Referendum apps may be sharing data illegally

Net Results: Firms must not break law on app permissions and data they gather

Some detective work by Buzzfeed writer Laura Silver this week revealed that two of the apps developed for the referendum No campaign may share details about Irish app users to a range of right-wing international groups.

Those groups potentially include US gun lobby group the National Rifle Association (NRA), which has insisted the answer to gun deaths in the US is . . . arming more people with guns.

"Save the 8th's My8 app and the LoveBoth app were developed by the same Washington, DC–based company, Political Social Media LLC, which specialises in building digital campaigning tools for conservative, religious and anti-abortion groups," Silver wrote.

Though No campaigners have insisted there’s no connection between the two groups, the apps are hosted by separate companies, both registered to Political Social Science. And the two apps are built on a “near-identical template” and “share near-identical terms of service for users”.

Along with consenting to share data with conservative groups of their personal choice if they wish, users must agree to terms that allow Political Social Media – which was involved in both the Trump and Brexit campaigns – to give their data to groups Political Social Media "believe have similar viewpoints, principles or objectives as us".

Silver writes: "This means data can be shared not just between the two ostensibly separate Irish anti-abortion groups, but also with previous clients such as the NRA, the Trump presidential campaign, the Republican National Committee, and the Susan B Anthony List, a major US anti-abortion group. In the UK, the network includes the Conservative Party and main pro-Brexit campaign, Vote Leave."

Neither of the No campaign groups responded to her repeated requests that they clarify if they had shared user data with such groups.

Although anti-abortion campaigners in the US are often aligned with the pro-gun lobby on the broader conservative agenda (I know, logic fails), it probably will discomfit many app users here to find their data may well be distributed to the NRA or Brexit groups.

Yet discomfiture is less of an issue here than illegality under European law.

According to data privacy expert Daragh O Brien, managing director of Dublin information management company Castlebridge Associates, sharing data in this way, especially to entities in the US, is "illegal full stop, partly given the nature of the data and because of the category of the data". Personal information and data about religious and political beliefs are given particularly strong EU protections.

Lack of transparency

"There's also a lack of transparency as to who the data controller and data processor is. This is insufficient transparency under existing data protection legislation, and particularly under GDPR [the EU's stringent General Data Protection Regulation, which comes into effect on Friday]," he says.

The GDPR places strict management obligations on any company, anywhere in the world, handling the data of anyone located in the EU, and allows significant fines to be imposed on organisations that mishandle data.

O Brien says, “The way this data is being handled is already prohibited. But another question is, what happens to that data at midnight on Friday?”

In addition, in order to transfer data from EU-based individuals into the US, an organisation right now must either be registered as compliant with the US/EU data transfer agreement Privacy Shield, or be using precisely worded, compliant “model contracts”.

A search of the Privacy Shield website’s list of companies using the agreement does not include Political Social Media LLC. O Brien said perhaps the company has opted for model contracts, but noted that in his experience of working with not-for-profits, this is rarely understood as a requirement.

“It is so far down the list of priorities of those in the not-for-profit sector, particularly those who promote an ideology and are rushing to get a campaign up and running on limited resources,” he says.

Data protection law

But this isn't just a matter affecting small groups. Fine Gael learned all of this in 2011 when it decided to host its party website in the US, then found this breached EU data protection law because of similarly sensitive types of data being gathered and held abroad.

As for Political Social Media LLC, even if this organisation uses model contracts, its demand that EU-based app users give it blanket permission to pass along their personal data to unspecified groups, especially political or religious groups in the US, is illegal.

O Brien cautions that, in general, Irish groups cannot take an off-the-shelf US campaign approach and apply it here, because of greater data and privacy protections in the EU.

These basic points are relevant to all groups, individuals and organisations of any political, religious, social, corporate, government or other persuasion.

Just because you can build an app or website that gathers data doesn’t mean you can do whatever you want with app permissions or with the data gathered. It doesn’t matter that you created some type of consent agreement: the agreement must be compliant with EU law.