Opinion on political parties’ use of social media before parliamentary elections – Guidance and proposals
The Icelandic Data Protection Authority has investigated political parties’ use of social media before the parliamentary elections in 2016 and 2017. In an Opinion given in the case, the DPA addresses political parties’ processing of personal data for the purpose of defining target groups and directing advertisements at them. The Opinion regards the eight political parties which are represented in the Icelandic Parliament, Alþingi.
All the political parties processed personal data for the purpose of reaching out to defined groups during the period in question. All the parties used Facebook and most of them used other social media as well, such as Instagram and YouTube. Furthermore, some of the parties bought advertisements from the advertising platform Google Ads.
In the case of two political parties, only information on people’s age and location were used. Other political parties defined groups more precisely in light of their interests according to social media. Information on people’s interests was either provided by the users themselves or defined by the social media platform in light of the users’ activity on the platform, e.g. on the basis of what they liked, shared or showed interest in. Thus, some political parties directed customised messages at specific groups of voters who, in light of the profiling, were either considered likely to vote for them or believed to be undecided (swing voters).
Some of the variables that the political parties used to target voters were based on a rather intrusive review. Members of the political parties in question, as well as voters in general, received very limited information about the processing and how it was carried out.
Moreover, e-mail addresses of the members of two political parties were uploaded into an interface provided by Facebook. The e-mail addresses were linked to data processed by Facebook and subsequently, advertisements were directed at those party members on that basis. Based on information published on Facebook’s website, it can be concluded that the aforementioned data are encrypted in the advertiser’s browser and that Facebook therefore never sees the original data.
The Opinion of the Icelandic DPA contains conclusions on the legitimacy of the processing in question according to previous legislation, which was in force in the run-up to the elections 2016 and 2017. The DPA also gives guidance and proposals on the use of personal data on social media platforms in relation to elections, in order to ensure that the current law, based on the General Data Protection Regulation, is adhered to in practice. Furthermore, the DPA’s Opinion addresses a button that appeared to some Facebook users in Iceland with a reminder to vote in the parliamentary elections of 2017.
It is emphasized in the Opinion of the Icelandic DPA that political parties’ processing of members’ and voters’ sensitive personal data, e.g. on political views, must be based on the data subject’s explicit consent. Furthermore, special importance is given to the political parties’ duty to provide the required information about the processing to the data subjects and to ensure transparency.