European Parliament under investigation over election data sharing

Legislature used a third-party firm thought to be at the centre of electoral controversy in the UK and US

European Union Parliament Flags

The European Data Protection Supervisor (EDPS), the EU’s data protection authority, has launched an investigation into an EU institution over alleged improper sharing of personal data.

The European Parliament has been under investigation by the EDPS since February 2019, the authority announced on Thursday. The investigation will focus on the relationship the European Parliament has with the US software company NationBuilder.

To raise awareness and engagement with the 2019 parliamentary elections, the European Parliament was tasked with organising a campaign which they conducted through a site called thistimeimvoting.eu. Around 329,000 individuals handed their personal information over to the site, with data being processed by NationBuilder on behalf of the European Parliament.

NationBuilder’s services have been the centre of electoral controversy for a number of years now. The US firm offers a service with a number of optional features that can be turned off by the client, but its fair use by political bodies is shrouded in uncertainty.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"EU data protection law doesn't prevent EU controllers from using processors outside the EU," said Eleonor Duhs, director of technology, outsourcing and privacy at law firm Fieldfisher. "But they do need to ensure that personal data from the EU is protected in accordance with EU standards when it is transferred abroad. 

"Whatever the outcome of this investigation there is a very real threat to our democracies posed by online manipulation of the electorate,"  she added. "This raises important questions about privacy but also about fundamental rights more generally, for example, freedom of expression, freedom of thought and the right to participate in public affairs and engage in public debate."

In light of the Facebook and Cambridge Analytica scandal, "it will be important for the EDPS as a supervisory authority to show that the European Parliament is not immune from enforcement action," said Emma Erskine-Fox, technology and IP associate at UK law firm TLT.

In 2017, a UK judge ordered the UKIP party to hand over details of how it used and processed data collected during its Brexit referendum campaign.

The party was accused of using NationBuilder’s “match function” which could allegedly allow a party to match their data with social media profiles without the account owner aware that it was happening.

It has also been reported that Donald Trump, Theresa May and Boris Johnson all used NationBuilder’s “powerful campaigning software” to secure political power.

Advertisement - Article continues below

The European Parliament first used NationBuilder in 2018 in what it called a pilot program to spread awareness of a campaign across the EU, it told Bloomberg. It said it would only use basic functions provided by the software company such as the content management system, but even if that was the case, transferring data outside and back into the EEA, particularly in the US, is "tricky at the best of times," said Erskine-Fox.

"This is because of the need to ensure the personal data is protected in the same way as it would be in the EEA," she said. "The issue is further complicated by various ongoing challenges in the Court of Justice of the European Union (CJEU) which could result in mechanisms traditionally used to ensure this level of protection being declared invalid."

The European Parliament adopted a resolution to protect the parliamentary elections from data misuse in March 2019. The EDPS’ investigation will continue, saying "data protection plays a fundamental role in ensuring electoral integrity and must therefore be treated as a priority in the planning of any election campaign”.

"The EU parliamentary elections came in the wake of a series of electoral controversies, both within the EU Member States and abroad, which centred on the threat posed by online manipulation," said Wojciech Wiewiórowski, assistant EDPS. "Strong data protection rules are essential for democracy, especially in the digital age."

Advertisement
Advertisement - Article continues below

The European Parliament has been hit with two separate reprimands from the EDPS, one for using NationBuilder and another for failing to publish a compliant privacy policy for the thistimeimvoting website within the deadline set by the EDPS.

Related Resource

Trends in modern data protection

A comprehensive view of the data protection landscape

Download now

In addition to investigating the relationship between the European Parliament and NationBuilder, the EDPS will also continually check the European Parliament’s data processing policies after it recently revised its intentions to keep the data from thistimeimvoting until 2024.

Advertisement - Article continues below

The EDPS said the results of these checks could lead to additional findings.

"The EDPS expects the EU institutions, offices, bodies and agencies to lead by example in ensuring that the interests of all those living in the EU are adequately protected when their personal data is processed," said the EDPS. "This requires increased cooperation and more effective understanding between the EDPS and the EU institutions it supervises."

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now
Advertisement

Recommended

Visit/data-insights/data-management/354423/eu-us-data-transfer-tools-used-by-facebook-ruled-legal
data management

EU-US data transfer tools used by Facebook ruled legal

19 Dec 2019
Visit/backup/33385/arcserve-udp-9240dr-review-beef-up-your-backups
backup

Arcserve UDP 9240DR review: Beef up your backups

4 Apr 2019

Most Popular

Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/security/data-breaches/354611/misconfigured-security-command-exposes-250-million-microsoft-customer
data breaches

Misconfigured security command exposes 250 million Microsoft customer records

23 Jan 2020
Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/hardware/354584/windows-10-and-the-tools-for-agile-working
Sponsored

Windows 10 and the tools for agile working

20 Jan 2020