Netherlands

[NL] New guidelines on privacy rules for political parties during election campaigns

IRIS 2021-5:1/15

Ronan Ó Fathaigh

Institute for Information Law (IViR)

On 16 February 2021, the Autoriteit Persoonsgegevens (Dutch Data Protection Authority - AP) published important new Guidelines for political parties on the protection of privacy during election campaigns, including the use of political microtargeting. The Guidelines were published in the run-up to the Dutch parliamentary elections held on 15-17 March 2021. The European Commission also recently announced in the European Democracy Action Plan that it will examine “restricting” microtargeting in the political context, and propose legislation on political advertising in 2021 (see IRIS 2021-2/4).

The Guidelines begin by noting that political parties are increasingly using personal data (or hiring companies for this purpose) to reach their members, and send tailored online political messages, known as political microtargeting. The AP states that political parties are, of course, permitted to campaign digitally, but political parties must adhere to privacy rules. As such, the purpose of the Guidelines is to provide guidance to political parties engaging in online campaigning. 

The Guidelines set out a number of important issues. First, political parties should determine whether planned campaign activity requires the processing of personal data, and investigate whether a less-invasive method of campaigning is possible. Second, when engaging in political microtargeting, political parties should appoint a data protection officer or an external expert to oversee the use of personal data. Third, there are specific rules on the use of public information available online. The Guidelines state that political parties “cannot simply use information that people themselves put on the internet to send a political message to these people”. Importantly, where political parties intend to “scrape” this kind of data from the Internet and make profiles, those data processing operations must comply with the General Data Protection Regulation (see IRIS 2018-6/7), even if the data is public. Crucially, processing personal data about a person’s political opinions is permitted only in specific circumstances, such as when a person has given explicit consent. Finally, the Guidelines state that when political parties engage companies in relation to political campaigning, parties should only engage with companies that offer guarantees that they are GDPR-compliant. Political parties are advised to determine whether data sets containing personal data have been lawfully collected, and companies must have this documented.

The AP concluded by stating that it monitors compliance with the GDPR by political parties, and that elections and microtargeting are a “special area of attention” over the next three years.


References

  • Dutch Data Protection Authority, AP publishes manual for privacy during election campaigns, 16 February 2021

Related articles

IRIS 2018-6:1/7 Council of the EU: General Data Protection Regulation becomes applicable

IRIS 2021-2:1/4 European Democracy Action Plan

This article has been published in IRIS Legal Observations of the European Audiovisual Observatory.