Introduction
We have all heard of the Cambridge Analytica scandal. But can we confidently say we know exactly what personal data political parties hold on us? Or how this data was used in the run up to the UK’s general election on July 4th? Whilst data-driven campaigning has become a relatively well-understood practice, we should not rest when it comes to demanding higher transparency standards from our political parties for their use of our personal data. A key tool to this end is understanding and effectively exercising our data subject rights.
A word on data-driven campaigning
In the run up to July 4th, what time of day were you most receptive to opening the door or picking up the phone to a political candidate? Which political candidate might you have listened to for longer? Political parties already knew this about you, and much more, because they invest in data-driven campaigning.
Broadly speaking, data-driven campaigning (‘DDC’) refers to the harnessing of personal data to promote and grow political campaigns and target swing voters. As a practice, it long predates technology; since 1708 general election campaigners in Britain have maintained records on the people they hoped to persuade by writing down what people share during their canvassing efforts and noting down addresses. It is a useful tool for avoiding wasting energy and money in safe seats a party is unlikely to win. Yet DDC was controversially catapulted to the scene following the Cambridge Analytica scandal in 2018, a news event shocking the world in which 87 million people’s records were unlawfully scraped from Facebook. This data led to an advertising campaign on the back of sophisticated voter profiling techniques that helped swing voters in various political campaigns, including the 2016 US presidential election and the Brexit referendum.
Since then, nonetheless, DDC has become a relatively understood and regulated practice, and one that democracy can arguably stand to gain from. Yet six years on from Cambridge Analytica, questions can still be raised around how well-informed we are as a population about this practice. Specifically, can we confidently say we understand the extent to which our personal data is collected by political parties in the UK? The extent to which it is bought and used? How this is being done and what the harms are?
So, was I targeted in the run up to July 4th?
The more sophisticated a political party’s data-driven campaign is, the more likely that party processed your personal data to successfully target you ahead of an upcoming election. Indeed, prior to the general election on the 4th of July the UK had increased the spending budget that political parties could use in their campaigning efforts, making July’s election the most expensive general election to date since spending regulation began in 2000.[1] It is important therefore to not underestimate a party’s power to use data as a political investment. The answer to whether you were targeted by a political party in the lead up to the 4th of July, therefore, is most likely: yes, you were. But to what extent? A useful starting point to this question is to look at which sources of personal data political parties legally have access to, and what this data looks like.
Where are UK political parties getting my personal data from?
The full electoral register and the marked register
Political parties are entitled to receive a copy of the full electoral register, containing information such as your name, address, national insurance number, nationality and age. It is worth mentioning that other bodies are also given access to the full electoral register, such as local authorities seeking to discharge their duties relating to, for example, checking your entitlement to council tax discount or housing benefit. Political parties can furthermore purchase so-called ‘marked register’ data, which informs them whether or not you voted at a given election.
Publicly available data and data they collect directly from you
Other sources of personal data that political parties have access to in the UK include publicly available data. Political parties also have access to the personal data contained within their party membership database, as well as information they collect from you if you complete a survey for them or otherwise interact with them.
Data bought from data brokers
Political parties also gain access to your data by buying it from data brokers – companies that collect your personal data from social media and then sell this onwards. For the majority of individuals, this is perhaps the least-intuitive source of personal data that political parties have access to with regards to what they might reasonably expect.
Which of my personal data do they hold?
The work of Professor Kate Dommett and her team – presented in the book ‘Data Driven Campaigning and Political Parties’ published in March 2024 – helps us understand the kind of personal data that political parties possess.[2]
The data that people can intuitively and reasonably expect parties to hold on them are those in the first two columns; namely, data found on public registers and data that we freely disclose about ourselves. In the last two columns we see data obtained through monitored data – we could also call this observed data – and inferred data, arguably data that would be much less reasonably expected by the average individual. This data is more intrusive to our privacy, comprising information such as ‘psychometrics’, ‘likelihood to have children’ and ‘purchase history’.
