As Kenya approaches its next electoral cycle, a critical conversation is unfolding about how to protect personal data while ensuring transparent and credible elections. In July, the Tatua Digital Resilience Centre participated in a multistakeholder roundtable discussion on data protection and its role in protecting democratic voting during elections.
The relationship between data and electoral integrity is not new, and elections have always depended on accurate, reliable information to function effectively. Throughout history, the quality of electoral data has determined not just election outcomes, but the legitimacy of the democratic processes involved. From voter registration records to ballot counting procedures, disputes over digital and paper data handling have sparked legal battles that have reshaped entire political systems.
In Kenya’s 2007 elections, controversies arose over discrepancies in voter registration data and polling station tallying sheets, with questions about inflated voter rolls and mismatched figures significantly contributing to the post-election conflicts that emerged. The dispute centred on fundamental data integrity issues: Were the voter registers accurate? Did the tallying forms reflect actual votes cast? These paper-based data challenges led to the establishment of the Kriegler Commission, which found significant flaws in the electoral process and data management.
The problem of voter data handling is not localised to Kenya alone; globally, similar patterns have been observed. The 2000 U.S. presidential election in Florida hinged on ballot data interpretation, and hanging chads, butterfly ballots, and voter intent became legal battlegrounds that ultimately decided the presidential outcome. Similarly, in Venezuela’s 2004 recall referendum, disputes over voter registration lists and signature verification data led to prolonged legal challenges and the need for international mediation efforts.
The digital space has amplified these longstanding challenges while creating entirely new categories of risk. Let’s consider key global examples that have shaped our understanding of modern electoral data risks:
- The Cambridge Analytica scandal revealed how Facebook data from 87 million users was harvested and used to influence the 2016 U.S. presidential election and Brexit referendum through sophisticated psychological profiling and targeted messaging.
- In Brazil’s 2018 presidential election, WhatsApp became a key battleground where misinformation campaigns used personal contact lists to spread false information through trusted family and friend networks.
- Kenya has also had its fair share of troubling cases. During the 2017 elections, there were significant concerns about the integrity of the biometric voter verification system, with technical failures and allegations of data manipulation contributing to the Supreme Court’s decision to nullify the presidential election results. The court specifically cited irregularities in the electronic transmission of results and questioned the security of the electoral technology systems.
Yet, despite these challenges, today’s elections heavily rely on more personal data than ever before. From voter registration systems that collect biometric information to sophisticated digital campaign strategies that micro-target voters with personalised messages, the electoral process has become deeply intertwined with data processing. While some technological advances have enhanced electoral efficiency and voter engagement, others have created new vulnerabilities that threaten the integrity of democratic processes.
The roundtable, which included representatives from key public interest groups and election monitoring bodies, focused on one fundamental question: How do we monitor and protect data privacy in elections while maintaining the transparency essential for democratic accountability?
Understanding Voter Rights in the Digital Age
Under Kenya’s Data Protection Act 2019, citizens have clear and comprehensive rights regarding their personal data, including the right to consent, access, rectification, and erasure. However, the electoral context creates unique complexities between citizens’ data protection rights and the rights of political candidates. For instance, in many countries electoral bodies now use biometric systems for voter verification. Additionally, political parties and candidates have the right to collect some voter data for campaign outreach and even use digital platforms for political advertising.
The challenge becomes even more complex when we consider the lack of clarity on where political parties must not source voter data. Currently, parties may obtain citizen information through official voter rolls, membership drives, purchased consumer data, or even by inferring preferences from social media behaviour. Each of these collection methods raises different privacy concerns and regulatory questions.
Technologies Behind Modern Campaigns
One of the most eye-opening discussions examined the sophisticated data-driven techniques that are now part of the digital space.
- Among the most common techniques used by politicians today is microtargeting, which allows campaigns to send personalised messages based on inferred voter preferences gathered from online platforms.
- Psychometric profiling is another common technique that uses observed behaviours to predict personality traits and voting preferences.
- Campaigns also use geotargeting and geofencing to enable location-based political messaging, while strategies like A/B testing help them optimise their communication strategies.
To illustrate how sophisticated these techniques have become, consider this example: A voter in Nairobi frequently shares articles about healthcare policy on Facebook, shops for children’s school supplies online, and has app location services that track regular visits to a particular neighbourhood. This person might be profiled as a parent concerned about education and healthcare. A political campaign could leverage this inferred information to micro-target the voter with personalised ads showing a candidate visiting local schools or discussing healthcare improvements for families, while simultaneously sending completely different messages about economic policy to their neighbour based on that person’s distinct digital footprint.
This level of personalisation means that two voters living on the same street might receive entirely different campaign promises and messaging, making it nearly impossible for citizens to have informed discussions about what candidates actually stand for, which is a fundamental requirement for healthy democratic discourse.
These techniques, combined with the proliferation of technologies like tracking pixels, cookies, and campaign apps, create an environment where voters’ digital footprints are constantly monitored and analysed. The concerns then go beyond privacy and extend to manipulation, echo chambers, and the violation of fair electoral processes.
