Risks to unregulated personal data use and what stakeholders must-do during the 2020/21 electoral process.

The upcoming 2021 general election raises concerns of electoral malpractices and uncertainty through the misuse and abuse of personal data such as phone numbers, email addresses, political ideology and location data. Politicians now believe they can win elections if they just have better, more refined and more accurate data about the electorates.

The political use of personal data has become a feature and a valuable asset of political campaigns in Uganda since the 2016 general elections. Since then there is growing evidence that political campaigners believe that data matters for electoral success. Technology has and still is been a useful tool for political parties to present their agenda to the electorate and to mobilise a larger support base for their causes. The cost of communicating with voters can be substantially lower via this medium than via broadcast media, given the availability of free blog and video sharing platforms and social media apps.

However, the use of personal data through these digital platforms also raises a number of concerns in relation to human rights and democracy. State and non-state actors are collecting, analysing and using data in order to powerfully influence populations who are generally unaware of how their data is being processed. Without a comprehensive digital political campaigning legal framework as well as effective data protection safeguards in the country, it’s going to be a big threat to the credibility of the entire 2020/21 electoral process.

With the rampant manipulation of personal data tilting the scales towards wealthy political parties or actors who can control outcomes through collusion between media and politicians, or the buying of influence over public opinion in mysterious and complicated ways, it is clear that a fair and legitimate election process and its outcome are increasingly elusive, and democracy is at risk.

The now-defunct Cambridge Analytica has become a symbol of all that is intrusive and manipulative about data-driven elections.

In March 2018, a British political consulting firm Cambridge Analytica that combined misappropriation of digital assets, data mining, and data brokerage and data analysis with strategic communication during the United States of America electoral process, acquired and used personal data about Facebook users from an external researcher who had told Facebook that they were collecting it for academic purposes.

The personal data of up to 87 million USA Facebook users were acquired via the 270,000 Facebook users. By giving third-party permission to acquire their data, this gave the third party access to information on the user’s friends network; this resulted in the data of about 87 million users, the majority of whom had not explicitly given Cambridge Analytica permission to access their data, being collected.

In Kenya, Cambridge Analytica ran campaigns in secret during Kenya’s 2013 and 2017 elections. The Company worked with 360 Media limited to developed online campaigns portraying “Raila Odinga as a blood-thirsty individual who is also sympathetic to Al-Shabaab and having no development agenda,” whilst portraying the incumbent President Kenyatta as “tough on terrorism, and being good for the economy.” The Jubilee Party downplayed Cambridge Analytica’s role, saying it had hired the firm’s parent company, to assist with branding.

In Uganda presidential elections of 2011 and 2016, President Museveni delivered a pre-recorded message using an automated “robocall” system in which he asked millions of mobile phone users to vote for the “man in the hat,” his trademark headgear. The use of people’s mobile numbers by the NRM without their knowledge or permission raised ethical and privacy issues.

Conducting such large and unchecked data collection especially in the previous 2016 elections must also be viewed against the lack of data privacy law at the time to protect the information collected by different political actors resulting into infringements on the right to privacy with varying consequences.

Unfortunately, the Data Protection and Privacy Act 2019 enacted on the 25th of February 2019 designed to curtail this exploitation lacks the institutional and infrastructural framework for its effective enforcement.

In order to safeguard our privacy, data and democracy, all stakeholders have a role to play and thus recommend as follows;

  • Need for regulations which would redefine key data protection principles. These would help patch up the gaps in the principles in the mother laws by providing specific obligations to the data collector including offences where the data collector or processor does not meet the legal obligations.
  • Regulations should provide for parameters in cases of medical use of data as an exception to consent. At present, the law does not give parameters for this as an exception to consent and this is subject to abuse.
  • The Minister should make regulations that make it mandatory for data collector, processor or controller to report on compliance with the law. This should also include a requirement to report to data subjects in case of breach of data security put in place by the data collector, processor or control. These will enhance the existing accountability provisions in the DPPA.
  • Law should provide for withdrawing of consent where the data subject can choose to exercise his or her right to withdraw consent he or she issued for data to be collected. Such consent should not be subjected to what the authority or the data controller or processor thinks are the reason for withdraw.
  • Law should provide for general offences which would enable sanctioning aspects of the law that give duty and duty may not be met.
  • Provide for transitional provisions that would cater for data held by state and nonstarter actors before the coming into force of the law. All data should be consolidated in one place and data in private actor’s hands should be destroyed to ensure it is not abused

Way forward

As we head towards the 2021 general elections the Electoral Commission (EC) and the Ministry of ICT and National Guidance should ensure that any regulatory response must be as dynamic as the technological mischief it seeks to contain and therefore the following should be guaranteed;

  • All actors in the electoral process, from candidates, political parties, and the advertiser must be transparent with their data gathering practices in terms of how much data is used. This transparency is vital to understand how political campaigns work, who they work with, what tools they use and their data practices and in turn to ensure that there are appropriate limits in place.
  • The Data Protection and Privacy regulations must be enacted and any loopholes that can be exploited by political digital campaigns closed. The Ministry of ICT and National Guidance should issue a binding and enforceable code of conduct on the use of data in political campaigning.
  • Improving transparency and accountability for campaigning in digital and networked settings could include requiring a list of all the vendors and the products and services used for data-driven campaigns.
  • The electoral commission should protect elections from digital threats since they have the mandate needed to build up capacities (like data analysis capacity) to detect attempts aimed at manipulating the information environment, as well as improving its internal organization to make such units a fundamental part of their mission to protect the electoral process. This will go a long way in cubing voting suppression attempts.
  • The shift to digital campaigns constitutes a major disruption of political campaigning, and as such need to review the effectiveness of electoral rules in their current form. The relevant standards and principles should be updated to reflect the importance of digital campaigning. This should include an update of methods of monitoring: selection of media for monitoring (content monitoring); revision of spending monitoring, and transparency and data requirements for platforms and intermediaries.

At the centre, therefore, of efforts to combat electoral manipulation and discrimination in the 2021 general elections is the question of how personal data on individual voters is going to be processed, and whether or not it will be done legally and ethically because the quality of an election in democratic systems is judged by fairness and attention to due process to ensure freedom to choose.