Norwegian DPA: Political Parties Must Obey Privacy Rules During Campaigns
Political parties must be guided by data protection rules during election campaigns, the Norwegian data protection authority said Thursday.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
Many political parties send targeted messages before elections, and such targeting often relies on personal information such as age and gender, the DPA said. The messages usually come through social media, phone calls, SMS or door-to-door visits. Targeting isn't necessarily illegal or problematic, but it must respect people's privacy, the agency said.
Parties' processing of personal data must be lawful, fair and transparent, the watchdog said, and they must give people clear information about what data they're collecting, where it's sourced, for what purposes it has been collected, and which third parties have access to it.
Targeting a political message without information about the data used to do so may be illegal, the DPA said. Using phone numbers and information about age and residence to send political messages via SMS requires a legal basis to be lawful. It's up to the parties to assess whether sending the message is necessary for the purpose and, if so, whether the interest in sending it outweighs the intrusion into people's privacy.
"It is basically forbidden to use information about the political opinions of non-members without valid consent," said the DPA, according to an unofficial translation. It defined political opinion as a "special category" of personal data, which also includes profiling and analyses related to how individual voters are likely to vote.
In-depth microtargeting of messages related to individuals' mental states or weaknesses may violate privacy principles and could be illegal, it said.
Political parties shouldn't register personal data about voters with whom they have been in contact without obtaining informed consent or another legal basis, the DPA said. The parties must have data processing agreements in cases where third parties process personal data on their behalf.
Parties must also limit the collection and use of personal data to what is necessary to achieve the purpose. Many parties have data protection officers who can address public questions about privacy issues, the DPA noted.