On 19 April 2019, the Italian Data Protection Authority, or Garante Privacy, announced the approval of a new measure (Register of measures n. 96 of 18 April 2019), soon to be published in the Official Gazette, which establishes rules governing the use of voter data by political parties, movements, committees, candidates, supporters, and other related categories. Below you will find an English-language summary of the press release published by the Garante, which is accessible here.
The measure comes in light of both the May 26 European elections and the GDPR and specifically focuses on the use of “political and electoral communication messages sent to users of social networks (such as Facebook and LinkedIn) or other messaging platforms (such as Skype, WhatsApp, Messenger), reaffirming that such use must comply with data protection rules as demonstrated by recent cases of massive profiling of voters,” and considers such adherence paramount to avoiding electoral interference and protecting the democratic process.
The measure specifically references the importance of consent, the usability of data, information to citizens and penalties/sanctions.
Data that can be used without consent
To contact voters and send electoral communications, political parties and other related entities are free to use the data contained in municipal electoral lists without obtaining prior consent.
This also goes for the data of members of political parties and movements with whom the above-mentioned subjects have regular contact as well as other public lists and registries held by public bodies which are freely accessible.
Data that can only be used with prior consent
Informed consent is required for the use of telephone numbers found in telephone directories to make calls or send text messages and e-mails.
Consent is also required to process data available on the Internet, such as data that can be found on social network and messaging profiles, forums and blogs, automatically collected data (web scraping), data published online in provider subscriber lists, corporate, commercial and associative information published on websites, and data collected in the course of business and professional activities. Consent is furthermore required for the use of data that has been collected for specific initiatives, which include but are not limited to petitions, campaigns, referendums, etc.
Data that cannot be used
Data collected or used in activities of an institutional nature (for example, residency, civil status, electoral lists previously used in polling stations, registered members of professional associations, etc.) may never be used, nor may data concerning public offices and public contests made available online for other purposes.
Information to citizens
Individuals must always be informed of the use of their personal data; when data is collected directly from the voter, this information must be given at the time of collection.
Data subjects must be informed within a reasonable timeframe, which should not exceed one month. Where providing information would involve a disproportionate effort, the relevant parties, committees, etc. may refrain from disclosure if appropriate measures are taken to protect the rights and freedoms of citizens. This can be done by using public means of information.
Violations of data protection rules as per the GDPR may involve severe sanctions. In addition, due to the changes introduced to EU Regulation 1141/2014 on the statute and funding of European political parties and European political foundations, if the European Authority for European Political Parties and Political Foundations is made aware of a decision by a national DPA from which it is concluded that an infringement is linked to activities aimed at influencing or attempting to influence the outcome of the European elections, it is obliged to initiate a verification procedure, which could include financial penalties amounting to 5% of the annual budget of the political party/organisation.