Data driven election campaigning and India's proposed data protection framework
Close engagement with the electorate is a necessary tactic to win elections. The last decade has seen a shift in the strategies for election campaigning, from mere doorstep canvassing to using data analytics tools to understand voter sentiment. Online browsing patterns are combined with publicly available electoral databases to create data points of age, caste, religion, political beliefs etc. which are used to develop better advertising and marketing techniques to provide targeted information to the voters. The entry of third parties such as data brokers and data analysts has made the practice of election campaigning rather opaque. Apart from concerns around micro targeting and free will, political manipulation and its impact on democracy, these activities raise serious questions around the legality of personal data processing for such micro targeting activities. The Cambridge Analytica incident and the accompanied questions around the misuse of personal data disclosed through social media have resulted in several data protection authorities clambering to issue guidance on the use of personal data for election activities. Even though studies on privacy harms of data driven elections are minimal, the research is still heavily set in the context of the United States and the resultant harms due to their lax data protection measures. Research on data driven elections in Germany has highlighted the impact of strong data protection provisions on the rights of the citizen. This essay will examine if the proposed data protection framework of India is equipped to deal with the shift towards data driven elections by focusing mainly on the automated nature of decision making and the accompanied profiling for targeted communication.
How does data-driven election campaigning work?
The shift towards data driven elections assumes that comprehensive knowledge of the voter’s political preferences and belief will aid in developing an effective communications strategy. For example, a particular voter’s view on the policy of immigration can be analysed based on the data gathered. If the voter has indicated negative attitudes towards the policy, targeted communication related to the candidate’s intentions of curbing undocumented immigration can be sent to that particular voter. Hence, the campaign depends on figuring out new or different sources of data that will allow political parties to analyze the preferences of the voters. Large amounts of data about individuals is gathered. Basic details regarding the voters, such as names, addresses, age, are usually available in most countries as part of their election laws. Details regarding the individuals’ opinions, preferences, concerns etc. can be gathered from data that is considered “publicly available” through social media websites or datasets obtained from data brokers. Data can also be gathered using cookies, social plugins, and other tracking technologies. This is subsequently used to profile and then predict their preferences for internal strategic campaign discussions, or to send targeted political advertisements based on their preferences. Studies have shown how personality traits, political views and other characteristics can be inferred from facebook likes. However, the range of such micro-targeting can differ and may not be as simple as the one highlighted in the above-mentioned example.
The process of personal data processing
Personal data processing begins with clearly identifying the main objective/ purpose of processing. The purpose of processing has to be specific and cannot be vague or ambiguous in nature to ensure that the data points collected are not excessive in comparison to the main purpose. Then the personal data and sensitive personal data categories that are required to achieve those purposes are identified. It is essential that each data point collected is directly related to the purpose of processing. Based on the personal data categories that need to be collected, the lawful ground of processing based on applicable legislation has to be identified. Once the lawful ground and the main purpose of processing is identified, the retention period and subsequent destruction methods for the personal data collected will have to be determined.
Data driven election campaigning and key considerations for data protection legislations
The legality of personal data processing in these data driven elections is dependent on the data protection laws of every country. In Canada and Australia, political parties are exempted from the application of the data protection law. However, private entities that provide services to political parties will need to comply with the overarching privacy framework. Neither the General Data Protection Regulation of the EU nor India’s proposed data protection framework make a distinction between political parties and private entities providing services to such political parties. In short, in India the application of the proposed legislation extends to political parties as well as to the private entities that might be involved in the process. In addition to mere application of data protection laws, some of the key provisions that need to be analyzed within the context of targeted communication for election campaigning are the legal grounds for processing personal data, notice requirements, approach towards publicly available personal data, data principal rights (specifically, rights against automated decision making and right to object) and oversight over the data processing.
Privacy notice
Privacy notice is supposed to be provided to the data principal prior to data collection so that the data principal understands the details of the processing that will be undertaken after they disclose their data. In India (like in most countries), electoral rolls of constituencies are public documents. Political parties can gain access to these lists in accordance with the Registration of Electoral Rules, 1960. The information on the electoral rolls provides the analysts with access to the individual’s name, their father’s name, voter ID, location, and age. Details about their socio-economic status can be obtained through land records, BPL lists etc. Additional details can be obtained through third parties such as low level mobile operators (people who sell sim cards), banks and other data brokers. Both GDPR and the proposed data protection framework of India require notice to be provided to the individual when personal data is not directly collected from the individual.
In the context of election campaigning, compliance with the legal requirement to provide such a notice will have to be examined within the larger context of the secrecy around campaign strategies. Since the notice will require specific details regarding the processing, chances are this could potentially reveal their campaign strategy. In such a case, either they may simply omit compliance with the privacy notice or not provide sufficient details in the notice – both of which will be a violation of the requirement. Regardless, since the primary purpose is profiling for the purpose of targeted communication,the transparency fallacy of providing adequate explanations of automated decision-making systems can extend to the initial privacy notice itself. These concerns are exacerbated in the Indian context due to the absence of the requirement of providing the data principals with details regarding the automated decision-making systems. In the absence of knowledge regarding such operations, data principals will not be able to exercise their corresponding data principal rights. It is important to note that, if such data can be used to send targeted communication, similar datasets of the voters can also be abused to discriminate based on their political affiliations and other preferences. Hence, clear and enforceable guidelines on drafting of the privacy notice is highly encouraged.
