[ad_1]
The European Union’s executive body is facing an embarrassing privacy scandal after it was confirmed on Friday that the Commission’s advertising campaign on X (formerly Twitter) breached EU data protection rules.
The finding by the EU watchdog, the European Data Protection Supervisor (EDPS), relates to a micro-targeted advertising campaign that the Commission ran on
The aim of the ad campaign was to influence opinion on a controversial EU legislative proposal to force messaging apps to scan people’s communications for child sexual abuse material. Critics have warned that the EU plan risks a wide range of democratic rights, threatens universal encryption, and is itself legally unsound. But the commission continued to operate regardless, and suffered some blows to its reputation. Now that’s the big privacy policy.
The finding that the EU had breached its own data protection rules follows a complaint filed by regional non-profit Privacy Rights in November 2023. noyb. Her complaint against UNHCR’s Directorate General of Migration and Home Affairs accused the department of “unlawful micro-targeting.” However, the EU data supervisor’s findings confirm that the EU acted unlawfully – even though the EDPS only issued a reprimand (without a fine).
In a press release announcing the outcome of the complaint, Felix Mikulach, a data protection lawyer at the nonprofit, wrote: “Since Cambridge Analytica, it has been clear that targeted advertising can influence democracy. Using political preferences for ads is clearly illegal. However “Many political players rely on it, and online platforms take almost no action. Therefore, we welcome the EDPS’ decision.”
Noebe’s complaint highlighted how the Commission’s advertising campaign on #Qatar, Brexit, Marine Le Pen, Alternative for Germany, Vox, Christianity, Christianophobia or Georgia Meloni.
These keywords may be associated with people with certain (right-wing) political opinions – making the processing a proxy for political opinions, which is classified as sensitive (or special category) data under EU data protection laws. The bloc’s legal standard for lawfully processing sensitive personal data requires obtaining explicit consent from people in advance – which the Commission has not done.
EU previously told TechCrunch that the ad campaign was “designed and implemented through a framework contract with a contractor.” It also said that its contract with the contractor included “data protection guarantees” aimed at ensuring compliance with relevant regulations – arguing that it was X who had accepted the campaign and “was expected to implement it in accordance with the terms and conditions of the applicable statute and rules”. Legal rules, in particular the General Data Protection Regulation (GDPR).
In other words, the Commission sought to blame X for any unlawful advertising targeting. (Note: noyb has a separate complaint against
The Commission also previously said that it “does not intend to give effect to the processing of special categories of personal data” – stressing at that point (May 2024) that such processing “should not have taken place”.
It added at the time that it had taken steps to ensure “all services are reminded of the current rules”. In any case, the reason EDPS only issues a reprimand — not a fine — is because the commission stopped the practice. So it seems unlikely that we will see more controversial microtargeting in the EU any time soon.
There’s also a new set of commissioners in place now – so Ylva Johansson, the Home Affairs Commissioner who was in charge of the CSAM proposal under the last mandate when the offending ad campaign was run, is no longer in office to be slapped with EDPS.
While – earlier this year – the Commission was still inquiring about whether or not sensitive data had been processed by the campaign, the EDPS decision confirms that such processing occurred and was unlawful.
This discovery should have implications for noyb’s still-open complaint against X, and other similar complaints about the microtargeting of sensitive data. (Given how these advertising technologies typically work, there is a greater possibility that these types of complaints could result in actual fines under the GDPR – penalties can be up to 4% of total global annual sales.)
“We have many cases of political microtargeting in member states,” Mikuláš noted. “Many political parties are engaging in the same illegal practice. We hope that the EDPS decision will serve as a guiding light for national authorities currently investigating such practices.
We have reached out to the Commission for a response to the EDPS decision and its spokesperson, Patricia Porobat, acknowledged our request but had not provided a statement at the time of writing.
We have also posed questions to the EDPS and the Irish Data Protection Commission, the authority likely to lead the investigation into the micro-targeting of X. This report will be updated if they respond.
[ad_2]