Explanatory Memorandum to COM(2018)636 - Verification procedure on infringements of data protection rules in the context of European elections - Contribution to the Leaders’ meeting, September 2018

Please note

This page contains a limited version of this dossier in the EU Monitor.




1. CONTEXT OF THE PROPOSAL

Reasons for and objectives of the proposal

Democracy is one of the fundamental values on which the European Union is founded. To ensure the functioning of a representative democracy at the European level, the Treaties determine that the citizens of the European Union are directly represented in the European Parliament.

Political parties fulfil an essential role in a representative democracy, creating a direct link between citizens and the political system, thereby enhancing the legitimacy of the system. According to Article 10 of the Treaty on European Union, 'political parties at European level contribute to forming European political awareness and to expressing the will of citizens of the Union'. Article 12(2) of the Charter of Fundamental Rights of the European Union expresses the same principle.

In February 2018, the Commission issued a Recommendation1 on enhancing the European nature and efficient conduct of the 2019 elections to the European Parliament, addressed to Member States and to European and national political parties. It included calls on European political parties and national parties to increase transparency on their respective affiliation and links and called on those political parties to help raise citizens' awareness on the issues at stake at Union level and on how they intend to address them during the upcoming legislature.

In the EU, data protection is a fundamental right and the General Data Protection Regulation2 sets strong rules to protect this fundamental right. In particular, personal data must be processed lawfully and fairly.

Online communication has the potential of allowing closer and direct interaction between political actors and European citizens. At the same, it brings an increased risk of unlawfully processing personal data of citizens in the electoral context. A number of recent events show that abuses of data protection rules can affect the democratic debate and free elections, including elections to the European Parliament.

In 2018, the Facebook/Cambridge Analytica case concerning the alleged unlawful processing of user personal data acquired from Facebook by the company Cambridge Analytica raised serious concerns on the impact of data protection infringements on electoral processes. Investigations are ongoing in relation to this particular case, inter alia by the UK Information Commissioner’s Office, the data protection supervisory authority which is leading the European investigation in cooperation with other European data protection supervisory authorities. The Commission is in close contact with the data protection supervisory authorities and is following this process closely. The U.S. Federal Trade Commission has opened an investigation in the case. A series of hearings took place in the European Parliament on the case and its impact on individuals’ personal data in the Union.

Regulation No 1141/2014 of the European Parliament and of the Council of 22 October 2014 on the statute and funding of European political parties and European political foundations3 was introduced to increase the visibility, recognition, effectiveness, transparency and accountability of European political parties and their affiliated political foundations. In the light of this Regulation, European political parties and foundations satisfying a number of conditions were offered the opportunity to become European legal entities by registering at European level, thereby obtaining access to European financial support. These conditions include the respect, both in their programme and activities, of the values on which EU is founded – listed in Article 2 of the Treaty on European Union: respect for human dignity, freedom, democracy, equality, the rule of law and respect for human rights including the rights of people belonging to minorities. An independent Authority for European political parties and foundations ("the Authority") was created, for the purpose of registering, monitoring and, if necessary, imposing sanctions on European political parties and foundations, including to consider cases where such entities allegedly fail to respect these fundamental European values.

However, the existing rules do not allow to effectively dissuade and sanction abuses of data protection rules which may affect the democratic debate and free elections.

In order to ensure that the elections to the European Parliament take place under strong democratic rules and in full respect of the European values of democracy, rule of law and respect of fundamental rights, the Commission is proposing a targeted amendment to Regulation No 1141/2014. It aims to allow financial sanctions on European political parties or foundations that use infringements of data protection rules to deliberately influence or attempt to influence the outcome of elections to the European Parliament.

The proposal will also enable the Authority to operate in a smooth and effective manner, by ensuring that it has its own allocation of staff and that its Director becomes the appointing authority. This should allow the Authority to fully fulfil its tasks, including the new ones foreseen in this proposal, and to do so in an independent way. In parallel, in order to respond to the calls of the Authority for an increased number of staff and in view of the Authority's key role in the period closely preceding the elections to the European Parliament, the Commission is ready to immediately make available the 6 additional staff requested by the Authority, on a detachment basis, which will end once the permanent staffing arrangements would be in place.

The procedure for the elections to the European Parliament is in each Member State governed by its national provisions. Political parties fulfil an essential role in a representative democracy, creating a direct link between citizens and the political system. National and regional political parties put forward candidates and organise electoral campaigns. National authorities are in charge of monitoring the elections at national level. European political parties organise complementary campaigns at European level, including those for lead candidates for the role of President of the European Commission.

