This opinion article was written by Valentina Pavel, a Mozilla Fellow at Privacy International and member of the Association for Technology and Internet, based in Romania. Opinion articles do not reflect the views of Global Voices.
When the news broke that Cambridge Analytica had harvested millions of Facebook users’ personal data — and then used that information to influence elections — the fallout was swift. The UK-based data mining firm closed its doors, Facebook faced global scrutiny, and people around the world learned how easily democratic elections could be hacked by abusing voters’ personal data.
In the time since the scandal broke, you would think that democracies in Europe would have used all the tools at their disposal — including the General Data Protection Regulation (GDPR) — to prevent similar wrongdoings in the future.
But the Regulation offers some “flexibilities” for how it is integrated into national law, allowing Member States to introduce some of their own rules. In some cases, rather than protecting individuals’ rights, these exceptions limit freedom of expression, erode privacy, and abet the spread of disinformation. This lack of uniformity in applying GDPR rules could lead to differences in the level of protection of personal data within Member States, including in the context of elections.
The GDPR, which went into force in May 2018, establishes a set of EU-wide rules for the collection, processing and storing of people's personal data.
Alongside other provisions, the rules generally require private companies and organizations to obtain individuals’ consent before collecting their personal data (such as name, email, phone number and other personal and contact information). The GDPR also enhances people's rights, enabling citizens to request a copy of their data.
Although the GDPR is an EU Regulation, national governments were allowed to set some of their own provisions into national law, paving the way for some of the exemptions for political parties that are described here.
For example, in Romania, lawmakers have introduced an exemption that allows political parties and organisations to process personal data without consent and without protective measures against potential abuses, creating a sort of “wild west” of personal data. For instance, the national post office, a public body, has begun offering political parties information about elderly people, enabling political parties to target them with personalised information during the electoral campaign.
Romanian lawmakers have also introduced excessive limits on the use of personal data for journalistic purposes, in a move that could interfere with investigative journalism and prevent public interest stories from being revealed.
We have yet to see the effects of this problematic exemption. But even before this exemption was introduced, data protection authorities showed that they could use the GDPR as a tool to silence the media.
In the RISE Project case, the Romanian Data Protection Authority approached journalists who were reporting on a politician's possible ties to a fraudulent company. The Authority asked the journalists for information about their sources and threatened them with large fines. A complaint has been filed with the European Commission, but no action has been taken.
Similar rules in other countries
Romania is not the only EU country where political parties have fewer restrictions for processing personal data. In Spain, the law allows political parties to collect personal information from public sources such as websites and social media. This problematic exemption has been raised with the European Commission since November last year, but six months on no concrete action has been taken by the EU body.
Spanish local elections took place at the end of April and voters will again go to the polls in late May for European elections. Privacy International’s research has shown that there are questions as to whether political parties’ use of personal data complies with the requirements set out by the Spanish Data Protection Authority.
In the UK, the law still permits political parties to process personal data revealing political opinions without obtaining users’ consent. We already know how sensitive this can be — even before Cambridge Analytica, there was Emma’s Diary, a baby care blog that sold personal data belonging to more than one million people to political parties. This is why, despite the provision in the UK law, political parties have been urged to publicly commit not to use the exemption provided in the law to target voters.
What do these exceptions mean for citizens?
Previous abuses of personal data indicate that these exemptions could lead to the following outcomes:
More voter manipulation: Romania’s exemption essentially legalizes Cambridge Analytica’s practices. As a result, political parties can release misleading advertisements that prey on users’ personal anxieties, and influence them to vote for (or against) certain candidates. Around the world, we have seen how online disinformation has played an outsized role in elections for the past few years. These mistakes from the past should provide justification for regulators to step in and prevent more abuses from happening, but this has not yet taken place.
Threats to individual privacy and security: If a political party or advertiser has your personal data, when they get hacked, so do you. By allowing these groups to collect and store vast amounts of personal data without safeguards, millions of Europeans will become more vulnerable to data breaches and security incidents.
Less access to information: In a world of pervasive tracking where tailor-made messages can be targeted at voters, developing a truly informed opinion can be difficult. How can you think critically when you learn only bits and pieces of the story and only receive messages that are designed specifically for your ears to hear? How can there still be free and informed dialogue?
There’s never been a more important time to implement data safeguards: Disinformation has reached new heights, and the EU parliamentary elections are in a few weeks’ time. It is critical to fix these harmful exceptions before the elections and before damage is done.
On 26 May, EU voters should pressure their parliamentary candidates to put privacy high on their agendas and preserve democratic processes. After the vote, when the new European Commissioners are appointed, voters should ask them to firmly enforce GDPR and privacy protections.
Loose data processing provisions for political parties can weaken our democracies. The European Commission must do its job by ensuring that GDPR rules are consistent throughout Europe and that everyone's data is protected.