A micro-targeted advertising controversy that implicated European Union lawmakers in anti-privacy practices prohibited by laws they helped pass is the subject of a new complaint filed by the non-profit privacy defense organization noyb.
The complaint against the European Commission’s Directorate-General for Migration and Home Affairs was filed today with the European Data Protection Supervisor (EDPS), which oversees EU institutions’ compliance with the bloc’s data protection laws.
noyb accuses the Commission of “illegal micro-targeting” on X (Twitter) in connection with a Commission legislative proposal aimed at combating child sexual abuse.
It says it also plans to file a complaint against of “special category” under the bloc’s General Data Protection Regulation (GDPR). These sensitive categories of personal data require the explicit consent of individuals for processing, and it is not clear whether individual authorization was obtained from all users whose data was processed in this way (either by the Commission) before the advertisements targeted users of the microblogging platform.
“We are currently considering filing a complaint against X since the company and the European Commission are co-controllers of the advertising campaign in question,” a noyb spokesperson told TechCrunch. “The complaint against
The use of sensitive personal data for ad targeting purposes is also prohibited under the bloc’s recently rebooted digital regulation, the Digital Services Act (DSA).
Fines for GDPR violations can reach 4% of global annual revenue, while fines for DSA violations can reach up to 6%. (Ironically, the Commission is responsible for overseeing X’s compliance with the DSA, so if anyone goes on to file a complaint against the tech company, this could – in theory – lead to an EU fine over the advertisements… 🙈)
noyb is supporting a Dutch complainant who it says saw a post on X by the Commission’s Home Affairs division (which is still live on the platform at the time of writing), claiming that 95% of Dutch people said that detecting online child abuse is more important than, or as important as, their right to online privacy.
Targeting details associated with the Commission’s ad campaign are available through the public ad transparency tools that the DSA requires platforms like X to provide. So, in a way, noyb’s complaint shows that European transparency laws work.
noyb also argues that the statistic in the controversial ad is “misleading”, citing media reports which suggest that the data is based solely on opinion polls conducted by the Commission which it claims did not mention the negative effects of the proposed message analysis.
“Even though online advertising is not illegal per se, the European Commission has targeted users based on their political opinions and religious beliefs,” noyb wrote in a press release. “Specifically, ads were only shown to people who weren’t interested in keywords like #Qatargate, Brexit, Marine Le Pen, Alternative für Deutschland, Vox, Christian, Christian-phobia or Giorgia Meloni.”
It is not clear why Commission staff members chose these particular ad targeting settings for the campaign. Last month, the commissioner in charge of the Internal Affairs division repeatedly claimed not to know.
noyb goes on to note that the Commission has previously raised concerns about the use of personal data for micro-targeting purposes – describing the practice as “a serious threat to a fair and democratic electoral process”.
“It appears that the European Commission has attempted to influence public opinion in countries like the Netherlands in order to undermine the position of the national government in the EU Council. Such behavior – especially in combination with illegal microtargeting – poses a serious threat to the EU legislative process and completely contradicts the Commission’s recommendations. intention to make political advertising more transparent,” it said, referring to another EU legislative proposal to regulate political advertising.
“noyb requests the EDPS to fully investigate this matter in accordance with the EU GDPR,” noyb added. “Given the seriousness of the violations and the large number of people affected, noyb also suggests that the EDPS imposes a fine.”
Commenting in a statement, Maartje de Graaf, data protection lawyer at noyb, said: “It is astonishing that the European Commission does not respect the law that it helped to institutionalize only a few years ago. Additionally, X claims to prohibit the use of sensitive data for ad targeting purposes, but does nothing to actually enforce this prohibition.”
“The European Commission has no legal basis to process sensitive data for the purposes of X-targeted advertising. No one is above the law, and the European Commission is no exception,” added Felix Mikolasch, another data protection lawyer at noyb, in a second supporting statement.
The privacy group is probably best known for a series of strategic complaints against adtech giants like Meta, where noyb has brought a series of successful challenges in recent years. But this time, it is taking aim at the European Commission, accusing the bloc’s executive body of exploiting ad targeting tools in a way that undermines citizens’ rights.
As we reported last month, the advertising controversy over microtargeting arose after internet users spotted adverts that the Commission’s home affairs division was running on X in an attempt to drum up support for the (also controversial) legislative proposal for CSAM analysis.
The Commission’s draft CSAM proposal contains powers that could lead to messaging platforms being ordered to analyze the content of all users’ messages in order to detect child pornography, even in cases where the content of the messages is end-to-end encrypted (E2EE).
This is a highly controversial proposal that has been criticized by legal experts, privacy and security researchers, civil society groups and the EDPS, among others, with the fear that it will push platforms to apply mass surveillance to European citizens and compromise the security of E2EE by forcing companies that have received detection orders to deploy client-side analysis.
EU lawmakers in the European Parliament have united to oppose the Commission’s proposal on CSAM analysis, recently suggesting an alternative approach that would remove the disputed analysis. MEPs argue that their proposal, which would limit CSAM detection orders to individuals or groups suspected of sexual abuse of children and only allow CSAM analysis on non-E2EE platforms (among a series of suggested revisions), would be more effective in combating child sexual abuse while respecting the freedoms that citizens of democratic countries are entitled to expect.
It is unclear where the CSAM dossier will end up, as the EU protocol requires a round of negotiations between EU co-legislators in the Council, with the Commission also involved in these so-called trilogue talks which aim to reach agreement on a final text.
But in the meantime, the EU executive faces tricky questions about the methods its aides used to promote its proposal. And last month it admitted to launching an investigation into whether any rules had been broken following the micro-targeted X ad campaign.
During a hearing at the European Parliament last month, Ylva Johansson, the bloc’s internal affairs commissioner responsible for the CSAM analysis proposal, defended the advertising campaign she said her office had run, saying it was normal for the bloc to use digital advertising tools to promote its bills. However, she acknowledged it was right for the bloc to investigate whether there had been a breach of the rules.
But with the internal investigation, the Commission is essentially proposing to do its own homework. This is why noyb’s complaint to the EDPS — which could lead to the opening of an external investigation by its data controller — seems important.
The EDPS has the power to sanction EU institutions, including the Commission, if it confirms violations of the rules. These powers include the possibility of imposing fines. It can also exercise investigative and remedial powers, such as issuing orders to bring operations into compliance with the GDPR – or imposing a ban on processing.
If the EU were found to be in breach of its rules, the reputational damage would also serve as a powerful deterrent against any future temptation to use anti-rights behavioral targeting tools to drive its legislative agenda.
Asked about the Commission’s internal investigation into the ads, a spokesperson told TechCrunch:
We are aware of reports regarding a campaign carried out by the Commission services on the X platform. We are currently carrying out an in-depth review of this campaign. As regulators, the Commission is responsible for taking appropriate measures to ensure compliance with these rules by all platforms. Internally, we provide regularly updated guidance to ensure that our social media managers are aware of the new rules and that external contractors also fully implement them.
The Commission did not provide any details on the deadline for concluding its internal investigation.