Personal data use in UK referendum


Cambridge Analytica, the data company used by both Leave.EU and Vote Leave during the UK referendum on EU membership, have refused to comment on how they used personal data during the referendum campaign. Indeed, the only public knowledge on their use of data has come from research by individuals.

Will the Commission explore the use of personal data by Cambridge Analytica throughout the campaign, so as to verify that it did not breach EU law?

Furthermore, what proposals is the Commission developing in order to protect personal data and prevent it from being used by such companies to control the outcomes of future elections and referenda?


Directive 95/46/EC [1] on the protection of personal data has been transposed in the national order of the Member States. The Directive applies to processing of personal data by private and public entities. Contrary to competition law area the Commission has no direct power vis-à-vis private operators processing personal data. The Commission as guardian of the Treaties retains its usual power to engage in infringements proceedings against Member States.

The national data protection authorities are responsible at national level for monitoring and enforcing the national rules transposing Directive 95/46/EC, including in cases of breaches of data protection provisions. The data protection authorities must act with complete independence in exercising the functions entrusted to them and each such authority must be endowed with investigative powers and with effective powers of intervention. In addition, enforcement of the national rules should also be ensured through national courts.

The EU General Data Protection Regulation (GDPR)[2] essentially updates and modernises the principles already enshrined in the current 1995 Data Protection Directive and it will apply as of 25 May 2018. It focuses on reinforcing individuals’ rights, strengthening the EU internal market, ensuring stronger enforcement of the rules and streamlining international transfers of personal data. The GDPR is the expression of a balanced approach which ensures that data protection rights of individuals are protected whilst ensuring the free flow of data within the EU. Ensuring consistent application of the GDPR and proper familiarisation with the new legal framework is first and foremost the responsibility of the data protection authorities of the Member States.

[1]  Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281 , 23/11/1995, p. 31.

[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4/5/2016, p. 1.