A micro-targeted advertising controversy that has implicated European Union lawmakers in anti-privacy practices prohibited by laws they had a hand in passing is the subject of a new complaint by the privacy rights nonprofit noyb.
The complaint against the European Commission’s Directorate General for Migration and Home Affairs is filed today with the European Data Protection Supervisor (EDPS), which oversees EU institutions’ compliance with the bloc’s data protection laws.
noyb accuses the Commission of “unlawful micro-targeting” on X (Twitter) in relation to the Commission’s legislative proposal aimed at combating child sexual abuse.
It says it is also considering filing a complaint against X.
These sensitive categories of personal data require explicit consent from data subjects for processing, and it is not clear that individual permission was obtained from all users whose data was processed in this way (either by X or by the Commission) before the advertisements were targeted at users of the microblogging platform.
“We are currently considering filing a complaint against X since the company and the EU Commission are joint observers of the advertising campaign in question,” a noyb spokesperson told TechCrunch. “The complaint against
The use of sensitive personal data for ad targeting purposes is also prohibited under the bloc’s recently rebooted digital rulebook, the Digital Services Act (DSA).
Fines for GDPR violations can be up to 4% of global annual turnover, while penalties for DSA breaches can be up to 6% of the same. (Ironically, the Commission is responsible for overseeing
noyb is supporting a Dutch complainant who says he saw an ad published on X by the Commission’s Internal Affairs Department (which is still on the platform at the time of writing) claiming that 95% of Dutch people allegedly say that detecting online child abuse is more important than, or as important as, their right to privacy online.
The targeting details associated with the ad campaign are available via generic ad transparency tools which the DSA requires platforms like X to provide. So, in a way, noyb’s complaint shows that EU transparency laws are working.
noyb also argues that the statistics in the controversial ad are “misleading”, citing media reports which suggest that the data is based solely on opinion polls conducted by the Commission, which it says failed to mention the negative effects of the proposed message scanning.
“Although online advertising is not illegal per se, the EU Commission has targeted users based on their political views and religious beliefs,” noyb wrote in a press release. “Specifically, ads were only shown to people who were not interested in keywords like #Qatargate, Brexit, Marine Le Pen, Alternative for Germany, Vox, Christianity, Christianophobia or Giorgia Meloni.”
It is not clear why Commission staff chose these specific ad targeting criteria for the campaign. Last month, the commissioner in charge of the Internal Affairs Department repeatedly claimed that she did not know.
noyb goes on to point out that the Commission has previously raised concerns about the use of personal data for micro-targeting, describing the practice as a “serious threat to a democratic and fair electoral process.”
“It appears that the EU Commission has tried to influence public opinion in countries such as the Netherlands in order to undermine the position of the national government in the EU Council. Such behavior – especially in combination with unlawful micro-targeting – constitutes a serious threat to the EU legislative process and is in complete contradiction to the Commission’s intent to make political advertising more transparent,” noyb writes, referring to another European Union legislative proposal aimed at regulating political advertising.
“noyb requests that the EDPS fully investigate this matter in accordance with the EU General Data Protection Regulation,” noyb added. “Given the seriousness of the violations and the large number of those affected, noyb also suggests that the EDPS impose a fine.”
Commenting on this, Maartje de Graaf, data protection lawyer at noyb, said: “It is astonishing that the European Commission does not follow the law it helped institutionalize just a few years ago. Furthermore, X claims to prohibit the use of sensitive data to target ads but does nothing to actually enforce this prohibition.”
Felix Mikuláš, another data protection lawyer at noyb, added in a second supporting statement: “The EU Commission has no legal basis for processing sensitive data for targeted advertising on X. No one is above the law, and the EU Commission is no exception.”
The privacy group is perhaps best known for a series of strategic complaints against ad tech giants like Meta, with noyb mounting a series of successful challenges in recent years. But this time it is taking aim at the European Commission, accusing the bloc’s executive body of taking advantage of ad technology targeting tools in a way that violates citizens’ rights.
As we reported last month, the micro-targeting ad controversy arose after web users discovered ads the Commission’s Internal Affairs Division was running on X in an attempt to drum up support for the (also controversial) CSAM-scanning legislative proposal.
The Commission’s draft CSAM proposal includes powers that could lead to messaging platforms being ordered to scan the contents of all users’ messages to detect child sexual abuse material, even in cases where the message contents are end-to-end encrypted (E2EE).
It’s a highly controversial proposal and has been criticized by legal experts, privacy and security researchers, civil society groups and the EDPS, among others – with concerns that it could prompt platforms to implement mass surveillance on European citizens and undermine E2EE security by forcing companies served with detection orders to deploy client-side scanning.
EU lawmakers in the European Parliament have united in opposing the Commission’s proposal for CSAM scanning, recently proposing an alternative approach that would remove the controversial scanning. MEPs argue that their proposal, which would limit CSAM detection to individuals or groups suspected of child sexual abuse and only allow scanning for CSAM on non-E2EE platforms (among a range of proposed revisions), would be more effective in combating child sexual abuse while respecting the freedoms that citizens in democratic countries have a right to expect.
It is not clear where the CSAM file will end up because the EU process requires negotiations with the bloc’s co-legislators in the Council, with the Commission also participating in so-called trilogue talks aimed at reaching agreement on a final text.
But at the same time, the EU executive faces awkward questions about the methods its staff used to promote its proposal. Last month, it admitted it had opened an investigation to determine whether any rules had been broken as a result of the micro-targeted ad campaign on X.
At a hearing in the European Parliament last month, Ylva Johansson, the bloc’s Home Affairs Commissioner, who is responsible for the CSAM-scanning proposal, defended the advertising campaign she said her office was running, claiming it was normal practice for the bloc to use digital advertising tools to promote its bills. But she acknowledged that it was right for the bloc to investigate whether there had been a violation of the rules.
But with an internal investigation, the Commission proposes to judge its own conduct. That’s why noyb’s complaint to the EDPS, which could trigger an external investigation by the data supervisor, seems important.
The EDPS has powers to impose sanctions on EU institutions, including the Commission, if it confirms violations of the rules. These powers include the ability to issue fines. It can also apply investigative and remedial powers, such as issuing orders to bring operations into compliance with the GDPR – or imposing a ban on processing.
The reputational sting if the EU is found to be violating its own rules is also likely to be a strong deterrent against any future temptation to indulge in anti-rights behavioral targeting tools to advance its legislative agenda.
Asked for an update on the Commission’s internal investigation into the ads, a Commission spokesperson told TechCrunch:
“We are aware of reports regarding a campaign run by Authority Services on Platform X. We are currently conducting a comprehensive review of this campaign. As regulators, the Commission is responsible for taking appropriate measures to ensure compliance with these rules by all platforms. Internally, we provide regularly updated guidance to ensure that our social media managers are aware of the new rules and that external contractors also fully implement them.”
The Commission did not provide any details about the timeframe for concluding its internal investigation.