It's been almost a year since the EU's executive announced it would propose rules for political ads transparency in response to concern about online microtargeting and big data techniques making mincemeat of democratic integrity and accountability.
Today it's come out with its proposal. But frankly it doesn't look like the wait was worth it.
The Commission's PR claims the proposal will introduce "strict conditions for targeting and amplifying" political advertising using digital tools -- including what it describes as a ban on targeting and amplification that use or infer "sensitive personal data, such as ethnic origin, religious beliefs or sexual orientation".
However the claimed 'ban' does not apply if "explicit consent" is obtained from the person whose sensitive data is to be exploited to better target them with propaganda -- and online 'consents' to ad targeting are already a total trashfire of non-compliance in the region.
So it's not clear why the Commission believes politically vested interests hell-bent on influencing elections are going to play by a privacy rule-book that almost no online advertisers operating in the region currently do, even the ones that are only trying to get people to buy useless plastic trinkets or 'detox' teas.
In a Q&A offering further detail on the proposal, the Commission lists a set of requirements that it says anyone making use of political targeting and amplification will need to comply with, which includes having an internal policy on the use of such techniques; maintaining records of the targeting and use of personal data; and recording the source of said personal data -- so at best it seems to be hoping to burden propagandists with the need to create and maintain a plausible paper trail.
Because it is also allowing a further carve-out to allow for political targeting -- writing: "Targeting could also be allowed in the context of legitimate activities of foundations, associations or not-for-profit bodies with a political, philosophical, religious or trade union aim, when it targets their own members."
This is incredibly vague. A "foundation" or an "association" with a political "aim" sounds like something any campaign group or vested interest could set up -- i.e. to carry on the "legitimate" activity of (behaviorally?) targeting propaganda at voters.
In short, the scope for loopholes for political microtargeting -- including via the dissemination of disinformation -- looks massive.
On scope, the Commission says it wants the incoming rules to apply to "ads by, for or on behalf of a political actor" as well as "so called" issue-based ads -- aka politically charged issues that can be a potent proxy to sway voters -- which it notes are "liable to influence the outcome of an election or referendum, a legislative or regulatory process or voting behaviour".
But how exactly the regulation will define ads that fall in and out of scope remains to be seen.
Perhaps the most substantial measure of a very thin proposal is around transparency -- where the Commission has proposed "transparency labels" for paid political ads.
It says these must be "clearly labelled" and provide "a set of key information" -- including the name of the sponsor "prominently displayed and an easily retrievable transparency notice"; along with the amount spent on the political advertisement; the sources of the funds used; and a link between the advertisement and the relevant elections or referenda.
However, again, the Commission appears to be hoping that a few transparency requirements will enforce a sea change on an infamously opaque and fraud-filled industry -- one that has been fuelled by rampant misuse and unlawful exploitation of people's data. Rather than cutting off the head of the hydra by actually curbing targeting -- such as by limiting political targeting to broad-brush contextual buckets.
Hence it writes: "All political advertising services, from adtech that intermediate the placement of ads, to consultancies and advertising agencies producing the advertising campaigns, will have to retain the information they have access to through the provision of their service about the ad, the sponsor and the dissemination of the ad. They will have to transfer this information to the publisher of the political ad -- this can be the website or app where the ad is seen by an individual, a newspaper, a TV broadcaster, a radio station, etc. The publisher will need to make the information available to the individual who sees the ad."
"Transparency of political advertising will help people understand when they see a paid political advertisement," the Commission further suggests, adding: "With the proposed rules, every political advertisement – whether on Twitter, Facebook or any other online platform – will have to be clearly marked as political advertisement as well as include the identity of the sponsor and a transparency notice with the wider context of the political advertisement and its aims, or a clear indication of where it can be easily retrieved."
It's a nice theory but for one thing plenty of election interference originates from outside a region where the election itself is taking place.
On that the Commission says it will require organisations that provide political advertising services in the EU but do not have a physical presence there to designate a legal representative in a Member State where the services are offered, suggesting: "This will ensure more transparency and accountability of services providers acting from outside the Union."
