Opinion on political parties' use of social media before parliamentary elections – Guidance and proposals

Opinion

On 5 March 2020, the Icelandic Data Protection Authority (DPA) approved the following Opinion in case No. 2020010116 (previously 2017111555):

 

I.

Introduction

This Opinion is the conclusion of the DPA's investigation of how political parties used social media, before the parliamentary elections in October 2016 and October 2017, for the purpose of defining target groups and directing marketing at them. The investigation was conducted in two phases; first an investigation of how personal data of members of the political parties were processed and then the data of the general electorate, after a decision had been made to expand the review. Correspondence on the former is described in Part II below and correspondence on the latter in Part III. A discussion on a Facebook reminder button is in Part IV. A description of the DPA's conclusions is in Part V. Finally, concluding comments are in Part VI.

1.

The aim of the Opinion

The last few years have seen the development of political parties using social media to target messages at voters in the run-up to elections. This is a new way of processing personal data and it is important that guidelines are formed to ensure transparency in respect of the data subject and sufficient protection of the data. The main aim of this Opinion is to provide guidelines and make proposals, taking into account the information available on how political parties in this country have conducted this processing to date. The guidelines are provided in view of the current legislation on personal data protection, i.e. Act No. 90/2018 on Data Protection and the Processing of Personal Data and Regulation (EU) 2016/679, but the Opinion also contains conclusions on whether the processing in question was compatible with provisions of the previous Act No. 77/2000 on the Protection of Privacy as regards the Processing of Personal Data.

II.

First part of the DPA's investigation

1.

Origin of the case

At the end of October 2017, it was reported in the Icelandic media that political parties, contesting the parliamentary elections that month, were increasingly advertising their candidacy and candidates on social media and that there were instances where they had shared personal data with social media platforms in order to target their marketing at certain groups of individuals.

With reference to this news, the DPA decided to begin an investigation of political parties' use of social media in the run-up to the parliamentary elections in October 2017. Political parties were notified by letter, dated 2 November 2017, that the DPA had begun this investigation. The parties were invited to comment, in addition to the DPA requesting information on the following:

1. Whether personal data, such as lists of e-mail addresses or member registers, had been shared with social media platforms.

2. Whether data subjects had been informed of the processing, according to Article 20 of the then in force Act No. 77/2000 on The Protection of Privacy as regards the Processing of Personal Data, and what information had been shared with them.

3. How the marketing had complied with Article 28 of Act No. 77/2000.

Later, it was decided that the investigation should be limited to the eight political parties that currently have a representative in Parliament, i.e. Flokkur fólksins, Framsóknarflokkur, Miðflokkur, Píratar, Samfylking, Sjálfstæðisflokkur, Viðreisn and Vinstrihreyfing - grænt framboð. 

2. 

The political parties' response

Flokkur fólksins, Miðflokkur, Píratar, Samfylking, Viðreisn and Vinstrihreyfing - grænt framboð  all responded that the parties had not shared personal data with social media platforms. Their responses indicated that they believed questions 2 and 3 did not apply to them or applied only indirectly. Respecting these responses, the DPA decided to close the case with regard to the above six political parties. The DPA notified five of them of that decision by letter dated 11 May 2018 and the sixth, Flokkur fólksins, by letter dated 30 July of the same year. 

A response from Sjálfstæðisflokkur was received by letter dated 16 November 2017 and from Framsóknarflokkur by e-mail on 15 January 2018. The parties' responses, which vary in terms of detail, are substantially as follows:

1. Framsóknarflokkur

The response from Framsóknarflokkur states that the party made an agreement with the company Sahara ehf. for services relating to the party's Facebook page. Video promotion was a necessary part of election work and the party encouraged members and supporters to share videos and thereby increase their distribution. For the purposes of increasing the distribution of two videos, over 520 party member e-mail addresses were “taken out of the member register” in the final stages of the campaign. The e-mail addresses were sent to Sahara ehf. to ensure maximum distribution of the videos. It states that when joining the party, members declare their e-mail address and phone number. It also states that there is a long tradition for this in political work.

The DPA sent the party a letter, dated 17 July 2018, and requested further information. The questions to which answers were requested were as follows:

1. Whether Framsóknarflokkur had shared any personal data, other than e-mail addresses, with Sahara ehf. in the run-up to the parliamentary elections in 2017.

2. Whether Framsóknarflokkur had made a processing contract with Sahara ehf. according to Article 13 of Act No. 77/2000, cf. now Article 25 of Act No. 90/2018.

3. Whether Sahara ehf. had shared the e-mail addresses it received from Framsóknarflokkur with social media platforms.

The party's response, dated 16 September that same year, states that no personal data had been shared with Sahara ehf., other than e-mail addresses from the member register, in the run-up to the parliamentary elections in 2017. It also states that, according to Sahara ehf., the e-mail addresses were imported to Facebook and used in the party's advertising account. No processing contract was made with Sahara ehf. according to Article 13 of Act No. 77/2000 on The Protection of Privacy as regards the Processing of Personal Data. 

2. Sjálfstæðisflokkur

The response from Sjálfstæðisflokkur states that the party did not share personal data, neither lists of e-mail addresses, members register nor any other identifiable data with social media platforms. However, the party had used Facebook in the election campaign to share information with its members, such as the opening hours of polling stations, policies and constituency meetings where party members had the opportunity to talk to candidates and ask questions. According to the party's response, it must be assumed that political parties are authorised to communicate with their members. Political parties have at any given time had to adapt to changing technologies and patterns of communication in order to perform their democratic duty. This applies to sending messages to members through social media platforms. The party sought ways to respond to its members' demand that social media be better utilised for communication, especially Facebook. However, the party had not wanted to share its members register with such platforms in an identifiable format . Notifications were shared with members through Facebook but only with those who had agreed to receive such notifications and advertisements, in accordance with Facebook's terms.

On the arrangement for sharing information about members of Sjálfstæðisflokkur, the letter states that Facebook offers a method intended to ensure that only registered users of Facebook, and who have agreed to its terms, including consent to receiving notifications and advertisements, are contacted. Only information users have themselves shared on Facebook are processed. Facebook therefore, in this instance, collected no further information on individuals on the party's members register, which was used for this purpose.

Data from the party's member register was run, by the party, through what is known as a hash function before it was shared. The hash function, which is a one-way encryption process, generated a short code for each member, not containing any of the original data. It is not possible to decrypt the data and the codes are therefore not identifiable. Each code was then compared to similar codes of Facebook users who had agreed to the social media platform's terms, e.g. that notifications and messages could be targeted at them. With this comparison, a list was created with Facebook of registered Facebook users who would receive relevant notifications from Sjálfstæðisflokkur. The party therefore did not share any identifiable personal data with Facebook about the users in question but only confirmed that some of the data, which relevant individuals had shared about themselves on Facebook, were similar to the data the party had sent through the hash function, e.g. name, postcode, e-mail address. The protection of other members' personal data was also ensured as the above variables did not correspond with any of Facebook's users. In this regard, the letter refers to information on a specified Facebook page. It also states that care was taken not to identify or indicate what type of register had been run through the hash function. The processing therefore had not involved sensitive personal data but merely general contact details, made non-identifiable in accordance with the above.

Sjálfstæðisflokkur considers the party to be the controller and Facebook the processor. For this reason, the party made a processing contract with Facebook. The letter refers to a specific Facebook page regarding the terms of the contract.. The terms state that the controller is responsible for ensuring relevant authorisation for the processing. The processor takes on various obligations to ensure the protection of the personal data of the data subject, such as using the received list with codes only to determine which registered users of the platform will receive the notifications in question, not utilising the data for any other purpose and deleting it once processing is completed. The contract also stipulates how the data are secured and specifies that the social media platform is party to arrangements for the protection of personal data transferred from the EEA countries to the United States, i.e. what is known as a security shield, the EU-US Privacy Shield. Sjálfstæðisflokkur states in the letter that it had verified that the platform's registration as party to the arrangement was valid.

The party also assumes the explicit consent of those who have joined the party to receiving notifications and messages regarding the party's activities, such as notifications of meetings with candidates and the execution of an election. The party furthermore states that it seeks to inform those who want to join the party that it engages in widespread communication in the run-up to local and parliamentary elections, on meetings with candidates and execution of the election and offers voters who need it assistance in getting to polling stations. This information was either shared with individuals when they sought to join the party, cf. Act No. 77/2000, Article 20, Paragraphs 1-3 or before they requested to join, cf. the same Act, Article 20, Paragraph 4.

