Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
The European Union’s executive body was embroiled in an embarrassing privacy scandal on Friday after a Commission ad campaign on X (formerly Twitter) was confirmed to have breached EU data protection rules.
The finding by the EU’s supervisory body, the European Data Protection Supervisor (EDPS), concerns a microtargeted advertising campaign that the Commission implemented in autumn 2023 in X, which processed citizens’ sensitive data (political views) into microtargeted ads.
The advertising campaign aimed to change opinion around a controversial EU legislative proposal forcing messaging apps to scan people’s communications for CSAM (child sexual exploitation material). Critics have warned against the EU’s plan puts many democratic rights at riskthreatens end-to-end encryption and is legitimately itself unhealthy. But the Commission nevertheless collected a little reputational blows. And now a blow to this great privacy.
Finding that the EU has breached its own data protection rules a November 2023 complaint non-profit with regional privacy rights at night. The commission’s complaint against the Directorate General of Migration and Home Affairs accuses the department of “illegal micro-targeting”. However, the EU data watchdog’s findings confirm that the EU acted illegally – although the EDPS only issued a reprimand (no fine).
In a press release announcing the outcome of the complaint, Felix Mikolash, the nonprofit’s data protection attorney, wrote: “Since then Cambridge Analytica it is clear that targeted advertising can affect democracy. Using political preferences for advertising is clearly illegal. Nevertheless, many political players rely on it, and online platforms hardly take any action. Therefore, we welcome the decision of the EDPS.
noyb’s complaint highlighted how the Commission’s advertising campaign in X sought to indirectly promote the CSAM rules in order to change opinion among citizens in the Netherlands – by targeting users who are not interested in keywords such as in the country: #Qatargate, brexit, Marine Le Pen, Alternative for Germany, Vox, Christian, Christian-phobia or Giorgia Meloni.
Such keywords can be linked to people with certain (right-wing) political views – a proxy for political views that are classified as sensitive (or special category) data under EU data protection laws. The bloc’s legal standard for the lawful processing of sensitive personal data requires obtaining people’s express consent in advance – which the Commission did not do.
AB previously told TechCrunch that the ad campaign was “developed and implemented under a framework agreement with a contractor.” It also said its contract with the contractor contained “data protection safeguards” aimed at ensuring compliance with relevant regulations – claiming X was the recipient of the campaign and “could be expected to carry it out in accordance with the platform’s terms and conditions.” legal regulations, in particular GDPR (General Data Protection Regulation)”.
So, in other words, the Commission tried to blame Xi for any illegal advertising targeting. (Note: there is noyb separate complaint against X for this political process remains under investigation by data protection authorities. However, as the EDPS found that X was carrying out illegal processing, we contacted the social media firm for a response).
The Commission has also previously said it “does not intend to start processing special categories of data” – stressing that such processing “should not take place” at that time (in May 2024).
It added that it was taking steps to ensure “all services are reminded of the existing rules”. And according to noyb, the reason the EDPS only issued a reprimand – not a fine – was because the Commission stopped the practice. So it’s unlikely we’ll see more controversial EU micro-targeting anytime soon.
There is also a new college of commissioners now – so Home Affairs Commissioner Ylva Johansson, who was responsible for the CSAM proposal under the last mandate when the offensive advertising campaign was launched, is no longer in office to receive the EDPS slap. .
Although earlier this year the Commission was still questioning whether sensitive data was being processed by the campaign, the EDPS ruling confirms that such processing was both taking place and unlawful.
This finding should affect noib’s still open complaint against X and other similar complaints about micro-targeting of sensitive data. (And given how such ad technologies typically work, there’s a higher chance that such complaints could lead to actual GDPR fines — where fines can reach 4% of global annual turnover.)
“We have a lot more to do with political micro-targeting in Member States,” Mikolasch said. “Many political parties resort to the same illegal act. We hope that the EDPS decision will be a guiding light for national authorities currently investigating such practices.”
We have reached out to the Commission for a response to the EDPS’s decision, and spokeswoman Patricia Poropat accepted our request but had no comment at the time of writing.
We also put questions to the EDPS and the Irish Data Protection Commission, the body that will lead the investigation into X’s microtargeting. If they respond, they will update this report.
Reached for comment, Danny MekicA technologist who first saw the Commission’s ad campaign and raised concerns about its use of microtargeting welcomed the EDPS’s “swift action” – telling TechCrunch he was pleased with the outcome of the investigation. However, he asked why “a more far-reaching sanction was not imposed” – he pointed out Comments made by Johansson Following the publication of his disturbing article in which he claimed the ad campaign was “100%” legal.
“In this case, given what the commissioner said, a wider investigation into this illegal investigation, which is called ‘standard normal practice’, would be justified,” Mekic said, adding: “As far as I’m concerned, tougher sanctions will be applied. is right for not taking his important and well-founded signals seriously.”
This report has been updated with additional commentary
