EDPS closes investigation into European Parliament’s 2019 election activities
The European Data Protection Supervisor (EDPS) has closed its investigation into the European Parliament’s use of a US-based political campaigning company to process personal data as part of its activities relating to the 2019 EU parliamentary elections. The contract between the European Parliament and NationBuilder came to a natural end in July 2019 and all data collected has been transferred to the European Parliament’s servers, the EDPS announced today.
Wojciech Wiewiórowski, EDPS, said: “Data protection plays a fundamental role in ensuring electoral integrity and must therefore be treated as a priority in the planning of any election campaign. With this in mind, the EDPS will continue to monitor the Parliament’s activities closely, in particular those relating to the 2024 EU parliamentary elections. Nevertheless, I am confident that the improved cooperation and understanding that now exists between the EDPS and the Parliament will help the Parliament to learn from its mistakes and make more informed decisions on data protection in the future, ensuring that the interests of all those living in the EU are adequately protected when their personal data is processed.”
As part of its campaign activities for the 2019 EU parliamentary elections, the European Parliament set up a website called thistimeimvoting.eu, aimed at promoting public engagement. During the campaign, the website collected personal data from over 329,000 people, which was processed on behalf of the Parliament by US political campaigning company NationBuilder. Taking into account previous controversy surrounding this company, the EDPS launched an investigation in February 2019, in order to determine whether the Parliament’s use of the website, and the related processing of personal data, complied with the rules applicable to the EU institutions, set out in Regulation (EU) 2018/1725.
The investigation into the European Parliament’s use of NationBuilder resulted in the first ever EDPS reprimands issued to an EU institution. The European Parliament responded by implementing EDPS recommendations, including informing individuals of their revised intention to retain personal data collected by the thistimeimvoting website until 2024. The EDPS visited the European Parliament in November 2019, to check its data retention procedures, and confirmed the deletion of data from over 260,000 users who had not accepted the updated privacy policy.
Cooperation and understanding between the EDPS and the European Parliament improved over the course of the investigation, culminating in the end of the Parliament’s contract with NationBuilder and a commitment from the European Parliament to lead by example in the protection of personal data during the next EU Parliamentary elections campaign in 2024. The EDPS, meanwhile, will continue to closely monitor the activities of all EU institutions, including the European Parliament, in order to maintain the highest levels of compliance with the relevant data protection rules.
Background information
The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in the new Regulation (EU) 2018/1725. These rules replaced those set out in Regulation (EC) No 45/2001 in December 2018.
The EDPS is an increasingly influential independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection. Our mission is also to raise awareness on risks and protect people’s rights and freedoms when their personal data is processed.
Wojciech Wiewiórowski (EDPS), was appointed by a joint decision of the European Parliament and the Council on to serve a five-year term, beginning on 6 December 2019.
Personal information or data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details, such as IP addresses and communications content - related to or provided by end-users of communications services - are also considered as personal data.
Privacy: the right of an individual to be left alone and in control of information about his or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).
Processing of personal data: According to Article 4(1) of Regulation (EU) No 679/2016, processing of personal data refers to “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction." See the glossary on the EDPS website.
The powers of the EDPS are clearly outlined in Article 58 of Regulation (EU) 2018/1725.