The amending Regulation, together with the Commission guidance on the application of Union data protection law in the electoral context4, the Commission Recommendation on election cooperation networks, online transparency and protection against cybersecurity incidents and fighting disinformation campaigns in the context of elections to the European Parliament5 and a Commission Communication on Securing free and fair European elections6 adopted on the same day, forms part of a security package. It is a contribution from the European Commission to the Leaders' meeting in Salzburg on 19-20 September 2018.

The Recommendation encourages data protection supervisory authorities in compliance with applicable Union and national law, to inform immediately and proactively the Authority for European political parties and European political foundations of their decisions finding that a European political party, a European political foundation or another natural or legal person has infringed applicable rules on protection of personal data. This information should be provided where it follows from that decision, or where there are otherwise reasonable grounds to believe, that the infringement is linked to political activities by a European political party or European political foundation in the context of elections to the European Parliament. The Recommendation also encourages Member States to apply appropriate sanctions on political parties and foundations at national and regional level for cases of infringements of rules on the protection of personal data being used with a view to influencing or attempting to influence the elections to the European Parliament.

The focused changes to Regulation No 1141/2014 should be in place before the 2019 elections to the European Parliament.

Consistency with other Union policies

Since 25 May 2018, the General Data Protection Regulation7 applies in all EU Member States. It sets high data protection standards that are fit for the digital economy and make organisations processing data – including European political parties and the European political foundations – more accountable and more responsible in how they deal with personal data.

In its Recommendation of 14 February 20188 on enhancing the European nature and efficient conduct of the 2019 elections to the European Parliament, the Commission called on the competent national authorities to identify best practices in the identification, mitigation and management of risks to the electoral process form cyber-attacks and disinformation. In April 2018, the Commission organised a meeting with the electoral commissions of Member States to discuss, exchange best practices and raise awareness among national authorities of the issues of security, disinformation campaigns and the enforcement of electoral rules online.

In April 2018, the Commission published a Communication on “Tackling online disinformation”9, which defined the roles and responsibilities of relevant stakeholders and formulated a set of actions, including strengthening the Commission's strategic communications response to disinformation.

This proposal is consistent with the Commission's proposal10 for a Regulation concerning the respect for private life and the protection of personal data in electronic communications (e-Privacy Regulation) that reviews the existing e-privacy Directive11 which will enhance transparency and widen the scope of protection beyond traditional telecom operators to include internet-based electronic communication services and which should be promptly adopted by the co-legislators.


2. LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

Legal basis

The proposal is based on Article 224 of the Treaty on the Functioning of the European Union, which states that "the European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the regulations governing political parties at European level referred to in Article 10 i of the Treaty on European Union and in particular the rules regarding their funding" as well as on Article 106a of the Treaty establishing the European Atomic Energy Community12.

Subsidiarity

Since the existing Regulation provides for an EU-level system, including a specific European legal personality for parties and foundations and funding from the EU budget, any shortcomings in this system can only be remedied through EU legislation. Action by Member States alone is therefore not a relevant option.

The proposed focused changes therefore fully comply with the principle of subsidiarity. The EU level is the only one at which rules governing the statute and funding of European political parties and European political foundations can be laid down. In setting out possible reform measures, the Commission has been careful to reflect the principles contained in Protocol No. 2 to the Treaties.

Proportionality

As explained in Section 5, the targeted measures proposed do not go beyond what is necessary to achieve the long-term objective of developing and strengthening European democracy and the legitimacy of the EU Institutions.

The proposal complies with the principle of proportionality. The proposed sanctions are built on the regime set by Regulation 1141/2014, establishing proportionate sanctions. The proposed measures ensure that there is no double penalisation of the same behaviour: infringements of data protection rules will be penalised by the competent data protection supervisory authorities established by the General Data Protection Regulation. The behaviour sanctioned by this proposal is the taking advantage of infringements of data protection rules to deliberately influence or to attempt to influence the elections to the European Parliament. The Authority will not impose sanctions on infringements of data protection rules as such.

Choice of the instrument

Only a Regulation can amend an existing Regulation.

3. RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS

Stakeholder consultations

In preparing the current proposal, the Commission took into account the calls expressed during the debates and hearings in the European Parliament regarding the Facebook/Cambridge Analytica case, which concerned allegations of use of Facebook’ users’ data by Cambridge Analytica and its impact on the protection of individual’s personal data in the Union (hearings of 4 June 2018, 25 June 2018 and 2 July 2018).

