Opinion of the European Economic and Social Committee on ‘Proposal for a regulation of the European Parliament and of the Council amending Regulation (EU, Euratom) No 1141/2014 as regards a verification procedure related to infringements of rules on the protection of personal data in the context of elections to the European Parliament’

(COM(2018) 636 final — 2018/0328 (COD))

(2019/C 110/14)

Rapporteur-general:

Marina YANNAKOUDAKIS

Referral	European Parliament, 1.10.2018 Council, 24.10.2018
Legal basis	Article 304 of the Treaty on the Functioning of the European Union
Section responsible	Employment, Social Affairs and Citizenship
Bureau decision	16.10.2018
Adopted at plenary	12.12.2018
Plenary session No	539
Outcome of vote (for/against/abstentions)	109/2/3

1.   Conclusions and recommendations

1.1.

The EESC supports the European Commission’s position in the need for this regulation in view of the recent events with the Facebook/Cambridge Analytica case concerning the alleged unlawful processing of personal data.

1.2.

The EESC recognises that in today’s world technological developments, social media and the storing of personal data by companies throughout the EU are a given. The need for these tools is not questioned as we move in a global high tech word. The challenge is to move in this area in a way that protects the citizens of the EU, allows transparency and freedom of their fundamental human rights.

1.3.

Data use and social media have fundamentally changed the way political parties campaign in elections, allowing them to target potential voters. This development has resulted in a greater push in social media as a form of influencing people’s voting intentions. The EESC would expect the Authority for European Political Parties and European Political Foundations (1) (the ‘Authority’) to look at areas where data infringement might take place and suggest ways to stop this and put checks and balances in place to secure data protection and use of data is within well-defined parameters.

1.4.

The EESC supports the objectives of the proposal, agreeing that democracy is one of the fundamental values on which the EU is founded; and to ensure the functioning of a representative democracy at the European level, the treaties determine that the citizens of the EU are directly represented at the European Parliament (EP).

1.5.

This representation takes the form of elected members from either political parties or individuals in Member States standing for election. The election platform has developed over the past decade with a greater role being played by social media. This development now needs to be addressed by the European Commission (EC) and the Authority with its increased staffing is one way of ensuring personal data is protected and not misused for political gain. In addressing this, the priority is to ensure the elections are played on a level playing field and no one group can gain advantage by the use of data.

1.6.

However, to ensure the Authority functions correctly there have to be secure parameters as to its powers and competences. At present, the Data Protection Authorities (DPAs) of the Member States are there to ensure that there is no misuse of data by political parties. The terms of cooperation between the Authority and national DPAs need to be defined properly. In addition, the DPAs in many Member States face limited resources and the Commission should consider their funding to enable them to work with the Authority.

1.7.

The EESC had flagged up the possible problems for misuse of data in its opinion on Personal data protection (2) and in this opinion addressed the areas of concern.

1.8.

The EESC supports the additional staffing of the Authority with the view that this staffing will be better positioned to work with Member States through the DPAs to ensure that data protection infringements are properly investigated and where found sanctions applied.

1.9.

The EESC recognises that the procedures for the elections of the EP are Member State governed within the EU framework. The EESC also expects that infringements of data protection rules be brought to the attention of the Authority either by the DPAs or by individual parties.

2.   Background to the opinion

2.1.

Recent events have shown the risks for citizens of being targeted by mass online disinformation campaigns with the aim of discrediting and delegitimising elections. Peoples’ personal data are also believed to have been illegally misused to affect the democratic debate and free elections.

2.2.

In May 2018, the General Data Protection Regulation (GDPR) came into force, setting strong rules on the processing and protection of personal data. It covers all European and national political parties and other actors in the electoral context including data brokers and social media platforms.

2.3.

Ahead of the 2019 elections to the European Parliament, the European Commission has proposed a number of focused changes to Regulation (EU, Euratom) No 1141/2014 of the European Parliament and of the Council of 22 October 2014 on the statute and funding of European political parties and European political foundations (3), which aim to ensure that the elections take place under strong democratic rules and in full respect of the European values of democracy, rule of law and respect of fundamental rights.

