Many British MPs are relying on the GDPR’s “public task” basis to collect users’ data via their constituency websites, according to an Indivigital analysis.
“Public task” — a term which isn’t mentioned under the GDPR but appears in guidance provided by the Information Commissioner’s Office (ICO) — is one of six lawful bases under which organizations can collect and process data on data subjects (others include “consent” and “legitimate interest”).
While many private organizations have opted to request consent to lawfully collect or process their users’ data, public officials are seemingly relying on a little-discussed clause in The Data Protection Act 2018 that suggests they can collect data if it’s in the “public interest,” which is partly defined by clause 8 of The Data Protection Act 2018 as “[promoting] democratic engagement.”
The ICO has expressed “concern” about the provision, and defined it as “very wide,” in evidence submitted to the Public Bill Committee. The amendment was initially proposed in March 2018 by Margot James MP.
Clause 8 states, “processing of personal data that is necessary for the performance of a task carried out in the public interest…includes processing of personal data that is necessary for… an activity that supports or promotes democratic engagement.”
According to the GDPR’s Article 6(e), the “public interest” basis is lawful if “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.”
Margot James originally stated the amendment was proposed with the intention of covering “a range of activities carried out with a view to encouraging the general public to get involved in the exercise of their democratic rights.”
She stated the activities referred to could include “communicating with electors, campaigning activities, supporting candidates and elected representatives, casework, surveys and opinion gathering and fundraising to support any of those activities.”
MPs are sending data to Facebook, YouTube, Google and Twitter
To determine how many MPs are utilizing the “public task” basis, we analyzed the websites of 18 MPs who attended the 1st committee debate on The Data Protection Bill 2018. Our analysis found “public task” referenced in 8 out of 18 privacy policies.
Following a search on Google, we identified at least an additional 100 MPs using the “democratic engagement” provision as a basis for collecting and processing data (this was relatively easy to discover as the legal terminology utilized is duplicated between MPs’ privacy policies).
From our analysis we also discovered some MPs’ websites are:
- Failing to anonymize their visitors’ IP addresses before sending them to Google’s servers;
- Failing to embed YouTube videos through the “no-cookie” URL (which waits for a user’s click before setting third-party cookies);
- Collecting data through forms without declaring the purposes for collecting data;
- Hosting Facebook like and share buttons; and
- Failing to disclose all of the third parties setting cookies on their users’ devices.
By incorporating like buttons — and other third-party content — onto their web pages, MPs are also complicit in the data collection practices they’ve spent months criticizing Facebook over. One MP’s website, IanMurrayMP.co.uk, set over 110 third-party cookies.
Of the 18 websites, 15 are serving or setting third-party content and cookies from YouTube, Google, Facebook or Twitter (Daniel Zeichner is the only MP of those analyzed who restricts third-party content from being served via his website).
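A site owner can run several of the checks listed above against their own pages before publishing. The sketch below is an added example, not the tooling used for this analysis: it statically scans one page's HTML for a cookie-setting YouTube embed, Google Analytics loaded without an IP-anonymization setting, Facebook widgets, and third-party hosts missing from the privacy policy. The rule names, the `audit` function, the `example-mp.test` host and the sample page are all assumptions made for illustration, and a static scan does not observe cookies set at runtime.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class EmbedScan(HTMLParser):
    """Collect third-party hosts from src attributes, plus inline script text."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host, self.hosts, self.js, self._in_script = site_host, set(), [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        src = dict(attrs).get("src")
        host = urlparse(src).hostname if src else None  # also handles //host/path
        if tag in ("script", "iframe", "img") and host and host != self.site_host:
            self.hosts.add(host)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.js.append(data)

def under(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def audit(html, site_host, disclosed=()):
    """Return (findings, third-party hosts the privacy policy does not list)."""
    scan = EmbedScan(site_host)
    scan.feed(html)
    js = " ".join(scan.js)
    seen = lambda d: any(under(h, d) for h in scan.hosts) or d in js
    findings = []
    if seen("youtube.com"):  # youtube-nocookie.com does not match this rule
        findings.append("youtube-embed-not-nocookie")
    if seen("google-analytics.com") and "anonymizeIp" not in js and "anonymize_ip" not in js:
        findings.append("analytics-ip-not-anonymized")
    if seen("facebook.net") or seen("facebook.com"):
        findings.append("facebook-widget")
    undisclosed = sorted(h for h in scan.hosts if not any(under(h, d) for d in disclosed))
    return findings, undisclosed

# Constructed sample page, not taken from any MP's website.
SAMPLE = """<html><body>
<script>ga('create', 'UA-XXXXX-Y', 'auto'); ga('send', 'pageview');</script>
<script async src="https://www.google-analytics.com/analytics.js"></script>
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<script src="//connect.facebook.net/en_GB/sdk.js"></script>
<img src="/images/portrait.jpg">
</body></html>"""

if __name__ == "__main__":
    print(audit(SAMPLE, "example-mp.test", disclosed=("google-analytics.com",)))
```
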
Collecting data to promote democratic engagement
The “democratic engagement” clause is specifically referenced in the privacy policies of a number of MPs, including Victoria Atkins.
Is it possible, based on this clause, to argue that MPs collecting data on behalf of Facebook, YouTube and Twitter is “[promoting] democratic engagement”?
That appears to be the basis on which MPs are relying to ensure sending data on their visitors to Facebook, YouTube and Twitter is in compliance with the GDPR.
Facebook recently outlined in an announcement the range of data it collects when its content is requested from a third-party website. While it’s clear on what data is collected, it’s less clear on how it collates this data for its own purposes.
In other words, while data on what websites a user visits is unlikely to qualify as personal data, in conjunction with a unique identifier and other data, it could be used to infer a user’s physical or behavioral traits (see this report from 2013).
According to the ICO, “public task” is applicable if “the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.”
While it’s possible to envisage public authorities like HMRC will have a lawful basis to process personal information under “public task,” it’s unclear why this basis should extend to Members of Parliament and their offices collecting data for, and sharing it with, platforms like Facebook, YouTube and Twitter, particularly in the context of marketing activities.
As an example, the ICO states, “a University might rely on public task for processing personal data for teaching and research purposes; but a mixture of legitimate interests and consent for alumni relations and fundraising purposes.”
“This office processes constituents’ data under the lawful basis of public task or legitimate interest, depending on the matter raised by the constituent. In instances where this lawful basis is not sufficient and explicit consent is required, a member of the office will contact you to establish your consent.
“We may use your data to contact you with a non-political newsletter under the lawful basis of public task. Additionally, if we have your consent, we may use your data to contact you with a political newsletter.”
According to the ICO, organizations should also state a lawful basis for each data processing activity.
Many of the privacy policies on MPs’ websites also fail to disclose the range of third-party cookies being set on users’ devices while some of the websites host forms without explicitly stating the range of purposes the data collected will be used for.