EU’s Proposals on the Transparency and Targeting of Political Advertising

Isaac Bedi considers the Council’s recent adoption of its Proposal on the Transparency and Targeting of Political Advertising and its implications for providers

29 December 2022

Why the European Commission adopted a proposal on the transparency and targeting of political advertising?

The European Commission’s proposal on transparency and targeting of political advertising, as amended by the Council of Europe’s adoption of its general approach to the proposals (the “Proposal”) was introduced in order to address “concerns that the internal market is not currently equipped to provide political advertising to a high standard of transparency to ensure a fair and open democratic process in all Member States”. The Commission has stated that the intention of the Proposal is to ensure harmonisation on political advertising standards across Member States. However, it cannot be ignored that these reforms have been introduced in the wake of the controversial targeted advertising practices used in the 2017 US election of Donald Trump and the UK’s 2016 Brexit referendum the year prior.

The use of citizens’ personal data by companies like Cambridge Analytica to influence voter behaviour through targeted advertising evidently raised significant concerns over the independence of the democratic process, and it was not long after these controversial outcomes that the European Commission announced the Proposal as part of its Democracy Action Plan. In the Council’s amendments to the Proposal, it noted that “political advertising can be a vector of disinformation in particular where the advertising does not disclose its political nature, and where it is targeted and amplificated”. The timing is these Proposals is also no mistake, given the Commission will be keen to ensure that these measures are in place for its own Parliamentary elections in 2024.

The Proposals will apply to both:

  • Political Advertising Services: meaning providers of political advertising services, but excluding online intermediary services (as defined in the Digital Services Act (“DSA”)) (hereafter “Providers”); and
  • Political Advertising Publishers: meaning organisations that broadcast or otherwise make available the advertisement through any medium (hereafter “Publishers”).

The Proposals will also introduce additional measures for Data Controllers that are involved in targeting or amplification (please see below), including the prohibition of processing individuals special category data for these purposes without their consent.

How ‘political advertising’ is defined in the proposal?

The Proposals note that one of its key objectives is to harmonise what is currently a fragmented set of regulations amongst Member States, the starting point of which is to introduce a clear and robust definition of political advertising.

Political Advertising is defined in the Proposal as:

“the preparation, placement, promotion, publication or dissemination, by any means, of a message:

  • by, for or on behalf of a political actor, unless it is of a purely private or a purely commercial nature; or
  • which is liable and designed to influence the outcome of an election or referendum, a voting behaviour or a legislative or regulatory process at Union, national, regional or local level”

This definition is considerably wide, including any advertisements which may be liable to influence voter behaviour. However, when examined against other Member States definition of political advertisements, it could be considered as narrowing the scope somewhat. For example, under the Communications Act 2003, the definition of political advertising under section 321(3) includes advertisements which may “influence public opinion on a matter which, in the United Kingdom, is a matter of public controversy”, which arguably encompasses a far greater scope than simply influencing voter behaviour.

In fact, the definition of political advertising was clarified by the Council’s revisions to the Proposals, which introduced Article 2(a), noting that Member States should take into account the content, language, context and objective of the advertisements message and ensure that “a clear and substantial link should exist between the message and its potential to influence the outcome of an election or referendum, voting behaviour or a legislative or regulatory process”.

Ultimately, it seems the scope has been left purposefully open to ensure Member States regulatory bodies can effectively regulate advertisements they deem to be political in nature.

Who will this proposal apply to and what are their key obligations?

The Proposal imposes a number of additional obligations on both Providers and Publishers to ensure transparency in their dealings. The Proposal does not apply to online intermediary services under the DSA who simply host or transmit the content (which aligns with the exemption from liability provisions under the DSA), unless they receive remuneration for doing so, albeit that the DSA itself contains its own transparency requirements for advertising generally.

The Proposal builds on the EU Code of Practice on Disinformation by implementing its recommendations for strengthening the code of practice on disinformation, including efficient labelling of political advertisements and restrictions on the use of micro-targeting techniques. Whilst only the voluntary signatories to the updated 2022 Code of Practice on Disinformation will be bound by its obligations, the Proposal intends to impose similar obligations on Providers and Publishers more generally.

The key obligations on Providers and Publishers are:

Reference

Obligation

Responsibility

Declaration of political advertising services

Providers shall request that their sponsors, and those acting on their behalf, declare whether the services constitute political advertising services and shall ensure that the contracts executed between the parties specify how the Proposal has been complied with and require the sponsor or Provider to provide the necessary information in a complete and accurate manner and without undue delay.

Providers

Information Retention

Providers must retain the information they collect on the advertisement, the services provided, the remuneration received (including benefits) and the identity of the sponsor for at least 5 years.

Providers must also communicate this information to Publishers and include information on the remuneration or benefits received in their annual financial statements.

Providers

Transparency Requirements

Each political advertisement must include, in a ‘clear, salient and unambiguous way’, a statement that it is a political advertisement, the identity of the sponsor (or the entity ultimately controlling the sponsor) and a transparency notice to enable the wider context of the political advertisement to be understood or a clear indication of where its aims can be retrieved.

