New bill will allow harvesting of personal data for elections, experts say

Legislation currently going through the Oireachtas would create a “free-for-all” for organisations such as Cambridge Analytica to set up shop in Ireland and to influence voters and elections anywhere in the world with impunity, data protection experts have claimed.

It is alleged the firm harvested private information from the Facebook profiles of more than 50 million users without their permission in 2014, and that this ultimately enabled it to exploit the social media activity of millions of American voters ahead of President Donald Trump’s campaign in 2016.

Whistleblower Christopher Wyle alleged an academic, Aleksandr Kogan, through his firm Global Science Research, in collaboration with Cambridge Analytica, paid hundreds of thousands of Facebook users to take a personality test and agree to have their data collected through an app.

The Observer and Times claimed at the weekend that details from 50 million profiles were gathered without the knowledge of users as the thisisyourdigitallife app was able to collect data from the Facebook friends of the paid users.

Mr Wylie told the newspapers the personal information was used to build models “to exploit what we knew about them and target their inner demons”.

Data protection consultant Daragh O’Brien, managing director of Castlebridge, said the Data Protection Bill 2018 currently going through the Oireachtas created “a blanket permission for organisations of any kind harvesting personal data for ‘electoral activities’.”

“That term is not defined anywhere, so creates a free-for-all for organisations like Cambridge Analytica to set up shop here and influence voters and elections anywhere in the world with impunity and no possibility of sanction from the DPC. If we want Ireland to be the global capital of election manipulation, this is precisely how it is done,” he said.

The Bill passed the committee stage in the Seanad last month and will give effect to the new EU General Data Protection Regulation (GDPR) and an associated directive on policing matters.

Section 43 provides that “subject to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects, the processing of personal data revealing political opinions shall be lawful” in a number of circumstances.

These include where the processing is carried out “in the course of election activities for the purpose of compiling data on people’s political opinions by a political party, by a body established by or under an enactment, or by a candidate for election to, or a holder of, elective political office.

Independent Senator Alice-Mary Higgins plans to table amendments to the legislation in the Oireachtas later this week.

Speaking earlier this month during the committee stage in the Seanad, she said: “We have seen the role played by companies such as Cambridge Analytica in the Brexit vote and Trump campaign. There is a real and present danger of private companies being contracted to influence and shape electoral outcomes.”

Mr O’Brien said it was “significant that Cambridge Analytica contracted with Facebook Ireland”.

“This puts the Data Protection Commissioner Helen Dixon in the front line of defending people’s right to fair and transparent electoral processes around the world. Her annual report had strong words.

“I look forward to them being matched with actions proportionate to the scale of the issues revealed in the last few days.”

Solicitor Simon McGarr, director of Data Compliance Europe, said section 43 of the Bill purported to create an exemption from the GDPR’s prohibition on processing data relating to political opinions.

“No consent would be required by the voters”, Mr McGarr said.

“It doesn’t limit itself to elections in Ireland, or Irish candidates or politics parties.

“The result would make Ireland a haven for profiling and non-transparent voter analysis in every election in the EU, driving a coach and four through the protections given to this sort of data in EU law and leaving Ireland open to significant fines if the Commission fines us for failing to comply with EU law.”

The Department of Justice said on Monday that section 43 “imposes safeguards on the processing of personal data; it does not allow for the sharing of such data”.

It said it was important that section 43 was not read in isolation and that section 33 of the Bill provided for a wide range of measures to be put into ministerial regulations under the Act to safeguard individuals’ rights.

Mr McGarr said a minister could not “make things legal which are illegal under European law”.

A spokesman for the commissioner said on Sunday the office had recommended that Facebook make changes after a 2011 audit and a 2012 re-audit, but the company did not update to its platform until April 2014.