Such debates and hearings brought to light that the use of misleading and manipulative techniques of micro targeting, aiming at unfairly influencing the result of polls, are closely connected to the question of illegal transfer and processing of personal data. EU rules already ensure the effective protection of personal data.

Impact assessment

This proposal is not accompanied by a specific impact assessment. It is not expected to have wider significant economic, social and environmental impacts. The proposed changes build on the existing verification and sanctions regimes established by Regulation No 1141/2014.

Fundamental rights

Article 2 of the Treaty on European Union (TEU) provides that “The Union is founded on the values of respect for human dignity, freedom, democracy, equality, the rule of law and respect for human rights, including the rights of persons belonging to minorities. These values are common to the Member States in a society in which pluralism, non-discrimination, tolerance, justice, solidarity and equality between women and men prevail.

Article 10(1) and (2) TEU provide that “The functioning of the Union shall be founded on representative democracy” and that “Citizens are directly represented at Union level in the European Parliament”. Subparagraph 4 of the same provision stipulates: “political parties at European level contribute to forming European political awareness and to expressing the will of citizens of the Union”. Articles 11 and 12 of the Charter of Fundamental Rights of the EU enshrine the right to freedom of expression and of association. Article 7 of the Charter of Fundamental Rights of the European Union reads that “Everyone has the right to respect for his or her private and family life, home and communications”. Article 8 of the Charter of Fundamental Rights of the European Union reads that “(1) Everyone has the right to the protection of personal data concerning him or her. (2) Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. (3) Compliance with these rules shall be subject to control by an independent authority.”

The amendments which are the subject of this proposal pursue the objectives of these provisions, and are compatible with and give effect to the fundamental rights guaranteed by Articles 7, 8 and 12 of the Charter.

4. BUDGETARY IMPLICATIONS

In order for this proposal to be effective, as it adds tasks to the Authority, there needs to be a more permanent staffing arrangement for the Authority. The budgetary implications are detailed in the Legislative Financial Statement attached to this proposal. More permanent staffing provisions should be made through the redeployment of existing resources, and will require the modification of the establishment plans of the contributing Institutions. Therefore, these elements should be included in the forthcoming Amending Letter to Draft Budget 2019. Given the size of the Authority, a separate establishment plan in not necessary, but a footnote detailing the size and nature of the staffing shall be entered in the Section I – European Parliament.

5. OTHER ELEMENTS

Detailed explanation of the specific provisions of the proposal

In order to sanction financially European political parties or foundations using infringements of data protection rules to deliberately influence or attempt to influence the outcome of elections to the European Parliament, the Commission proposes the following targeted changes to the Regulation:


It is proposed to create a verification procedure related to infringements of rules on the protection of personal data which would require the Authority to trigger an opinion of the committee of independent eminent persons, shortly after a decision by a competent data protection supervisory authority. The committee's opinion – to be delivered within a short deadline set by the Authority – would assess whether such infringement was used to deliberately influence or attempt to influence the outcome of elections to the European Parliament. The triggering of this new procedure does not prevent the triggering of the procedure of verification of compliance with registration conditions and requirements set out in the Article 10 of the Regulation for cases of manifest and serious breaches by the European political parties or foundations of the values on which the Union is founded. The new procedure would be introduced by the insertion of a new Article 10a.

To ensure such procedure can be triggered at any moment, including close to the date of elections to the European Parliament, it is proposed to clarify that the time limitations of the procedure of verification of compliance with registration conditions and requirements set in Article 10 do not apply to it, by amending the third sub-paragraph of Article 10(3).

Article 11, on the committee of independent eminent persons, will be amended to expressly refer to the opinion on the influencing of the outcome of elections to the European Parliament.

A new ground for financial sanctions will be added in Article 27 in the case the opinion of the committee of independent eminent persons finds that a European political party or a foundation has deliberately influenced or attempted to influence the outcome of elections of the European Parliament by taking advantage of an infringement of the applicable rules on protection of personal data.

This new ground will be added to the list of infringements which prevent a European political party or foundation to apply for funding from the general budget of the European Union in the year when the sanction was imposed. This will be done by amending Article 18.

Since the new verification procedure is triggered by a decision of a competent data protection supervisory authority, it is proposed to allow for the review of the sanction if the competent data protection supervisory authority’s decision is repealed or where a remedy against such decision has been successful, by adding a new paragraph in Article 27.

Finally, in order to enable the Authority to operate in an independent and effective manner, the Commission is proposing the Authority to be staffed in a permanent way and to confer the powers of an appointing authority on the Director of the Authority, by amending paragraph 5 of Article 6.