LONDON — From Brexit to Donald Trump's election and even the rise of France's Emmanuel Macron, data-based campaigning has fueled the most disruptive political changes of recent years.

But the data revolution in politics is about to hit serious trouble.

When Europe enforces sweeping new privacy rules from May 25, many political parties will have to re-examine how they use data to win elections, or risk exposing themselves to legal attacks from data protection authorities.

While the EU's privacy overhaul, the General Data Protection Regulation (GDPR), originates in Brussels, its reach is effectively global, as other countries are adjusting their own data protection rules to keep doing business with the trading bloc. That means tougher oversight for political campaigns from Lisbon to London, with much tighter rules on how voters' data can be collected, used and stored.

In a sign of a larger backlash to come against data in politics, Facebook announced Saturday the suspension of Cambridge Analytica, a data analytics firm, for having improperly stored data on as many as 50 million voters. On both sides of the Atlantic politicians rained criticism on Facebook, which was the data firm's platform of choice for collecting data and targeting voters.

The information could be used to more effectively target door-to-door campaigns.

But the crackdown on Cambridge Analytica, which helped Donald Trump get elected U.S. president, was just a start.

Once GDPR is a reality, parties will have to reconsider how they collect even basic information about voters. In other words, email lists are about to become a potential liability. And nowhere in Europe is the heat being felt more keenly than in Britain, where many parties have embraced digital campaigning tools, and where local elections in early May are to be the last race in which current techniques are allowed.

"Political parties have collected — certainly in the Conservative Party's case — over a million email addresses, I suspect the number will be similar in the Labour Party," said Craig Elder, who led the Conservatives' digital strategy during a 2015 general election, and now runs Edmonds Elder, a digital consultancy.

"The level of consent that was collected at the time was compliant with the legislation of the day, but it may not be compliant with GDPR, which makes different demands around transparency, accountability and responsibility for personal data," he added.

From boasts to damage control

The popularity of data in campaigning has kept pace with the expansion of social media across the globe. Parties rushed to hoover up stores of data on everything from voters' emails to their income and political leanings, often by contracting the work to data experts. The information could then be used to more effectively target door-to-door campaigns, suppress votes for rival candidates via antagonistic messaging on social media or fine-tune online campaigns in support of candidates.

Britain’s data protection authority, the Information Commissioner’s Office, warns in its guidance that “vague or blanket consent” is not enough.

Alexander Nix, the boss of Cambridge Analytica and a guru of micro-targeting, is now under pressure in Britain over accusations that he used his techniques to drum up support for Brexit. He boasted in 2016 about his firm's ability to target voters based on their so-called "psychographic" profiles to a great degree of accuracy.

Such "micro-targeting" allowed campaigns, including Trump's, to reach tiny groups, or even individual voters, on Facebook according to their interests, locations and general psychological disposition. Nix has denied any role in the Brexit campaign, but did acknowledge during questioning by U.K. MPs that inciting "fear" was part of his firm's targeting arsenal.

Both British parties are big clients for political data firms. In 2017 the Tories allocated £2 million for digital campaign spending, 70 percent to Facebook, according to "Betting the House," a book about the race. Labour spent hundreds of thousands of pounds on Facebook advertising, according to a party official.

But under the new EU regulations, which the U.K. is implementing despite Brexit, the provisions that allow for data collection on a vast scale are to be reined in. People must provide a "positive opt-in" as well as stating clear and specific consent, separate from other terms and conditions, on the use of their personal data — if no other lawful means of processing that data is available.

Britain's data protection authority, the Information Commissioner's Office, warns in its guidance that "vague or blanket consent" is not enough. Nor should groups of any type make consent to sharing data a precondition for using their services, it says.

Such rules could hollow out the email lists of political parties and threaten the quality of the data sources they use, according to MPs and former campaign insiders from the two major U.K. political parties.

Elder thinks the new rules could threaten the parties' email lists. The Conservatives grew their email address database from 300,000 people to 1.5 million in 2015 — with much of the information collected about voters in marginal seats.

A Facebook advertisement offering people the chance to find out how much their income tax would be cut while collecting their email address, postcode and salary was used to great effect by the Tories in that election, which secured David Cameron an unexpected majority.

Labour also collected vast amounts of data through its National Health Service baby number website offering people the chance to find out how many babies had been born before them on the NHS in return for their email address and date of birth.

Both were completely up front and in line with data protection rules at the time, according to Elder. But he thinks changes to the law will make things “much more difficult.”

With the U.K.’s data watchdog and a committee of British MPs separately probing data practices of past elections, further reforms could follow.

The Conservatives did not respond to POLITICO's request for a comment. In a statement a Labour Party spokesman said the party was "currently going through a rigorous process" of ensuring it was fully compliant with GDPR.

"This includes establishing information asset registers, reviewing and strengthening data security and establishing and confirming the legal basis for the data we hold and process as a political party, which includes both consent from individuals and statutory entitlement," the statement said.

Conservative MP Simon Hart, a member of the digital, culture, media and sport select committee, which is currently looking at the use of data in recent elections, warned the opt-in process was "probably going to result in an awful lot of people who are just historically on databases disappearing."

That is just to start. With the U.K.'s data watchdog and a committee of British MPs separately probing data practices of past elections, further reforms could follow.

Outside sources

It's not just data collected by political parties themselves that could be threatened by GDPR regulations, according to figures involved in the campaigning industry.

"Political parties use all sorts of data for campaigns. Core data comes from the electoral roll and is supplemented by canvassing records and data they can purchase from external suppliers or model themselves," according to Patrick Heneghan, former executive director of the Labour Party.

"The major impact of GDPR is likely to be around the availability of external data sources. The new enhanced requirements about consent are most likely to impact on the availability and quality of external data sources and therefore will have some impact on the ability to target as precisely as now," he said.

Elder is less concerned. The third-party companies political parties buy data from “seem to be doing a pretty good job of keeping themselves in line with GDPR ahead of its arrival," he said.

Also in the crosshairs: algorithms, analysis, data-matching and profiling of people’s personal information, which has become an important part of political campaigning over the last few years.

U.K. Information Commissioner Elizabeth Denham has been conducting a year-long investigation into the use of data analytics and micro-targeting of voters which is due to report back in May.

As well as attempting to "pull back the curtain" to explain what happens to people's personal data in the context of political advertising, she recently told a select committee she was actively seeking to find out if there were any contraventions of the current regulations in the Data Protection Act.

While acknowledging the use of data analytics and social media in campaigning could be "a good thing," she told MPs it needed to be made more "transparent." She also suggested there should be control and regulation around how political campaigning is happening on social media.

Ian Lucas, another member of the digital committee, said the next few months would be crucial in addressing what he called a lack of transparency on the use of social media in campaigning.

"Facebook is quite important in elections already, in 2015, the [European Union] referendum and 2017, Facebook was used a huge amount compared to 2010," he said.

"We have had three very important elections where this has been at the forefront and nobody has had a clue about how the information is being disseminated," he said.