How exactly it will require (and enforce) that stipulation isn't clear.
Another problem is that all these transparency obligations will only apply to "political advertising services".
Propaganda that gets uploaded to online platforms like Facebook by a mere "user" -- aka an entity that does not self-identify as a political advertising service -- will apparently escape the need for any transparency accountability at all.
Even if they're -- y'know -- working out of a Russian trollfarm that's actively trying to destabilize the European Union... Just so long as they claim to be 'Hans, 32, Berliner, loves cats, hates the CSU'.
Now if platforms like Facebook were perfectly great at identifying, reporting and purging inauthentic activity, fake accounts and shady influence ops in their own backyards it might not be such a problem to leave the door open for "a user" to post unaccountable political propaganda. But a whole clutch of whistleblowers have pointed out, in excruciating detail, that Facebook at least is very much not that.
So that looks like another massive loophole -- one which underlines why the only genuine way to fix the problem of online disinformation and election interference is to put an end to behavioral targeting period, rather than just fiddling around the edges. Not least because by fiddling with some tepid measures that will offer only a flawed, partial transparency you risk lulling people into a false sense of security -- as well as further normalizing exploitative manipulation (just so long as you have a 'policy' in place).
Once online ads and content can be targeted at individuals based on tracking their digital activity and harvesting their personal data for profiling, it's open season for opaque InfluenceOps and malicious interests to work around whatever political ads transparency rules you try to layer on top of the cheap, highly scalable tools offered by advertising giants like Facebook to keep spreading their propaganda -- at the expense of your free and fair elections.
Really what this regulation proposes is to create a large admin burden for advertisers who intend to run genuinely public/above board political campaigns -- leaving the underbelly of paid mud slingers, hate spreaders and disinformation peddlers to exploit its plentiful loopholes to run mass manipulation campaigns right through it.
So it will be interesting to see whether the European Parliament takes steps to school the Commission by adding some choice amendments to its draft -- as MEPs have been taking a stronger line against microtargeting in recent months.
On penalties, for now, under the Commission proposal, 'official' advertising services could be fined for breaking things like the transparency and record-keeping requirements but how much will be determined locally, by Member States -- at a level the Commission says should be "effective, proportionate and dissuasive".
What might that mean? Well under the proposal, national Data Protection Authorities (DPAs) will be responsible for monitoring the use of personal data in political targeting and for imposing fines -- so, ultimately, for determining the level of fines that domestic rule-breaking political operators might face.
Which does not exactly inspire a whole lot of confidence. DPAs are, after all, resourced by the same set of political entities -- or whichever flavor happens to be in government.
The UK's ICO carried out an extensive audit of political parties' data processing activities following the 2018 Cambridge Analytica Facebook data misuse scandal -- and in 2020 it reported finding a laundry list of failures across the political spectrum.
So what did the EU's (at the time) best resourced DPA do about all these flagrant breaches by UK political parties?
The ICO's enforcement action at that point consisted of -- checks notes -- issuing a series of recommendations.
There was also a warning that it might take further action in the future. And this summer the ICO did issue one fine: Slapping the Conservative Party with a £10,000 penalty for spamming voters. Which doesn't really sound very dissuasive tbh.
Earlier this month another of these UK political data offenders, the Labour Party, was forced to fess up to what it dubbed a "data incident" -- involving an unnamed third party data processor. It remains to be seen what sanction it may face for failing to protect supporters' information in that (post-ICO-audit) instance.
Adtech generally has also faced very little enforcement from EU DPAs -- despite scores of complaints against its privacy-eviscerating targeting methods -- and despite the ICO saying back in 2019 that its methods are rampantly unlawful under existing data protection law.
Vested interests in Europe have been incredibly successful at stymieing regulatory enforcement against invasive ad targeting.
And, apparently, also derailing progress by defanging incoming EU rules -- so they won't do anything much to stop the big-data 'sausage-factory' of (in this case) political microtargeting from keeping on slicing 'n' dicing up the eyeballs of the citizenry.