
Data audit of UK political parties finds laundry list of failings

Natasha Lomas
Senior Reporter, TechCrunch
November 11, 2020

A recent assessment of UK political parties’ handling of voter data has confirmed widespread non-compliance with data protection regulations across all parties – with organizations not adequately informing voters about the unseen methods of profiling and targeting employed by their digital campaign operations.

The Information Commissioner’s Office (ICO) cautioned today that, “Political organizations are justified in maintaining personal data for millions of individuals to support their campaigning efforts. However, advancements in data analytics and social media utilization by political parties mean that a significant number of voters are unaware of how their information is being utilized.”

The report continues, stating, “It is essential that all political parties demonstrate clarity and transparency regarding the use of personal data, alongside improvements in governance and accountability.”

“Political parties have consistently sought to leverage data to gain insights into voter interests and concerns, and to communicate relevant policies to specific demographics. Current technology enables this on a considerably more detailed scale. This development can be beneficial, as engaging individuals with topics they find interesting can lead to increased voter participation. However, such engagement must adhere to legal standards, particularly when there are potential risks to privacy – such as covert profiling, the use of sensitive data classifications, and unwelcome, intrusive marketing. The potential threat to democratic processes if elections are influenced by unfair or unclear digital targeting is substantial, and necessitates our continued attention in this area.”

Although the regulator has identified risks to democratic confidence and participation, it has decided against immediate enforcement measures.

Instead, a series of recommendations – with nearly one-third categorized as ‘urgent’ – have been issued, accompanied by a commitment to conduct a further review later in the year, with the possibility of future action if sufficient improvements are not observed. 

“If subsequent reviews reveal that parties have not taken adequate steps to ensure compliance, we retain the authority to pursue further regulatory action in accordance with our Regulatory Action Policy,” the report states, also acknowledging the “positive” engagement from parties regarding these concerns. 

The ICO also announced plans to revise its current guidance on political campaigning later this year, noting that the updated guidance will also be relevant to (non-political) campaigners, advocacy groups, data brokers, and data analytics firms.

Previously, the ICO released guidance for the direct marketing data broking industry following the Cambridge Analytica Facebook data misuse incident.

From Cambridge Analytica to ‘must do better’

The investigation into UK political parties’ data practices was initiated by the ICO following the Cambridge Analytica incident, which brought significant attention to the influence of social media and large datasets in modern political campaigns.

A previous ICO report, released in July 2018, urged a ‘pause for ethical consideration’ regarding the application of microtargeting tools in political advertising – cautioning that a deficiency in transparency surrounding data-driven targeting methods could erode public confidence in the democratic process.

However, the use of social media targeting did not diminish before or during the 2019 UK general election; among the concerns raised was the Conservative Party’s use of Facebook advertisements to gather voter information.

The ICO report deliberately avoids singling out individual parties for criticism, instead presenting ‘consolidated’ insights derived from its thorough examination of the data handling practices of the Conservative Party, the Labour Party, the Liberal Democrats, the Scottish National Party (SNP), the Democratic Unionist Party (DUP), Plaid Cymru, and the United Kingdom Independence Party (UKIP).

The regulator is not issuing strict directives, however.

The ICO phrases its recommendations as actions “that must be taken by the parties,” a deliberately understated construction intended to avoid causing friction with any political organization. (Especially those currently holding office.) Consequently, it is adopting a cautious ‘recommend and review’ strategy to address parties’ questionable data management practices.

Key findings indicate that political parties’ privacy policies do not consistently meet the necessary standards of openness and clarity; they do not always possess a valid legal justification for the data they process, and when relying on consent, may not be securing it lawfully; they are not fully transparent about how they integrate data to create voter profiles, nor are they conducting sufficient verification of data providers to ensure legal data acquisition; they are failing to establish robust contractual safeguards when utilizing social media platforms for voter targeting; and they are not adequately maintaining their data protection responsibilities to demonstrate accountability.

This represents a substantial list of data protection deficiencies.

The ICO’s recommendations to political parties are remarkably fundamental, outlining the need to:

  • Perform an information audit or data-mapping exercise to identify the personal data they possess and its location;
  • Undertake a comprehensive review to determine the purpose of their data usage, with whom it is shared, and its retention period, through the distribution of questionnaires, direct engagement with key departments, and examination of policies, procedures, contracts, and agreements;
  • Document their findings in a thorough and meaningful written record.

Consider this a moment to reflect on the potential complexities inherent in those directives.

“We acknowledge that achieving comprehensive transparency with the UK adult population presents challenges,” the ICO observes in a section of the report addressing transparency requirements, adding that its previous report advocated for “broader, collaborative efforts to enhance awareness of how data is utilized in campaigning.”

The ICO further states that it will continue to collaborate with the Electoral Commission on this matter.

The report quantifies the rapid expansion of digital advertising in UK political campaigning, citing Electoral Commission data showing that 42.8% of campaign advertising expenditure was allocated to digital channels in 2017, compared to only 1.7% in 2014.

Therefore, the use of social media platforms – which the report confirms were utilized by all parties for political campaigning – is directly linked to the concerning lack of transparency identified by the regulator.

“Social media platforms were employed by all parties to connect with individuals who share their values. The majority of this activity occurred on Facebook – including its Instagram platform – and Twitter. When political parties utilized audience selection tools, we had reservations regarding the lack of transparency associated with this practice,” the ICO states. “Privacy information did not clearly indicate that voters’ personal data collected or processed by the party would be profiled and used to deliver targeted marketing messages via social media platforms.”

“A central recommendation stemming from our audits is that parties must inform individuals and be transparent about this processing, ensuring voters fully understand how their personal data will be used to comply with Article 13(1)(e) of the GDPR. For instance, parties should inform voters that their email addresses will be used to identify them on social media for the purpose of displaying political content.”

“Thorough due diligence should be conducted before any campaign commences, enabling parties to confirm that the social media company has: appropriate privacy information and tools in place; and that the data processing they will perform on the party’s behalf is lawful, transparent, and respects individuals’ data protection rights,” it adds.

The report also emphasizes the importance of political parties fully understanding the legal ramifications of employing specific data-driven ad-targeting platforms and tools – before uploading individuals’ data to platforms like Facebook or Twitter – to ensure they can fulfill their obligations.

Specifically:

The ICO describes the data protection implications of joint controller arrangements as “complex” in the report, adding: “We recognize that resolving these issues may require additional time and further guidance for all parties involved.”

“Since our audits, we understand that some adjustments have been made by social media companies within their updated terms and conditions of service for digital advertising,” it further notes. 

The report also briefly mentions the ongoing regulatory scrutiny of Facebook’s advertising platform in Ireland under EU law – focusing on concerns that the use of Facebook’s ‘lookalike audiences’ for voter targeting may not align with the bloc’s GDPR framework. The Information Commissioner, Elizabeth Denham, has previously suggested that the technology company may need to revise its business model to maintain user trust. However, Ireland’s data protection authority has not yet issued any GDPR rulings concerning Facebook’s operations.

“Within the broader landscape, the ICO also acknowledges that other issues related to the use of personal data in the political sphere remain to be addressed,” the regulator now writes. “These include some of the concerns outlined in the report submitted to the Irish Data Protection Commission (IDPC), the lead authority under GDPR, regarding targeted advertising on Facebook and other platforms, including scenarios where the platform could be used in political contexts. The ICO will continue to engage with technology platforms to assess whether any further measures are necessary to address the issues raised in our Democracy Disrupted report. This will be relevant to parties’ use of social media platforms in future elections.”
