Electronic voting and personal data protection: the new GDPR rules

The issue of e-voting is also about the protection of personal data, General Data Protection Regulation (GDPR) rules, and the measures needed to ensure privacy.

Electronic (eVoting) and online (iVoting) voting are among the most exciting technological innovations in participatory democracy in recent years. Through the use of advanced computer systems, it is possible to cast one’s vote electronically, with all the advantages that come with it in terms of convenience, speed, and security.

However, the adoption of this technology requires caution especially on the protection of voters’ personal data. In this article, we will explore the General Data Protection Regulation (GDPR) rules in relation to electronic voting, and see what measures need to be taken to ensure adequate privacy protection.

What is GDPR?

The GDPR is the European Data Protection Regulation that came into force on May 25, 2018, replacing the previous European Directive of 1995. Its main objective is to ensure a high level of protection for the fundamental rights and freedoms of individuals, particularly with regard to the processing of personal data. The GDPR applies to all organizations that process personal data, regardless of whether they are public or private, large or small. This means that any organization that collects, uses or stores personal data of individuals within the European Union must comply with the GDPR.

Electronic voting and data processing

In the case of digital voting, the processing of personal data takes on special importance. The information collected during the voting process may include sensitive voter data. For this reason, the GDPR establishes a set of rules and principles to be followed to ensure proper handling of personal data in the context of digital voting.

Transparency

One of the fundamental principles of the GDPR is that of transparency. Organizations that process personal data must adequately inform data subjects about how their personal data are collected, processed, and stored, as well as the security systems in place to prevent possible privacy breaches.

Data minimization

Another important principle of the GDPR is that of data minimization. Organizations that process personal data must collect only the information necessary to fulfill their purpose, and they must limit the amount of data processed to the bare minimum. In the case of digital voting, this means that only the data necessary to ensure voter identification should be collected, without overdoing it with superfluous or irrelevant information.

Security of personal data

The GDPR also requires that appropriate technical and organizational measures be taken to ensure the security of personal data. In the case of telematics voting, this means that secure and reliable computer systems must be used that are capable of preventing any cyber attacks or unauthorized intrusions. In addition, organizations must adopt procedures for backing up and restoring data in the event of technical problems or system malfunctions.

Finally, the GDPR provides for the right of data subjects to access their personal data, to request its rectification or erasure, and to object to its processing in certain cases. To ensure the effective application of GDPR rules in the context of digital voting, the privacy guarantors of EU member states have issued specific guidelines.

For example, the Italian data protection guarantor published a document in 2019 entitled. “Electronic voting: rules and guarantees for the protection of personal data”, in which the main privacy issues in the context of electronic voting are addressed. Among the recommendations in the document is to use verifiable end-to-end voting systems, which allow voters to verify that their vote has been counted correctly without revealing their vote to third parties.