My Vote, My (Personal) Data: Remote Electronic Voting and the General Data Protection Regulation

Abstract

On 19 September 2019, the Data Protection Authority of the Aland Islands (in Finland) published its findings on the data processing audit for the autonomous region’s parliamentary election special internet voting procedure. It claimed that there were faults in the documentation provided by the processor, which in turn meant that the election’s integrity could not be guaranteed without further precautions from the government of the Aland Islands. Since the European Union’s General Data Protection Regulation (GDPR) entered into force in May 2018, it has set new critical requirements for remote electronic voting projects. Yet, to date, no specific guidance nor research has been conducted on the impact of GDPR on remote electronic voting. Tacking stock of two recent internet voting experiences in the Aland Islands and France, this paper aims at identifying and understanding these new requirements. More specifically, based on these two case studies it analyses four different challenges on the processing of personal data in remote electronic voting under the GDPR: the definitions and categories of personal data processed in online voting projects; the separation of duties between data controllers and data processors; the secure processing of (sensitive) personal data, including the use of anonymisation and pseudonymisation techniques; as well as post-election processing of personal data, and possible limits to (universal) verifiability and public access to personal data.