How to Run a GDPR-Compliant Election

Online Voting and Data Protection

Scytl
May 3, 2022

It has been six years since the European Union’s General Data Protection Regulation (GDPR) was adopted on 27 April 2016. By the end of the month, we will celebrate four years since it entered into force (May 25, 2018). The GDPR marked the beginning of a trend in the regulation of personal data in Europe, and many countries all over the world have started following a similar path in their personal data regulations.

Nevertheless, six years of the GDPR may not have been enough to overcome all the hurdles of this regulation. Several questions on how to properly implement the GDPR remain — and the field of elections is no exception. In this post we provide a brief account of how to ensure that the processing of personal data in an election complies with the highest data protection standards.

GDPR: The Basics

According to the GDPR, personal data “means any information relating to an identified or identifiable natural person” (art. 4(1) GDPR). In practice, any data may end up being personal data if they reveal something about an individual. In an election, it is always necessary to process personal data about voters (in the electoral roll), about candidates (in the ballots, in campaign materials, etc.), about election administrators (polling staff, members of elections committees, etc.) and about election observers and auditors. All their data is personal and therefore falls under the scope of the GDPR. We generally refer to these individuals as Data Subjects.

In this regard, processing their data means “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means” (art. 4(2) GDPR). Therefore, creating a list of voters in the electoral roll is processing personal data, marking the voters who have voted is processing personal data, and even just checking who has voted is processing personal data. Likewise, setting up a ballot with personal data about candidates is considered data processing, and so is publishing information about the members of a polling station or committee.

When it comes to this processing, many organizations can be involved. The organization running the election, for example, is considered a Data Controller under the GDPR, since it sets “the purposes and means of the processing of personal data” (art. 4(7) GDPR). In the case of online voting, many organizations need to rely on a third party to provide the voting technology. In this case, the online voting provider is considered a Data Processor under the GDPR. Nevertheless, Data Controllers remain accountable for any processing done by a Data Processor under their instructions.

How to Run a GDPR-Compliant Election

The GDPR lays down a set of basic principles for the processing of personal data:

Personal data shall be:

processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes […] (‘purpose limitation’);

adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

accurate and, where necessary, kept up to date […] (‘accuracy’);

kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed […] (‘storage limitation’);

processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)

art. 5.1 GDPR

These principles have clear implications when it comes to organizing an election. First, in order to process personal data, it is necessary to have the consent of the Data Subjects (or another legitimate ground, such as a legal obligation). The processing of their data must be transparent: all Data Subjects should be aware of which personal data is being processed, why, and how. They should understand what is happening with their data. These principles also impose an obligation of accountability on Data Controllers and Data Processors — they should be able to demonstrate that they are processing the personal data lawfully and in line with the GDPR.

The data processed as part of the election also need to be the minimum data necessary for running it. The categories of data chosen for processing must be necessary to achieve the declared overall aim of the processing operations: running the election. Data must be processed securely, ensuring its confidentiality as well as its integrity and availability, and it has to be accurate. Some ways in which the data can be processed securely include encryption and the use of pseudonyms. Furthermore, the data cannot be processed for a purpose other than running the election (purpose limitation), and it should be deleted as soon as the election results are out and the period to file complaints and appeals has been exhausted — unless the law provides that it should be stored for longer periods (storage limitation).

To make sure that you comply with these principles, some of the factors that you can take into account when relying on a GDPR-compliant online voting provider include:

  • Their product: has the product been designed and developed with the principles of “privacy by design” and “privacy by default” in mind? Do they only process the data that is absolutely necessary to run the election? Is their processing of personal data secured? Can they ensure that data will be deleted at the end of the election?
  • Their processes: Do they have a privacy policy that you can use to inform the data subjects about how their data is going to be processed? Do they maintain a Record of Processing Activities? Can they support you in fulfilling a Data Protection Agreement that specifies the categories of personal data processed by the online voting system? Do they know how to handle requests from the Data Subjects or to report security breaches? Do they have an up-to-date back-up policy?
  • Their team: Have they appointed a Data Protection Officer? Are their teams trained on data protection regulations (including all their employees, like Software Developers and Project Managers)?

In 2020 we published an article with some lessons learned from implementing GDPR-compliant elections in Europe. If you are interested, you can find the article with more information here.

This post is about the GDPR, but I am not in an EU country — should I care?

Yes, you should care about the GDPR! The territorial scope of the GDPR is not limited to the processing of personal data in an EU member State. According to article 3.2, the regulation also applies to the processing of personal data of any Data Subjects in the EU — regardless of whether they are EU citizens.

This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

art. 3.2 GDPR

Therefore, if votes in your election may be cast from an EU country, the GDPR applies to you as well.

This article was written by Adrià Rodríguez Pérez, Public Policy Researcher at Scytl.
