WHY POLITICAL PARTIES CAN SEND YOU MESSAGES WITHOUT YOUR CONSENT

Emmanuel Kwasi Gadasu
Emmanuel Kwasi Gadasu
CEH || CDPS || CIPM || CIPP-E || MSc IT and Law || Data Privacy Consultant || Information Security Trainer || Programmer || IT Trainer ||
September 21, 2024

I have seen quite a few numbers of Social Media posts where persons who have received text messages from the main political parties in Ghana: the NDC and the NPP have raised serious concerns and questioned the audacity of the parties to dare send them messages. They have called on the Data Protection Commission (DPC) to exercise its mandate under the Section 2 of the Data Protection Act 843 to protect them.

2. Object of the Commission. The object of the Commission is to

(a) protect the privacy of the individual and personal data by regulating the processing of personal information, and (b) provide the process to obtain, hold, use or disclose personal information.

You are not alone in receiving these messages. I have personally received such messages from both flagbearers; with the Sender IDs JohnMahama and DrMBAWUMIA.

I am excited as a professional in the field of data protection for the reason that Ghanaians are now aware of their privacy rights enshrined in Article 18(2) of the 1992 Constitution of Ghana and under the Data Protection Act 843 (Sections 32, 33, 35, 39, 40, 41, 42, 43, and 44). This sends the signal to other companies that processes personal data of people that they (the people) know their right and can therefore not be taken for granted!

From the very many concerns raised on Social Media that I have come across, these are the summary of the concerns raised by recipients:

1. how did the political parties get their phone number in the first place?
2. they have not given their CONSENT to receive messages from political parties
3. has the Electoral Commission (EC) of Ghana shared their phone numbers with the political parties without their CONSENT?

It is important to arm ourselves with the following definitions as they pertain to data protection to help readers comprehend this write up.

Data Subject

A data subject is an identifiable natural person whose personal data is being collected, stored, or processed.

Data Controller

A data controller is the entity (company, political party, etc) or person that determines the purposes and means of processing personal data. They are responsible for ensuring that data is processed in compliance with data protection laws and for protecting the rights of data subjects.

Data Processor

A data processor is an entity or person that processes personal data on behalf of the data controller, following the controller’s instructions. They do not own the data or decide how it is processed but must ensure that their processing activities comply with the contractual obligations set by the data controller and applicable laws.

Processing

Processing refers to any operation or set of operations performed on personal data, such as collecting, storing, modifying, transmitting, or deleting it. It encompasses both automated and manual handling of data, covering a wide range of actions performed on personal information.

Consent

To consent is to give permission for something to happen or agreement to do something. It must be freely given, specific, informed, and unambiguous agreement by a data subject for the processing of their personal data. For consent to be valid under data protection laws, it must be an active opt-in and revocable at any time by the data subject.

Most people have the erroneous understanding that CONSENT is the only basis by which a data controller (i.e. political party) can process your personal information. There are other legal bases by which your personal data can be processed by the political parties.

The following are the legal bases by which an entity including political parties (data controllers) could use (process) your personal information. Note this is evident in most of the data protection laws across the world – GDPR, CCPA, POPIA, DPDP, etc.

1. Consent

Processing is lawful if the data subject has given explicit, informed, and unambiguous consent for specific purposes. This requires a clear opt-in process, and the individual must be able to withdraw consent at any time. The consent must be freely given without any pressure or coercion.

2. Contractual Necessity

Processing is necessary when it’s required to fulfil a contract with the data subject, or to take steps before entering into a contract. This legal basis applies, for example, when providing services, delivering goods, or managing employment contracts. The data processed must directly relate to the contractual obligations.

3. Legal Obligation

Processing is lawful if it’s necessary for compliance with a legal obligation to which the data controller is subject. This basis applies when a law requires the processing of personal data, such as tax reporting or employment laws. It does not cover obligations imposed by a contract, but only those required by statutory or regulatory laws.

4. Vital Interests

Personal data can be processed if it’s necessary to protect the vital interests of the data subject or another person, typically in life-threatening situations. This basis is often used in emergencies where consent cannot be obtained, such as medical emergencies. It is limited to urgent and serious situations involving the protection of life or health.

5. Public Interest

Processing is lawful if it is necessary for performing a task carried out in the public interest or in the exercise of official authority vested in the data controller. This basis is often used by governmental bodies, public authorities, or organizations acting in the public’s interest, such as electoral registers or public health initiatives. It requires a legal basis, such as laws or regulations, to justify the public interest task.

6. Legitimate Interests

Processing is lawful if it’s necessary for the legitimate interests pursued by the data controller or a third party, provided those interests are not overridden by the data subject’s rights and freedoms. This basis requires a balancing test between the controller’s interest and the individual’s privacy rights. It’s commonly used in scenarios such as direct marketing, fraud prevention, or employee monitoring, as long as the impact on privacy is minimal.

From a data protection perspective, a political party can send SMS to citizens on the following legal bases:

1. Consent

Explicit Consent: The most straightforward and GDPR-compliant legal basis is obtaining explicit consent from individuals. Citizens must actively agree to receive SMS communications from the political party, typically through an opt-in process where they provide their mobile numbers and consent to such messages.

