The EUs Proposal on the Transparency and Targeting of Political Advertising
This article examines the proposals made and adopted by the Council, and how they will apply to service providers and sponsors, and the GDPR implications
The Council of the European Union’s (the “Council”) recent adoption of the European Commission’s (the “Commission”) proposal on transparency and targeting of political advertising is aimed at addressing the concerns raised by citizens and Member States over the ability of private organisations and advertisers to influence voter behaviour and corrupt the democratic process, as well as to increase the transparency surrounding the sponsors of political advertisements and the campaigns to which they relate.
This article examines the proposals made by the Commission, and subsequently adopted by the Council, and how they will apply to service providers and sponsors, as well as the effect on data controllers’ current obligations under GDPR and the equivalent measures proposed in the UK.
The Commission’s proposal on transparency and targeting of political advertising, as amended by the Council (the “Proposal”) was introduced in order to address “concerns that the internal market is not currently equipped to provide political advertising to a high standard of transparency to ensure a fair and open democratic process in all Member States”. The Commission has stated that the intention of the Proposal is to ensure harmonisation on political advertising standards across Member States. However, it cannot be ignored that these reforms have been introduced in the wake of the controversial targeted advertising practices used in the 2017 US election of Donald Trump and the UK’s 2016 Brexit referendum the year prior.
The use of citizens’ personal data by companies like Cambridge Analytica to influence voter behaviour through targeted advertising evidently raised significant concerns over the independence of the democratic process, and it was not long after these controversial outcomes that the Commission announced the Proposal as part of its Democracy Action Plan. In the Council’s amendments to the Proposal, it noted that “political advertising can be a vector of disinformation in particular where the advertising does not disclose its political nature, and where it is targeted and amplificated”. The timing of these Proposals is also no mistake, given the Commission will be keen to ensure that these measures are in place for its own Parliamentary elections in 2024.
The Proposals will apply to both:
- Political Advertising Services: meaning providers of political advertising services, but excluding online intermediary services (as defined in the Digital Services Act (“DSA”)) (“Providers”); and
- Political Advertising Publishers: meaning organisations that broadcast or otherwise make available the advertisement through any medium (“Publishers”).
The Proposals will also introduce additional measures for data controllers that are involved in targeting or amplification (please see below), including the prohibition of processing individuals’ special category data for these purposes without their explicit consent.
The Proposals note that one of its key objectives is to harmonise what is currently a fragmented set of regulations amongst Member States, the starting point of which is to introduce a clear and robust definition of political advertising.
Political Advertising is defined in the Proposal as:
“the preparation, placement, promotion, publication or dissemination, by any means, of a message:
a) by, for or on behalf of a political actor, unless it is of a purely private or a purely commercial nature; or
b) which is liable and designed to influence the outcome of an election or referendum, a voting behaviour or a legislative or regulatory process at Union, national, regional or local level”
This definition is considerably wide, and would cover any advertisements which may be liable to influence voter behaviour. However, when examined against other Member States definition of political advertisements, it could be considered as narrowing the scope somewhat. For example, under the Communications Act 2003, the definition of political advertising under section 321(3) includes advertisements which may “influence public opinion on a matter which, in the United Kingdom, is a matter of public controversy”, which arguably encompasses a far greater scope than simply influencing voter behaviour.
In fact, the definition of political advertising was clarified by the Council’s revisions to the Proposals, which introduced Article 2(a), noting that Member States should take into account the content, language, context and objective of the advertisements message and ensure that “a clear and substantial link should exist between the message and its potential to influence the outcome of an election or referendum, voting behaviour or a legislative or regulatory process”.
Ultimately, it seems the scope has been left purposefully open to ensure Member States regulatory bodies can effectively regulate advertisements they deem to be political in nature.
The Proposal imposes a number of additional obligations on both Providers and Publishers to ensure transparency in their dealings. The Proposal does not apply to online intermediary services as defined under the DSA, who simply host or transmit the content (which aligns with the exemption from liability provisions under the DSA), unless they receive remuneration for doing so. The DSA itself contains its own transparency requirements for advertising generally.