Regarding how the marketing complied with Article 28 of Act No. 77/2000, the party's response says the processing did not entail marketing according to the article. The party refers to comments, accompanying Article 28 in the parliamentary bill to Act No. 77/2000, and Regulation No. 36/2005, on the restricted registry, and states that political parties' communication with their members does not fall within the definition of marketing. The information the party shared with its members via Facebook before the last parliamentary election was not for the purpose of raising money or to encourage recipients to become members of the party. It was merely information to those who already were members about activities they had already sought to participate in. The party states that it is imperative that policy does not equate political parties' communication with their members with parties seeking to recruit new members, i.e. advertising themselves to people who have not decided to join them. This would result in party members who are on Registers Iceland's restricted register not receiving notifications from the party about its activities and about the execution of elections. In Opinion No. 1/2017 of the Article 29 EU Working Party, it is furthermore stated that in those member states where an opt-out regime has been established regarding marketing phone calls, the rule of existing business relationships takes priority over registration on a restricted list. It should therefore be safe to conclude that the communication of parties, including political parties, with their members, about matters, including the activities of the parties, does not count as marketing activities that may be banned on the basis of the provision for a restricted register, cf. Article 28(2) of Act No. 77/2000.

Finally, it states that the notifications sent to members via Facebook clearly stated where they were from, in accordance with Article 28(4) of Act No. 77/2000. It is the opinion of Sjálfstæðisflokkur that Article 28(5) does not apply as the party member register was not shared with Facebook or others for the purposes of marketing.

 

III.

The second part of the DPA's investigation

1.

Investigation expanded and case re-opened

 

With letters dated 4 March 2019, the DPA notified Framsóknarflokkur and Sjálfstæðisflokkur that the investigation had been expanded. With letters dated the same day, the DPA furthermore notified Flokkur fólksins, Miðflokkur, Píratar, Samfylking, Viðreisn and Vinstrihreyfing - grænt framboð that the investigation had been re-opened in regard to them. The letters detail what led to the expansion. In view of new information that had emerged from the review of the British Information Commissioner's Office, in the media, from the European Data Protection Supervisor and the European Data Protection Board, the DPA considered there was reason to ask the political parties, that ran for the parliamentary elections in 2016 and 2017, further questions. The questions were as follows:

1. What personal data regarding voters did the political parties possess in the two years before the parliamentary elections in 2016 and 2017, i.e. from 29 October 2015 to 28 October 2017, where were the data obtained and for what purpose.

2. Whether the political parties informed individuals, pursuant to item 1, of the processing of their personal data, where the data were obtained and for what purpose.

3. Whether the political parties had used social media platforms to target messages at voters, all or a defined group, or to reach them by other means, in the two years prior to the parliamentary election in 2017 and if so, then how.

4. Whether the political parties used or worked with advertising agencies and / or data handlers (data brokers, data analysts, ad thech companies) for the purpose of targeting messages at voters, all or a defined group, or to reach them by other means through social media platforms, in the two years before the parliamentary elections in 2017.

5. What other services, if any, the political parties purchased from social media platforms, advertising agencies and data handlers (data brokers, data analysts, ad tech companies) in the two years before the parliamentary elections in 2017.

6. How much money did the political parties spend on purchasing the services of social media platforms, advertising agencies and data handlers (data brokers, data analysts, ad tech companies) in the period in question.

2.

Correspondence

The political parties' responses, further detailed below, gave the DPA cause to ask further questions and these were sent by letter on 12 April 2019 to Framsóknarflokkur, Sjálfstæðisflokkur and Vinstrihreyfing – grænt framboð, on 9 May 2019 to Miðflokkur, Píratar, Samfylking and Viðreisn and to Flokkur fólksins on 2 December 2019. The questions varied, depending on what the content of previous letters gave rise to, but substantially had to do with the following:

1. Whether members' e-mail addresses and phone numbers had been used to target messages or advertisements at them on social media platforms during the period in question.

2. What use members of the political party in question had consented to of their e-mail addresses and phone numbers.

3. What social media platforms were used and what methods or means were used to communicate information to voters through social media.

4. Which advertising agencies and / or data handlers (data brokers, data analysts, ad tech companies) had been used for sharing information from the political party on social media, what kind of service had been purchased from them and, if relevant, was a processing contract made.

5. Whether target group analysis of some kind was done for the purposes of sharing information with defined groups via social media and what did this entail.

6. Whether a data marketplace was used.

7. Information on all variables and / or groups defined and how advertising or messages were targeted at each particular group.

8. Whether all the material the political party published or others published on their behalf on social media in the period in question had clearly been labelled as emanating from that political party.

Despite the DPA's clear request for detailed clarification of the variables and / or groups defined and how advertisements or messages had been targeted at each defined group, most of the political parties still responded with references to certain instances by way of example. With respect to this, the DPA sent new letters, dated 12 June 2019 to Framsóknarflokkur, Miðflokkur, Píratar, Samfylking, Sjálfstæðisflokkur and Vinstrihreyfing – grænt framboð, reiterating the request for a full enumeration of all variables and / or target groups defined and used and what kind of advertisements or messages had been targeted at each particular group and on what social media platform. The DPA received responses from all of the above mentioned political parties before the end of August 2019.

With letters dated 19 December 2019, the DPA requested information on whether the political parties had made processing contracts, according to Article 13 of Act No. 77/2000, with the social media platforms they had used before the parliamentary elections in 2016 and 2017. The political parties all responded that they had not and some referred to Facebook appearing as the controller in relation to most of the services the platform offered.

3.

Political parties' responses

According to the information received by the DPA, all the political parties used personal data to reach defined groups on social media in the period in question. As discussed above, the DPA requested that the political parties provide a full enumeration of all variables and / or groups defined and what kind of advertisements or messages had been targeted at each and every defined group. The main aspects from the political parties' replies, which vary in detail, are as follows:

1. Flokkur fólksins

The response from Flokkur fólksins confirms the party used Facebook to get messages to voters and used the variables Iceland and age (age 18-65+).

Their total cost for the services of Facebook was 141,539 ISK in the two year period in question.

2. Framsóknarflokkur

The Framsóknarflokkur's response confirms the party used Facebook to send advertisements to groups of registered users of the platform. Sahara advertising agency managed the party's main page on Facebook and the party constituency groups' pages. Management of the party subsidiary groups' pages was in the hands of individual party members. General methods that Facebook offers were used. Depending on the response each entry received on the party's Facebook pages, different aims were defined, i.e. the messages were targeted at different groups. Voters' interests were not defined but the following variables were used: Icelandic, location (e.g. constituency and municipality), gender and age (e.g. ages 18-30, 45-65+, 18-65+). The party also shared advertisements with those who had shown an interest in the party's marketing material and visited the party's website. The same applied to those who had liked the page and the data provided with the Framsóknarflokkur's response shows that the messages were also targeted at their friends. 

It also states that, in addition to running 520 member e-mail addresses on Facebook in the run-up to the election in 2017 as detailed in Chapter 2, Part II above, the party ran an additional 2,300 member e-mail addresses before the same election. Messages were then shared with those on the e-mail list and groups further defined by location, age and gender. The messages on Facebook also appeared on Instagram, where the same approach was used.

Furthermore, a total of 18 campaigns were run with Google before the election in 2017. These were six YouTube campaigns, nine Google display campaigns and three search word campaigns. Target groups were defined by age, gender and region. The party also sought to reach groups of people by their interests, e.g. those who had shown an interest in following news sites, finance, business sites and technology.

The party purchased a target group analysis from Zenter ehf. and a survey from MMR where respondents' background variables were used. The party also made an agreement with the advertising agency Hvíta húsið before the parliamentary election in 2017 regarding various aspects, including the creation of advertisements, publications, strategy, analysis of opinion polls etc. Hvíta húsið was not involved, however, with advertising on behalf of the party on social media platforms.

Despite the above statement, that Hvíta húsið did not have anything to do with the publication of advertisements on social media platforms, the party notes that the company, along with another company, The Engine, was involved in the publication of messages on YouTube.

Regarding cost, the party spent 6,496,198 ISK in total on the services of social media platforms and sponsorships on social media platforms in the two year period in question.

