The European Center for Digital Rights, NOYB, filed a complaint against the European Commission with the European Data Protection Supervisor on Thursday (November 16th) over the use of microtargeted ads on Xu to promote its regulation on the disclosure of child sexual abuse material online.
NOYB filed a lawsuit against the European Commission’s Directorate-General for Migration and Home Affairs, alleging that the ads breach the EU’s General Data Protection Regulation (GDPR).
NOYB also noted that the use of microtargeted ads is contrary to the Commission’s intentions for greater advertising transparency.
The file, which aims to detect and remove online child sexual abuse material, has already drawn criticism in its original form, which would have given judicial authorities the power to ask communications services such as WhatsApp or Gmail to scan people’s private messages to find offensive content.
Microtargeting
As well as Euractiv reportedDutch newspapers de Volkskrant discovered in October that the EU executive launched a micro-targeting campaign in September at X to promote its proposal in countries that did not support the text in the EU Council of Ministers.
Ads were shown in certain countries and not to all users, depending on the information collected about them. These are the Netherlands, Sweden, Belgium, Finland, Slovenia, Portugal and the Czech Republic, and the ads have been viewed more than four million times.
According to the article, the ads are not shown to those interested in privacy, or are Eurosceptic, and even those interested in Christianity are left out.
Now NOYB specified that the ads were not shown to those interested in “keywords such as #Qatargate, Brexit, Marine Le Pen, Alternative für Deutschland, Vox, Christian, Christian-phobia or Giorgia Meloni”.
However, political orientation and religious beliefs are considered sensitive data under the GDPR, the EU’s data privacy regulation, and their special regime is further strengthened by the Digital Services Act (DSA), an EU law enforced by the Commission.
Maartje de Graaf, data protection lawyer at NOYB, said it was “astounding that the European Commission is not following the law it helped institutionalize just a few years ago”.
Another data protection lawyer at NOYB, Felix Mikolasch, noted that the Commission “has no legal basis for processing sensitive data for targeted advertising on X. No one is above the law, and the EU Commission is no exception”.
In October, a Commission spokesperson told Euractiv that they were “conducting a thorough review” of the campaign, adding that “as a regulator, the Commission is responsible for taking appropriate measures to ensure compliance with these rules by all platforms”.
They also “provide regularly updated guidance to ensure our social media managers are aware of the new rules and that outsourcers also apply them fully”.
Data breach
In October, the European Data Protection Supervisor (EDPS) told Euractiv that they had approached the Commission as part of a “so-called pre-investigation procedure, requesting information regarding the described use of micro-targeted ads, to be provided by October 20”.
The body specified that this “does not constitute the opening of an official investigation.”
The EDPS has now told Euractiv that they have received the European Commission’s response to their request for information and are in the process of reviewing it, with the aim of gaining a comprehensive understanding of the feedback. The watchdog will determine the next steps and take any action it deems appropriate following the review process.
NOYB informed Euractiv that they had planned to file a complaint even before the EDPS preliminary investigation began, but taking the necessary steps took time.
As NOYB also pointed out, advertising guidelines social media platform X (formerly known as Twitter) also takes into account sensitive categories such as religious beliefs or political affiliation, which should not be targeted by the site. However, the ad post is still available on X.
De Graaf said that “X claims to prohibit the use of sensitive data for ad targeting, but does nothing to actually enforce that prohibition.”
A Commission spokesperson also noted in October that platforms cannot “show targeted ads based on sensitive user data” under the DSA, which has also applied to X since mid-August.
According to NOYB, they are “currently evaluating whether to file charges against X for facilitating the illegal use of sensitive data for political micro-targeting.”
Concerns about microtargeting emerged as the Commission set out to make online political advertising more transparent, with a relevant file reaching an agreement last week between the European Parliament, the Council and the Commission, following inter-institutional negotiations known as trilogues.
(Edited by Luca Bertuzzi/Zoran Radosavljević)