Publicly Available Data Points | Disclosed Data Points | Monitoring Data Points | Inferential Data Points |
Age | Age | Email open rate | Age |
Gender | Gender | Event attendance | Likelihood to be persuadable |
Marital Status | Phone Number | IP address | Likelihood to be a supporter |
Address | Address | Geographic location | Income |
Party Registration | Party identification | Internet service provider | Psychometrics |
Turnout history | Attitudes to key issues | Browser information | Attitudes to key issues |
Postal code | Vote intention | Liked pages | Vote intention |
Location voted at | Email address | Purchase history | Likelihood to have children |
Profiling
If a political party collects enough of your personal data they can target you by way of profiling you. This can be extremely useful to the party, allowing them to gain insight on what matters to you, what kind of political messages to send to you and in what tone and how to advertise to you on your social media pages, to name a few examples. This in turn undoubtedly has power to influence your vote towards or against a certain party.
Professor Dommett cautions that we should be wary of projecting fear about political parties’ use of our personal data for profiling us, as she believes this is not as sophisticated as we would think. She writes that from her research she observed a significant lack of resources and efficiency with regards to the technology that political parties have access to. Yet it must be argued that this lack of resources would not impact bigger political parties in the UK, especially given the increased spending budget. For reference, political parties during the 2024 general election had a limit of just over £72,000 to spend per constituency that they contested. Should a party have chosen to contest all 632 seats in Britain, this would have translated to a budget of just over £46m.[3] It is still arguable, therefore, that we should in no way relax when it comes to the potential for political parties in the UK to profile us in sophisticated ways for their political ends.
Is profiling lawful?
Profiling is lawful, subject to certain safeguards. According to UK data protection legislation in Articles 12, 13 and 14, and reinforced by the Information Commissioner’s Office, political parties must inform you that they are collecting and processing your personal data, they must stipulate which categories of data this includes and how they will use it, and they must inform you when they carry out profiling. This information must be packaged in the form of a clear and easy-to-read privacy notice.
What might this look like? To provide some examples, the Labour Party’s Profiling Privacy Notice[4] explains that it uses your personal data to profile you not simply just to find out how likely you are to support the Party, but also to find out how likely you are to support other political parties, to answer the door or pick up the phone at particular times of the day.
The Conservative Party’s Privacy Notice[5] explains that it uses its profiling of you to determine what selective material it should send you, as well as whether it will be successful in appealing to you for financial support.
The Liberal Democrats Party’s Privacy Notice[6] explains that it profiles you to try to find out whether you share the values of the Liberal Democrats and if so whether you should receive their communications, as well as to find out which issues matter the most to you.
The passages above are underpinned by the principles of proportionality and necessity, which dictate that profiling in the lead up to a general election may lawfully occur should this fact be communicated in a sufficiently clear way to the data subject. Yet there are problems to this safeguard. Namely, can we expect the average individual to have read a political party’s privacy notice regarding how they are being profiled? Without this safeguard, it is much less likely that the individual could reasonably expect they are being profiled by means of data obtained from their social media account, for example.Yet it is not unreasonable to guess that the average person – profiled by the above political parties – has not read different political party’s privacy notices.
There is also concern surrounding informed consent, one of the main pillars of consent under the UK GDPR. When political parties obtain data from data brokers, these data brokers are likely to have obtained that data through websites, among other sources. The lawfulness of this collection would have required the pushing of cookie banners on individuals who might have been misled by dark patterns such as there only being an ‘accept cookies’ option, or who might not have read them out of frustration or lack of time.
What are the harms?
William Chan, data ethics expert at IGS, recently penned an article on the connection between data and democracy. He writes:
In particular, ethical use of data is not merely about compliance; it is also about using data in a way that honours the values that matter morally, including democratic values. So, when we say that organisations should be responsible for how they use data, this implies that they should be responsible for the impact of their data practices on democratic values as well.[7]
Arguably, DDC can have a very positive impact on democratic values. It can promote democratic engagement by ensuring political messages reach individuals and thereby encourage them to participate in elections and have their say. Indeed, Recital 56 of the EU GDPR implicitly recognises this positive impact, providing that ‘where in the course of electoral activities, the operation of the democratic system in a Member State requires that political parties compile personal data on people’s political opinions, the processing of such data may be permitted for reasons of public interest’.
Following a voter turnout (amongst registered voters) of just 59.9%[8] across the UK in the recent July election – the lowest voter turnout since 2001 – it is evident that improving this rate is of great importance, and DDC can stand to play an important role.