The Transparency notice must include the identity of the sponsor, the period during which the advertisement is intended to be published, information on the aggregated amounts spent or other benefits received in the production, promotion and publication of the advertisement, an indication of the elections or referendums to which the advertisement is linked and a statement as to whether targeting or amplification techniques have been used – all in the form of Annex 1.

Publishers shall ensure this information is published alongside the advertisements and keep the transparency notices for a period of 5 years.

Providers and Publishers

Notification Requirements

Publishers must put in place notification mechanisms allowing individuals to report to them where they believe advertisements do not conform to the Proposal.

In the final month before an election or referendum, Publishers which also constitute very large online platforms under the DSA shall address any notification received that is linked to the election or referendum within 48 hours.

Publishers

Requests from National Authorities

Providers must provide the information in the above articles to the relevant national authorities within 10 working days upon request.

In the final month before an election or referendum, Providers shall address provide the requested information within 48 hours.

Providers

Requests from Interested Entities

Providers must also transmit the information in Article 6 to interested entities upon request and without cost.

Interested entities are:

· vetted researchers in accordance with Article 31 DSA;

· members of a civil society organisation whose statutory objectives are to protect and promote the public interest and are authorised under national or union law;

· authorised political actors under national law;

· national or international electoral observers accredited in a Member State; and

· journalists.

This operates in a similar way to Data Subject Access Requests under GDPR, whereby Providers can reject requests where they are manifestly excessive or unfounded or charge a fee for compliance.

Providers

Targeting and Amplification Techniques

Please see below.

Data Controllers.

How does this proposal complement the EU GDPR?

In addition to the obligations placed on Publishers and Providers, the Proposal also seeks to implement additional obligations on Data Controllers to address concerns over the use of data subject’s personal data in the promotion or targeting of political advertisements. In particular, concerns were raised after the Cambridge Analytica scandal that individuals’ personal data had been used as part of the micro-targeting practices and techniques adopted by campaigns to influence voter behaviour. The Commission subsequently raised concerns that the current GDPR provisions do not adequately protect data subjects from these practices, with the Proposal seeking to implement an additional layer of protection for data subjects against being targeted by political advertisements on the basis of their personal data.

The Proposal seeks to implement the guidance on targeting of social media users into mandatory obligations for Data Controllers who are involved to targeting and amplification techniques, defined as:

  • Targeting Techniques: “techniques that are used to address a political advertisement, usually with tailored content, only to a specific person or group of persons, based on the processing of personal data”;
  • Amplification Techniques: “optimisation techniques, including ad delivery techniques, that are used to increase the circulation, reach of visibility of a political advertisement based on the processing of personal data and which may serve to deliver the political advertisement only to a specific person or group of persons”

The obligations include a general prohibition on the use of targeting or amplification techniques which involve the processing of special category data, except where the data subject has given explicit consent. The Council’s revisions to the Proposal introduced the additional requirement that consent be given separately and specifically for the purpose of political advertising. Similarly, the Council’s revisions introduced a ban on the processing of personal data in respect of targeting and amplification techniques for data subjects at least one year under the voting age in the relevant Member State.

Where Data Controllers intend to process non-special category personal data in respect of targeting and amplification techniques, they are required to:

  • implement and make publically available an internal policy describing the techniques used to target individuals or amplify content (and maintain this policy for at least 5 years from the last use of the techniques);
  • keep records on the use of targeting and amplification and the sources of personal data; and
  • provide any additional information necessary to allow the individual concerned to understand the logic and techniques, including at a minimum the specific groups targeted, the parameters used to determine whom the advertisement is disseminated to and the categories and sources of personal data used, all using the form set out in Annex II.

Publishers using targeting and amplification techniques must include this information and a link to its internal policy in the transparency notice, as well as a reference to effective means to support individuals in exercising their rights under GDPR, including a specific link to an interface allowing them to withdraw consent.

Whilst the prohibition on the processing of special category data for targeting and amplification practices without individuals express consent may make it more difficult for both advertisers and analysts to implement targeted advertising practices on their audience, in practice this may not alter the position significantly, given that these organisations would unlikely be able to rely on a lawful basis for the processing of special category data for these purposes under the current GDPR requirements. However, the Proposal does seek to deter the use of subversive or insidious advertising practices involving individuals’ personal data through the transparency and consent requirements outlined above.

Which sanction will apply in case of non-compliance?

The Proposal had originally left it unclear as to exactly what fines will be applicable for breaches of the Proposal, noting it was for Member States to apply their own rules in respect of the level of administrative fines for infringements, excluding fines for breaches of the Article 12 obligations on Data Controllers, which will be set at the level of current GDPR fines (i.e. up to £17,500,000 or 4% of annual global turnover, whichever greater).

However, the Council’s revisions to the Proposal introduced clear levels of financial sanctions which were based on the economic capacity of the infringing organisation. The maximum fines under the Proposal are subsequently:

  • 4% of the annual income or budget of the sponsor or Provider as applicable and whichever is the highest; or
  • 4% of the annual worldwide turnover of the sponsor or Provider in the preceding financial year.