The Proposal builds on the EU Code of Practice on Disinformation (“Code”) by implementing its recommendations for strengthening the Code, including efficient labelling of political advertisements and restrictions on the use of micro-targeting techniques. Whilst only the voluntary signatories to the updated 2022 Code will be bound by its obligations, the Proposal intends to impose similar obligations on Providers and Publishers more generally.
The key obligations on Providers and Publishers are:
How does the Proposal complement the EU GDPR?
In addition to the obligations placed on Publishers and Providers, the Proposal also seeks to implement additional obligations on data controllers to address concerns over the use of personal data in the promotion or targeting of political advertisements. In particular, concerns were raised after the Cambridge Analytica scandal where individuals’ personal data had been used as part of the micro-targeting practices and techniques adopted by campaigns to influence voter behaviour. The Commission subsequently raised concerns that the current GDPR provisions do not adequately protect data subjects from these practices, with the Proposal seeking to implement an additional layer of protection for data subjects against being targeted by political advertisements on the basis of their personal data.
The Proposal seeks to implement the guidance on targeting of social media users into mandatory obligations for data controllers who are involved in targeting and amplification techniques, defined as:
- Targeting Techniques: “techniques that are used to address a political advertisement, usually with tailored content, only to a specific person or group of persons, based on the processing of personal data”;
- Amplification Techniques: “optimisation techniques, including ad delivery techniques, that are used to increase the circulation, reach of visibility of a political advertisement based on the processing of personal data and which may serve to deliver the political advertisement only to a specific person or group of persons”
The obligations include a general prohibition on the use of targeting or amplification techniques which involve the processing of special category data, except where the data subject has given explicit consent. The Council’s revisions to the Proposal introduced the additional requirement that consent be given separately and specifically for the purpose of political advertising. Similarly, the Council’s revisions introduced a ban on the processing of personal data in respect of targeting and amplification techniques for data subjects at least one year under the voting age in the relevant Member State.
Where data controllers intend to process non-special category personal data in respect of targeting and amplification techniques, they are required to:
- implement and make publically available an internal policy describing the techniques used to target individuals or amplify content (and maintain this policy for at least 5 years from the last use of the techniques);
- keep records on the use of targeting and amplification and the sources of personal data; and
- provide any additional information necessary to allow the individual concerned to understand the logic and techniques, including at a minimum the specific groups targeted, the parameters used to determine whom the advertisement is disseminated to and the categories and sources of personal data used, all using the form set out in Annex II of the Proposal.
Publishers using targeting and amplification techniques must include this information and a link to its internal policy in the transparency notice, as well as a reference to effective means to support individuals in exercising their rights under GDPR, including a specific link to an interface allowing them to withdraw consent.
Whilst the prohibition on the processing of special category data for targeting and amplification practices without individuals explicit consent may make it more difficult for both advertisers and analysts to implement targeted advertising practices on their audience, in practice this may not alter the position significantly, given that these organisations would be unlikely to be able to rely on a lawful basis for the processing of special category data for these purposes under the current GDPR requirements. However, the Proposal does seek to deter the use of subversive or insidious advertising practices involving individuals’ personal data through the transparency and consent requirements outlined above.
Sanctions for Non-Compliance
The Proposal had originally left it unclear as to exactly what fines will be applicable for breaches of the Proposal, noting it was for Member States to apply their own rules in respect of the level of administrative fines for infringements, excluding fines for breaches of the Article 12 obligations on data controllers, which will be set at the level of current GDPR fines (i.e. up to £17,500,000 or 4% of annual global turnover, whichever greater).
However, the Council’s revisions to the Proposal introduced clear levels of financial sanctions which were based on the economic capacity of the infringing organisation. The maximum fines under the Proposal are subsequently:
- 4% of the annual income or budget of the sponsor or Provider as applicable and whichever is the highest; or
- 4% of the annual worldwide turnover of the sponsor or Provider in the preceding financial year.
The level of fine will be decided on a case-by-case basis, taking into account the gravity of the infringement, intention of the infringer, any actions taken to mitigate damage, the previous infringement record and the degree of cooperation with the competent authority. Interestingly, it is noted that infringements will be deemed particularly serious where they occur in the last month before an election of referendum.
