EU ad campaign broke bloc’s privacy rules
The European Commission’s data protection oversight body has found that an advertising campaign by the bloc on X (formerly Twitter) in the fall of 2023 breached its privacy regulations. A regional privacy rights nonprofit noyb, which launched the complaint, said the campaign had illegally used “political micro-targeting.”
According to noyb’s statement on Friday, the EC tried to sway opinion and “indirectly promote” to users in the Netherlands a controversial chat control regulation proposal. The Commission targeted politically liberal and left-leaning users on X in a bid to “flip” public sentiment.
The 2022 CSAM (child sexual abuse material) draft law has attracted criticism among digital rights activists for potentially forcing messaging apps to conduct mass online surveillance in a bid to find and report child abuse material. In June the EU Council temporarily withdrew voting on the legislation, according to reports.
Noyb (named after the phrase None of Your Business) said that the Commission’s strategy involved using “proxy data” to target specific groups while deliberately excluding conservative audiences by targeting users who had no interest in keywords like Qatargate, Brexit, Marine Le Pen, Alternative für Deutschland, Vox, Christian, Christian-phobia or Giorgia Meloni. Noyb highlighted that the targeted data included sensitive political opinions without explicit consent from users, which is restricted under EU regulations.
“Using political preferences for ads is clearly illegal,” noyb’s data protection lawyer Felix Mikolasch said. He added that many political entities exploit such tactics while online platforms often do little to curb these practices.
According to noyb, the European Data Protection Supervisor (EDPS) confirmed that the EU had acted unlawfully though it only issued a reprimand without a fine as the practice ceased.
The EU previously argued on tech website TechCrunch that X was liable as it should have implemented the campaign according to the rules. It also previously told the publication that it “did not intend to trigger the processing of special categories of personal data.”
“We take note of the [EDPS] decision on the Commission’s campaign to raise awareness about the Commission’s legislative proposal to prevent and combat child sexual abuse material online. We will now assess the EDPS decision,” Commission Spokesperson Patricia Poropat told TechCrunch.
