Protecting personal data during elections – the Council of Europe's new guidelines on the processing of personal data for the purposes of voter registration and authentication
In June 2024 the Council of Europe adopted its Guidelines on the protection of individuals with regard to the processing of personal data for the purposes of voter registration and authentication. PI welcomes these very comprehensive Guidelines which complement a previous set of recommendations outlining the safeguards for the Processing of Personal Data by and for Political Campaigns.
Elections and political campaigns are increasingly mediated by digital technologies. These technologies rely on collecting, storing, and analysing personal information to operate. They have enabled the proliferation of tailor-made political advertising. The recent proliferation of AI technologies is enabling ever more sophisticated content creation and manipulation in the context of elections.
In parallel, governments are continuing to invest in digital technologies for the running of elections. These digital technologies are inherently data-intensive. Notably, several states are turning to biometric registration of voters and e-voting, ostensibly to curtail fraud and vote manipulation. This modernisation often results in the development of nationwide biometric databases. Such databases contain and are used for processing large amounts of personal data, and thus require heightened safeguards and protection. Often, increased reliance on technologies for purposes of voter registration and verification goes hand in hand with the involvement of private companies, which provide and often run the technologies processing data at population scale. Generally, the privatisation of public tasks and responsibilities can be deeply problematic if deployed without the necessary safeguards. The risks are exponentially higher in the electoral context, particularly where the use of technical products or services provided by a company is made essential to the voting exercise.
It is in this context that in June 2024 the Council of Europe adopted its Guidelines on the protection of individuals with regard to the processing of personal data for the purposes of voter registration and authentication.
These guidelines were adopted by the Consultative Committee of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (known as Convention 108) following a thorough process of consultation in which PI participated.
PI welcomes these very comprehensive Guidelines which complement a previous set of recommendations outlining the safeguards for the Processing of Personal Data by and for Political Campaigns.
In the following sections, PI summarises some of the most innovative aspects of these Guidelines.
Scope
The Guidelines apply to entities managing voter registers and voters lists, namely national and regional Electoral Management Bodies (EMBs) and other similar authorities. EMBs play a crucial role in the running of elections and in doing so, as PI noted in its technology, data and elections checklist, they have significant responsibilities (as data controllers) to ensure their activities are compliant with data protection standards.
The Guidelines provide practical advice to EMBs about how systems of voter registration and authentication should comply with applicable data protection standards.
Sharing of personal information
The Guidelines insist on limitations to the sharing of personal information in voters’ lists by stating that: “[t]he sharing of voters’ lists should be limited to what is necessary for engaging with the electorate in election campaigns with clear prohibitions and appropriate sanctions for using the data for any other purposes.” They further require that “[p]ersonal data contained in official voter registers and lists are not to be further processed or shared with third parties without express authorisation in law. Names and addresses from the official voters list should not be combined with other sources of personal data processed by political parties or other campaign organisations to create profiles of voters, including for micro-targeting purposes” (paragraph 4.1.9.)
Data security
Given the significant risks data breaches of electoral registries pose to entire populations, the Council of Europe Guidelines recommend EMBs take specific measures on data security, such as carrying out risk assessments and putting in place "appropriate security measures for each processing of voter registration data, and its processing environments both at rest, in use and in transit" (paragraph 4.3.2.)
Biometric data and related technologies
The Guidelines raise concerns about the risks to privacy and democratic rights posed by “the integration of automated forms of biometric identification into existing voter registration databases”. PI agrees with the Council of Europe's contextual analysis for the rise of such technologies: “the pervasive problem of “techno-solutionism”; (often false) narratives in some countries about voter fraud and impersonation; and the power of a global biometrics industry that aggressively promotes new forms of voter registration and authentication”.
In fact, so concerned is the Council of Europe by the risks posed that it strongly recommends against automated biometric forms of identification for voters by insisting that they “should only be introduced if other existing (legacy) forms of identification and authentication have been demonstrably shown to be inadequate, inaccurate and/or contrary to the rights of the individual” (paragraph 4.7.6.) The burden is then on governments (and EMBs) to demonstrate the strict necessity of introducing biometrics in the election process. If introduced, the Guidelines list a series of legislative safeguards and limitations that must apply to biometrics in the election process, all predicated upon existing applicable data protection principles.
PI also welcomes the clear, unambiguous statement that “no biometric data should ever be shared with political parties, political candidates, campaign organisations, or other third parties. Only the EMB or processors on their behalf should have access to the biometric data processed for voter registration.” (paragraph 4.7.10.)
Role of private companies
PI has long expressed concerns that governments increasingly rely on private companies to run or support the technologies necessary for electoral processes. Generally, the privatisation of public tasks and responsibilities can be deeply problematic if deployed without necessary safeguards. The risks are even higher in the electoral context, particularly where the use of technical products or services provided by a company is made essential to the voting exercise. Once such technologies are adopted, they can generate dependency on the part of governments, not least because they are costly to replace and/or private companies maintain control over the know-how to run and update those technologies.
The new Guidelines seek to mitigate some of these risks by requiring developers and manufacturers of biometric technologies to apply the highest data security measures and by “testing their systems to eliminate disparities, particularly according to ethnicity, age and gender” (paragraph 4.7.11), as well as conducting human rights impact assessments “prior to the commencement of the data processing” (paragraph 4.7.12.)
Given the significant degree of opacity and lack of accountability that underpins many of the public-private partnerships in this field, it is particularly welcome that the Guidelines recommend that “[a]ll documentation relating to the procurement process engaging a third party for the provision of biometric technology required to process personal data should be made publicly available. Private companies providing such election technology should waive commercial confidentiality and make their technologies fully auditable to enable wide understanding of the functions and capabilities of the system. Contracts for the provisioning of electoral technology should give explicit details of the company’s access to data and provide for corresponding safeguards to ensure security and proper management of the data.” (paragraph 4.7.13.)
Implementation and follow up
By putting the emphasis on the role of EMBs, the Council of Europe Guidelines fill a significant gap in the understanding of how data protection standards apply in the context of the running of modern, data-driven elections.
PI recommends national authorities, including legislators, implement these guidelines promptly.