3. Miðflokkur

The Miðflokkur's response details the party's use of Facebook's advertising system for the publishing of advertisements on Facebook and Instagram. Facebook's inbuilt settings were used to create target groups. Advertisements were then directed at different target groups, which were defined by information individuals had themselves declared on Facebook's system. Variables used to create these target groups were Icelandic, gender, age (e.g. ages 25+, 45+, 25-55) and location (Reykjavík, Kragi [the area around Reykjavík], population centres outside Reykjavík). In some instances, it was specified that advertisements should not be targeted at those who were interested in the Independence party [Sjálfstæðisflokkur]. The party used the company Innut to define target groups for Facebook's advertising system and to create an advertisement distribution plan on its behalf. 

The party's response specifies that it had shared advertisements with those who had liked the Facebook page of the party chair, those who looked like those who had liked his page, those who looked like those who had liked the party website and those who looked like farmers (i.e. lookalike audiences).

The party also used name, residence and birthday on the electoral roll to create a custom audience list on Facebook. The variables used were farmers (people with postcodes in rural areas) and people younger than 25.

The party furthermore used inbuilt demographic, interest and education settings on Facebook to create a specific target group to which it directed only messages related to the changed location of Landspítali [The National University Hospital of Iceland] and information from the party's health policy. The variables used to create this group were Icelandic, location, age (18-65+), interests (medicine). Occupations in health were also used, such as pediatrician, cardiologist, anesthesiologist, neurologist, aesthetic surgeon and dermatologist.

In addition, the party published election banners and videos on Google Ads for two target groups, i.e. men and women of specific ages.

Furthermore, it is stated that the cost for services of social media platforms, data handlers (data brokers, data analysts, ad tech companies) and advertising agencies was 1,320,000 ISK for the two year period in question.

4. Píratar

In Píratar's response, the party says it used Facebook and sought to approach a defined group of individuals with tailored advertisements. The party can only confirm the use of two variables, i.e. people located in Iceland and age (ages 18-35 and 18-65+).

The party used the advertising agency Maurar ehf. and the consultancy Ofvitinn ehf., which consulted on the publishing campaign on social media platforms.

The party spent 30,561,050 ISK on advertisements in the two year period in question, which also includes printing costs. Further details of costs can be seen in the party's annual statutory accounts.

5. Samfylking

The response of Samfylking confirms the party used Facebook and Instagram to direct messages at certain target groups.

The following are examples of variables used to create target groups: gender, age (e.g. ages 20-34, 25-60, 40-65), location (e.g. municipalities and constituencies) and interests (e.g. human rights, development aid, the EU, UNICEF, democracy, animals, politics, elections, gender equality, public transport, Office of the United Nations High Commissioner for Refugees, the City of Reykjavík and cafes). The party also shared advertisements with the followers of the party on Facebook, their friends and friends of people who had interacted with the party's website, with and without further variables, e.g. age and gender.

The following are examples of target groups: (a) Male and female, 20 years and older in Reykjanesbær and surrounding area (b) Women, 25-64 years old, in urban areas, interested in human rights, development aid, the EU, UNICEF, UN Women, democracy and animals. It should be noted that the first target group is fairly typical but the second based on more detailed variables than was the norm.

The party used the company Webmom to place advertisements on Facebook and to target groups the company believed appropriate, based on its experience, knowledge and conversations with the party. The company had thus not been instructed to target messages at certain groups or individuals on social media platforms but rather had been entrusted with reaching the general public.

The party states that it spent 46,107,939 ISK on purchasing services from social media platforms, data handlers (data brokers, data analysts, ad tech companies) and advertising agencies in the two year period in question.

6. Sjálfstæðisflokkur

 

The Sjálfstæðisflokkur's response states that the party targeted information at voters, variably to all or to certain groups, with the methods offered by social media platforms. The party has Facebook pages which are general for the party countrywide. In addition, national associations, constituency committees, representative committees, local party associations and other party units have pages on Facebook. Management of these pages is in the hands of the chairs of the associations, committees and units but the party's central office manages the party's nationwide Facebook page.

When news or advertisements are to be shared on Facebook, a decision is made whether it should be shared with certain target groups and if so, which groups. The party does not use other target groups than those offered by Facebook. Content from the party's website, such as advertisements, videos, photos, articles and graphic material is usually shared on the party's Facebook page and the party has paid for increased distribution (boost) of the content.

The following are examples of variables used to create target groups: residence (e.g. municipality and constituency), age (e.g. ages 16-35, 17-26, 43+), gender, families (e.g. parents of children of nursery and primary school age) and interests (e.g. finance, economics, business, science, education, innovation, politics, health, interior design, furniture, retail, clothing, music, sports, entertainment, exercise, wellbeing, social affairs and technology).

In some instances, certain groups were focused on with further variables, e.g. age and location, or without them. For example, those who had liked the party's Facebook pages and their friends, those who looked like those who had liked the party's pages, those who had, according to Facebook's definition, liked something linked to Facebook Messenger and those whose first language was Polish or had lived abroad.

In some instances, advertisements were not targeted at specific groups with further variables, e.g. age and location, or without these. For example, those who according to Facebook's definition were interested in leftwing politics.

The following are examples of target groups: (a) Everyone in Garðabær, Hafnarfjörður, Kópavogur, Mosfellsbær and Seltjarnarnes, 18 and older. (b) Everyone in Garðabær, Hafnarfjörður, Kópavogur, Mosfellsbær and Seltjarnarnes 18 years + with a focus on those interested in the Polish army, Polish, “ég elska Pólland” [“I love Poland”], Gdansk, culture in Poland, Warsaw and those who had lived in Poland, in accordance with Facebook's definition. It should be noted that the first target group is relatively typical whereas the second is based on more detailed variables than was generally the norm.

The party's response states that it has an Instagram page and has published advertisements on that platform. Instagram is owned by Facebook and it is possible for an advertisement bought on Facebook to also appear on Instagram. The party usually does this. Advertisements on Instagram were therefore directed at exactly the same target groups as those on Facebook.

The party says it has not collaborated with companies in the advertising market that are defined in the way referred to in the DPA's questions, i.e. advertising agencies and / or data handlers (data brokers, data analysts, ad tech companies). The party worked with Jónsson & LeʼMacks, which is a traditional domestic branding and communication agency. Jónsson & LeʼMacks oversaw the publication of advertisements on Google with Google display web banners for both election campaigns. Three target groups were used, which the advertising agency defined, i.e. men in Iceland, women in Iceland and everyone 18 years and older. The advertising agency also oversaw the publication of advertisements on YouTube for the election campaign in 2017. Three target groups were used, which the advertising agency defined, i.e. men in Iceland, women in Iceland and everyone 18 years and older.

With regards to cost in the two year period, the party understands the DPA's question to refer to costs for the use of social media platforms but not traditional television and newspaper advertisements. In the first period, the end of the year 2015, advertisements were purchased on Facebook for 190,000 ISK, in 2016 for 1.8 million ISK and the part of the period that falls within the year 2017, almost 3.4 million ISK. These figures might change very slightly as answers were not received from some party units and committees but these are mostly small and with little activity on social media platforms or do not maintain a page on such platforms.

Also, in the period in question, advertisements were purchased on Google display web banners for 270,000 ISK in 2016 and 620,000 ISK in 2017; an additional 620,000 ISK was spent on buying the distribution of videos on YouTube in 2017 but none in 2016. Furthermore, no services were purchased from data handlers (data brokers, data analysts, ad tech companies) but the services of an advertising agency was purchased to produce material for social media platforms for about 2.2 million ISK in 2016 and about 2.4 million ISK in 2017.

Sjálfstæðisflokkur notes that the above figures are all inclusive of VAT.

7. Viðreisn

Viðreisn states in its response that the party used Facebook, Instagram, Google and YouTube to share messages with voters, both all and certain groups. This was done with advertisements, status updates, photos and videos.

Examples of the variables the party used to create target groups to direct messages at voters on Facebook, and thereby also on Instagram and Messenger, are as follows: location (municipality and constituency), age (e.g. ages 18-40, 20-25, 30-55), gender and interests (such as the EU, Gay Pride, animals and electric cars). The party also shared advertisements with those who had liked its Facebook page.

