The new Law on Data Protection and Digital Rights (LOPD), recently enacted in Spain, includes a highly controversial provision allowing political parties and organizations to collect and use personal data revealing political views of individuals. The LOPD aims at adapting the national legal framework to the EU’s General Data Protection Regulation (GDPR), which became fully applicable on May 25, 2018.
The controversial article was introduced as a last-minute amendment to the bill, which was voted unanimously on October 18 by the House of Representatives (Congreso de los Diputados). By then, the contentious article had largely gone unnoticed by the public opinion. Shortly after that, however, concerns that political parties might get broad leeway to process sensitive personal data were widely reported in the mainstream media. Nonetheless, the Spanish Senate definitively approved the law on November 21 – including the controversial section. The text is expected to be officially published shortly. The text approved is available here.
The relevant provision is Article 58 bis, titled “Use of technological means and personal data in electoral activities.” It establishes that “[t]he collection of personal data related to political opinions of individuals carried out by political parties in the framework of their electoral activities will be protected by the public interest only where adequate guarantees are offered.” In addition, it states that “political parties, coalitions and electoral groups may use personal data obtained in web pages and other public access sources for carrying out political activities during the electoral period.” Moreover, “[t]he sending of electoral advertising by electronic means or messaging systems and the hiring of electoral advertising in social networks or equivalent media will not be considered as direct marketing activity or communication.” (This is obviously meant to escape from the opt-in consent required by the ePrivacy Directive when it comes to unsolicited communications for the purposes of direct marketing). The article ends by requiring that the said promoting activities should clearly disclose their electoral nature and that the recipients should be granted an easy and free-of-charge way to exercise their right to object.
It is not surprising that such a provision has raised fears of serious interferences with private life by political organizations, particularly after the Cambridge Analytica crisis and the reported malicious use of personal data in social media during election campaigns in different countries.
Proponents of the article state that, in fact, it was devised to limit the use of personal data by political parties, and to offer appropriate guarantees to data subjects. However, the actual language of the final approved text hardly comports with such a purpose. It is true that a recital in the preamble to the GDPR refers to the possibility that processing of personal data in the context of electoral activities may be protected by the public interest. Recital 56 states “[w]here in the course of electoral activities, the operation of the democratic system in a Member State requires that political parties compile personal data on people's political opinions, the processing of such data may be permitted for reasons of public interest, provided that appropriate safeguards are established.” However, no justification whatsoever is provided by the LOPD to conclude that such a processing is indeed required by the operation of the democratic system in Spain. In fact, it’s hard to see that that might be the case at all. Thus it can hardly be deemed a direct transposition of the GDPR. The fact of requiring adequate guarantees is not satisfactory either, as they are not identified in any way – though one may think of the general guarantees provided by the GDPR.
The explicit permission to gather personal data from web pages and other public sources – which are not defined – is likewise hard to justify on the grounds of public interest. In the same vein, the possibility of sending electoral advertising by electronic means or messaging systems and the hiring of electoral advertising in social networks or equivalent media is certainly frightening, once we know that political parties are allowed to collect personal data related to individuals’ political opinions.
Of course, it remains to be seen how political parties will avail themselves of this new piece of legislation in practice. And, notwithstanding the language of the article, its interpretation, particularly by the Spanish Data Protection Authority will surely be restrictive (as it has already noted). Nonetheless, the whole purpose of the provision, at least in its final form, seems misguided and potentially dangerous. No matter how it could be assuaged by means of interpretation, it is arguably a norm that runs afoul of the GDPR – and might also be unconstitutional, as the Spanish Constitutional Court may declare if it is brought before it.