UK General Election 2017: How EU law will hit British politicians' Facebook fight

At the heart of all of this is one word: consent

A key Data Protection principle is consent – or absent consent, the idea that communication align to (reasonable) expectations. Consent, in commercial context, also has a use-by date: if I consent to receive communications in 2014, it is unlikely to be reasonable that my consent still stands in 2017 if, in the intervening years I have not interacted at all with the sender.

Moreover, electronic communications, including text and email, are governed by the far stricter regime of the Privacy and Electronic Communications Regulations – requiring opt-in consent (a positive choice), as opposed to opt-out (a failure to say no) – making my continuing receipt of these emails debatable.

Nor does it end there. Other commercially available databases, including those managed by Facebook and companies that specialise in lifestyle survey and geodemographic data hold massive amounts of data which can be used to estimate my current political inclinations and to nudge me in the right direction. Have I given adequate consent for this data to be used for political purposes? Is the use of statistical algorithms to influence my politics permitted?

The answer to both these questions is likely “no”. So, too, is the answer to a third: is this processing taking place in a facility where it is permitted? The Data Protection Act clearly requires processing of data to take place in countries and using data processors that comply with EU Data Protection principles. For obvious reasons, many US companies do not meet these requirements.

And while Facebook has previously attempted to argue that having a European HQ in Dublin exempts it from having to comply with “local” data protection regulations, that position was comprehensively slapped down in 2015.

The Information Commissioner is very definitely concerned that data may be used to influence election outcomes. Even before the election was called, Information Commissioner, Elizabeth Denham announced an inquiry into how political parties used data in 2015.

Since then, she has written to “all major political parties reminding them of their obligations when contacting potential supporters during the General Election campaign”, and invited them to a briefing session on updated guidance on political campaigning. Guidance has also been issued to the public in respect of what political parties can – or cannot do with their data.

Under the Data Protection Act, organisations using analytics must have adequate systems in place for letting individuals know how their data is being used, and providing them with the means to opt out. That, though, is just this year. As already noted, the GDPR will impact data protection in 2018, not least in the area of complex algorithms, where individuals will gain additional rights to challenge automated processing that “produces a legal effect or a similarly significant effect on the individual.”

Consent to the use of somebody’s data not only requires a clear, affirmative action under the GDPR but it must be verifiable – a record must be maintained of how and when consent was granted – a considerable undertaking that the UK businesses are only now addressing. How Britain’s political parties are addressing or will address the need to built such a crucial piece of critical technology infrastructure remains to be seen.

Also, individuals have the right to withdraw consent at any time.

Say the parties already, somehow, have your data but you wont want to be sliced and diced and be followed around the internet, what then for parties?

Here, parties can fall back on the DPA as GDPR will grant similar rights to organisations to store an individual’s data but not to process it any further.

The fines for breach of GDPR are considerable: 4 per cent of worldwide turn over or €20m (£16.9m) – whichever is higher. The ICO can currently levy fines of up to £500,000 (€591,205).

Perhaps party lawyers on either side are even now testing the water for loopholes: because, it could be argued, automated processing and the use of big data in the context of elections may have a significant aggregate effect overall – but a minimal effect on individual voters.

We shall see. Perhaps, despite all the hype, the major political parties really are doing none of the above. But there's a lot of smoke around: and smoke is often a good indicator of fire somewhere. The bottom line, as the Information Commissioner has been very keen to point out, is that such activity IF it were to take place would be walking a fine line between legality and illegality. ®