If you live in the European Union or work with clients who do, you have likely come across the law known as the General Data Protection Regulation, better known as the GDPR. But do you know what it actually contains? Here, we break down the key tenets of the GDPR and why they matter when voting online.
The Origins and Purpose of the GDPR
While the law itself was passed in 2016 and went into effect in 2018, the GDPR has a basis in European human rights law dating back decades. To be more specific, Article 8 of the European Convention on Human Rights, passed in 1953, specifically states that every person has “the right to respect for [their] private and family life, [their] home and [their] correspondence.” To paraphrase, citizens have the right to be left alone, especially with regards to their private lives and communications with others, something more easily enforceable in the pre-internet age.
When digitalization took hold at the tail end of the 20th century and the internet expanded in scope, citizens could now perform a number of tasks and communicate exclusively online. However, an issue arose: citizens were increasingly giving out personal information online, whether directly or indirectly, in order to complete these tasks. By the late 2000s, citizens were providing far more data than necessary, whether through their typed texts or their device characteristics, and losing track of it.
The GDPR was formulated as a response to this phenomenon by setting up safeguards against the unwarranted large-scale collection, storage, and processing of personal data without a clear legal basis or explicit consent of data subjects. As articulated in the second paragraph of the GDPR, “the protection of natural persons with regard to the processing of their personal data should…respect their fundamental rights and freedoms” and “their right to the protection of personal data.” With “personal data” being “any information relating to an identified or identifiable person,” the overall goal of the GDPR was to not only put in place restrictions on what organizations could and could not do with data processing but also give citizens more sovereignty over their data and how it is used.
The Ins and Outs of the GDPR
Although any company with connection to the EU should be as familiar as possible with the GDPR, the law itself is 88 pages and quite dense. As such, in this section we will do two things: cover the main rules of the regulation and explain what organizations, especially those interested in voting online, need to do in order to properly follow these rules.
1. Organizations must be transparent and fair in the collecting of personal data
Transparency is not only the hallmark of a trustworthy election, it is also a cornerstone of the GDPR. When an organization seeks to collect and process data about individuals, it must make it as clear as possible to these individuals how and for what purpose the organization is obtaining and using this data. In organizing digital elections, a key reason for collecting personal data would be to enter voters into the system as part of a voter list (also called a roster or roll). If you do wish to collect and process data for this purpose, it is first a matter of critical importance that you not only clearly articulate to voters about what data you need, such as names or phone numbers, but also why you need it and how you will use it.
This tenet of the GDPR is also related to the idea of “lawfulness,” something which begins with the idea of consent. According to the GDPR, consent must be clearly and “freely given” by a subject and documented by the organization collecting personal data in order to demonstrate compliance. Users may also withdraw their consent at any time, and organizations must make any part of a contract dealing with the provision of personal data “clearly distinguishable” from other items in the contract. While it is also “lawful” to process personal data in order to fulfill a contract or for legal reasons in lieu of explicit consent, it is paramount to obtain explicit consent from individuals when conducting smaller-scale activities, such as intra-organizational elections.
2. Data can only be used for the purpose specified to data subjects
The core of this rule is what the GDPR defines as “purpose limitation,” meaning that data is not allowed to be “further processed in a manner that is incompatible” with the “initial purpose” of the data collection. This builds off of the first tenet by making sure that companies not only make the purpose of data processing clear to clients, but also refrain from using any obtained data for purposes other than what was specified in any agreement.
To take online voting as an example, if you are using personal data from voters to create a digital list of voters which will then be entered into an online voting system as part of setting up the system, that is the only purpose for which the data may be collected and used. Even if it may be interesting from an analytics standpoint, you are not allowed to use said personal data to gather insights on voter behavior, build a typical “voter profile” from that data, or use that data to aid in any sort of marketing.
3. You can only collect and use as much personal data as necessary for a task
As discussed in the previous section, it is easier than ever for citizens to give out sensitive information over the internet and some actors have taken advantage of that fact. Consequently, the GDPR states that personal data acquired for a task must be “limited to what is necessary for the purposes for which they are processed.”
For example, in running a digital election where voters may use their emails to receive notices or their government-issued digital IDs to access ballots, administrators would need data such as names, email addresses, and personal ID numbers in order to properly set up the election system. However, even if you can get other data from these eligible voters, such as their addresses, phone numbers, IP addresses, or hobbies, you are not allowed to collect, store, or use this information since it is not required to complete your task of setting up the system.
4. Data must be kept accurate and up-to-date
In order to ensure that all who are eligible to vote in an election may do so, a key task for government bodies is to maintain a frequently updated list of voters which includes their names, addresses, and any other information required by law. Naturally, as citizens move between cities, pass away, or change their names, it is of the utmost importance for these rosters to be kept as up-to-date as possible. The GDPR frames this as an issue of accuracy, adding that “personal data that are inaccurate…[must be] erased or rectified without delay” and that citizens have a “right to rectification” of any “inaccurate” information about them.
In the same manner as national or local elections, it is an organization’s responsibility to work with their solution provider to ensure that all necessary organizational and voter data is as up-to-date and accurate as possible in online voting systems. Should it not be, it may affect the ability of an organization to fulfill its contract allowing the collection of data in the first place and may jeopardize its reputation.
5. You may only hold onto data for as long as necessary
One right which the GDPR mentions, in Article 17 specifically, is the “right to erasure.” This simply means that citizens who provide personal data to an organization or company are entitled to have that data deleted. Reasons why citizens have the right to demand the deletion of this data include the completion of the task to which they consented, withdrawing their consent to the use of their data, their data being “unlawfully processed,” or to comply with any legal requirements. In essence, the goal of such a rule is to enable citizens to make sure their data does not linger on the internet or in databases longer than absolutely necessary.
When voting online, the data of voters and organizations must also be handled in the same manner. If a voting event has concluded and the data collected is not expected to be used again (or any time soon), the data must be erased soon after and the overall time the data is held should be kept to a “strict minimum.” It is possible for data to be archived, according to Article 89, for “purposes in the public interest” or those which are “scientific…historical…or statistical,” but generally this would not apply to private organizational elections. Thus, it would be up to the solution provider and client to specify how long data should be stored as part of a Data Processing Agreement (or DPA), if an organization using solutions frequently wishes to allow data to be stored for longer.
6. Data must be stored, handled, and processed securely
This may seem like a given, but the GDPR also lays out the importance of maintaining “integrity and confidentiality” when handling personal data. In Article 32, it states that organizations must be able to, to the best of their abilities, encrypt and pseudonymize data, ensure the “resilience of processing systems and services,” get systems up and running again should they falter, and regularly test the effectiveness of measures to ensure integrity. As a follow-up measure, the next article mandates that any “personal data breach” be reported to a supervising authority within 72 hours to minimize any resultant damage.
As with security in general, achieving this goal in online voting is never a one-person task. To begin, any employees involved in setting up online votes, whether on the client or provider side, should be well-versed in company policy regarding data handling. When possible, access to any personal data necessary for setting up a vote should be limited to only those expected to work with it, while any accounts set up using said data should employ two-factor authentication. Additionally, the GDPR mandates that personal data undergo “pseudonymisation” where possible, meaning replacing data points which clearly identify individuals with more vague ones for privacy.
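The following is an added illustration (not code from the original article or from any voting provider) of how tenets 3, 5 and 6 fit together when preparing a voter roster: only the fields the setup needs are kept, the voting system works on keyed pseudonyms while the identifying records and the HMAC key are held apart, and once the event is over the key and lookup table are erased so the remaining tokens can no longer be linked to anyone. The field names, the sample roster and the key are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Tenet 3: the only fields the election setup actually needs (assumed names).
REQUIRED_FIELDS = ("name", "email", "id_number")

# Constructed sample roster (fictional people) that also carries fields we must not keep.
SAMPLE_ROSTER = [
    {"name": "Ana Example", "email": "ana@example.org", "id_number": "ID-0001",
     "phone": "+00 000 0000", "hobby": "chess"},
    {"name": "Ben Example", "email": "ben@example.org", "id_number": "ID-0002",
     "address": "1 Sample Street"},
]


def minimise(record):
    """Keep only the fields needed to set up the vote; everything else is discarded."""
    return {k: record[k] for k in REQUIRED_FIELDS if k in record}


class PseudonymisedRoster:
    """Tenet 6: working data holds tokens only; the key and lookup table are held separately."""

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)  # store apart from the working data
        self._lookup = {}   # token -> identifying record (the separately kept information)
        self.working = []   # what the voting system itself operates on

    def _token(self, id_number):
        # Keyed HMAC, so tokens are stable within the event but not computable without the key.
        return hmac.new(self._key, id_number.encode(), hashlib.sha256).hexdigest()[:16]

    def add(self, record):
        rec = minimise(record)
        token = self._token(rec["id_number"])
        self._lookup[token] = rec
        self.working.append({"voter_token": token, "eligible": True})
        return token

    def reidentify(self, token):
        """Only possible while the separately held lookup table still exists."""
        return self._lookup.get(token)

    def erase_identities(self):
        """Tenet 5: after the event, drop key and lookup so tokens link to nobody."""
        self._lookup.clear()
        self._key = None
        return len(self.working)
```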
7. Organizations must be able to demonstrate that they are following the above rules
This stipulation is more of a confirmation of all of the above, but the GDPR mentions that a “controller” must show that an organization is compliant with the regulation. As part of this, the GDPR mentions the role of a Data Protection Officer (DPO), or a data protection responsible, as a starting point for ensuring compliance. While having a DPO is not mandatory for organizations which are not public authorities or operating on a large scale, it is advisable for all organizations to have at least one person designated as a “data protection responsible” person “tasked with monitoring GDPR compliance.” This goes for online voting and beyond.
Why GDPR Compliance Matters in Elections and Beyond
Up to now, we have talked a fair amount about what the GDPR is, its rules, and how they apply to the handling of data when carrying out digital elections. In this final section, we would like to conclude by discussing why GDPR compliance matters not only for having a good reputation as an organization, but also for respecting the rights of individuals.
At the time of its passage, the GDPR was sui generis; no other governing body had implemented comprehensive safeguards against the legally dubious and large-scale collection and processing of personal data. The response of some non-EU organizations was initially to block EU-based users from accessing their websites since compliance was a seemingly high hurdle. Yet now, five years after the GDPR came into effect, the GDPR is no longer standing alone but instead has inspired similar data protection laws across the world, including in five US states, South Africa, China, and Chile. To be curt, companies not complying with the GDPR would be advised not to wait for the drive for data protection laws to “blow over,” since such laws continue to grow in number in response to the GDPR.
Aside from the increasing popularity of data protection laws, the EU has also demonstrated that it will not hesitate to fine firms found to be breaching the GDPR, the largest such fine to date being the €1.2 billion levied against Facebook for mishandling user data earlier this year. This is not to say that every firm can expect fines this steep, as there are eleven factors which may affect the amount a company is fined, but it is good to be aware of the fact that penalties for non-compliance can be substantial.
Turning to the personal side, what we must always remember is that, while the names, numbers, and other bits of information on our screens may just look like data points to us, we are dealing with individuals just like us. These are people who, like us, have families, careers, interests, and a right to not have to worry about their sensitive personal information being used for inappropriate purposes. Whether we like it or not, in a digitized age we all become “data subjects” at some point, and GDPR compliance is an important measure by which we can make sure that we are treating clients, voters, or even anyone who visits our web pages with the same respect we expect when others handle our data.