In May of 2018 a new directive will take effect within the European Union that will have far reaching implications for campaigns. And for American companies conducting campaign activities in Europe, ensuring compliance will be a resource intensive process. In some cases, the new regulation may even close the door for companies that don’t want to spend the time and money to comply.  

The law is known as the General Data Protection Regulation (GDPR), and for proponents it’s meant to give control over personal data “back to European citizens and residents.” Key to the GDPR is that the responsibility for protecting data is shifted from the individual person (the “data subject”) to the data controller or data processor.

To the European Commission, personal data is “any information relating to an individual, whether it relates to his or her private, professional or public life.” That’s an expansive definition, which could encompass just about anything, including cloud services.

So under the GDPR, the responsibility – and liability – belongs to the data collector. If and when it’s not possible to show that all necessary action was taken to protect and process data in the proper way, significant sanctions can be levied, including fines up to 20 Million Euro or up to 4 percent of a company’s annual worldwide turnover.

The GDPR also expands some regulations that were already in place such as data portability and data protection. But there are many new provisions that are likely to exert a significant impact. The “right to erasure” is one example. This provision permits the data subject to ask for “erasure” of their personal data. From a technical point of view, this will pose a challenge in some instances.

American political consultants or companies willing to do business in the EU, shoud tread carefully under the GDPR. And they should take it seriously from that start, rather than waiting to see how the new law is enforced. Much of the business of campaigning nowadays is about data, and here the GDPR draws a line: data from EU citizens must stay in the EU.

Tech giants like Facebook and Google are already dealing with this requirement by creating data centers on the European continent. But smaller US (and soon even UK) companies will have a more resource intensive task.  

A few questions American political consultants and companies need to ask themselves in this new environment:

  • Are you sure no data will be used from or parked on servers outside the EU?
  • Are you willing to expend the resource to match what platforms like Facebook and Google are doing to comply with GDPR-standards in Europe?
  • When you are using voter data, have voters consented to the use of that data? There is no voter registration in the EU, so consent has to come in some other way.
  • When voters want their data erased, can you comply?
  • When you as a corporation are working with data in Europe, can you show you have taken data security seriously by having installed data protection measures, including a data protection officer?

The full impact of the GDPR remains to be seen, as does the seriousness with which it will be enforced once it goes into effect. It is clear that May 25, 2018 will mark the day there really is a pan-European privacy and data protection policy. All in all, an already difficult market will become more uniform, but not necessarily easier.

GDPR is already having an impact within campaigns. In recent elections some of the main parties made the decision to stop themselves from microtargeting or employing other data-driven (email) activities out of fear of privacy breaches.

The potentially invasive nature of targeting and analytics made news recently in the Netherlands after media reports connected the political efforts of Dutch eurosceptic Thierry Baudet, who heads the Forum for Democracy Party, to Cambridge Analytica. With newfound attention on microtargeting, it must be assumed this will lead to more scrutiny in coming elections.

Peter Noordhoek is a political analyst and trainer based in The Netherlands.