Nonetheless, voter turnout in and of itself is not merely a consequence of voters being encouraged to have their say. It also a result of the degree of trust the public holds in government, which is in no way helped if the handling of personal data by political parties seeking number 10 is ambiguous. A lack of proper understanding about how personal data is handled by political parties may very well increase public cynicism, leading to lower voter turnout rates, and in turn a government that is less representative of the citizens it serves.
Furthermore, DDC acts as a tool to spread messages to a defined group – those who are most likely to be either supporters of the party or swing-voters. This discriminated targeting can lead to political messages not reaching marginalised groups, as well as the creation of echo-chambers in the groups it does reach.
It is also worth noting that political parties are businesses running on private pockets. Indeed, we see this when we look at the legal bases that political parties rely upon to legally process personal data. Political parties in the UK rely on Article 9(2)(g) UK GDPR to process personal data that reveals your political beliefs – a legal basis allowing for processing for purposes of ‘substantial public interest’. Yet a similar provision is not always used when it comes to selecting a legal basis under Article 6 UK GDPR to process non-sensitive personal data, which is also used for profiling purposes.[9]
For example, the Labour Party uses a mix of two legal bases: ‘public task’ – the typical legal basis in Article 6(1)(e) UK GDPR that public authorities such as the NHS use to process personal data for providing healthcare, but also ‘legitimate interests’ – the legal basis in Article 6(1)(f) UK GDPR that private companies utilise to process personal data for their private business interests. The Liberal Democrats solely use ‘legitimate interests’. The Conservative Party does not share this information on its privacy notice.
This demonstrates that while DDC is often positively linked to democracy, we cannot presume that the sole and inherent purpose behind DDC is in the public interest of enhancing democracy. Business motives – and the individuals bankrolling political parties in the UK – play a strong role.
Moreover, the unequal playing field with regards to financial budgets highlights the unequal playing field between parties during elections. The bigger the party, the more data they can afford to buy, and the easier for them to target individuals and spread their own political message.
Holding political parties to a higher standard of transparency
The average individual does not likely tend to comb through a privacy notice or appropriately engage with a cookie banner. Given the impact that this has on informed consent and the reasonable expectations of individuals, as well as the other harms that arise such as echo chambers and discrimination, we see that the danger of DCC is not one that has been entirely mitigated after the Cambridge Analytica scandal. It is still important to hold political parties in the UK to a higher standard of transparency regarding how they process people’s data to their political ends, including how they undertake profiling activities.
To this end, it is arguable that a higher burden should be placed on political parties to re-think how they reach data subjects, so as to more appropriately empower them both in their knowledge and in their rights. This will help ensure political parties not only fulfil their duties as decision-makers about how our personal data is used to target us in politics, but also to discharge their duties as enablers of our privacy rights.
Our rights as data subjects
A population that understands its rights and knows how to effectively exercise them is one that is in a better position for holding the data-driven campaigning of political parties in the UK to account. Below are some salient rights to this end; namely, the right to accuracy, the right to access, the right to object and restrict processing, the right to be forgotten and the right to be informed.
Right to accuracy
Article 16 UK GDPR enshrines the data subject’s right to have their personal data be accurate.[10] Interestingly, in 2020, Open Rights Group (‘ORG’) conducted a research campaign to encourage people to make data subject access requests to political parties across the UK. The results suggested how inaccurate profiling by UK political parties may be. ORG wrote:
A number of those who received DSAR responses from political parties were then asked how accurate they felt their DSAR responses were on the whole. 57% agreed most with the statements ‘The results of my political Subject Access Requests were mostly inaccurate’ or ‘The results of my political Subject Access Requests were completely inaccurate’. Only 3% agreed most with the statement ‘The results of my political Subject Access Requests were completely accurate’.[11]
It is likely that this problem arises from the fact that the sources of the personal data that the political parties process varies; whilst some sources are reliably accurate, such as the electoral register which is updated every month with local authorities in England, Scotland and Wales carrying out an annual canvass to ensure it is correct and complete, other sources are less so. How can data pulled from social media and sold by a data broker to a political party be verified for its accuracy?
Addressing this shortcoming is of crucial importance, as an ineffective right to accuracy leads to a decreased safeguard against the harms that profiling can create, such as the marginalisation of certain groups and the creation of echo chambers, as addressed above. By exercising our right to accuracy, we hold political parties to account with regards to finding means to overcome this issue and satisfy this right.
