If the usage of media in elections has changed, and the Election Commission took it upon itself to expand its scope for enforcing the model code of conduct beyond traditional media to Social Media, it should also have brought in restrictions in terms of how political parties, collect, link, process and use data, especially in the absence of a data protection framework in place in India.

Where voter lists were once a means of enabling candidates to canvass more votes more effectively, what has changed now is  the ability to link multiple datasets, and with that, combine information on voters to build a 360 degree profile about their income, caste, usage of government schemes, along with, potentially, their social media profiles to ascertain views on national, regional, religious and international issues. Datasets from private insurance schemes, mobile operators, banks, ecommerce companies, lending firms or even millions of apps can potentially be stolen or bought from data brokers and potentially even hackers. Even simpler: a political party app can potentially seek and gain access to entire mobile phone usage, with consent from unsuspecting individuals. Once databases/networks such as the Public Credit Registry, National Health Information Network and others are in place, more information will potentially be available for linking to profiles. This data can then be processed for profiling of citizens, in a manner that many state governments in India have sought to do, for example, in case of the State Resident Data Hubs for Odisha, Tamil Nadu, Madhya Pradesh, Delhi, Haryana, among others. As Shivam Shankar Singh, a former member of the BJP wrote, political parties are already using algorithms to map surnames of individuals to castes.

In 2013, Netcore founder Rajesh Jain, who worked with the BJP on its election campaign then, spoke about linking the Voter ID to mobile numbers and using it for microtargeting. With more data, microtargeting of voters can be very specific to an individual’s profile. This leads to a much sharper and personalized communication from political parties, and while more effective and personalized communication has its benefits, when it happens at scale, the potential for misuse is high. Think about it this way: if technology can enable political parties to target 900 million voters via mobile phones in a manner that is customized to each individual, it is impossible for the Election Commission to monitor the billions of messages for adherence to the model code of conduct. It becomes even tougher when communication can be from proxies. Misuse of data can impact the course of our democracy.

It’s not surprising that political parties want to link the Voters ID to Aadhaar. Linking of datasets makes citizens more vulnerable to misuse of profiling, and silo’ed, delinked and disconnected datasets help keep citizens more secure.

It’s worth mentioning that data held with governments isn’t necessarily very secure, as we have seen with innumerable leaks of Aadhaar related personal information. More pertinently, though, there’s the recent case of IT Grids Pvt Ltd, which was operating the Telugu Desam Party’s Sevamitra application. According to the FIR filed by the UIDAI’s Hyderabad Regional office, the company was allegedly in possession of 78 million Aadhaar records. The complaint alleged that IT Grids was illegally accessing and misusing Aadhaar number, Voter ID details including coloured photographs, and beneficiary details of various government services, and “data related to surveys conducted by the Government of Andhra Pradesh” for use in the Sevamitra app. Also, remember that in 2014, Modak Analytics scraped voter information from the Election Commission’s website.

The Election Commission needs to step in

The General Elections are over, but it’s unlikely that political communications will stop, and state elections will be upon us soon. Allowing candidates and parties to segment their voter base and communicating with them is important for democracy, but there need to be steps taken that this communication is transparent and fair, and the collection and usage of data is lawful and not violating the Fundamental Right to Privacy.

Here’s a framework for the Election Commission’s consideration when it comes to formulating the regulation of political usage of data:

1. Who is regulated:
1.1 Sources of data (from Banks to data registries)
1.2 Data brokers
1.3 Political parties and entities engaging in political communications (i.e. politically affiliated entities)
1.4 Marketing, PR, lobbying and advertising agencies
1.5 Platforms

2. How are they regulated (type of regulatory enforcement):
2.1 Transparency
2.2 Audits
2.3 Purpose limitation (in line with the Model Code of Conduct)
2.4 Sanctions

3. What are they regulated for (Stage of data usage):
2.1 Data collection
2.2 Data linking
2.3 Data processing
2.4 Communication

Transparency has already been enabled when it comes to political communication on social networks, with Google and Facebook both disclosing spends by political parties on advertising on their platforms.

Some Recommendations

1. Focus areas: In my opinion, the most effective enforcement would be at a political party and politically affiliated entity level, even though that is not where it should end. Platforms are just as important, thereby addressing both the source and the reception of political communications.

2. Auditing and transparency: political parties should be audited by the Election Commission for data collection practices, and data collection should be lawful.

3. Consent: Explicit consent for data collection, processing and profiling of citizens should be taken by political parties directly (and not through affiliates). Citizens should have the right to revoke consent, and delete their data. Data received by candidates and political parties from the voter rolls should only be used to seek consent for direct communication. Fresh consent should be necessary for data received from data brokers as well.

4. Data deletion: The Election Commission should have the right to have data obtained unlawfully deleted.

5. Transparency: What would perhaps be most empowering for citizens is if political parties are forced to create a dashboard that will allow each voter, privately, to ascertain what data they have about them, where it was sourced from, how they have been classified/categorized, and who their data has been shared with. It might perhaps be too much to ask for them to disclose what communication has been aimed at them, and how.

6. Data brokers: Data brokers who sell user data for profiling to political parties and/or politically affiliated entities, without consent, should be prosecuted.

7. Data segmentation: The Election Communication may make profiling as per certain sensitive parameters, such as caste based segmentation, illegal. Linking of official government data, such as that related to government schemes, or linking of sensitive personal information (like financial transactions or health records), might also be deemed illegal.

*

P.s.: Thanks to Rahul Sharma of IAPP for asking me to think about data protection from an elections standpoint