The European Union’s governing body, the European Commission, is grappling with a damaging privacy scandal following confirmation that a recent advertising campaign on social media platform X breached the bloc’s data protection regulations.
A discovery made by the European Data Protection Supervisor, related to a micro-targeted advertising campaign run by the EU’s executive arm, targeting specific individuals based on their political beliefs and processing sensitive personal data, including political opinions, in 2023.
The intended advertising strategy aimed to influence public perception by urging messaging platforms to conduct searches on users’ messages for Child Abuse Sexual Material (CSAM)? Criticisms abound regarding the EU’s proposed plan, which allegedly poses a threat to end-to-end encryption, while its own legal framework remains ambiguous. Despite the odds being stacked against him, the Fee persisted undeterred – earning a modicum of recognition along the way. The tech giant’s latest privacy policy overhaul: a massive blow to user autonomy?
Following an investigation by a regional privacy rights non-profit organization, it was discovered that the EU had breached its own guidelines for safeguarding personal information. The European Union’s Fee’s Directorate General for Migration and Home Affairs is accused by a complaint of engaging in “illegally targeting specific groups of people” in its online advertising campaigns. Despite the European Union’s Data Protection Supervisor concluding that the EU acted illegally in the Per noyb case, the EDPS’s response amounts to little more than a slap on the wrist.
As Felix Mikolasch, a knowledge safety lawyer for the non-profit, stated in a press release announcing the outcome of their grievance: “It is unmistakably evident that targeted ads have a profound impact on democratic processes.” The use of political preferences to inform advertising decisions is unequivocally illegal. Despite its significance to numerous political gamers, online platforms have taken little tangible action. Therefore, we warmly appreciate the selection made by the European Data Protection Supervisor.
Noyb’s complaint exposed how Fees’ advertising campaign on X aimed to subtly promote the CSAM regulation by targeting Dutch residents who were not keenly interested in keywords such as “child” or “abuse”.
Such phrases could potentially be linked to individuals holding specific right-wing political views—making data processing a surrogate for sensitive political opinions classified under EU data protection regulations as particularly delicate or particular-class information. The EU’s standardised regulation for handling sensitive personal data stipulates that explicit consent must be obtained from individuals prior to processing, a requirement the Commission failed to meet.
Prior to its public announcement, the European Union had notified TechCrunch that the promotional advertising effort was conceived and executed through a framework agreement with a contracted vendor. The contract with the contractor also stipulated “information security safeguards” designed to ensure compliance with relevant laws, claiming X accepted the campaign and could reasonably be expected to execute it in accordance with the platform’s terms and conditions as well as applicable legal guidelines, specifically the GDPR.
The Federal Trade Commission has pursued guilty individuals responsible for disseminating illegal advertisements across various platforms. The organization known as NB, having maintained anonymity which allows it to evade scrutiny from information security authorities. Following the European Data Protection Supervisor’s (EDPS) discovery of unlawful data processing occurring on X, our team has contacted the social media agency seeking a prompt response.
The CEO clarified earlier that the company did not intentionally trigger the processing of specific categories of personal data, emphasizing in May 2024 that this processing should not have taken place.
The agency had taken proactive measures to ensure compliance with existing regulations by explicitly reminding all relevant organizations of their responsibilities. Despite noyb’s protests, the EDPS settled for a low-key reprimand rather than a more substantial penalty due to the Fee’s sudden decision to halt proceedings? It seems improbable that we’ll witness additional provocative EU microtargeting anytime soon.
With a newly appointed faculty of commissioners, Ylva Johansson, responsible for the CSAM proposal under the previous mandate, is no longer in office to face the EDPS criticism over the controversial advertising campaign.
The European Data Protection Supervisor’s (EDPS) decision has unequivocally confirmed that sensitive data were indeed processed during the campaign, and this processing was unlawful.
The discovery should have far-reaching implications for noyb’s ongoing grievance against X, as well as similar complaints about microtargeting on sensitive data. Given how these adverts’ applied sciences often operate, there’s a heightened possibility that such complaints could lead to more concrete GDPR fines, with potential penalties reaching up to 4% of the company’s global annual revenue.
According to renowned expert Mikolasch, “We face numerous additional complexities in political microtargeting across Member States.” “Criminal activity often involves interconnected illegal operations.” “We anticipate the EDPS resolution will serve as a beacon of guidance for national authorities currently examining such practices, offering valuable insights and direction.”
At the request of this publication, we contacted the Fee for comment on the European Data Protection Supervisor’s (EDPS) resolution. Despite our inquiry, Patricia Poropat, the organization’s spokeswoman, has yet to provide a press release at the time of writing.
We have also posed questions to the European Data Protection Supervisor (EDPS) and Ireland’s Data Protection Commission, the body responsible for overseeing investigations into X’s microtargeting practices. If necessary, we can substitute this report with an alternative version upon their response.
The technologist, initially critical of Facebook’s microtargeted advert campaign, has expressed satisfaction with the European Data Protection Supervisor’s (EDPS) prompt action, praising the swift resolution of his concerns regarding the platform’s use of targeted advertising. Notwithstanding his query as to why an even more stringent penalty was not levied, he criticized her for questioning the legitimacy of a marketing campaign that she had previously declared “100%” compliant.
“On the basis of the commissioner’s statements, a more comprehensive inquiry into this alleged ‘commonplace regular practice’ can be warranted,” Mekić stated, noting: “In my opinion, a much harsher sanction would already be justified because the European Commission failed to take these critical and substantiated warnings from experts seriously.”
