Contact Reform Act

Started by Baron Alexandreu Davinescu, October 09, 2025, 12:01:26 PM

Baron Alexandreu Davinescu

The Secretary of State recently pointed out that some people might not be aware of the current system, which was set up to respect personal privacy but also allow campaigning.  He also gave his opinion about current best practices:

Quote from: Sir Lüc on October 09, 2025, 09:37:53 AM
I do still think that the best way to send unintrusive electoral communications and respect a citizen's right to privacy is through the Chancery, but I must comply with the law.

Maybe it is time to simply make the two-per-party Chancery forwards into the sole official way to do things?
Alexandreu Davinescu, Baron Davinescu del Vilatx Freiric del Vilatx Freiric es Guaír del Sabor Talossan

                   

Sir Lüc

I guess there's several points that come to mind:

1a. Unless I'm mistaken, I should say the Chancery's electoral comms forwarding service is nowhere in statutory law and essentially only available at election time, under the rules governing each individual election.

1b. If parties can just access the same mailing list themselves via D.8.5, why is the Chancery's electoral comms forwarding service even a thing, given that it is subject to rate limits, to the SoS having to get around to sending the mailers himself, and to the occasional controversy about (e.g.) pictures disappearing and sending times?

2. What happens to parties that register/deregister? Are all parties deregistered and unable to access the D.8.5 mailing list on Dissolution, until they re-register? What happens to a deregistered party that uses data from the mailing list? (This ties into another area of urgent reform, which is party registration)

3. I guess my main issue with the current legislation is that nowhere in the law is the right of citizens to opt out actually protected, and nothing mandates parties to inform citizens of this fact, nor to always use the most recent version of the database reflecting the most updated state of the contact preferences (both concerning which email address to use, and if a citizen is open to being contacted at all). Either way, informing all parties every time a citizen changes their preferences is definitely an undue burden on the Chancery.
Sir Lüc da Schir, UrB
Secretary of State / Secretar d'Estat

Baroness Litz Cjantscheir, UrN-GC

I will not repeat the points I have already raised in response to the Secretary of State's original post on this matter, but I will follow up by saying the following.

First, the Secretary of State must comply with the law, but what I think has been forgotten in this discussion is that "the law" also includes the UK and EU GDPR legislation. The current database clearly contains the personal data of citizens who live in the EU and the UK, and my assumption is that the Secretary of State also resides within the EU. This means the GDPR applies in practice, regardless of Talossa's own internal status or legislation.

Part of the GDPR is that consent to share personal data can never be given unknowingly. Consent must be specific, informed, and freely given. The burden lies with the data controller, in this case the Secretary of State, to be able to demonstrate that each data subject was informed and freely gave consent for a specific type of data sharing. If there is any uncertainty about this, or if the Secretary of State believes that citizens may not have been fully aware of how their data was being shared, then the correct legal position is to assume consent was not given and the data should not be shared.

If a citizen consented for their data to be used by the Chancery to forward electoral communications, that cannot be taken to mean they also consented for their email address to be disclosed to third parties. We have no clear record that they opted in to such sharing as described in El Lex D.8.5.4.

Therefore, the core issue is whether the Secretary of State (allegedly) breaches GDPR obligations by complying with his interpretation of El Lex, or whether he recognises that GDPR, as binding law on anyone processing the data of EU or UK residents, must take precedence over Talossan law in matters of personal data protection. My own position remains that opt-in consent cannot be validly given if the data subject was not fully aware of how their information would be used.

Another concern is the potential for data misuse under the current system. As it stands, I could theoretically register a party tomorrow and, as a party leader, gain access to the database. There is nothing to prevent me from saving that information in an unencrypted spreadsheet on a personal laptop and keeping it indefinitely. Worse still (and there have been incidents of this in the past), I could then send a group email using the "To" field instead of "BCC", exposing every recipient's address to everyone else on the list. At that point, every person could download or copy those addresses and store them however they liked, completely outside the control of the Chancery. That would constitute a serious data breach under GDPR principles, and those affected would have little to no effective recourse.

Thus, getting back on the topic at hand, my ideas for reform would be twofold.

  • Bring Talossan law in line with GDPR requirements.
    This would remove the conflict between the two systems. There should be clear opt-in and opt-out choices, with data subjects properly informed about how their information will be used, stored, and shared. Data should be encrypted, password protected, and automatically deleted after a set period. Citizens should also have the right to see what data is held about them and who has viewed or shared it.
  • Limit party leaders' access to personal data.
    Ideally, leaders should not be able to see individual citizens' details. A shared email system could be created, such as citizens [at] talossa (dot) com, which distributes messages to consenting recipients without revealing their contact information. Bouncebacks or automatic replies could be routed to a no-reply address to avoid exposing anyone's data. This would achieve the same purpose of communication without compromising privacy or compliance.


My two bence on a quiet Saturday morning, 

-- Litz
Baroness Litz Cjantscheir of Tamorán Beach, UrN-GC, LLB, LLM
Fortiter progredi quo nulla mulier prius pervenit