The following are examples of target groups: (a) Women 18-40 years in Iceland. (b) Location (Reykjavík, the greater Reykjavík area, Borgarnes, Vesturland, Selfoss, Suðurland), age (18-65+), education (university students, university graduates, people with Master's and Doctorate degrees etc.), interests (innovation, start-ups and self-employed people), employers (small businesses, business owners and self-employed people) and professional title (executive director, chairman, project manager, finance manager, chief executive officer, founder and owner, executive manager and owner etc.). It should be noted that the first target group is fairly typical but the second based on more detailed variables than was generally the case.

The party noted in its response that web banners featuring pictures of candidates, slogans and / or the party logo were shared through the Google Ads system, including on YouTube and other platforms that offer advertising through that. The party used the following variables: location (Iceland), age (18+) and language (Icelandic, English and Polish).

The party used Hugsmiðjan to design a promotional campaign based on the party's target group analysis which in turn was based on the election research of the University of Iceland Social Science Research Institute and opinion polls. The conclusions were used to design digital media advertisements for the party.

The party states that 6.2 million ISK was spent on purchasing the services of social media platforms, data handlers (data brokers, data analysts, ad tech companies) and advertising agencies in the two year period in question.

8. Vinstrihreyfing – grænt framboð

The response of Vinstrihreyfing – grænt framboð states that the party purchased advertisements from Facebook to reach voters during the period in question. The advertisements were of a general nature, such as sponsored status updates, events and videos.

The variables used to create target groups on Facebook were: Iceland, more detailed location (municipality and constituency), age (e.g. ages 15-30, 18-45, 18-65+), gender, parenthood and interests (such as environmental issues, leftwing politics, elections, education and politics). Advertisements were specifically not shared with those who had liked the party's Facebook page. In total, the party defined 23 groups.

The following are examples of target groups: (a) Everyone 18-65 years + in a 25 kilometre radius from Selfoss. (b) Male and female, 18-65 years + countrywide, interests (such as Austurland, education, electron microscopes, leftwing politics, social affairs, environmental protection, politics). It should be noted that the first target group is fairly typical but the second based on more detailed variables than was the norm.

The party used MediaCom as an intermediary with the media for advertisements, including media websites but the company did not direct advertisements at target groups on behalf of the party.

The party office and party subsidiaries spent a total of 10,825,441 ISK on promotional material and its production in the run-up to the 2016 parliamentary elections and 9,549,316 ISK in 2017. The cost is therefore 20,374,757 ISK in total for the period. In addition, the party's main and subsidiary offices spent a total of 681,397 ISK on advertisements on Facebook.

4.

Correspondence with advertising agencies and data handlers

On 17 February 2020, the DPA wrote to the twelve advertising agencies and / or data handlers (data brokers, data analysts, ad tech companies) the political parties used, as detailed in their responses above. The letters detailed the political parties' responses and with reference to the investigation principle of administrative law it was requested that the advertising agencies and / or data handlers (data brokers, data analysts, ad tech companies) in question confirmed or corrected their part, as appropriate. A  short period of time was granted for responding to the DPA letter, which was followed up by a phone call and reiterated by e-mail.

Responses from [Hugsmiðjan, Innut, MediaCom],^[1] Sahara, Hvíta húsið, Jónsson & LeʼMacks and Webmom all confirm the political parties' descriptions. Sahara states in its response that at the time in question, Regulation (EU) 2016/679 had not come into force and that Facebook had therefore not had any limitations on the inputting of data, such as lists of e-mail addresses. Today this is not so and the relevant terms need to be ticked where companies and individuals confirm that they have been granted permission from the relevant list, such as from a customer and so on.

MMR notes in its response that the advertising agency Hvíta húsið purchased a special data analysis from the company's database in October 2017. This special data analysis contained information on the general public's support of political parties according to MMR's opinion poll. The conclusions were shown in table format by demographic background. The special data analysis was purchased for the use of Framsóknarflokkur.

The Engine stated that the company had been under new management since mid-2018 and that it does not have any information on having worked for Framsóknarflokkur.

With regard to Zenter, the company stated in its response that it conducted a traditional survey for Framsóknarflokkur but had not performed a target group analysis. Zenter maintains in its response that this is likely to stem from a misunderstanding of the concept “target group analysis” and that this is possibly what the party calls the traditional survey that was conducted. It also says that the conclusion of the survey demonstrated what kinds of groups the party might find followers in, such as by gender, age and location.

Responses were not received from […] Maurar […] and Ofvitinn.

IV.

Facebook reminder button

After the DPA received information about a reminder button appearing to some Facebook users in Iceland and not to others, reminding them to vote in the parliamentary election on 28 October 2017, the Authority decided to send a letter to Facebook to gather information on this. The DPA requested information from Facebook in Ireland, by e-mail on 20 May 2019, on whether Facebook had decided to display the reminder button and for what purpose or whether someone else had requested this service from Facebook and how Icelandic Facebook users' personal data had been used to decide who was shown the reminder button.

The DPA received a reply from Facebook by e-mail on 3 June 2019. In its response, Facebook says that Facebook itself placed the reminder button at the top of the newsfeed of Icelandic Facebook users on 28 October 2017. The purpose was to inform and encourage users to exercise their democratic rights. This is part of supporting an informed and responsible Facebook community and a similar button has often been used around elections, lately before the elections for the European Parliament.

The button in this instance informed users that it was election day and referred them to the Government of Iceland's website for further information. Users were then invited to share that they had voted. According to Facebook's response, the button was set so that it appeared to all Icelandic Facebook users who had acquired the right to vote, i.e. 18 years and older. Information on age came from users upon their registration on Facebook and information on location is information users register on their pages or information gathered through their IP addresses.

As to why only some Facebook users belonging to the above group saw the button while others did not, it says various reasons may explain this, e.g. that those who did not see the button used older models of computers or phones or had not updated their versions of the Facebook app. It could also be caused by internet connections being slow.

The button had not been requested by an external party but Facebook had informed the Icelandic Ministry of Justice before setting it up. The Ministry had provided information on the relevant Icelandic Government website, which was linked to the button.

According to the above, Facebook did not undertake a target group analysis of Icelandic voters when the platform used the button on election day in the parliamentary elections in 2017. However, it is clear that by making the button accessible to most Icelandic Facebook users, it could influence election participation in Iceland and furthermore monitor users sharing that they had voted. Based on the available criteria, it is difficult to determine whether, and if so what effect the button had on the outcome of the parliamentary election in 2017 but judging by the fact that over nine out of ten adults in Iceland use the platform,^[2] it may be assumed that the button may have had an effect.

Facebook headquarters within the EEA are located in Ireland and the Irish Data Protection Commission is therefore the leading regulatory authority of Facebook and it is therefore within its jurisdiction to look into whether Facebook's activities are in accordance with the provision of regulation (EU) 2016/679, cf. Chapter VII.

In connection with the Irish parliamentary elections on 8 February 2020, the Irish Data Protection Commission notified Facebook that the button raised questions relating to transparency regarding the data subject, especially as Facebook users could not know how their personal data were collected when using the button and how they would then be used by Facebook. Following this, Facebook presented proposals for improvement to the Irish Data Protection Commission with regard to this issue. As there was not sufficient time to execute those proposals before the election, Facebook decided not to display the button. Facebook has also confirmed in the media that the platform will not show the button to its users in the EU while the case is being examined by the Irish Data Protection Commission. The DPA is closely following the progress of the case with the Commission, in accordance with its role, cf. Chapter VII of the Regulation.

V. 

The DPA's Opinion

1.

The application of personal data protection legislation and the scope of the case

 

As stated above, the main goal of this opinion is to provide guidelines and make proposals for criteria when political parties use social media platforms to target messages at voters and the processing of personal data relating to this. Account will be taken of the above information, which the Authority gathered on how political parties used social media platforms before the parliamentary elections in October 2016 and October 2017. The guidance and proposals are based on current data protection legislation, i.e. Act No. 90/2018 on Data Protection and the Processing of Personal Data, cf. also Regulation (EU) 2016/679. Pursuant to the Act's Article 4(1), its scope is the processing of personal data wholly or partly by automated means and processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system, cf. also Article 2(1) of the Regulation. Personal data means any information relating to an identified or identifiable natural person (data subject), i.e. information which directly or indirectly can identify a natural person, cf. Article 3(2) of the Act, cf. Article 4(1) of the Regulation, and processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, cf. Article 3(4) of the Act, cf. Article 4(2) of the Regulation. It is therefore clear that the use of data on users' activities on social media platforms entails the processing of personal data which falls within the DPA's authority, cf. Article 39 of the Act. This Opinion also covers sending messages to target groups by means other than social media platforms.

