The European Union’s executive body is facing an embarrassing privacy scandal after it was confirmed on Friday that a Commission ad campaign on X (formerly Twitter) breached the EU’s own data protection rules.
The finding, by the EU’s oversight body the European Data Protection Supervisor (EDPS), relates to a microtargeted ad campaign that the Commission ran on X back in fall 2023 that processed the sensitive data (political views) of citizens to microtarget ads.
The ad campaign was intended to sway opinion around a controversial EU legislative proposal to force messaging apps to scan people’s communications for CSAM (child sexual abuse material). Critics have warned the EU plan risks a raft of democratic rights, threatens end-to-end encryption, and is itself legally unsound. But the Commission has ploughed on regardless — garnering some reputational knocks. And now this big privacy slapdown.
The finding that the EU breached its own data protection rules follows a November 2023 complaint by regional privacy rights non-profit noyb. Its complaint against the Commission’s Directorate General for Migration and Home Affairs accused the department of “unlawful micro-targeting”. Per noyb, the EU’s data supervisor’s findings confirm that the EU acted unlawfully — although the EDPS has only issued a reprimand (no fine).
In a press release announcing the outcome of the complaint, Felix Mikolasch, a data protection lawyer for the non-profit, wrote: “Since Cambridge Analytica it is clear that targeted ads can influence democracy. Using political preferences for ads is clearly illegal. Nevertheless many political players rely on it and online platforms take almost no action. Therefore, we welcome the decision of the EDPS.”
noyb’s complaint highlighted how the Commission’s ad campaign on X sought to indirectly promote the CSAM regulation in a bid to sway opinion among citizens in the Netherlands — targeting users in the country who weren’t interested in keywords such as: #Qatargate, brexit, Marine Le Pen, Alternative für Deutschland, Vox, Christian, Christian-phobia or Giorgia Meloni.
Such keywords may be associated with people who hold certain (right-wing) political views — making the processing a proxy for political views, which are classed as sensitive (or special category) data under EU data protection laws. The bloc’s legal standard for processing sensitive personal data lawfully requires obtaining people’s explicit consent beforehand — which the Commission did not do.
The EU previously told TechCrunch that the ad campaign was “designed and implemented through a framework contract with a contractor”. It also said its contract with the contractor included “data protection safeguards” aimed at ensuring compliance with the relevant regulations — arguing it was X that accepted the campaign and “could be expected to implement it in accordance with the platform’s terms and conditions and the applicable legal rules, in particular the GDPR [General Data Protection Regulation]”.
So, in other words, the Commission has sought to blame X for any unlawful ad targeting. (NB: noyb has a separate complaint against X over this political processing which remains under investigation by data protection authorities. But in light of the EDPS’ finding of unlawful processing taking place on X we’ve reached out to the social media firm for a response).
The Commission also previously said it “did not intend to trigger the processing of special categories of personal data” — stressing at that point (May 2024) that such processing “should not have happened”.
It added at the time that it had taken steps to ensure “existing rules were reminded to all services”. And, per noyb, the reason that the EDPS has only issued a reprimand — not a fine — is because the Commission stopped the practice. So it looks unlikely we’ll see any more controversial EU microtargeting any time soon.
There is also a new college of commissioners in place now — so Ylva Johansson, the home affairs commissioner who was in charge of the CSAM proposal under the last mandate when the offending ad campaign was run, is no longer in post to receive the EDPS slap.
While — earlier this year — the Commission was still querying whether or not sensitive data had been processed by the campaign, the EDPS’ decision cements that such processing both happened and was unlawful.
The finding should have implications for noyb’s still open complaint against X, and other similar complaints over microtargeting on sensitive data. (And given how such ad technologies typically work there’s a higher chance these sorts of complaints could lead to actual GDPR fines — where penalties can reach up to 4% of global annual turnover.)
“We have many more cases on political microtargeting in the Member States,” noted Mikolasch. “Many political parties engage in the same illegal practice. We hope the EDPS decision will be a guiding light for national authorities that currently investigate such practices.”
We reached out to the Commission for a response to the EDPS’ decision and spokeswoman, Patricia Poropat, acknowledged our request but at the time of writing it had not provided a statement.
We’ve also put questions to the EDPS and to Ireland’s Data Protection Commission, the authority that’s likely to lead on investigating X’s microtargeting. And will update this report if they respond.
