The European Union’s executive branch is grappling with a significant privacy controversy after it was revealed on Friday that an advertising initiative by the Commission on X (formerly Twitter) violated the EU’s own data protection regulations.
The revelation comes from the European Data Protection Supervisor (EDPS), which identified issues in a micro-targeted ad campaign conducted by the Commission on X during the fall of 2023. This campaign involved the processing of sensitive personal data—specifically political opinions—aimed at refining the target audience for the advertisement.
The purpose of this ad campaign was to influence public sentiments regarding a contentious EU legislative measure that would mandate messaging applications to scan users’ communications for CSAM (child sexual abuse material). Critics have pointed out that this proposal poses risks to various democratic rights, jeopardizes end-to-end encryption, and is fraught with legal challenges. Despite this backlash, the Commission continued with its plans, encountering several reputational setbacks, culminating in this substantial privacy violation.
The EDPS decision stems from a complaint filed in November 2023 by the privacy advocacy group, noyb. This complaint alleged that the Commission’s Directorate General for Migration and Home Affairs engaged in “unlawful micro-targeting.” According to noyb, the findings from the EU’s data regulator confirm that the EU acted outside the law, although the EDPS opted to issue only a reprimand with no financial penalties.
In a press release regarding the decision, Felix Mikolasch, a lawyer specializing in data protection for the nonprofit, stated: “Since the Cambridge Analytica incident, it has become evident that targeted advertising can sway democratic processes. Utilizing political inclinations for ad targeting is undeniably illegal. Yet, many political entities depend on it, with minimal accountability from online platforms. Thus, we welcome the EDPS’s ruling.”
Noyb’s complaint emphasized that the Commission’s ad campaign sought to subtly advocate for the CSAM regulation with the goal of influencing the views of Dutch citizens. It specifically targeted individuals in the Netherlands who showed no interest in keywords associated with certain political figures or movements, such as: #Qatargate, Brexit, Marine Le Pen, Alternative für Deutschland, Vox, Christian, Christian-phobia, and Giorgia Meloni.
These keywords are likely linked to individuals with specific (right-wing) political affiliations, causing the data processing to effectively serve as a proxy for political leanings, which are categorized as sensitive data under EU regulations. The legal framework governing the processing of sensitive personal data requires obtaining explicit consent from individuals prior to such actions, a consensus that the Commission failed to secure.
Previously, the EU informed TechCrunch that the ad campaign was “designed and executed via a framework contract with a contractor.” They asserted that this contract included “data protection safeguards” necessary to comply with applicable rules. The EU also contended that responsibility lay with X to implement the campaign according to its terms and conditions and applicable legal standards, particularly the GDPR [General Data Protection Regulation].
In essence, the Commission attempted to transfer blame to X for any unlawful ad targeting. (Note: noyb has a distinct complaint lodged against X concerning this political processing, which is still under review by data authorities.) Given the EDPS’s confirmation of unlawful processing on X, we have reached out to the platform for a statement.
The Commission previously indicated that it “did not intend to trigger the processing of special categories of personal data,” and stressed in May 2024 that such processing “should not have occurred.”
Additionally, the Commission stated at that time that it had taken measures to ensure that “existing rules were reiterated to all services.” Noyb has indicated that the reason the EDPS only issued a reprimand rather than a fine is that the Commission halted the practice. Thus, it appears unlikely that further contentious micro-targeting will occur from the EU in the near future.
There is also a new set of commissioners overseeing the proceedings now. Consequently, Ylva Johansson, the home affairs commissioner responsible for the CSAM proposal during the previous mandate under which the campaign was carried out, is no longer in the position to receive the EDPS’s rebuke.
Earlier in the year, the Commission was probing whether sensitive data had been processed through the campaign, but the EDPS’s ruling clarifies that such processing certainly occurred and was illegal.
This finding may have repercussions for noyb’s ongoing complaint against X and for other similar grievances concerning micro-targeting based on sensitive data. Given the operations of such advertising technologies, there is a heightened likelihood that these complaints could result in actual GDPR penalties, which can reach as high as 4% of a company’s global annual revenue.
“We have numerous additional cases related to political micro-targeting within Member States,” stated Mikolasch. “Many political parties engage in this same illegal behavior. We hope the EDPS’s decision will serve as a precedent for national authorities currently investigating similar practices.”
We reached out to the Commission for a response regarding the EDPS’s conclusions. Spokesperson Patricia Poropat provided a brief statement, indicating that the EU’s executive acknowledged the EDPS decision concerning its campaign to raise awareness about the legislation designed to combat child sexual abuse material online. The Commission indicated it would now evaluate the EDPS’s ruling.
We also directed inquiries to the EDPS and Ireland’s Data Protection Commission (DPC), which is likely to take the lead in investigating X’s micro-targeting activities, and will update this article if they respond.
Update: According to DPC spokesperson Risteard Byrne, “The DPC can confirm that we have received a complaint from the Dutch DPC regarding this matter and are coordinating with both the Dutch DPA and [noyb] to ascertain the full details of the complaint. Upon receiving these details, this office will begin examining the complaint to determine the progression of the case.”
In a statement, Danny Mekić, the technologist who first identified the Commission’s ad campaign and raised concerns regarding its use of micro-targeting, praised the EDPS’s “swift action,” expressing satisfaction with the outcome of the investigation. However, he questioned why “a more comprehensive penalty was not enforced,” referring to remarks made by Johansson following the release of his article, where she asserted the ad campaign was “100%” lawful.
“Given the commissioner’s statements, a broader investigation into this illegal so-called ‘standard practice’ would be warranted,” Mekić added, noting, “The European Commission failed to take such significant and substantiated signals from experts seriously.”
This report was updated to include additional comments.
Compiled by Techarena.au.
Fanpage: TechArena.au
Watch more about AI – Artificial Intelligence