2.4.

In particular, the proposed changes would allow sanctioning of European political parties or foundations that influence or attempt to influence the elections via an infringement of data protection rules. Sanctions would amount to 5 % of the annual budget of the European political party or foundation concerned. The sanction will be enforced by the Authority. In addition, those found to be in breach would not be able to apply for funding from the general budget of the European Union in the year in which the sanction is imposed.

2.5.

The proposal also sets out a procedure to verify whether a data protection breach identified by a national data protection supervisory authority has been used to influence the outcome of EP elections, involving a ‘committee of independent eminent persons’ acting at the request of the Authority. The committee of independent eminent persons is established by Article 11 of the Regulation. It is composed of six experts that are appointed but not employed by the EC, EP and Council.

2.6.

To ensure the Authority is sufficiently staffed to carry out its duties in an independent and effective manner, it is furthermore proposed to add seven staff members (to the current staff of three, which includes the director).

3.   General comments

3.1.

The EESC supports the objectives of the proposal and agrees that democracy is one of the fundamental values on which the EU is founded. To ensure the functioning of a representative democracy at the European level, the treaties determine that the citizens of the EU are directly represented at the EP. As such, it is vital that its citizens are able to exercise their democratic right without let or hindrance. Any interference with the free choice during the election process is undemocratic and unacceptable.

3.2.

The EESC recognises the increased use of personal data in election campaigns. In the 2017 UK election more than 40 % of advertising spent by campaigners was spent on digital campaigns. This being the case, the attraction of personal data to target certain groups is understandable. However, it is not acceptable that personal data be shared without the person’s knowledge, and this is a fundamental abuse of human rights.

3.3.

The development of the web, the speed of information being transmitted and the global implications require a strong approach to the security of data stored. The GDPR sets robust rules for this. In particular, personal data must be processed lawfully and fairly. As it stands, political parties can legitimately use data under the GDPR rules, within certain parameters. The development of political canvasing has become more reliant on social media. To try to stop this completely would not necessarily serve the democratic process as it would limit political parties’ possibilities to inform potential voters of their manifesto.

3.4.

The EESC recognises Member State sovereignty in the election process and the Commission has to work within said Member State sovereignty. The EU cannot legislate the sanctioning of national political parties as this is a Member State competence. Therefore, the EU can only propose measures to sanction European-level political parties. To do so, the Commission proposes an amendment of the Regulation that governs their statute and funding. This will give the Authority teeth in its conclusion when misuse has been proved.

4.   Specific comments and recommendations

4.1.

The EESC recognises that the Authority is currently understaffed. The director and its two staff members already have a very high workload and the upcoming European elections will put even more pressure on them. The EESC therefore supports the proposal to staff the Authority in a permanent way and to confer the powers of an appointing authority on the director of the Authority, as it is essential that it has enough manpower to monitor the elections properly.

4.2.

Data use and social media have fundamentally changed the way political parties campaign in elections, allowing them to target potential voters. This development has resulted in a greater push in social media as a form of influencing people’s voting intentions. The EESC would expect the Authority to look at areas where data infringement might take place and suggest ways to stop this and put checks and balances in place to secure data protection and use of data is within well-defined parameters.

4.3.

The EESC suggests that greater clarification is needed to constitute what is an attempt to influence the elections via an infringement of data protection rules. The setting up of a working group consisting of Member State DPAs and the Authority should be examined, with an aim of establishing best working practice between both the Authority and the DPAs as data protection has no borders within the EU.

4.4.

The director of the Authority is appointed via the procedure as stated in Article 6(3) of the Regulation. He/She is independent and not accountable to the EU institutions. He/She does have to submit an annual report to the European Commission and the European Parliament, and it might be prudent to give the EP the power to question this report and to vote on it. This would ensure that the Authority has some accountability and that the process is more transparent.

---

(1)  www.appf.europa.eu

(2)  OJ C 248, 25.8.2011, p. 123.

(3)  OJ L 317, 4.11.2014, p. 1.