Abstract
On 19 September 2019, the Data Protection Authority of the Åland Islands (in Finland) published its findings on the data processing audit for the autonomous region’s parliamentary election special internet voting procedure. It claimed that there were faults in the documentation provided by the processor, which in turn meant that the election’s integrity could not be guaranteed without further precautions from the government of the Åland Islands. Since the European Union’s General Data Protection Regulation (GDPR) entered into force in May 2018, it has set new critical requirements for remote electronic voting projects. Yet, to date, no specific guidance has been provided, nor has research been conducted, on the impact of GDPR on remote electronic voting. Taking stock of two recent internet voting experiences in the Åland Islands and France, this paper aims at identifying and understanding these new requirements. More specifically, based on these two case studies it analyses four different challenges in the processing of personal data in remote electronic voting under the GDPR: the definitions and categories of personal data processed in online voting projects; the separation of duties between data controllers and data processors; the secure processing of (sensitive) personal data, including the use of anonymisation and pseudonymisation techniques; as well as post-election processing of personal data, and possible limits to (universal) verifiability and public access to personal data.
Notes
1. All translations from the original reports in Swedish by the author, using an online tool.
2. According to Krimmer et al. (2019: 9): “In Åland, it is not the government itself, but a particular agency, ÅDA, which is acting as the procurement agent being in charge of the procurement process with the Government as the “real” customer”.
3. All translations from the original reports in French by the author.
4. For the applicability of European data protection law there is no need for actual identification of the data subject: it is sufficient that the person concerned is identifiable.
5. Under the GDPR, “processors must maintain a record of all categories of processing activities to demonstrate compliance with their obligations under the regulation” (art. 30.2). Processors are also required to implement appropriate technical and organisational measures to ensure the security of processing (art. 32), to appoint a Data Protection Officer (DPO) in certain situations (art. 37), and to notify data breaches to the controller (art. 33.2).
6. Which is necessary “to guarantee that all votes have been cast by eligible voters and that only the appropriate number of remote electronic votes per voter gets counted” (Scytl 2019: 38).
7. Recital 26 of the GDPR explicitly includes a scenario where it is foreseeable that further data recipients, other than the immediate data user, may attempt to identify the individuals (EU Agency for Fundamental Rights and Council of Europe 2018: 91).
8. Contrary to good practice (Council of Europe 2017c: 9.b), in France once a voter has cast an i-vote, they cannot cast a second vote in person to cancel it.
9. Universal verifiability refers to “tools which allow any interested person to verify that votes are counted as recorded” (Council of Europe 2017b: 56).
10. That is so even if an “appeal shall be sent to a competent Provincial Administrative Court within 14 days from the confirmation of the election results” (Election Act for Åland, Section 102).
References
Act on the Autonomy of Åland (2010)
Åland Data Protection Authority: DNR T1-2019 (2019a). https://www.di.ax/anslagstavla/dnr-t1-2019. Accessed 03 Aug 2020
Åland Data Protection Authority: Resultat och beslut av den beslutade Dataskyddstillsynen gällande personuppgiftsbehandling i Lagtingsvalet, särskilt fokus I-valet Dnr T1-2019 (2019b). https://www.di.ax/anslagstavla/dnr-t5-2019. Accessed 03 Aug 2020
Åland Data Protection Authority: Rapport om Säkerhetsåtgärder i E-valet samt svar från Scytl (2019c). https://www.di.ax/anslagstavla/rapport-om-sakerhetsatgarder-e-valet-samt-svar-fran-scytl. Accessed 03 Aug 2020
Article 29 Data Protection Working Party: Opinion 4/2007 on the concept of personal data (2007). https://www.clinicalstudydatarequest.com/Documents/Privacy-European-guidance.pdf. Accessed 03 Aug 2020
Article 29 Data Protection Working Party: Opinion 05/2014 on Anonymisation Techniques (2014). https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf. Accessed 03 Aug 2020
Court of Justice of the EU: Scarlet Extended SA v Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM) (2011)
CNIL: Délibération n° 2010-371 du 21 octobre 2010 portant adoption d’une recommandation relative à la sécurité des systèmes de vote électronique (2010). https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000023124205&categorieLien=id. Accessed 03 Aug 2020
CNIL: Sécurité des systèmes de vote par internet: la CNIL actualise sa recommandation de 2010 (2019a). https://www.cnil.fr/fr/securite-des-systemes-de-vote-par-internet-la-cnil-actualise-sa-recommandation-de-2010. Accessed 03 Aug 2020
