Elections and web scraping: navigating the Dutch DPA's guidelines

Auteur

Martijn Loth

Associé

Amsterdam

AP guidance on data processing during elections

In its recent letter to political parties dated 28 March 2024 on the processing of personal data in European Parliament elections, the AP reminded the parties about its checklist for party political data processing. This sets out seven steps:

Assess necessity - the first step is to ascertain whether it is necessary to process personal data for the proposed campaign activity and to explore whether a less intrusive method of campaigning is possible.
Ensure sufficient expertise - given that microtargeting is a legally complex issue, the AP recommends ensuring there is expertise within the party on the use of personal data, for example by appointing a Data Protection Officer (DPO) or an external expert.
Differentiate between party members and non-members – this distinction between members and non-members is relevant as Article 9(2)(d) GDPR provides for an exception to the processing prohibition on special data for party members under certain conditions.
Controller or processor? - a political party must assess the role it plays in the processing of personal data, especially when using marketing agencies or social media.
Be cautious with public information - large amounts of personal data may be collected from public sources, for example by web scraping. The AP emphasises that scraping data from the internet to create profiles and attribute political opinions to individuals must comply with the GDPR.
Ensure compliance - the AP recommends informing the entire campaign team about privacy regulations, including those on the candidate list, as candidates may undertake campaign activities independently. Furthermore, the AP advises only engaging companies that can demonstrate their datasets containing personal data have been lawfully collected.
Privacy rights - finally, the AP reminds parties that they are obliged to give effect to data subject rights.

The AP's letter further emphasises that, given the prohibition on processing special categories of personal data, such as data on political opinions, it is hard to imagine that files containing personal data on certain (alleged) political opinions of individuals, which are provided by third parties, have been lawfully collected. In the context of microtargeting, the AP advises conducting a Data Protection Impact Assessment (DPIA) before carrying it out or engaging a third party to do so.

AP guidance on web scraping

Following guidance from several other European regulators, in May 2024, the AP published guidance on web scraping. Titled 'Scraping is almost always illegal', the AP's stance on web scraping is made quite clear. The AP's view is that there is rarely a legal basis for scraping and further processing of personal data. Although consent is theoretically possible, in practice, it is difficult or almost impossible to identify and seek consent beforehand from every individual whose data is being scraped. The AP emphasises that when individuals themselves put their personal data online, it cannot be inferred that they are giving consent to their data being scraped and/or processed after scraping.

If the legal basis of consent is not available, it is likely that the only other potential lawful basis will be legitimate interest. The guidance repeats the AP's much-criticised strict interpretation of when an interest can be classed as legitimate which rules out a purely commercial interest. The AP explicitly states that it will maintain this position until the European Court of Justice's ruling on the preliminary questions regarding the definition of a legitimate interest (C-621/22).

To help organisations including political parties assess whether their legitimate interests outweigh those of the data subjects, the AP lists a number of important considerations:

Scope and nature of data processing - the AP assumes that the broader the scraper searches, the greater the intrusion into the privacy of the data subjects. This means that the intrusion is greater as more sources are consulted and over time the database is replenished by repeated scraping.
Data subject expectation - this will depend on how the data has been made available. For example, data subjects who have publicly shared political opinions on an online forum can reasonably be expected to anticipate their data might be processed by others. Therefore, they are less likely to feel an intrusion of privacy when others use this data.
Consequences for data subjects - according to the AP, the consequences for data subjects weigh heavily in the balancing test, with profiling of individuals having a greater impact than performing statistical analysis.
The role of safeguards - the consequences for data subjects can be mitigated in various ways by implementing additional safeguards. Examples of additional measures include extra transparency, removing or anonymising personal data as soon as possible, and adhering to internet standards. However, implementing additional safeguards will not always be enough to change the balance of interests between the controller and the data subject.

In addition to having a lawful basis for processing personal data, an exemption to the prohibition on processing special data may also be required. This will include where the data relates to political opinions. According to the AP, special data may easily be involved when social media profiles are being scraped. Here again, the AP takes a strict approach, saying that if it is not certain that the data being processed excludes special category data, all the data will be treated as though it is special data and an Article 9 exemption from the general prohibition on processing will be required.

Finally, the AP lists some examples of situations in which web scraping may be lawful and in which it is not. Scraping may be lawful in the following cases:

public news websites, in order to provide relevant current affairs
scraping own web pages by web shops, eg customer reviews, for communication with their own (potential) customers
public online forum on information security, to highlight security risks for one's own organisation.

Scraping is unlawful in the following cases:

internet to create profiles of data subjects for reselling purposes
private social media accounts or private forums
social media accounts of data subjects - even if they are public - to use the information collected to determine whether or not a data subject will receive a requested insurance policy.

ChatGPT Taskforce on scraping

In May 2024, the ChatGPT Taskforce published its first report, distinguishing between five different stages in assessing the lawfulness of data processing in the context of ChatGPT, with web scraping being part of the first stage. Unlike the AP, the Taskforce does seem to leave room for legitimate interest as a legal basis for the processing of personal data by web scraping. The Taskforce emphasises that the reasonable expectations of data subjects should be taken into account in the legitimate interest assessment, and that adequate safeguards play a special role in reducing undue impact on data subjects. As such, adequate safeguards may change the outcome of the balancing test in favour of the controller. According to the Taskforce, such safeguards could be technical measures, defining precise collection criteria and ensuring that certain data categories are not collected or that certain sources (such as public social media profiles) are excluded from data collection. In addition, the Taskforce emphasises that measures should be in place to delete or anonymise personal data that has been collected via web scraping before the training stage.

The Taskforce explicitly recognises that scraped data may include special categories of personal data and that, in the situation where large amounts of personal data are collected via web scraping, a case-by-case examination of each data set is not realistic. However, the safeguards mentioned above can contribute to meeting the requirements of the GDPR according to the Taskforce. Examples of such measures are filtering special categories of personal data, applying it to both data collection (for example, selecting criteria for what data is collected) and immediately after data collection (deleting data). As such, and even when special personal data is also processed, the Taskforce seems to leave room for legitimate interest as a basis for processing personal data in the context of scraping.

Key takeaways

In conclusion, the limited interpretation by the AP of 'legitimate interest' results in a lack of lawful basis for scraping in most cases in the Netherlands, especially where it concerns scraping in the context of political campaigning and microtargeting. Additionally, the prohibition on processing special categories of personal data usually extends to other personal data as well if the processing of special category data cannot be excluded.

Consent as a lawful basis for scraping is difficult in practice, as it is almost impossible to obtain explicit consent beforehand. According to the AP, there could be a lawful basis for scraping if the personal data has been manifestly made public by the data subject, such as through the publication of a blog containing political views or religious beliefs. At European level, however, there seems to be more room for lawful scraping, now that the ChatGPT Taskforce has explicitly mentioned legitimate interest as a possible lawful basis for web scraping, provided that the controller integrates adequate safeguards to protect and limit the processing of personal data.

The AP's scraping guidance provides more detail around its cautioning the political parties to be careful about using public data in political campaigns where that data is captured through scraping. It's possible that the EDPB will produce definitive guidance on the subject but until it does, or pending an ECJ decision, web scraping to obtain personal data for political campaigning or microtargeting purposes in elections is arguably more problematic in the Netherlands than in most other EU Member States.