On the note of subject access requests, Article 15 UK GDPR enshrines the right for people to access the information that an organisation holds on them. Submitting a subject access request to political parties in the UK is your right, and can be a useful tool for empowering your understanding which parties process your data, what this looks like, and for what purpose.
Right to object and to restrict processing
While the right of access empowers us to know what data organisations hold about us, control is granted by Articles 18 and 21 UK GDPR. More specifically, we are given the right to object at any time to the use of our personal data by a political party where they rely on the grounds of public interest or legitimate interests. As previously discussed, these are the main legal basis used by political parties in the UK and so this right will likely always apply. Whilst your objection is being considered, you have the right for the processing of personal data to be restricted.
Right to be forgotten
Article 17 UK GDPR empowers you to request that the political party delete the personal data that they hold on you.
Right to be informed
Last but definitely not least, Article 12 UK GDPR enshrines your right to be informed. Herein lies the core of the problem with the way political parties use our personal data to profile us: whilst this may be lawful so long as a legal basis applies and this processing is explained in a privacy notice in a transparent and easy to read way, the first requirement is easy to verify, but the second less so.
As seen above, whilst political parties do provide information surrounding their processing activities – including profiling – in their privacy notices, it is important to question the extent to which we can expect individuals to have read these privacy notices. Moreover, and crucial to an effective implementation of our right to be informed, is the matter of whether privacy notices truly paint a complete picture of the life cycle of the data that political parties collect. Do they reasonably explain which sources this is obtained from (or purchased from), which processors it is shared with and what these processors in turn do with it?
Returning to the Cambridge Analytica scandal, in which the illegal processing of personal data for profiling ends was carried out by a hired private firm, we are reminded that the burden is on political parties to carry out due diligence of all bodies with whom they share personal data with. This entails checking that appropriate legal bases are engaged and that all new processing activities are carried out in line with purposes compatible to those originally communicated to data subjects.
Political parties should also pay acute attention to the routes individuals are able take to enforce their data subject rights, ensuring that processors have the means to escalate requests in a timely manner.
All usage of individuals’ personal data under the controllership of political parties ought to be described exhaustively and transparently in their privacy notice. As such, the burden is on political parties to re-think their approach to privacy notices and decipher novel ways of keeping individuals informed.
Conclusion
Data-driven campaigning is not inherently bad, or by any means new. Yet we should not assume that its dangers were sufficiently addressed and mitigated with the Cambridge Analytica scandal. Given the extensive amount of knowledge that can come into the hands of political parties from its usage and their increasing campaign budgets, it is worth considering its multiple problems. Indeed, these problems range from the negative implications for democracy behind the creation of echo chambers and the marginalisation of groups to the legal shortcomings of reliance on cookie banners and privacy notices which give rise to cookie fatigue and which fly in the face of individuals’ reasonable expectations.
The most important checks and balances for making sure the benefits of data-driven campaigning do not take centre stage over the inherent harms lie in the proper understanding and effective exercise of data subject rights. Our data subject rights equip us to be active participants in pressuring political parties to be transparent and to proactively think of new ways they can keep us well informed. Ultimately, they empower us to have control over our personal data, and control over how this is used to shape our democratic society.
[1] https://www.theguardian.com/politics/article/2024/jun/06/political-spending-and-donations-what-are-the-rules-in-the-uk.
[2] https://www.youtube.com/watch?v=GCpQa9S-k9Q.
[3] https://www.instituteforgovernment.org.uk/explainer/election-spending-regulated-uk.
[4] https://labour.org.uk/privacy/privacy-notices/profiling-privacy-notice/.
[5] https://www.conservatives.com/privacy.
[6] https://www.libdems.org.uk/privacy/data-profiling.
[7] https://www.informationgovernanceservices.com/data-ethics-and-democracy/.
[8] https://www.theguardian.com/politics/live/2024/jul/06/keir-starmer-labour-cabinet-meeting-uk-general-election-conservatives-leadership.
[9] See also Section 8 of the Data Protection Act 2018 which clarifies the meaning of ‘public interest’ in Article 6 UK GDPR.
[10] See also Recital 71 EU GDPR wherein it is recognized that appropriate mathematical procedures should be implemented to ensure accuracy of data so as to minimize discriminatory effects on natural persons on the basis of political opinion.
[11] https://www.openrightsgroup.org/publications/who-do-they-think-we-are-report/.