​Icelandic political parties' use of social-media data probed by watchdog

Icelandic political parties’ use of personal data from social-media platforms such as Facebook has come under scrutiny by the country’s data-protection authority, the agency’s head said in an interview.

The watchdog decided to reopen an investigation of political parties’ treatment of personal data following the Cambridge Analytica scandal, which revealed how data were harvested from Facebook users and used for targeted ads during the 2016 US presidential election and the UK’s Brexit referendum.

“Cambridge Analytica showed us how social media had been involved,” Helga Þórisdóttir said in a recent interview with MLex on the sidelines of a conference in Munich*. “How information from social media was used, how people were micro-targeted for their views and beliefs, so that was eye-opening for data-protection authorities.”

The Cambridge Analytica scandal that erupted in March 2018 — in which 87 million Facebook users had their data transferred to the UK data analytics firm for profiling and targeting individual voters — sparked investigations by data-protection authorities and calls for tougher rules around the world.

Regulators have been struggling with how to regulate social-media platforms and their potential impact on democratic elections, in addition to how companies such as Facebook track their users for marketing and advertising purposes.

EU legislators are still debating rules on tracking cookies and whether individuals must provide “informed consent” for the use of personal data for ads.

Iceland’s data-protection authority began an inquiry in 2018 of how political parties processed personal data in their own membership files, Þórisdóttir said. That audit was expanded to a “wider context” following the Cambridge Analytica scandal, she said.

“We decided to re-address the issue regarding the processing of personal data by the parties of those who were non-members, especially in the context of social media,” she said.

Þórisdóttir said the audit is still ongoing and involves all political parties that took part in elections in 2016 and 2017.

Data flows and Brexit

Þórisdóttir said uncertainty about the UK leaving the EU on Oct. 31 without a deal is a cause of concern for Iceland.

Iceland is part of the European Economic Area, which means that it’s not a member of the EU but has adopted many of the EU’s rules and regulations, including the General Data Protection Regulation. The Nordic island nation of 360,000 people also has a close trading relationship with the UK, with several financial institutions based in the capital Reykjavik.

Under the UK’s proposed withdrawal agreement with the EU, the flow of personal data would be maintained because the country has adopted the same strict data-protection rules as the other 27 EU countries. However, if the UK leaves without a deal, those data transfers would no longer be legal starting on Nov. 1.

“Iceland has a close relationship with the UK and how [Brexit] is concluded matters a lot for the companies and persons involved,” she said.

Under the GDPR, data flows from the EU to any non-EU country must be covered by certain "safeguards" to ensure that EU citizens’ data are adequately protected. These measures include standard model clauses, codes of conduct, and certification mechanisms, or an "adequacy agreement" with a third country.

Michael Gove, the UK minister in charge of no-deal planning, has said there was a "definite risk" the UK wouldn’t have a full agreement with the EU governing seamless data transfers, but said companies could take “mitigation measures”.

Such measures include “binding corporate rules,” in which a group of companies agree on GDPR-compliant standards. Companies can also add data-protection commitments to agreements with units, known as standard-contractual clauses.

UK ministers have said they would like the EU to start negotiating an adequacy agreement even if there’s a no-deal Brexit. However, several EU officials have said that reaching such an agreement isn’t a top priority for the bloc.

Iceland can’t strike its own agreement with the UK because it depends on the European Commission to conduct the talks. This may be frustrating for the country since the UK has one of the top data-protection authorities in Europe. Iceland has been providing information to its companies to minimize potential economic harm.

“For Iceland, the UK is a big export country. So, rules have to be adhered to,” Þórisdóttir said. “Because of this, the Icelandic DPA published earlier this year information on our website regarding Brexit. A lot has happened since then, and we are working on updates.”

“We all know the high standards that have been set in the UK when it comes to data protection,” Þórisdóttir said. “But as a country outside of the EU, you, always have to have some sort of arrangement with other countries in order to have the data flow between the countries.”

* "International Association of Privacy Professionals Data Protection Intensive: Deutschland 2019," Munich, Sept. 18-19, 2019