Conditions for Consent: The consent must be freely given, informed, specific, and unambiguous. Individuals should be able to withdraw consent at any time, and the process for doing so must be simple and clear.

2. Legitimate Interests

Legitimate Interests of the Political Party: Political parties may argue that sending SMS to citizens aligns with their legitimate interest to communicate with voters or promote democratic engagement, particularly during election campaigns. However, this basis requires a Legitimate Interests Assessment (LIA) to ensure that the party’s interests do not override the rights and freedoms of the individuals receiving the messages.

Balancing Test: The party must demonstrate that the communications are necessary for its purpose and that citizens’ privacy rights are not unduly impacted. Additionally, there must be an easy way for citizens to opt-out of further communication.

3. Public Interest

Tasks in the Public Interest: Some political communications can fall under tasks carried out in the public interest, such as promoting democratic participation or informing citizens about electoral processes. This legal basis may apply if the messages are essential to a public function or directly linked to democratic engagement.

4. Contractual Necessity

Service Information: In cases where citizens have signed up for membership or services with the political party, and SMS messages are necessary to fulfil contractual obligations, the party can rely on this legal basis. This would cover situations such as sending membership-related updates.

Other Considerations:

Transparency and Privacy Notices: Political parties must provide clear privacy notices detailing how personal data, including phone numbers, is collected, stored, and used. They should inform citizens of their rights, including the right to withdraw consent or object to processing.

Opt-Out Mechanism: Regardless of the legal basis, every SMS must provide a clear and easy way for recipients to opt out of receiving further messages.

Since the political parties have not sought the CONSENT of the individuals before sending the SMS, legitimate interest will be the primary legal bases for sending political SMS under data protection laws, with the party needing to ensure that they fully comply with the relevant provisions to avoid breaching data protection laws.

The next matter to deal with is how did the political parties get your number to send you the SMS? There are two potential sources from which political parties could get your personal data from the electioneering processes in Ghana:

1. By Law 2. Through the Registration Process
2. By Law

There two provisions in CI 91 that gives the Electoral Commission the power to share your Voters registration Details with the political parties: CI 91 regulation 5 (e) and regulation 22 (1) (2).

The registration Officer is mandated by CI 91 5(e) to provide the political parties with the details of those registered by what is commonly known as EOD: End of Day. The CI 91, regulation 5(e) states:

5. A registration officer shall

(e) at the end of each registration day of the national registration period make available to the political parties the names, ages, dates of birth, sex and residential addresses of the applicants registered at the centre and those whose registration have been challenged; and

In Regulation 22 of CI 91, it provides as follows:

22. Compilation of provisional register of voters

(1) The Commission shall, not later than three months from the end of the registration period, compile a provisional register of voters in the country, stating the name, age, sex, residential address and showing the photograph of each person whose application for registration was accepted at a registration centre.

(2) At the end of the compilation of the provisional register as provided in subregulation (1), a copy of the provisional register shall be given to each registered political party in the form determined by the Commission.

This means that by law, the Electoral Commission is mandated under CI 91 to provide all the registered political parties a copy of the provisional electoral register.

2. Through the Registration Process

During the Voter registration process, representatives of the political parties are present to also collate the names of people whose names have been enlisted in the Voters Register independently.

Although your phone number is captured in the system, this is not mandatory for registration hence some EC officers may choose to ignore it during the registration process. In most cases at the registration centres, the Political Party Representatives take phone numbers of the voters. Your residential address captured which is mandatory.

So, not only do the political parties have your phone number to send you SMS, but they can even pay you a visit in your residence because they have it and they can easily identify you because they have your picture!

If the EC has not officially given them your phone number as dictated by CI 91, how did they get it then? Maybe you might have offered it to them during the registration process or they could through other means get your phone number since they have your name!

Now the most important question is: are the political parties in violation of the Data Protection Act 843 in sending you SMS without your consent? As established, CONSENT is not the only legal basis for the political parties to send you SMS.

They may rely on their legitimate interest to inform you as a Ghanaian Registered Voter to inform you about their flagbearers vision, policies, etc to convince you to vote for them.

Ghanaians will decide on 7th December 2024 whether to RESET or UPGRADE and each side need to market their flagbearer to the voters including you! However, in sending their messages to you, they need give you the opportunity to OPT-OUT of receiving further messages from them! They will be in compliance of the Data Protection Act 843 even without your consent if they send you SMS with the option to OPT-OUT!

I wish all of us a peaceful Election 2024! Vote to either RESET or UPGRADE Ghana. Your Vote Is Your Power!

Author: Emmanuel K. Gadasu

(CEH, CDPS, CIPM, CIPP/E, BSc IT, MSc IT and Law, LLB*)

The writer is a Data Protection and Cybersecurity Consultant, Practitioner and Trainer! You can reach him for further comments by Call/WhatsApp/Telegram +233 24391 3077 or via email: ekgadasu@gmail.com.

LinkedIn: https://www.linkedin.com/in/emmanuelgadasu/

Facebook: https://web.facebook.com/emmanuel.gadasu/