Do Dutch political parties follow people on the Internet?

August 3, 2021

Almost half of the political parties in the Netherlands used tracking cookies on their own websites, which they used to target potential voters elsewhere on the Internet (microtargeting). With such tracking cookies the parties usually process special personal data. This is only permitted with the explicit consent of those involved. But this is not the case, research by Privacy Company shows.

Since the Cambridge Analytica scandal, political microtargeting has become a sensitive topic. The Dutch Personal Data Authority (Autoriteit Persoonsgegevens (AP)) has therefore named elections and microtargeting as a specific area of attention for its supervision from 2020 to 2023. According to the AP, lawful, proper, and transparent processing is important to ensure free elections in an open society. The unlawful building up of very specific profiles of voters and using these profiles to influence people's political preferences in a very targeted way therefore constitutes an important risk.  

It is not clear whether the AP conducted a general investigation into the use of microtargeting in the last general election. Privacy Company did. The results are below. The supervisor published a total of two actions towards political parties. The AP has imposed a fine on the PVV Overijssel because of the failure to report a data breach. The violation does not concern microtargeting, but the sending of a newsletter by e-mail, and is therefore not included in this blog. Prior to the elections (on 16 February 2021), the AP published a manual [in Ductch] on privacy in election campaigns.

Privacy Company has investigated the compliance of all political parties running for election in 2021 with the two most important rules of the manual of the AP.

It concerns the following rules:

  • The parties must have a basis, i.e. an exception to the processing prohibition for personal data that may concern political opinions. Express consent is the most obvious possibility.
  • The parties must follow the rules of the European Data Protection Board (EDPB) of Supervisors on transparency, considering the complex relationship between parties involved in online tracking.

The research shows that almost half of the political parties placed commercial tracking cookies on their own websites without permission during the campaign for the Lower House elections. This concerns six parties with a combined total of 30 seats in the House and ten parties that failed to win a seat. All websites of the 37 political parties involved were visited, screenshots were made, and various pages were visited. During these visits, consent for tracking was never given. All network traffic was recorded. An analysis was then made of which parties placed tracking cookies and from which companies these cookies originated. The influential American e-zine Politico published a story based on the results of this research. 

After the elections, Privacy Company carried out further investigations at the 16 parties that used commercial trackers without the consent of the data subjects. They were informed of the results of the investigation, informally requested to remove (or have removed) all unlawfully collected personal data and received a formal request (Art. 17 GDPR) to remove (or have removed) the researcher's personal data. None of these parties formally responded to the deletion request, which automatically leads to a high risk for data subjects. 

With online tracking, the website owner and the tracker are in any case jointly responsible for the collection of personal data. This is clear from judgements of the European Court of Justice. This can only be different if the tracker is a processor of the website holder. But for the exercise of the right of inspection and removal, this does not make much difference: in both cases, the website owner must provide an explanation to the data subject, even if he is technically unable to comply with the request himself.

Half of the parties written to did not provide any substantive response, not even after a reminder e-mail was sent one month after the original request, explaining to the parties that the legal deadline to respond had expired. Five of the parties addressed took the opportunity to remove the relevant tracking from the site and/or to forward the removal request to the trackers that were active on their website. None of these forwarded requests led to a formal response indicating what action had been taken to remove the personal data.

From the contact with the sixteen political parties that violated the rules of the AP, it became clear that by no means all parties consciously violate the law. They are not familiar with the information of the AP, and they find the subject, due to the combination of technology and legal questions, very complicated. 

Effective supervision requires more than just information. Enforcement is necessary. Enforcement does not mean that website owners must be fined as soon as a large advertisement party does not cooperate. In such cases, it is more obvious that an investigation into the non-cooperating advertising parties should be started, so that the rights of visitors to many websites are better protected. Website owners who do not respond at all to requests from data subjects will probably only respond after direct action by the AP. 

Tips for website owners to avoid the above problems:

  1. Be careful when inserting external content in your website such as videos or social media links. This external content can lead to the visitor to your website being tracked for commercial purposes, without you, as website owner, wanting or even knowing about it. You can then unintentionally be jointly responsible under the GDPR for the collection of personal data.
  2. For the tracking that you do consciously include in your website, you must do more than just implement in a consent question. Data subjects must also be able to withdraw their consent. Moreover, the advertising networks must help you when data subjects request access or removal. You must make agreements about this.
  3. Check whether the parties that track visitors on your website cooperate with requests from those involved. The AP can enforce against both website owners and trackers if a data subject files a complaint. As the AP is not the lead regulator for most large ad networks (that will usually be the Irish regulator), it is likely that the AP will focus on the website owner.

Privacy Company is happy to help with questions about online tracking, e-privacy, rights of data subjects and how processors can be involved.