The party responsible for ensuring the processing of personal data complies with Act No. 90/2018 is the controller. Pursuant to Article 3(6) of the Act, this is a natural or legal person, public authority or other body which determines, alone or jointly with others, the purposes and means of the processing of personal data, cf. Article 4(7) of the Regulation. When political parties use social media platforms in the way described above or send messages to target groups by other means, they are the controllers of the processing this entails. In this context, it should be noted that social media platforms are also controllers of the processing in question. Advertising agencies and data handlers (data brokers, data analysts, ad tech companies) may also, in certain contexts, be controllers. The above is based on the judgement of the Court of Justice of the European Union, dated 29 July 2019, in the case of Fashion ID, No. C-40/17. The judgement states that the responsibility of each controller is limited to the processing operation that they determine the purpose and means for. It should be noted, however, that the facts of the case are different from those subject to this investigation.

In addition to guidelines and proposals, according to the above, the DPA has summarised the main conclusions on how political parties' use of social media platforms before the elections in 2016 and 2017 complied with the then in force Act No. 77/2000 on The Protection of Privacy as regards the Processing of Personal Data, cf. Chapter 3 below. In that context, it should be noted that this Act included substantially comparable provisions to those detailed above with regard to scope, definitions of concepts and the authority of the DPA, cf. Article 2(1), (2) and (4), Article 3(1) and Article 37 of the Act. It is clear that the subject of this investigation regards the processing of personal data pursuant to the Act, that the political parties were the controllers and that the scope of the DPA's authority covered the processing.

2.

Requirements for the processing of personal data

In order for the processing of personal data to be lawful, it must conform to one of the conditions cited in Article 9 of Act No. 90/2018, cf. Article 6(1) of Regulation (EU) 2016/679. It should be noted that political parties' use of social media platforms to target messages at voters may be regarded as a form of marketing, i.e. for the purpose of influencing people's opinions so that they are more likely to support the party. The processing of personal data for marketing purposes has been considered lawful on the basis of Article 9(6) of the Act, cf. Article 6(1)(f) of the Regulation, which stipulates that processing of personal data can be lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third person, except where such interests or fundamental rights and freedoms of the data subject override it. The processing can also be authorised on the basis of Article 9(1) of the Act, which stipulates that processing can be lawful if the data subject has given consent to the processing of their personal data, cf. Article 6(1)(a) of the Regulation. It should be noted that these two legal basis can also apply to political parties' processing of data on their own members. The former is considered sufficient in the instance of regular processing of data, such as the use of the member register to target messages about the party's activities at party members. Processing beyond this may, however, need to be based on consent.

If working with sensitive personal data, legal basis pursuant to Article 9 of Act No. 90/2018, cf. Article 6(1) of the Regulation, is not sufficient. One of the additional requirements must also be fulfilled pursuant to Article 11(1) of the Act, cf. Article 9(2) of the Regulation. It is clear that data derived from users' activities on social media platforms, such as what they have liked, has been used for the purpose of targeting messages at voters. Such derived personal data can give indication of political opinions. As stated in Article 3(a) of Act No. 90/2018, cf. Article 9(1) of Regulation (EU) 2016/679, data on political opinion are sensitive and their processing must adhere to Article 11 of the Act, cf. Article 9(2) of the Regulation. In particular, Article 11(1)(1) of the Act could apply, which states that processing of sensitive data can be lawful if the data subject has given explicit consent to the processing, cf. also Article 9(2)(a) of the Regulation, is relevant.

It should be noted that regarding political parties' processing of data on their own members, it may be lawful on the basis of Article 11(1)(4) of Act No. 90/2018, which stipulates that processing of sensitive data can be lawful if it is carried out in the course of the legitimate activities of a foundation, association or any other not-for-profit body with a political aim, on condition that the personal data are not disclosed outside that body without the consent of the data subject, see also Article 9(2)(d) of Regulation (EU) 2016/679. Clearly, this provision applies to political parties' traditional processing of their own member's data. Processing beyond that may, however, have to be based on explicit consent.

In addition to legal basis pursuant to the above, the processing of personal data must at all times meet all the principle requirements of Article 8(1) of Act No. 90/2018, cf. Article 5(1) of Regulation (EU) 2016/679, i.a. that the data should be processed lawfully, fairly and in a transparent manner in relation to the data subject; be collected for specified, explicit, legitimate and objective purposes and not further processed in a manner that is incompatible with those purposes; be adequate, relevant and limited to what is necessary in relation to the purpose of the processing; and that the data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. The controller shall be responsible for, and be able to demonstrate compliance with, the provisions, cf. Article 8(2) of the Act, cf. Article 5(2) of the Regulation.

The fundamental requirements in question are further defined in provisions in Chapters III and IV of Act No. 90/2018, cf. more detailed provisions in Chapters III and IV of Regulation (EU) 2016/679, which stipulate various obligations the controller must adhere to. In relation to their responsibility for the requirements being adhered to, provision in Article 25 of the Act and Article 28 of the Regulation stipulate that they must make a processing contract with the processor, i.e. a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller, cf. Article 3(7) of Act No. 90/2018, cf. Article 4(8) of the Regulation. In relation to the requirement of fairness, there is also the obligation to provide an option of objecting to direct marketing, cf. provision on the Registers Iceland's restricted register in Article 15(3) of Act No. 140/2019 on the Registration of Individuals, as well as the data subject's right to object at any time to processing of their personal data for marketing purposes, pursuant to Article 21(2) of the Regulation. Requirements to ensure the transparency of the processing include informing the data subject of the processing of personal data. This requirement applies regardless of whether personal data were collected from the data subject or not, cf. Article 17(2) of the Act, cf. Articles 13 and 14 of the Regulation., and is particularly relevant regarding the processing subject to this investigation. The DPA does not consider the exceptions to the requirement, pursuant to the provisions mentioned above, cf. also Article 23 of the Regulation, to apply in this case.

3. 

Act No. 77/2000 and elections 2016 and 2017

The previous Act No. 77/2000 entailed comparable obligations to those detailed above. To be precise, legal basis for processing personal data was stipulated in Article 8 of the Act, including the basis of consent, cf. Article 8(1)(1), as well as the basis of legitimate interests overriding the data subject's basic rights and freedoms, cf. Articel 8(1)(7). In addition, the Act stated that data on political opinion were sensitive personal data, cf. Article 2(8)(a) of the Act, and that the processing of such data would have to meet one of the cited additional requirements. Among them were the data subject's consent, cf. Article 9(1)(1) of the Act, as well as the processing forming part of the legitimate activities of a non-profit organisation, including ideological organisations, on the condition that the data would not be transferred without the data subject's consent, cf. Article 9(1)(5). Principle requirements, stipulated in Article 7(1) of the Act, had to be met at all times and the requirements above, pursuant to Article 8 of Act No. 90/2018, were among them. It was not specified though that the controller should at all times be able to demonstrate that the principle requirements were being fulfilled, which has therefore been emphasised now. The controller's obligation to make a processing contract with the processor was however stipulated in Article 13 of Act No. 77/2000. In addition, the general right to object to direct marketing was entailed in the principle requirement of fairness in Article 7(1)(1) of the Act and Registers Iceland's restricted register was discussed in Article 28(2) of the Act. The fairness requirement was considered to include transparency of the processing. This requirement was further defined in Articles 20 and 21 of the Act, which provided the obligation to inform the data subject when receiving personal data from the data subjects themselves as well as when data were obtained from a third party. Certain exceptions were stipulated from the obligation to inform but none which may be considered to apply to the processing subject to this investigation. 

In view of the above, the DPA comments:

1. The e-mail addresses of members of two political parties, i.e. Framsóknarflokkur and Sjálfstæðisflokkur, were run through Facebook's interface. This entailed linking the e-mail addresses to information available on Facebook and sending advertisements to party members on that basis. The e-mail addresses in question were acquired by the parties from members themselves. However, it should be noted that according to information available on Facebook, regarding the arrangement of the processing in question (custom audiences), the data seem to be encrypted on the user's browser before they are sent to Facebook. Furthermore, data are not collected in relation to which individuals belong to the target groups in question. Nothing has been stated, on behalf of these parties, about party members being informed about the possibility of this processing but pursuant to Article 20(1)(3) of Act No. 77/2000, controllers were obliged, when data were gathered from the data subject themselves, to inform them of recipients or categories of recipients of the data, if necessary, so that they could protect their legitimate interests. The processing was likely not foreseeable when the data were gathered from party members. The requirement of transparency entailed in Article 7(1) of Act No. 77/2000, as stated above, is also relevant in this context. It is a matter of particular concern whether this requirement was adhered to and the same would apply under the current Act No. 90/2018 and Regulation (EU) 2016/679. In view of this, guidelines on this issue are provided in Chapter 4.1 of this Opinion.

