European Data Protection Supervisor
European Data Protection Supervisor

EDPS investigates European Parliament’s 2019 election activities and takes enforcement actions

EDPS investigates European Parliament’s 2019 election activities and takes enforcement actions

28/11/2019
28
Nov
2019

EDPS investigates European Parliament’s 2019 election activities and takes enforcement actions

The European Data Protection Supervisor (EDPS) is carrying out an investigation into the European Parliament’s use of a US-based political campaigning company to process personal data as part of its activities relating to the 2019 EU parliamentary election, the Assistant EDPS announced today.

Wojciech Wiewiórowski, Assistant EDPS, said: “The EU parliamentary elections came in the wake of a series of electoral controversies, both within the EU Member States and abroad, which centred on the threat posed by online manipulation. Strong data protection rules are essential for democracy, especially in the digital age. They help to foster trust in our institutions and the democratic process, through promoting the responsible use of personal data and respect for individual rights. With this in mind, starting in February 2019, the EDPS acted proactively and decisively in the interest of all individuals in the EU to ensure that the European Parliament upholds the highest of standards when collecting and using personal data. It has been encouraging to see a good level of cooperation developing between the EDPS and the European Parliament over the course of this investigation.”

Election campaigns are currently the subject of considerable scrutiny. The EDPS is actively engaged in seeking solutions to the challenges of online manipulation in elections while the European Parliament itself adopted a resolution to protect the European elections from data misuse in March 2019. Data protection plays a fundamental role in ensuring electoral integrity and must therefore be treated as a priority in the planning of any election campaign.

One of the European Parliament’s campaign activities for this year’s EU parliamentary elections was to promote public engagement through a website called thistimeimvoting.eu. The website collected personal data from over 329,000 people interested in the election campaign activities, which was processed on behalf of the Parliament by the US company NationBuilder. Taking into account previous controversy surrounding this company, the EDPS opened an own-initiative investigation in February 2019, in order to determine whether the Parliament’s use of the website, and the related processing operations of personal data, were in accordance with the rules applicable to the EU institutions, set out in Regulation (EU) 2018/1725. This investigation is ongoing.

The investigation into the European Parliament’s use of NationBuilder resulted in the first ever EDPS reprimand issued to an EU institution: a contravention by the Parliament of Article 29 of Regulation (EU) 2018/1725, involving the selection and approval of sub-processors used by NationBuilder. A second reprimand was subsequently issued by the EDPS, after the Parliament failed to publish a compliant Privacy Policy for the thistimeimvoting website within the deadline set by the EDPS. In both instances, the European Parliament acted in line with EDPS recommendations.

EDPS actions are not limited to reprimands. The EDPS will continue to check the Parliament’s data protection processes, now that the European Parliament has finished informing individuals of their revised intention to retain personal data collected by the thistimeimvoting website until 2024. The outcome of these checks could lead to additional findings. The EDPS intends to finalise this investigation by the end of this year.

The EDPS expects the EU institutions, offices, bodies and agencies to lead by example in ensuring that the interests of all those living in the EU are adequately protected when their personal data is processed. This requires increased cooperation and more effective understanding between the EDPS and the EU institutions it supervises.

Background information

The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in the new Regulation (EU) 2018/1725. These rules replace those set out in Regulation (EC) No 45/2001. The EDPS is an increasingly influential independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection. Our mission is also to raise awareness on risks and protect people’s rights and freedoms when their personal data is processed.

Wojciech Wiewiórowski (Assistant EDPS), was appointed by a joint decision of the European Parliament and the Council on 4 December 2014 to serve a five-year term.

Personal information or data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details, such as IP addresses and communications content - related to or provided by end-users of communications services - are also considered as personal data.

Privacy: the right of an individual to be left alone and in control of information about his or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).

Processing of personal data: According to Article 4(1) of Regulation (EU) No 679/2016, processing of personal data refers to “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction." See the glossary on the EDPS website.

The powers of the EDPS are clearly outlined in Article 58 of Regulation (EU) 2018/1725.