Election tools from Meta that are meant to provide information to the voting public have been banned in Spain ahead of the European Parliament elections. The Spanish Data Protection Agency issued the order due to privacy concerns, noting that they vacuum up “unnecessary” personal data and may be in violation of the General Data Protection Regulation (GDPR).
Meta’s election tools accused of profiling Facebook and Instagram users
The Spanish DPA has banned the election tools for three months, with the order going into effect just ahead of the European Parliament voting period in June. The DPA’s statement on privacy concerns notes that the tools gather the name, IP address, age and gender of Facebook and Instagram users, without an indication that this much personal data could be tied to what political content voters view and interact with.
The election tools in question, the “Election Day Information” (EDI) and “Voter Information Unit” (VIU), were about to be launched just ahead of the EU elections. The primary function would have been to send reminders of voting deadlines to all eligible Facebook and Instagram users. The tools would have determined eligibility by scanning the user’s profile for their listed city of residence and IP address, though for this particular election the only requirement is to be a legal adult national of any EU member state.
Meta says that the election tools have been designed to be in compliance with GDPR rules and to respect user privacy, and that it disagrees with the Spanish DPA’s finding but will comply. The company’s interpretation of what constitutes “GDPR compliance” has long been at odds with regulators, however, as it has attempted to claim one exception after another to get out of informed consent requirements ever since the regulation went into effect six years ago. It is currently on its final challenge of this nature, adopting a “pay or OK” model that was recently dealt a blow by a European Data Protection Board (EDPB) finding.
The Spanish regulator said that Meta was collecting far too much data for the stated purpose of simply reminding users of eligibility for an upcoming election, and that it had not demonstrated a need to continue storing this data after the election. It also expressed concern about the lack of a mechanism for age verification beyond self-reporting, which could lead to it collecting the specially protected data of minors.
Not the first time Meta has provoked privacy concerns during an election
The Spanish regulator was able to act directly on the issue due to the inclusion of political views, which fall under the “special category” of protected data, and invoke an urgent need to address privacy concerns that could harm its citizens. GDPR procedures involving Meta generally flow through Ireland, where the DPA has proven to take an extremely long time reviewing cases. Though the order would apply only to Spain and no other countries ended up bringing similar action before the voting period began, Meta has opted to halt the EU-wide rollout of the election tools and will likely keep them on the shelf for the prescribed three months.
The election tools incident comes almost two years after Italy’s data watchdog took action against Meta ahead of its own parliamentary elections. In that case, the company was served with an urgent request from the Garante for information about the measures it was taking to curb political disinformation. Meta had published documents outlining its election security measures for numerous other countries at the time, but had not yet published one for Italy as those elections approached.
Meta also remains under an ongoing investigation by the European Commission, initiated in April of this year, that is exploring how it handles deceptive political content posted to its various platforms. The investigation has a special focus on “third countries” making use of Facebook, Instagram and other services to disseminate disinformation aimed at influencing elections. That investigation launched with notice that the Commission believes Meta’s mechanisms for flagging illegal content and for user redress of incorrect information are inadequate and not in compliance with Digital Services Act terms. Meta maintains that it has “well-established practices” for identifying and mitigating risks of this type on its platforms and for addressing related privacy concerns.
And of course all of these privacy concerns track back to the infamous Cambridge Analytica scandal of the 2010s, which dealt a massive blow to public trust in Facebook and directly fueled all manner of increased regulation and scrutiny directed at social media platforms. That single incident is likely responsible for pushing data privacy awareness into the mainstream, leading to consistent polling that indicates a majority of internet users want transparency about how their personal data is used and the ability to control who it goes to. That incident was thought to have provided a boost to the campaigns of Donald Trump and Ted Cruz in the US in 2016.