2. Article 28 of Act No. 77/2000 contained provision for marketing activities and targeted mail. It can be assumed from the answers of all the political parties, that it was clear from where their messages originated, as was stipulated in Article 28(4). Some of the political parties also seem to have informed their members upon registration that their data would be used to send them messages. However, none of the political parties seem to have checked whether recipients of target mail were on the Registers Iceland's restricted register so it would not be received by those who had registered, cf. Article 28(2). It is a matter of concern whether this was needed, as the communication in question was with the parties' own members and the issue then is whether it may be considered part of the traditional activities of political parties. A comparison with the restricted register would also, in view of the circumstances, have been difficult as the individuals in question were members of target groups on social media platforms, which were defined by means other than the members register, as the parties in question did not have register available of these individuals. The issue here is whether the rules of the restricted register applied to marketing on social media platforms but it is clear that this was a new type of marketing which was not anticipated when the rules were written. Additionally, the DPA's conclusion in case No. 2010/497 states that target mail for the purpose of gathering support for a political party counts as marketing according to Act No. 77/2000. Guidelines in this regard are provided pursuant to the current Act No. 90/2018, cf. Regulation (EU) 2016/679, in Chapter 4.2.4 of this Opinion, as well as in the DPA's proposals in Chapter 4.3.

3. As described above, all political parties used personal data to reach voters on social media platforms in the period in question. All used Facebook to create target groups and the information from the case indicates that they all used so-called core audiences and some also their own custom audiences and / or lookalike audiences, as further discussed in Chapter 4.2.2 below. Most of the political parties also used other social media platforms, such as Instagram and YouTube. The parties' answers indicate that it varies how far they went in creating target groups. In the case of two parties, Flokkur fólksins and Píratar, data on age and nationality were used so that information could be targeted at those who had reached the voting age of 18 years, and those who were Icelandic. Other political parties defined groups with more precision, based on their areas of interest on social media platforms. The areas of interest were either registered by users themselves or determined by the social media platform based on the users' behaviour on the platform (e.g. what they liked or were interested in). Some political parties thus targeted messages to certain groups of voters which they seem to have considered either likely to vote for them or swing voters. An example is specifying that messages shall not appear to voters who lean in a certain political direction. It appears voters received limited information on how this processing was performed. According to this, the provisions of Act No. 77/2000 on transparency and information, were particularly tested, as are the same provisions in current Act No. 90/2018 and Regulation (EU) 2016/679. Guidelines on information and transparency in this regard are provided in Chapter 4.2.3 of this Opinion. Furthermore, Chapter 4.3 contains the DPA's proposals in this regard.

4. As described above, most political parties worked with advertising agencies and / or data handlers (data brokers, data analysts, ad tech companies), e.g. by purchasing some kind of target group analysis and / or by tasking them with targeting marketing at unspecified groups, determined, then, by the company in question. The only processing contract available is Sjálfstæðisflokkur's contract with Facebook regarding the party using its members' e-mail addresses to send messages to them on the platform. However, aspects of joint responsibility needed to be considered regarding the legal relationship between political parties and social media platforms. This also applied when advertising agencies and data handlers (data brokers, data analysts, ad tech companies) made independent decisions concerning processing. It is therefore clear that it was not necessary to make a processing contract in all instances where external party's assistance was sought. It is also clear that in the application of the current Act No. 90/2018 and Regulation (EU) 2016/679, the same issues would need to be resolved in relation to processing contracts as were according to Act No. 77/2000. Guidelines on this are provided in Chapter 4.2.5 of this Opinion.

 

4.

Looking to the future - Act No. 90/2018 and Regulation (EU) 2016/679

In view of the great democratic interests entailed in elections, it is important that clear procedures are formed regarding political parties' use of social media platforms to deliver messages to voters. The processing of personal data that takes place on such platforms is still being formed and not everything can be foreseen in that regard. However, the DPA considers it necessary to provide guidelines and make proposals in view of the experience. On the one hand, the focus is on political parties' direct use of member registers, e-mail addresses and phone numbers, discussed in Chapter 4.1 below. On the other hand, the focus is on the definition of target groups in general, discussed in Chapter 4.2. Finally, six main proposals are summarised in Chapter 4.3.

4.1.

The use of member registers, e-mail addresses and phone numbers

In general, the relationship between a political party and its registered members is considered to be such that political parties have legitimate interest in using registered members' personal data to target messages at them before an election. Furthermore, it is not considered to limit the basic rights and freedoms of party members, as long as they themselves provide the data for this clearly defined purpose and on the basis of adequate information from the relevant political party. When a political party transfers sensitive personal data on party members to a social media platform, the processing operation must be based on the consent of the data subject, according to Article 11(1)(1) of Act No. 90/2018, cf. also Article 9(2)(a) of the Regulation. 

Article 13(1) of Regulation (EU) 2016/679 stipulates the controller's obligations when personal data are collected from a data subject. They include that the controller informs the data subject about the identity and the contact details of the controller; the contact details of the data protection officer, where applicable; the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; the legitimate interests pursued by the controller or by a third party unless the interests or freedom of the data subject need to be protected; and the recipients or categories of recipients of the personal data, if any.

According to Article 13(2) of the Regulation the controller must also, at the time when personal data are gathered, provide the data subject with further information to ensure fair and transparent processing, including the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period; the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing, as well as the right to data portability; the existence of the right to withdraw consent at any time, without it affecting the lawfulness of the processing based on consent before its withdrawal; and the right to lodge a complaint with a supervisory authority.

In view of the above, political parties must keep the following in mind:

1. It must be clear upon registering party member's personal data, such as e-mail addresses, what the purpose of the registration is. Members must also be informed upon registration, how the data will be used, for example whether e-mail addresses will only be used to send the person in question an e-mail or whether it will also be used to reach the person in question by other means, such as through social media platforms. This applies whether the data are encrypted or not. It should be noted in this respect that when information on e.g. e-mail addresses is used to send messages to individuals on social media, the information is received by certain, named individuals. therefore, it clearly entails processing of personal data. 

2. In order for information to party members to be considered adequate and consent suitably informed, it must be clear who can use their personal data to target messages at them, for example whether it is only a particular local organisation or the overall organisation of the political party.

3. Political parties must be able to demonstrate party members' consent and what information they were given before consenting, in accordance with the controller's responsibilities stipulated in Article 8(2) of Act No. 90/2018, cf. Article 5(2) of Regulation (EU) 2016/679.

4. The general principles of the personal data protection legislation must always be adhered to and adequate information provided on intended use of party members' personal data and recipients of the personal data, if any. Furthermore, it must be ensured that the data are only used in accordance with members' legitimate expectations. If the controller intends to process the data for another incompatible purpose, after information was provided in relation to the original consent, the processing must be based on an adequate legal basis according to the law and further information provided, e.g. by e-mailing the members in question.

5. Furthermore, if the processing is not part of regular activities of political parties, their members must always be provided with a real option to object to it, in a clear and plain manner. It must also be ensured that all messages sent to members, on the basis of the information provided, be these by e-mail, social media, such as Facebook, or by other means, specify clearly where they come from and provide a plain option for members to object to the processing. The DPA can provide guidance on issues in that regard, if necessary. 

6. Should political parties make a contract with a processor, e.g. an advertising agency, about the processing of their members' personal data, they must verify that the processor can provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of Regulation (ESB) 2016/679 and ensure the protection of the rights of data subjects. The processing by a processor must be based on a contract which fulfils the requirements of Article 25(3) of Act No. 90/2018 and Article 28(3) of the Regulation.

 

4.2.

