EPISODE 2: PERSONAL DATA AND PRESIDENTIAL ELECTION

20/04/2022

UGGC Avocats proposes to decipher the presidential campaign through the prism of intellectual property and personal data, at the rate of an episode every 15 days.

Episode 2: Personal data and presidential elections

For the second episode of its series devoted to the presidential elections, the intellectual property team of UGGC Avocats looks back at the launch by the CNIL of an “Elections Observatory” which is aimed at both those responsible for processing personal data (i.e. political parties and their candidates) and those affected by such processing (i.e. the voters)[1].

In an electoral context, personal data are likely to reveal the political opinion of the persons concerned and can therefore be qualified as sensitive data[2] resulting in the application of stricter rules.

The processing of sensitive data is in principle prohibited[3], with the following exceptions:

  • “the data subject has given his/her explicit consent to the processing of such personal data for one or more specific purposes (…) ;
  • the processing is carried out, in the course of their legitimate activities and subject to appropriate safeguards, by a foundation, association or other non-profit-making body with a political, philosophical, religious or trade-union aim, provided that the said processing relates exclusively to the members or former members of the said body or to persons who have regular contacts with it in connection with its purposes and that the personal data are not communicated outside the said body without the consent of the persons concerned[4] ».

The news of the last months offers us some examples of violation of the above mentioned provision.

The first concerns the former vice-president of a political party who allegedly misused a membership file for electioneering purposes to promote the candidate of another political party he had just joined.

Many members would indeed have received an e-mail at the contact address they had provided when they joined the political party and in which they were invited to vote for a candidate other than the one nominated by the party of which they are members.

The president of the political party concerned has indicated that he has referred the matter to the CNIL, as a result[5].He would have specified, on this occasion, that “only the executives of the movement have a personal and secured access to this database”.[6].

To our knowledge, the CNIL has not communicated publicly on this referral, and a priori, no sanction has yet been pronounced against the former vice president of the political party.

Nevertheless, based on the information available and without prejudging the possible sanctions imposed by the CNIL, it should be remembered that under the RGPD, the processing of personal data is only lawful if it complies with the purposes to which the persons concerned have consented[7] ; especially when it comes to sensitive data[8].

In this case, the data of the members of the political party were collected at the time of their registration and are used for communication operations, for the management and the relations of the party with its members[9].

These data can be qualified as sensitive data, insofar as they allow at least indirectly to reveal the political opinion of the persons concerned.

Consequently, the file of members of the political party could not, in any case, be used for electoral canvassing purposes for a candidate other than the one invested by the said party (and moreover by a person who had become external to the party), in the absence of the members’ consent.

In doing so, the use of the membership file for electoral canvassing purposes for a candidate other than the one nominated by the party does not seem to be authorized and contrary to the GDPR.

The CNIL could therefore be required to impose an administrative fine on the former vice president of the political party.

It should also be remembered that the misuse of a file is a criminal offence punishable by five years’ imprisonment and a fine of 300,000 euros[10].

A second problematic example of processing sensitive data can also be mentioned.

It is the one realized within the framework of the service proposed by the application Elyze – which consists in proposing to its users to find the candidate who corresponds best to them, on the basis of the information they have given at the time of their registration and of their answers to questions on social issues[11].

In the first version of the app, each user was asked to provide the following information: date of birth, gender, zip code, as well as the user’s political views, which constitute sensitive data under Article 9 GDPR.

The CNIL was informed by several users that the application did not provide sufficient guarantees with regard to the nature of the personal data collected and processed.

However, to our knowledge, the CNIL has not imposed any sanctions – presumably because, in its current version, the functioning of the application presents less risk of contradiction with the RGPD than the previous version: the application no longer keeps the personal data of its users; the database has been deleted; and there is no longer a collection form prior to using the application.[12].

Pour prévenir les compoTo prevent the above-mentioned behaviors and allow voters to exercise their rights, the CNIL has sent letters to political parties and officially declared candidates in order to make them aware of the stakes involved in the protection of personal data, particularly in the context of communication and electoral prospecting operations[13].

The CNIL has also made available to voters

  • A summary of their rights under the RGPD, recalling in particular that they have the right to object to the use of their personal data for electoral prospecting purposes [14] ;
  • A platform for reporting practices that data subjects consider to be contrary to the GDPR[15].

However, it should be remembered that an alert is not equivalent to a complaint. Indeed, it is not subject to an individual investigation. It only allows the CNIL to monitor and identify problems relating to the protection of voters’ personal data in order to carry out checks on the entities reported.

On the basis of these controls and in the event of a proven breach, the CNIL may give formal notice to a political party or a candidate to comply with the regulations in force or impose sanctions[16].

CThese sanctions can be made public, which can damage the image of a political party or its candidate and ultimately lower its popularity rating.

Next episode, in 15 days ….

The intellectual property team of UGGC Avocats

Tags: personal data, presidential campaign, sensitive data, voters, political parties, candidate, political opinion, canvassing, election strategy.

[1] CNIL, Presidential election 2022: CNIL’s action plan to protect voters’ data, February 16th, 2022 https://www.cnil.fr/fr/presidentielle-2022-le-plan-daction-de-la-cnil-pour-proteger-les-donnees-des-electeurs.

[2] Article 9-1 of the GDPR.

[3] Already mentioned

[4] Article 9 of the GDPR.

[5] “Christian Jacob refers to the CNIL after Guillaume Peltier sent an email to members of the Republicans”, Le Monde, January 13th, 2022, https://www.lemonde.fr/politique/article/2022/01/13/christian-jacob-saisit-la-cnil-apres-l-envoi-par-guillaume-peltier-d-un-courriel-aux-adherents-des-republicains_6109330_823448.html

[6]G. Philipps, Elyze, the Tinder of the presidential election, and the management of political personal data, France culture, January, 21st, 2022, https://www.franceculture.fr/numerique/elyze-le-tinder-de-la-presidentielle-et-la-gestion-des-donnees-personnelles-politiques.

[7] Article 6-1 of the GDPR.

[8]Article 9-2 of the GDPR..

[9] Article 4 of the legal notice of the party “Les Républicains” available at the following address https://republicains.fr/mentions-legales/.

[10] Article 22Article 226-21 of the penal code

[11]G. Philipps, Elyze, the Tinder of the presidential election, and the management of political personal data, France culture, January, 21st, 2022, https://www.franceculture.fr/numerique/elyze-le-tinder-de-la-presidentielle-et-la-gestion-des-donnees-personnelles-politiques.

[12] Already mentionned.

[13] See in particular CNIL, What files can be used for political communication? , November 27th, 2019, https://www.cnil.fr/fr/quels-fichiers-peuvent-etre-utilises-des-fins-de-communication-politique.

[14]CNIL, Voter Rights, November 27th, 2019,https://www.cnil.fr/fr/les-droits-des-electeurs

[15] To access the reporting platform, follow the link below: https://demarche.services.cnil.fr/signalement-elections/.

[16] Article 83-5 of the GDPR: under the GDPR, the amount of monetary penalties can be up to €20 million or in the case of a company up to 4% of annual worldwide turnover.