CNIL: Délibération n° 2019-053 du 25 avril 2019 portant adoption d’une recommandation relative à la sécurité des systèmes de vote par correspondance électronique, notamment via Internet (2019b). https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000038661239. Accessed 03 Aug 2020
Code électoral, France (2019)
Council of Europe: Recommendation CM/Rec(2017)5 of the Committee of Ministers to member States on standards for e-voting (2017a). https://search.coe.int/cm/Pages/result_details.aspx?ObjectId=0900001680726f6f. Accessed 03 Aug 2020
Council of Europe: Explanatory Memorandum to Recommendation CM/Rec(2017)5 of the Committee of Ministers to member States on standards for e-voting (2017b). https://search.coe.int/cm/Pages/result_details.aspx?ObjectId=0900001680726c0b. Accessed 03 Aug 2020
Council of Europe: Guidelines on the implementation of the provisions of Recommendation CM/Rec(2017)5 on standards for e-voting (2017c). https://search.coe.int/cm/Pages/result_details.aspx?ObjectId=090000168071bc84. Accessed 03 Aug 2020
Duenas-Cid, D., Krivonosova, I., Serrano, R., Freire, M., Krimmer, R.: Tripped at the finish line: the Åland Islands internet voting project. In: Krimmer, R., et al. (eds.) Electronic Voting. Fifth International Joint Conference, E-Vote-ID 2020. Springer, Cham (2020)
Election Act for Åland (2019)
EU Agency for Fundamental Rights and Council of Europe: Handbook on European data protection law - 2018 edition (2018). https://fra.europa.eu/sites/default/files/fra_uploads/fra-coe-edps-2018-handbook-data-protection_en.pdf. Accessed 03 Aug 2020
European Commission: Free and Fair elections. Guidance Document. Commission guidance on the application of Union data protection law in the electoral context (2018). https://ec.europa.eu/commission/sites/beta-political/files/soteu2018-data-protection-law-electoral-guidance-638_en.pdf. Accessed 03 Aug 2020
International Covenant on Civil and Political Rights (1966)
International IDEA: International Obligations for Elections. Guidelines for Legal Frameworks (2014). https://www.idea.int/sites/default/files/publications/international-obligations-for-elections.pdf. Accessed 03 Aug 2020
Krimmer, R., Duenas-Cid, D., Krivonosova, I., Serrano, R., Freire, M., Wrede, C.: Nordic Pioneers: facing the first use of Internet Voting in the Åland Islands (Parliamentary Elections 2019) (2019). https://doi.org/10.31235/osf.io/5zr2e. Accessed 03 Aug 2020
Lécuyer, Y.: Le droit a des élections libres. Council of Europe, Strasbourg (2014)
OSCE/ODIHR: Republic of France Parliamentary Elections, 10 and 17 June 2012. Needs Assessment Mission Report (2012a). https://www.osce.org/files/f/documents/7/5/90763.pdf. Accessed 03 Aug 2020
OSCE/ODIHR: Republic of France Parliamentary Elections, 10 and 17 June 2012. Election Assessment Mission Final Report (2012b). https://www.osce.org/files/f/documents/7/7/93621.pdf. Accessed 03 Aug 2020
OSCE/ODIHR: France Presidential and Parliamentary Elections, 2017. Needs Assessment Mission Report (2017c). https://www.osce.org/files/f/documents/0/8/311081.pdf. Accessed 03 Aug 2020
Protocol (no. 1) to the Convention for the Protection of Human Rights and Fundamental Freedoms (European Convention on Human Rights, ECHR) (1952)
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR) (2016)
Sénat: Rapport d’information fait au nom de la commission des lois constitutionnelles, de législation, du suffrage universel, du Règlement et d’administration générale (1) sur le vote électronique (2014). https://www.senat.fr/rap/r13-445/r13-4451.pdf. Accessed 03 Aug 2020
Sénat: Rapport d’information fait au nom de la commission des lois constitutionnelles, de législation, du suffrage universel, du Règlement et d’administration générale (1) sur le vote électronique (2018). http://www.senat.fr/rap/r18-073/r18-0731.pdf. Accessed 03 Aug 2020
Scytl Secure Electronic Voting, S.A.: Åland’s I-voting Project. Clarification of the Audit Report by the Åland Data Protection Authority (2019). https://www.di.ax/sites/default/files/attachment/pinboard-message/data_protection_audit_clarifications_v3.0.pdf. Accessed 03 Aug 2020
TechLaw Sweden AB: Granskning av säkerhetsåtgärder hos Scytl (2019). https://www.di.ax/sites/default/files/attachment/pinboard-message/rapport-aland-scytl-190916_0.pdf. Accessed 03 Aug 2020
Universal Declaration on Human Rights (1948)
Acknowledgments
This work has received funding from the European Commission under the auspices of PROMETHEUS Project, Horizon 2020 Research and Innovation action (Grant Agreement No. 780701).
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Rodríguez-Pérez, A. (2020). My Vote, My (Personal) Data: Remote Electronic Voting and the General Data Protection Regulation. In: Krimmer, R., et al. Electronic Voting. E-Vote-ID 2020. Lecture Notes in Computer Science(), vol 12455. Springer, Cham. https://doi.org/10.1007/978-3-030-60347-2_11
DOI: https://doi.org/10.1007/978-3-030-60347-2_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-60346-5
Online ISBN: 978-3-030-60347-2
eBook Packages: Computer Science (R0)