The use of personal data to reach defined groups on social media platforms

In general, it may be assumed that political parties have a legitimate interest in targeting advertisements and messages at voters on social media platforms in the run up to elections. In assessing whether voters' basic rights and freedoms are infringed upon, the general principles of personal data protection legislation and the information provided must be considered. Voters must receive clear and accessible information about their personal data being processed for this purpose, including the variables used. If this is not sufficiently adhered to, the general rights of voters, to their personal data being processed according to the personal data protection legislation, are infringed. 

If the variable in question is that a person leans to certain political views, e.g. because they have liked the website of a particular political party, it must be assumed that sensitive personal data is being processed. The person in question must then have given their unequivocal consent for the processing. Given that over nine out of ten adults in Iceland use Facebook and that all the political parties used that platform, it must be looked at how this is carried out at Facebook.

4.2.1.

Facebook's terms

Registering on Facebook on 19 February 2020, a user had to declare their name, surname, phone number or e-mail address, date and year of birth, gender and finally to create a password for access. Having given this personal data, the user was invited to press the button “register”. Above the button, it says that by pressing it, the user is agreeing to the terms of the platform and a link may be clicked which brings the user to the terms. The user is then invited to familiarise themselves with how Facebook collects, uses and shares the user's personal data by clicking a link that refers to Facebook's data policy.

The data policy lists the legal basis on which Facebook undertakes its processing of personal data. It says that Facebook bases it on the user's consent, which can be withdrawn at any time. The user is again invited to click a link which refers them to a page stating that the user's consent covers the processing of sensitive personal data, such as political opinions, which the user shows interest in on the platform, if a user shares that information on their wall or among their life events.

It is a matter of concern whether the consent, as presented on behalf of Facebook, is in accordance with the provisions of Regulation (EU) 2016/679. In this regard, the DPA refers to the fact that the Irish Data Protection Commission is currently reviewing two complaints regarding the legitimacy of Facebook's processing of personal data in relation to the terms and data policy. One issue under review is whether the legal basis on which Facebook processes users' personal data meets the requirements of the Regulation. A second issue under review is the legitimacy of the processing of personal data, which are deduced from users' activities and behaviour on the platform, thereby attempting to reach users with targeted advertisements. The Irish Data Protection Commission is the leading regulatory authority with regard to Facebook's activities and therefore within its jurisdiction to resolve issues such as these.

The answers of some of the political parties stated that the messages that appeared on Facebook also appeared to users of Instagram. It should be noted that according to Facebook's terms and data policy, these also apply to Instagram.

4.2.2.

The creation of a profile – Microtargeting

According to Article 3(10) of Act No. 90/2018 profiling is any kind of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements, cf. also Article 4(4) of Regulation (EU) 2016/679. 

In comments, accompanying the Article in the parliamentary bill that became Act No. 90/2018, it is stated that these data may be e.g. electronic footprints, such as personal data routinely collected on the Internet. A profile can also be created from data shared on social media platforms, such as Facebook, i.e. age, residence, interests, education and hobbies. Profiles may be used for recruiting members to various organisations and for political propaganda and influencing activities. It furthermore states that profiles are especially used to create target groups. Taking this into account, it may be assumed that the processing of personal data on social media platforms, such as by the political parties in the run up to the elections in 2016 and 2017, entails the creation of profiles.

Microtargeting has been discussed in this context. It refers to technology which relies on data analysis for the purpose of finding individuals' hobbies or interests and, based on that, creating targeted messages directed at specific individuals. The technology also makes it possible to predict the effect of the targeted messages, sent directly to the individuals in question. Personal data are analysed to create profiles for the purpose of categorising people by their interests and characteristics. Statistical technology is then used to create identifiable data and predict future behaviour.

It is not clear at this point whether the political parties, in the run up to the elections in 2016 and 2017, created messages that were targeted at certain individuals based on profiles. However, it is clear that advertising material was created, which specific groups of people were considered to be susceptible to, and social media platforms, Facebook in particular, were consulted in order to identify individuals who, in view of profiles, were considered to belong to these groups. More specifically, variables were used, which were created by social media platforms based on people's online behaviour and were regarded as being indicative of their interests.

It is clear that some of these variables entailed a somewhat intimate analysis. It is also safe to assume that with increased technological development it will become easier to define groups based on even more detailed variables based on profiles. 

By way of explanation, the procedures Facebook offers in this regard are as follows:

1. Core audiences

This method makes it possible for the advertiser to handpick a specific target group for an advertisement or advertising campaign on the basis of various characteristics, including age, gender, location, interests and behaviour.

2. Custom audiences

This method entails that advertisers create a profile on Facebook for the individuals they already have data on. Data from the advertisers are used and linked to information on Facebook. The most common method is to upload a list of e-mail addresses; phone numbers can also be uploaded. Based on information from Facebook's website, these data are encrypted in the advertisers' browser so Facebook never sees them. The data are then deleted.

3. Lookalike audiences

This method entails that advertisers create a profile for interests, similar to the interests of those within their own target group. A similar group is then created on the basis of their own target group and characteristics of the individuals that make up that group (location, age, gender, interests etc.) are chosen by the advertisers to create a larger group of individuals that share the same characteristics but are not connected to the advertisers on Facebook.

 

4.2.3.

Information and transparency

When personal data are gathered on a social media platform, it is clear that for the most part users themselves give these data to the medium, such as age, location, education and interests, but they are also based on the user's activities on the platform, such as what they like, share or are interested in. The data are then gathered by the social media platform by linking personal data, which users themselves declare, with their activities on the platform to place them in a target group, e.g. a group that is interested in a certain type of politics. With this new method of processing personal data, the general principle of transparency must be considered, which entails the controller's responsibility to provide information to the data subject so that they may protect their rights and guard their own interests. If the social media users do not receive adequate information and therefore do not understand how and why political parties may want to approach them on social media platforms, they cannot exercise their rights, e.g. the right to oppose the processing of their personal data.

Regarding the collecting of personal data from the data subjects themselves, the general principle of transparency is further detailed in Article 13 of the Regulation (EU) 2016/679, which has already been discussed in relation to how political parties gather data from their members. The Article also applies when individuals provide information about themselves to a social media platform. When political parties decide to utilise variables based on such data, in order to send individuals messages on social media platforms, it is a matter of concern whether they share the responsibility of providing adequate information with the social media platform as the data are handed to the platform. This issue has, however, not been resolved and may be considered in a pan-European setting.

It should be noted that, regardless of the above, political parties must consider what information is provided to users on the social media platforms they utilise to reach voters. Political parties must bear in mind that, as variables become more detailed and especially when they are based on users' activities on the platform, as well as their friends' activities and those who look like them, the requirement to provide information is increased. Therefore, it is not sufficient that social media users receive information about what personal data are processed, they also need to be informed on how personal data are collected, for example, because users declare an interest in a certain event. Users must also be informed about how personal data are used and for what purpose.

It is clear that information, regarding the processing of personal data on social media platforms, is provided according to an arrangement that Facebook and other social media platforms decide. Political parties cannot assume that the social media platforms provide information to users in accordance with Act No. 90/2018 on Data Protection and the Processing of Personal Data and Regulation (EU) 2016/679.

Facebook's terms state that by using the platform the user agrees that paid advertisements, that are considered to appeal to them, may be shown to them. Facebook uses user's personal data, such as interests, to decide what advertisements to show them. In Facebook's terms, as well as in their data policy, it is possible to click a link that refers the user to further information, where it is outlined how further variables determine how advertisements are generally targeted at users, such as variables based on the user's activities on Facebook, including pages they and their friends have liked. In their data policy, it is also possible to click a link that takes the user to a similar discussion about the variables that determine what advertisements they see. Finally, users can, when they see advertisements on Facebook's newsfeed, press three little dots in the right hand corner of the advertisement. This gives the option “Why am I seeing this?”. There is then a suitable explanation, such as that the advertiser is trying to reach users that Facebook believes are interested in what is being advertised.

As discussed above, Facebook's terms are being reviewed by the Irish Data Protection Commission.

4.2.4.