Real Risks of Misusing Personal Data to Violate Electoral Integrity
The roundtable highlighted how data misuse violates the digital rights of citizens in addition to democratic electoral processes. Specific threats discussed include:
- Foreign Influence and Manipulation: The same data collection mechanisms that enable targeted advertising can be exploited by foreign actors seeking to influence election outcomes. When combined with AI-generated content that can create realistic fake news with familiar faces and voices, the potential for manipulation becomes particularly concerning.
- Voter Coercion and Surveillance: Personal data exploitation can enable surveillance of voting patterns and facilitate voter intimidation or coercion, undermining the principle of free and secret voting.
- Unequal Access and Unfair Advantage: Better-resourced campaigns have greater access to sophisticated data analytics and targeting tools, potentially creating an uneven playing field. Additionally, incumbents may have unfettered access to government-held citizen data, constituting an abuse of state resources.
- Security Vulnerabilities: The adoption of advanced data systems and biometric technology creates significant security vulnerabilities, with documented breaches affecting millions of voters worldwide.
The other side of the coin: We still need data transparency
While there is a clear need for better data protection to limit the opaque ways that campaigns and state-backed political parties collect and use data to manipulate electoral processes, we cannot overlook the other side of the coin. Stricter data protection could lead to inaccessible political data essential for public analysis and election monitoring. We run the risk of governments and tech platforms using data privacy arguments in bad faith to deny citizens and observers access to important electoral information.
The tension between the need for better data protection and the need for openly accessible electoral data is a critical challenge that must be addressed to achieve democratic elections while maintaining transparency for monitoring. Open elections data, including voter registration processes, boundary delimitation, political party registration, and election management decisions, is the foundation of credible elections. Yet some of this data contains personally identifiable information, such as campaign donation records, voter lists, and candidate registration details, whose owners have the right to withdraw consent and demand that their privacy be maintained.
So where do we draw the line? The discussions concluded that establishing a comprehensive monitoring framework could help observers and advocacy groups to understand which areas to call for data protection and which ones to push for more transparency. As such, we ended the conversation with a commitment to collaboratively build a framework and consider the following key issues during the process:
- Scope and Focus: Should data protection monitoring be integrated into existing election observation efforts, or should it be an independent monitoring process? The consensus leaned toward a hybrid approach that could be tailored to specific contexts and resources.
- Stakeholder Expansion: Traditional election monitoring focuses on electoral management bodies, candidates, and voters. Data protection monitoring requires engaging with a broader scope of stakeholders, including data protection authorities, marketing firms, data brokers, social media platforms, technology vendors, and telecommunications companies.
- Technical Capacity: Effective monitoring requires not just legal expertise but also technical capabilities to analyse digital campaigning techniques, assess political advertising, and understand data flows. This might involve OSINT (Open Source Intelligence) techniques, anonymous interviews with campaign consultants, and direct observation of data processing practices.
- Methodological Innovation: Monitoring might include more creative approaches, such as creating unique phone numbers and email addresses to track how they’re used by campaigns, analysing political ad libraries, reviewing election contestants’ data protection policies, and conducting legal framework analyses.
Other recommendations that emerged from the discussions include:
- Establishing clear coordination between the Office of the Registrar of Political Parties (ORPP) and the Office of the Data Protection Commissioner (ODPC) to develop mandatory disclosure guidelines for political parties’ data practices
- Building partnerships with data protection authorities to ensure ongoing monitoring and enforcement
- Creating public awareness campaigns about election data practices and voter rights, together with national data protection bodies and authorities
- Developing guidelines on personal data use for candidates and campaigns, specific to local political and cultural contexts
What’s the Way Forward?
Reflecting on this roundtable, what strikes me most is how the protection of personal data in elections isn’t just a technical or legal issue but a fundamental backbone to the health of our democracy. When voters’ digital behaviours and data are secretly profiled, manipulated, and weaponised against them, or when the electoral process itself becomes opaque due to digital complexity, the very foundation of democratic choice is undermined. To be honest, I left the discussion with more questions than answers and the chilling thought, “has my voting decision ever been informed by facts or was I secretly manipulated to think someone is the best candidate?”
Truly, the work ahead is challenging and requires bridging the gap between election laws and data protection regulations, building new technical capacities within civil society, and creating accountability mechanisms for an increasingly complex digital electoral ecosystem. But it’s work that’s essential if we want to ensure that digital technologies support rather than threaten democratic participation. We have a responsibility to ensure that democracy evolves hand-in-hand with the digital space, especially when you remember that election decisions impact not just us but future generations.
Tatua continues to monitor developments in digital rights, recognising their fundamental importance to civil society and other human rights. We remain committed to tracking these issues and providing updates as the landscape evolves. This blog represents part of our ongoing effort to inform and empower civil society organisations in navigating the complex challenges introduced by digital technologies.