Lawful grounds for processing
Before initiating data collection, entities are expected to identify the lawful ground for such collection and processing based on the applicable legislation. As a result of the investigation initiated by the ICO and their code of practice on personal data usage in political campaigns, there is considerably more guidance around the appropriate lawful ground of processing from the jurisdiction of the EU. Such guidance will be useful for our analysis of the Indian law as we seem (or claim?) to have borrowed heavily from GDPR. Under GDPR, the most relevant grounds for processing personal data in the electoral context are the consent of the individual, compliance with a legal obligation or performance of a task carried out in the legitimate interest of one of the actors. India’s proposed data protection framework does include the lawful grounds of consent and processing based on legislation. However, in place of processing based on legitimate interest, the framework includes processing based on reasonable purposes. The feasibility of relying on the legal grounds of consent and processing based on reasonable purposes shall be examined below.
Consent
The standard for valid consent under the proposed framework remains the same as that of GDPR, i.e., it has to be free, informed, specific and capable of being withdrawn. Theoretically, of all the lawful grounds identified in data protection legislations, informed consent is by far the most ideal notion. It provides the individual with the best context driven control over disclosure and use of personal data. However, it might be necessary to re-examine the viability of complying with the high standard of consent for complex data processing operations such as the ones that enable data driven elections.
Free Consent
For consent to be “free”, the individual must have had real choice in providing their assent without fear of the negative consequences in the absence of such assent. An important metric to determine the same is to examine the relationship between the entity seeking consent and the individual providing consent. For example, the power imbalance between governments and citizens will make the former’s reliance on consent as lawful ground of processing questionable. In the case of processing for election campaigning, since most of the indirect data collection is undertaken through social media, and a case of power imbalance may be difficult to establish. “Free” will have to be examined in the context of the choices provided for in the relevant market and whether the services offered by other organisations in the similar market are deemed to be equivalent. The absence of real choice in the market coupled with the fact that in most instances individuals do not have a chance to negotiate the terms of processing with social media companies can result in unfair tying of services in the absence of transparent enforcement.
Informed and specific
Another important element of valid consent that indicates that the individual has autonomy over their personal data is their ability to comprehend a privacy policy and then give their assent to the processing. Even though the onus is on the individual to comprehend the policy, entities are required to provide details regarding the processing in clear and concise manner. In the electoral context, since micro targeting relies heavily on automated decision-making systems, the privacy notice should ideally include the operations of such a system in a comprehensible manner for the consent to be considered as “informed”.
GDPR’s notice requirements mandate data controllers to provide “meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing for the data subject” in the event of profiling. A determination about whether a right to explanation can be provided has to be taken on a case by case basis. A realistic determination of the feasibility of simplifying the details of complex operations will have to be undertaken. Due to the complex nature of these operations, there are questions around what constitutes as meaningful information for the data subject to be considered as informed for the purposes of satisfying the conditions of valid consent. In India, the proposed data protection framework doesn’t require data fiduciaries to notify the existence of an automated decision-making system, let alone provide meaningful information regarding the logic involved and its significance on the data principal. In the absence of such a requirement, it is highly unlikely that profiling in the electoral context will satisfy the conditions of a valid consent. Relying on consent in the absence of real choice stemming from the lack of details around the processing will make consent meaningless and will just be an excuse to extract personal data from unsuspecting data principals.
Legitimate interest and publicly available personal data
Under GDPR, the lawful ground of legitimate interest can be exercised only if the entity’s interests are not overridden by the interests or the fundamental rights and freedoms of the data subjects. According to the Article 29 working party, for the balancing test to be carried out, the interest must be clearly articulated and a restricted approach should be taken while substantively analyzing the balancing test. Even in cases where organisations have a legitimate interest to know their customer’s preferences to target them with better advertisements and personalize their offers, it doesn’t mean that the balancing test will naturally fall in their favour. Since customer’s preferences can be used to create complex profiles that can reveal highly sensitive personal data, the controller’s interest may be overridden by the interests and rights of the data subject. India’s proposed data protection framework uses the term “reasonable purposes” in place of “legitimate interests”. The balancing test for exercising the lawful ground of legitimate interests under GDPR and the lawful ground of reasonable purposes in India is similar. However, the most vital difference, specifically in the context of processing for election campaigning, is the explicit inclusion of processing of publicly available personal data as one of the purposes under processing for reasonable purposes in the Indian framework.