From the drafting, it appears competent authorities will have a choice as to whether they issue maximum fines by reference to organisations’ income or budget or annual worldwide turnover, albeit it is unclear why this distinction has been made. It may be that the Proposals seek to account for the fact that many Providers that fall within the scope of this regime are small advertisers and subsequently linking the level of sanctions to their income or budget seems more proportionate. However, this approach was not adopted under GDPR, where the majority of data controllers are also smaller organisations.
Ultimately, as has been the case under GDPR, different competent authorities will approach these Proposals with different levels of enforcement. It will remain to be seen exactly how punitive fines under this regime will be.
The Council has now agreed its general approach for the negotiation of the Proposal with the European Parliament. The negotiations are expected to start shortly once the European Parliament has voted on the Proposals. The Proposals outlined the need for the changes to be effective ahead of the 2024 European Parliament elections. However, it is also noted that the Proposals shall apply 12 months after the publication in the Office Journal of the European Union, meaning it is likely that both the European Council and Parliament progress this promptly to ensure these timescales are met.
Approach from the UK
Following the controversial advertising campaigns utilised as part of the Brexit referendum in 2016, there were significant calls for increased transparency in political advertising within the UK. In the UK, the Advertising Standards Agency (“ASA”) regulates advertising practices through the Code of Non-Broadcast Advertising (“CAP Code”) and the broadcast equivalent (“BCAP Code”). Political advertisements are currently banned under the BCAP Code and the Communications Act 2003, but instead parties are able to advertise using party political broadcasts which are not deemed advertisements under the BCAP Code. However, political advertisements are exempt from the CAP Code, creating a lacuna under English law for advertisements which are not broadcast on radio or television, but may be available on other platforms. The ASA openly stated that whilst they agree that political advertisements should be regulated, as a non-statutory regulator funded by advertisers, they were unable to effectively regulate in this area without the backing of political parties and campaigners. Subsequently, it was for government to legislate in this area.
This legislation came in the form of the Elections Act 2022 (“EA 2022”), which implements the outcomes of the 2019 consultation entitled Transparency in Digital Campaigning. The EA 2022 intended to implement similar transparency requirements for political advertisements as those imposed under the Proposals.
In summary, under the EA 2022:
- transparency requirements are introduced for paid-for or other electronic material, including requirements that the name and address of the promoter, or ultimate promoter, be included as part of the material or, if not reasonably practicable, in a location which is directly accessible from the electronic material;
- paid-for electronic material constitutes material which is paid for (through any type of remuneration or benefit) for the purposes of influencing the public to given or withhold support from a registered party, current or future candidate, the holding of a referendum or the outcome of a referendum;
- other electronic material constitutes non-paid for material where the promoter is a registered party, recognise third party, current or future candidate or referendum or recall petition campaigner and which relates to promoting the electoral success of a registered party, current or future candidate or referendum or petition outcome;
- for both paid for and other electronic material, it is immaterial whether the material expressly mentions the name of the party, candidate or referendum. It is also noted that these provisions shall not apply to the re-publication of the material, provided it is not materially altered; and
- it is a criminal offence, punishable by a summary conviction and fine, for material which does not comply with the above transparency requirements. In the case of companies, individuals responsible for the breach may also be guilty of an offence.
However, whilst the EA 2022 received Royal Assent this year, the provisions relating to transparency and political advertising are yet to come into force, with no date specified for their introduction. Even in their current form, they do not go as far as the Proposals in terms of obligations on Providers and Publishers, only requiring that the identity of the promoter be included in the material itself.
In respect of targeting and amplification techniques, there is yet to be any equivalent measures as those outlined under the Proposals. The Information Commissioner’s Office has issued Guidance for the use of personal data in political campaigning, but this does not implement any material provisions in respect of safeguarding individual’s personal data from these techniques. The UK is currently considering alterations to its data protection regime generally, which may involve similar restrictions on the use of personal data for targeting and amplification purposes. However, until full details of this regime are outlined, the protections afforded to individuals under the Proposals will not be transposed in English law.
Leave a Comment