Issue link: https://maltatoday.uberflip.com/i/987221
4 maltatoday | SUNDAY • 27 MAY 2018 YANNICK PACE POLITICAL parties must get consent from citizens before profiling them in order for the practice to be legally compli- ant, the Office of the Infor- mation and Data Protection Commissioner has said. Touted as one of the tough- est internet privacy laws to date, the EU's General Data Protection Regulation (GDPR) came into force on Friday, and promises to give EU citizens more control over how their personal data is processed. Companies in Europe and across the globe have in the last months been scrambling to ensure that their internal and business practices are compliant with the new regu- lations. Fines for violating the new rules can go up to the higher of €20 million or 4% of the company's annual rev- enue. But it isn't just companies that store and use people's personal data, particularly in the digital age – information about citizens can be valuable to other entities too, like po- litical parties. The utility of data-based campaigning and politi- cal strategy has been a game changer in recent years, al- lowing those with the most accurate data to have a signifi- cantly better chance of success at the polls. The harnessing of big data and social media was one of the drivers of Barack Obama's 2008 election win and is widely believed to have brought about the election of Donald Trump as well as the results of the Brexit vote. "If parties are processing data related to people's political af- filiations, more stringent rules apply since the data is sensi- tive," David Cauchi, the head of compliance at the Office of the Data Protection Commis- sioner told MaltaToday. Under Article 9 of the GD- PR, the processing of so called "special categories of personal data" – which includes data re- vealing political opinions, reli- gious or philosophical beliefs, among others – is prohibited except in very specific circum- stances, unless the explicit consent of the individual is obtained. Effective campaign- ing is not, needless to say, one of the specific circumstances listed in the law. "Even if you are just col- lecting data about whether a person supports a particu- lar party, that is considered data about political opinions and needs to be treated with special care as per Article 9," Cauchi said. This means that any type of profiling carried out by po- litical parties, even simply re- cording IP addresses that visit the party's website or social media profile, requires "as a minimum" a cookie consent form on the website. "Visitors must give consent for their data to be collected, especially if it is then going to be used to target them and their peers based on their IP address." Both with party members and the general public, politi- cal parties should clearly state, upon collecting the data or at the start of the relationship, how they will be using indi- viduals' personal data and how long they will be keeping it, Cauchi said. The lines are also blurred between party and candidate, as people who allow their personal data to be used by a political party have not neces- sarily given that data to can- didates. "There needs to be a distinction between candidate and party and that people need to know exactly who is using their information," said Cauchi. Parties need to inform the data subjects if they intend to share personal data with third parties, including can- didates. "What we suggest is that if there is a chance of data moving to a different data controller, that there is a tick box whereby an individual can agree to processing also being done by a candidate," he said. Once a candidate comes to be in possession of personal information on potential vot- ers, even if they obtain that data legitimately, they can only use it for the purpose for which it was collected, unless they get consent to do other- wise. For instance, it is common for candidates and MPs to keep in touch with or target their constituents by sending a card or text message on a person's birthday. The infor- mation they use to do this will usually have been collected for a completely different pur- pose, and therefore in sending such cards or messages with- out consent candidates and MPs are in breach of the law. While parties are obliged to be as transparent as possible, Cauchi acknowledged the in- evitable likelihood that par- ties regularly process personal data obtained from a variety of sources, often without any legal basis. Under the GDPR, there are a number of rights that a person can exercise if he or she would like to know more about how his or her data is being processed. These include the right to access, rectify and erase the personal data being processed about them, as well as the right to object to processing and file a complaint with the Infor- mation and Data Protection Commission. Moreover, while the new regulations' introduction has thrust data privacy issues into the spotlight, Cauchi said that most of the aspects which applied to the processing of data by political parties were in the original Data Protec- tion Act and were laid out in a set of guidelines for political campaigning published by the IDPC before the last election. MaltaToday sought to find out what changes, if any, both parties would be implement- ing following the implemen- tation of the new regulations. Questions included whether a review had been ordered into the party's internal practices, including any data analytics; whether a data protection of- ficer had been employed by the party and whether they would continue to send out mailshots. Labour Party CEO Randolph Debattista replied that "Partit Laburista is taking all the nec- essary measures to be compli- ant with the new GDPR regu- lation" but did not elaborate. Replies from the National- ist Party had not yet been re- ceived by the time of going to print. Parties face hefty fines over electoral profiling without consent NEWS GDPR PRIVACY www.pa.org.mt PLANNING AUTHORITY The Planning Authority is carrying out a partial review of the Central Malta Local Plan for a 23,000m² site adjacent to the Mosta Technopark, in an area known as Tas-Sgħajtar. In 2006, the site, which forms part of a larger area was designated for development through the rationalisation exercise. Taking into consideration the surrounding land-uses, site constraints, and community and open space needs of the area, the Authority is proposing that the land will be zoned as a residential and commercial area with open landscaped spaces. The height limitation for this site is being retained as three floors with semi- basement, similar to the immediate existing residential development blocks in the surrounding areas. With a lack of public green open spaces in the newer residential areas of both Mosta and Naxxar, the Authority is proposing that within the site an area of 3,348m 2 is safeguarded for this purpose. The full policy proposal, maps, and the public submissions received during the first phase may be viewed on the Authority's website www.pa.org.mt/consultation. Individuals and organisations are being invited to send their submissions through the e-mail address: mosta.sghajtar@pa.org.mt. Submissions are to be received by the Authority by not later than the 2 nd July 2018. HAVE YOUR SAY (SECOND PHASE) OPEN PUBLIC CONSULTATION Site at Tas-Sgħajtar, Mosta Partial Review of the Central Malta Local Plan (2006) Political parties create voters' profiles through the use of streetleaders and by having access to the latest electoral register database