UK General Election 2017: How EU law will hit British politicians' Facebook fight
Narrow swings, big data
The internet is buzzing with claims about the role of data and use of algorithms by politicians to swing votes.
Whether data played so important a part in campaigns from 2015 General Election to the EU referendum and how far data will shape the outcome of the upcoming snap General Election is interesting, but – ultimately – less interesting than whether such practices are lawful.
Even more interesting is the possibility, in the UK at least, that the lawfulness of such practices will affect practices by parties going out electioneering in the coming days.
That’s because at least some of the advantage that could be gained by any of the parties through data analysis will be eliminated when the European Union’s General Data Protection Regulation (GDPR) enters into UK law next May. That could impact the election after this, which will likely be fought in 2022.
Historically, use of data has been limited, but intelligent. Canvassing of voters identifies whether members of a household have a clear preference for the coming election – Tory, Labour, LibDem, Green and so on – or Don't Know/Won't Say.
In some systems, weak preferences are also elicited, resulting in hours of “fun” down at the local pub as election geeks (now rebranded as analysts) debate how to interpret such categories and what weight to allocate to each.
This data helped to focus party efforts: to target further communication and to “knock up” firm voters on the day.
The latter, at one time, was effected – ever so quaintly – by the use of “shuttleworths”: multi-sheet carbon forms that allowed successive updated copies for each street to be torn off and given to party election workers as a list of doors to knock on.
Hardly high-tech: but some parties did it better than others – and in more marginal seats, it probably meant the better-organised party sometimes beat the less organised.
Given that UK elections are winner-takes-all affairs in individual constituencies, more serious is the proposition, first advanced by direct marketers in the 1960s and 1970s, that a very small number of electors actually determine the outcome for the entire country.
In 2015, for instance, a change of heart by just shy of 900 people might have given the UK an entirely different result. The Conservative overall majority of 12 would have been overturned had just seven seats swung the other way: and the overall majority in those seven seats – including Gower and in Derby North where the party squeaked in by 27 and 41 votes respectively, grabbing these seats from Labour. A “close run thing” indeed.
There’s a lot in play in the current general election.
The Conservative party has targeted 150 opposition party seats – 129 of which are Labour. The smallest, Chester, has a majority of 93 votes and would require a swing of 0.09 per cent.
With such narrow gains in play, concerns over political parties – on either side – using big data to swing elections arise. Because given what an old-style political campaign can achieve with pencil and clipboard, how much more can be done with access to massive data sets about individual hopes, fears and attitudes, and sophisticated targeting of messages, determining not just who to contact, but in what format, with what message, and even, notionally, over whose signature. One potential voter for the Conservatives, for instance, might appreciate a personal last minute appeal from Theresa May, while another might prefer their rhetoric to emanate from Boris Johnson. The LibDems might discover that a certain voter may be persuaded sooner by Vince Cable than by Tim Farron.
Is this happening? Reports say the Conservative party employed a strategy adviser in 2015 who employed big data tactics: “Using vast databases, commercial market research, complex questionnaires and phone banks... to map the fears and desires of swing voters, and design highly personalised messaging that would appeal to them.”
It is reported, too, that both the Leave and Remain campaigns used the services of analytics firm NationBuilder in 2016.
Nothing to see here, according to a re-assuring piece in this publication, in which academics explain how it's all hype and overblown and – if it did happen – good for democracy anyway. Perhaps they protest too much. After all, if this data science is really so flimsy, how come banks and supermarkets and mobile phone companies have invested so much in it over the years? They cannot all be deluded.
And are these clever academics really claiming that big data could not potentially swing just a few crucial votes – say for example when just a few in two key constituencies need be swung?
And surely, there must be a law against this sort of thing? To an extent, there is. Traditional canvassing, involving face-to-face contact, direct conversation between voter and party worker, potentially triggers Data Protection Act concerns – but only minimally so. The purposes for which data is being collected are reasonably clear, and limited in scope. Individuals can, indeed, opt out of having their data processed by party machines – although in my direct experience, almost all parties are equally bad when it comes to managing the opt-out process.
For instance, I have, for several years, been in regular receipt of emails from leading Conservatives: the reason for this largely irrelevant communication is, as far as I can tell, because I once, many years ago, filled out an online survey managed by that party, and agreed to receive follow-up communications.
At the heart of all of this is one word: consent
A key Data Protection principle is consent – or absent consent, the idea that communication align to (reasonable) expectations. Consent, in commercial context, also has a use-by date: if I consent to receive communications in 2014, it is unlikely to be reasonable that my consent still stands in 2017 if, in the intervening years I have not interacted at all with the sender.
Moreover, electronic communications, including text and email, are governed by the far stricter regime of the Privacy and Electronic Communications Regulations – requiring opt-in consent (a positive choice), as opposed to opt-out (a failure to say no) – making my continuing receipt of these emails debatable.
Nor does it end there. Other commercially available databases, including those managed by Facebook and companies that specialise in lifestyle survey and geodemographic data hold massive amounts of data which can be used to estimate my current political inclinations and to nudge me in the right direction. Have I given adequate consent for this data to be used for political purposes? Is the use of statistical algorithms to influence my politics permitted?
The answer to both these questions is likely “no”. So, too, is the answer to a third: is this processing taking place in a facility where it is permitted? The Data Protection Act clearly requires processing of data to take place in countries and using data processors that comply with EU Data Protection principles. For obvious reasons, many US companies do not meet these requirements.
And while Facebook has previously attempted to argue that having a European HQ in Dublin exempts it from having to comply with “local” data protection regulations, that position was comprehensively slapped down in 2015.
The Information Commissioner is very definitely concerned that data may be used to influence election outcomes. Even before the election was called, Information Commissioner, Elizabeth Denham announced an inquiry into how political parties used data in 2015.
Since then, she has written to “all major political parties reminding them of their obligations when contacting potential supporters during the General Election campaign”, and invited them to a briefing session on updated guidance on political campaigning. Guidance has also been issued to the public in respect of what political parties can – or cannot do with their data.
Under the Data Protection Act, organisations using analytics must have adequate systems in place for letting individuals know how their data is being used, and providing them with the means to opt out. That, though, is just this year. As already noted, the GDPR will impact data protection in 2018, not least in the area of complex algorithms, where individuals will gain additional rights to challenge automated processing that “produces a legal effect or a similarly significant effect on the individual.”
Consent to the use of somebody’s data not only requires a clear, affirmative action under the GDPR but it must be verifiable – a record must be maintained of how and when consent was granted – a considerable undertaking that the UK businesses are only now addressing. How Britain’s political parties are addressing or will address the need to built such a crucial piece of critical technology infrastructure remains to be seen.
Also, individuals have the right to withdraw consent at any time.
Say the parties already, somehow, have your data but you wont want to be sliced and diced and be followed around the internet, what then for parties?
Here, parties can fall back on the DPA as GDPR will grant similar rights to organisations to store an individual’s data but not to process it any further.
The fines for breach of GDPR are considerable: 4 per cent of worldwide turn over or €20m (£16.9m) – whichever is higher. The ICO can currently levy fines of up to £500,000 (€591,205).
Perhaps party lawyers on either side are even now testing the water for loopholes: because, it could be argued, automated processing and the use of big data in the context of elections may have a significant aggregate effect overall – but a minimal effect on individual voters.
We shall see. Perhaps, despite all the hype, the major political parties really are doing none of the above. But there's a lot of smoke around: and smoke is often a good indicator of fire somewhere. The bottom line, as the Information Commissioner has been very keen to point out, is that such activity IF it were to take place would be walking a fine line between legality and illegality. ®