The right to object

In addition to rules on information and transparency, Article 21(2) of Regulation (EU) 2016/679 stipulates that when personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of their personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing. Pursuant to Article 21(3), where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

In this context, it should be noted that according to Article 15(3) of Act No. 140/2019 on the registration of individuals, direct marketing is not permitted to target those who are registered in the Registers Iceland's restricted register. This principle is unchanged from the older legislation, cf. Article 28(2) of Act No. 77/2000. When the principle was enacted, social media platforms were not taken into consideration as they did not exist. It could prove difficult to use the restricted register in marketing on such platforms and it might therefore be natural to clarify the provision in question so that it does not apply to the new type of marketing, which entails sending messages on social media platforms. In addition, the DPA considers that when the advertiser knows which individuals receive the messages, e.g. on the basis of e-mail addresses linked to personal identification, the processing should be based on consent rather than a comparison with the restricted register. Furthermore, the DPA emphasises the importance of the right to object to direct marketing pursuant to the aforementioned provision in Regulation (EU) 2016/679. See Item 3 in Chapter 4.3 below.

4.2.5.

Processing contracts – the responsibility of advertising agencies and other data handlers

Article 25(1) of Act No. 90/2018 provides that where processing of personal data is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of Regulation (EU) 2016/679 and ensure the protection of the rights of data subjects, cf. Article 28(1) of the Regulation. Furthermore, Article 25(3) of the Act provides that processing by a processor shall be governed by a contract, cf. Article 28(3) of the Regulation.

When political parties seek the assistance of advertising agencies / processors, with instructions on which groups advertising and messages should be targeted at and in what way, it is clear that a processing contract must be made with the parties in question, in accordance with the above.

As referred to above, it is likely that, pursuant to Act No. 90/2018, political parties and social media platforms have joint responsibility regarding the processing of the personal data discussed here and processing contracts are therefore not needed. The same applies when advertising agencies and / or data handlers (data brokers, data analysts, ad tech companies) independently determine the purpose and method used in the processing of personal data. In the instance of two controllers, legal basis for the transfer of personal data between them needs to be considered, e.g. consent and providing adequate information. The controllers should also ensure with a contract, that their own responsibilities are fulfilled in a transparent manner, in accordance with Regulation (EU) 2016/679, especially regarding the application of data subjects' rights and the controllers' duty to inform.

As discussed above, the DPA sent a letter to the advertising agencies and / or data handlers (data brokers, data analysts, ad tech companies) that worked for the political parties in the period in question. The DPA requested, with reference to the investigation principle of administrative law, that the advertising agencies and / or data handlers (data brokers, data analysts, ad tech companies) in question confirmed their part or corrected, as applicable.

This investigation focused on social media platforms and the responsibility of political parties, but there may later be cause for looking more closely into the part advertising agencies play in relation to processing of personal data, such as discussed here.

4.3.

Main proposals no the use of personal data on social media platforms in relation to elections

With regard to the controller's responsibility to inform data subjects and make processing contracts, the DPA reiterates that political parties' processing of sensitive personal data, such as data revealing political opinions, must be based on the data subject's explicit consent for the processing. The consent must be informed and clear about how and who may use the relevant personal data and for what purpose. This entails a strict obligation to inform the data subject, which also applies when processing general personal data on the basis of legitimate interests.

In view of this, and all of the above, the DPA makes the following main proposals for the use of personal data on social media platforms in relation to elections:

1. That political parties and relevant government bodies work together on common procedures, in collaboration with the DPA, which focus in particular on the controller's obligation to inform, in order to ensure transparency in the processing of personal data on social media platforms in relation to elections. Also, that these procedures be introduced to political parties' employees and all those that work for them, including advertising agencies and data handlers (data brokers, data analysts, ad tech companies).

2. That political parties set themselves a code of conduct that supports the correct application of Regulation (EU) 2016/679, cf. Articles 40 and 41 of the Regulation.

3. That political parties include a link on their advertisements on social media platforms directing users to their websites, where there should be accessible and clear information on what personal data the party uses, how they are used and for what purpose. Furthermore, that there also be guidance on how social media platform users can contact the political parties for further explanation and how they can exercise their right to object.

4. That the DPA, the Ministry of Justice and the national election committee organise a promotional campaign to inform the general public on the processing of personal data that takes place on social media platforms in relation to elections.

5. That the Act on Parliamentary Elections No. 24/2000 be reviewed in relation to the marketing of political parties, with an emphasis on their use of social media platforms in the run up to elections.

6. That advertising agencies and data handlers (data brokers, data analysts, ad tech companies) pay heed to the viewpoints discussed here, especially the controller's obligation to inform.

The DPA emphasises that, should political parties decide to make a contract with a processor, such as an advertising agency, for the processing of personal data on voters, they must verify that the processor can provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the Regulation (EU) 2016/679 and ensure the protection of the rights of data subjects. The processing, on the part of the processor, must be based on a contract that fulfils the requirements of Article 25(3) of Act No. 90/2018 and Article 28(3) of the Regulation.

 

 

VI.

Final words – thoughts

Good election participation is desirable in every democratic state. It is therefore good to encourage voters to make use of their right to vote. However, the introduction of social media platforms has created new threats regarding personal data protection on account of political parties using new methods to process personal data for the purposes of revealing their political emphases to voters. The technological developments of the last decade have been tremendously fast and led to voters not being aware that their personal data are being used to reach them with political messages.

[The European Data Protection Supervisor (EDPS) is concerned about these developments and has for this purpose published Opinion] No. 3/2018 on the use of personal data to influence individuals online. In the conclusion of the Opinion it says that such control on the Internet poses a threat to modern societies as the Internet establishes specific communities of people and individuals do not have equal access to information. This leads to individuals finding it more difficult to share their experiences and to understand each other. This can undermine democracy, as well as other basic rights and people's freedom. It says that the root of the problem is i.a. irresponsible, illegal and unethical use of personal data. Transparency is essential but not sufficient and it is important to apply the European Union's personal data protection legislation to the fullest, alongside general principles on elections and the diversity and freedom of the press.

In the British Information Commissioner Offices' report, published 11 July 2018, Democracy disrupted? – Personal information and political influence, it is stated that political parties and political powers in Britain and elsewhere have used personal data and highly developed processing technologies to reach individual voters for the purposes of influencing them to vote a certain way. This is a type of profiling of voters in general, e.g. on the basis of their use of social media, and use of these profiles to design messages to individual voters.

Finally, in the meeting of the EDPB on 25 September 2018, the European Union's Minister of Justice introduced measures to ensure free and fair elections, both on account of the upcoming European Parliamentary elections in 2019 and the then upcoming parliamentary elections in at least 13 of the nation states of the Union. The Union's measures in this area were presented in view of matters that had arisen in European states in the preceding years, including Cambridge Analytica abusing personal data in relation to the national referendum of Britain's exit from the European Union (Brexit) in 2016.

In these instances, it has emerged that there is a great threat of citizens of European states being targeted, mainly on social media platforms, in such a way that complex algorithms are used to target wrong, deceptive and profiled information at individuals without them being aware of it. The result may be that the trustworthiness and legitimacy of elections is undermined, in addition to there being an attempt to directly influence their results.

The same considerations apply in Iceland. It may even be argued that they apply more so here than elsewhere in Europe, in view of the widespread and uniform use of social media platforms here. The fact, that nine out of every ten adults in Iceland use the same social media platform, makes it easier than otherwise, for those who have the technical knowledge, to process information from discussion of current affairs and creates an ideal environment for illegitimate processing of personal data.

In the information environment in which we now live, there are many, not least young people, who do not read the printed press and in effect get all their information and news of what takes place in society from social media platforms. It is important that society and its institutions demand that political parties use the technology social media platforms offer responsibly. If personal data are used on social media platforms, in accordance with personal data protection legislation, the platforms will be able to play a constructive and positive role in the communication of information and should be able to encourage democratic participation and improve the capacity of voters to make choices on the basis of correct information. In order for this to be so, regulatory authorities must play their part effectively and ensure that the law is adhered to. In this way, they not only protect the constitutional right of individuals to personal privacy but also the democratic underpinnings of Icelandic society.

At the Icelandic Data Protection Authority 5 March 2020,

 

Björg Thorarensen
Chair

 

 

Aðalsteinn Jónasson                   Ólafur Garðarsson

 

Vilhelmína Haraldsdóttir                    Þorvarður Kári Ólafsson

 

 

---

[1] The Opinion was sent to the political parties before 10 o'clock on the morning of 6 March 2020. Following that, a confirmation was received from three advertising agencies and / or data handlers (data brokers, data analysts, ad tech companies) of the political parties' description. The advertising agencies and data handlers in question had sent letters which could be interpreted as confirmations of receipt but were intended as confirmations of the parties' descriptions.

[2] According to an MMR survey 12 July 2019.