder (Director, Amberhawk)
Venue for the Update is in Central London (near Chancery Lane Tube); £260+VAT for the day, booking arrangements from http://www.amberhawk.com/bookevents.asp or by emailing [email protected]