In the context of election campaigning, if the lawful ground of legitimate interests is to be exercised under GDPR, the fact that personal data is publicly available is considered one of the many factors in conducting the balancing test. Under India’s proposed framework, processing publicly available personal data may be included as one of the stand-alone purposes under the lawful ground of processing for reasonable purposes. This can mean that entities are allowed to process personal data by virtue of it merely being public without regard to the overall objective of data processing. GDPR requires notice to be provided to the individual in case the data that is being processed is publicly available and has been collected from a source that is not directly the individual. The proposed framework, in its current form, may not require entities to provide individuals a privacy notice prior to initiating the processing of such publicly available personal data.
GDPR’s prohibition around processing special categories of personal data doesn’t extend to that personal data that has been manifestly made public by the data subject. However, the determination of what is manifestly made public is relatively restrictive. The Article 29 working party in its guidance for the law enforcement directive explains the phrase ‘manifestly made public’ as that data which the individual is aware of that will be available to everyone including the authorities. Hence using similar logic, in the context of social media, for information to be considered manifestly public the individual should have preempted the availability and use of their data for receiving targeted communications in the course of election campaigning. In its current form, the proposed framework doesn’t require entities to examine the context and purpose of initial disclosure before classifying personal data as “publicly available personal data” for the purposes of the legislation. There are no additional safeguards for such processing of publicly available personal data that reveals any other detail that can be considered as sensitive personal data. The lawful ground of processing personal data for reasonable purposes in the proposed data protection framework in its current form may be relied on for data driven election campaigning. However, further deliberation on the impact of its current treatment of publicly available personal data on the data principals is highly encouraged before the enactment of the Bill. Considering a free for all usage of publicly available personal data without taking into consideration the context behind such disclosure is counter intuitive to protecting personal data altogether.
Data principal rights
Apart from the privacy notice, exercising data principal rights are another method through which individuals can exercise control over their data. Some of the key data principal rights that are available to a data principal in India under the proposed data protection framework are right to access and confirmation, correction, erasure, data portability and the right to be forgotten. The existence of these rights is far better than the current framework under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. However, within the context of targeted communication for election campaigning, we seem to be missing two of the key rights included in GDPR – the right against automated decision making and the right to object.
Right against automated decision making
Since much of the micro targeting activities are solely automated decisions, an analysis of the data principal rights that apply directly to the situation is important. Article 22 of GDPR restricts the application of those solely automated decisions that have a legal or similarly significant impact on the data subjects. The Regulation permits such automated decisions only if additional safeguards such as including human intervention and providing the explanation of the decision to the data subject while providing the option to the data subject to challenge the decision are implemented. It's difficult to establish the existence of significant effects of such targeting as it is challenging to establish the cause and effect of such targeted communication i.e., the actions of the individual could have been influenced by many other reasons other than just the targeted communication. However, the inclusion of such a right and the accompanied analysis by the entity prior to initiation of data processing will give the data principal the added layer of protection that is currently absent in the Indian law.
Right to object
Under GDPR, if the entity relies on the lawful ground of processing for legitimate interests of the controller, the data subject also has the right to object to the processing of personal data. In case of the specific purpose of direct marketing, controllers will have to cease the processing operations once this right has been exercised by the data subject. Since most data driven election campaigning is based on direct marketing strategies, the existence of this right is important. The Sri Krishna committee justifies the absence of this right by relying on the data principal’s right to withdraw consent. However, it is important to take note that the data principal can withdraw consent only if the lawful ground for processing personal data is consent. The data principal will not be able to withdraw consent if the lawful ground of processing personal data for reasonable purposes is relied on.
Oversight
Just like with any other legislation, the efficacy of its application is determined by the nature of oversight that is provided. GDPR, along with setting up strict data protection requirements also requires member states to set up independent data protection authorities. These data protection authorities are empowered with strong investigative, corrective and guidance powers that provide them with the necessary power to enforce the obligations prescribed by the laws. Since election campaigning is, by its very nature, a political topic, it is essential that the entity providing oversight over such activities is free from external political influence. The proposed data protection framework in India sets up the Data Protection Authority of India whose investigatory, corrective and advisory powers are similar to its European counterparts. However, the procedure for appointment of the members of the Authority and the criteria of the selection committee raises questions around its perceived independence. The central government has been tasked with the power to appoint the members of the Authority on the recommendation of the selection committee which is composed of individuals only from the Executive branch of the government. Since election strategies directly influence the Executive, it is reasonable to be apprehensive regarding potential external influence.
Conclusion
Even though the proposed data protection framework has reference to most of the internationally accepted privacy principles, the obligations stemming from those principles have not been modified to address the changing landscape of personal data processing. The absence of key data principal rights and relaxed protection provided to publicly available personal data reflects lack of conversation around the complexities surrounding contextual disclosures, further processing of personal data, profiling etc. It is admitted that international guidance around election campaigning and data protection has stemmed from the advisory powers of the data protection authorities. However, the absence of codification of crucial data protection obligations may run afoul to the spirit of safeguarding privacy of the individuals that was enshrined in the Puttaswamy judgement. It is imperative that the joint parliament committee currently deliberating the provisions of the proposed framework introduce some of these obligations in the primary legislation itself.
Reviewed by Arindrajit Basu and Pallavi Bedi.