The level of fine will be decided on a case-by-case basis, taking into account the gravity of the infringement, intention of the infringer, any actions taken to mitigate damage, the previous infringement record and the degree of cooperation with the competent authority. Interestingly, it is noted that infringements will be deemed particularly serious where they occur in the last month before an election of referendum.

From the drafting, it appears competent authorities will have a choice as to whether they issue fines calculated by reference to organisations income or budget or annual worldwide turnover, albeit it is unclear why this distinction has been made. It may be that the Proposals seek to account for the fact that many Providers that fall within the scope of this regime are small advertisers and subsequently linking the level of sanctions to their income or budget seems more proportionate. However, this approach was not adopted under GDPR, where the majority of data controllers are also smaller organisations.

Ultimately, as has been the case under GDPR, different competent authorities will approach these Proposals will different levels of enforcement. It will remain to be seen exactly how punitive fines under this regime will be.

What are the next steps and the likely timeframes? Is there any transition period?

The Council has now agreed its general approach for the negotiation of the Proposal with the European Parliament. The negotiations are expected to start in the New Year once the European Parliament has voted on the Proposals. The Proposals outlined the need for the changes to be effective ahead of the 2024 European Parliament elections. However, it is also noted that the Proposals shall apply 12 months after the publication in the Office Journal of the European Union, meaning it is likely that both the European Council and Parliament progress this promptly to ensure these timescales are met.

Has the UK taken a similar initiative, or could there be a potential divergence on this issue?

Following the controversial advertising campaigns utilised as part of the Brexit referendum in 2016, there were significant calls for increased transparency in political advertising within the UK. In the UK, the Advertising Standards Agency (“ASA”) regulates advertising practices through the Code of Non-Broadcasting and Broadcasting Advertising Codes (“CAP Codes”). Political advertisements are currently banned under the Broadcasting CAP Code and the Communications Act 2003, but instead parties are able to advertise using party political broadcasts which are not deemed advertisements under the CAP Code. However, political advertisements are exempt from the Non-Broadcasting CAP Code, creating a lacuna under English law for advertisements which are not broadcast on radio or television, but may be available on other platforms. The ASA openly stated that whilst they agree that political advertisements should be regulated, as a non-statutory regulator funded by advertisers, they were unable to effectively regulate in this area without the backing of political parties and campaigners. Subsequently, it was for government to legislate in this area.

This legislation came in the form of the Elections Act 2022, which implements the outcomes of the 2019 Consultation entitled Transparency in Digital Campaigning. The Elections Act intended to implement similar transparency requirements for political advertisements as those imposed under the Proposals through its Digital Imprint provisions.

A full outline of the Elections Act is beyond the scope of this Article. However, in summary:

  • the Elections Act introduces transparency requirements for paid-for or other electronic material, including requirements that the name and address of the promoter, or ultimate promoter, be included as part of the material or, if not reasonably practicable, in a location which is directly accessible from the electronic material;
  • paid-for electronic material constitutes material which is paid for (through any type of remuneration or benefit) for the purposes of influencing the public to given or withhold support from a registered party, current or future candidate, the holding of a referendum or the outcome of a referendum;
  • other electronic material constitutes non-paid for material where the promoter is a registered party, recognise third party, current or future candidate or referendum or recall petition campaigner and which relates to promoting the electoral success of a registered party, current or future candidate or referendum or petition outcome;
  • for both paid for and other electronic material, it is immaterial whether the material expressly mentions the name of the party, candidate or referendum. It is also noted that these provisions shall not apply to the republication of the material, provided it is not materially altered; and
  • the Elections Act makes it a criminal offence, punishable by a summary conviction and fine, for material which does not comply with the above transparency requirements. In the case of companies, individuals responsible for the breach may also be guilty of an offence.

However, whilst the Elections Act received Royal Assent this year, the provisions relating to transparency and political advertising are yet to come into force, with no date specified for their introduction. Even in their current form, they do not go as far as the Proposals in terms of obligations on Providers and Publishers, only requiring that the identity of the promoter be included in the material itself.

In respect of targeting and amplification techniques, there is yet to be any equivalent measures as those outlined under the Proposals. The Information Commissioners Office has issued Guidance for the use of personal data in political campaigning, but this does not implement any material provisions in respect of safeguarding individual’s personal data from these techniques. The UK is currently considering alterations to its data protection regime generally, which may involve similar restrictions on the use of personal data for targeting and amplification purposes. However, until full details of this regime are outlined, the protections afforded to individuals under the Proposals will not be transposed in English law.

This article was written by Isaac Bedi and first published on Lexis®PSL on 23 December 2022.

Key contact

A photo of David Varney

David Varney Partner

  • Data Protection and Cybersecurity
  • Technology and Communications
  • Outsourcing
 

Subscribe to news and insight

Burges Salmon careers

We work hard to make sure Burges Salmon is a great place to work.
Find out more