The EU faces a privacy complaint over CSAM microtargeting ads it runs on X

A microtargeted advertising controversy involving European Union lawmakers in anti-privacy practices prohibited by laws they passed is the subject of a new non-profit privacy rights complaint. , november.

The complaint against the EU Commission’s Directorate General for Migration and Home Affairs was filed today, along with the European Data Protection Supervisor (EDPS), which oversees EU institutions’ compliance with the bloc’s data protection laws.

noyb accused the Commission of “unlawful micro-targeting” of X (Twitter) related to a legislative proposal of the Commission aimed at combating sexual abuse of children.

It said it was also considering filing a complaint against X for providing tools that enabled EU staff to target ads using categories related to political opinions and religious beliefs. – information known as “special category” data under the bloc’s General Data Protection Regulation (GDPR). These sensitive categories of personal data require the express consent of persons for processing and it is not clear that individual consent has been obtained from all users whose data is processed in this way (either by X; or by the Commission) before ads targeted at users of the microblogging platform.

“We are now considering filing a complaint against X because the company and the EU Commission are joint controllers for the ad campaign in question,” a spokesperson for Noyb told TechCrunch. “The Complaint against X is likely to be filed with a national supervisory authority such as the Dutch data protection authority … We will inform the EDPS when this step is taken.”

The use of sensitive personal data for ad targeting purposes is also prohibited under the bloc’s recently rebooted digital rulebook, the Digital Services Act (DSA).

Fines for GDPR violations can go up to 4% of global annual turnover, while DSA violations can reach up to 6% of the same. (Ironically the Commission is responsible for overseeing X’s DSA compliance so, if noyb pursues a complaint against the tech firm, it could — theoretically — lead to the EU fining X for accepting its own ads… 🙈)

noyb supports a Dutch complainant who is said to have seen an X post in the Home Affairs division of the Commission (which is still live on the platform at the time of writing) claims that 95% of Dutch people say that detecting child abuse online is more important or just as important as their right to online privacy .

Targeting details related to the Commission’s ad campaign are available through public ad transparency tools that the DSA requires platforms like X to provide. So, in a way, noyb’s complaint shows that EU transparency laws are working.

noyb also argued that the statistics in the controversial ad were “misleading” – quote media reports suggests that the data is based only on opinion surveys carried out by the Commission which allegedly failed to mention the negative effects of the proposed message scanning.

“While online advertising is not illegal per se, the EU Commission is targeting users based on their political views and religious beliefs,” noyb wrote in a press release. “In particular, ads are only shown to people who are not interested in keywords such as #Qatargate, brexit, Marine Le Pen, Alternative für Deutschland, Vox, Christian, Christian-phobia or Giorgia Meloni.”

It is unclear why Commission staff chose these particular ad targeting parameters for the campaign. Last month, the commissioner in charge of the Home Affairs division repeatedly claimed ignorance.

Noyb went on to note that the Commission had previously raised concerns over the use of personal data for micro-targeting – describing the practice as “a serious threat to a fair, democratic electoral process”.

“It appears that the EU Commission is trying to influence public opinion in countries like the Netherlands in order to undermine the position of the national government in the EU Council. Such behavior – especially in combination with illegal micro-targeting – is a serious threat to the EU legislative process and is completely against the Commission. intention to make political advertising more transparent“it said, referring to another EU legislative proposal aimed at regulating political advertising.

november requesting the EDPS to fully investigate this matter in accordance with the EU GDPR,” added noyb. “Due to the seriousness of the violations and the number of individuals affected, november also suggested that the EDPS impose fines.

Commenting in a statement, Maartje de Graaf, data protection lawyer at noyb said: “It is puzzling that the EU Commission is not following the law that helped to institutionalize just a few years ago. Additionally, X claims to prohibit the use of sensitive data for ad targeting but does nothing to enforce this prohibition.

“The EU Commission has no legal basis to process sensitive data for targeted advertising on X. No one is above the law, and the EU Commission is no exception,” added Felix Mikolasch, another data protection lawyer at noyb, in the second supporting statement.

The privacy group is perhaps best known for a series of strategic complaints against adtech giants like Meta — to which noyb has mounted a series of successful challenges in recent years. But this time it aims to penetrate the European Commission, accusing the bloc’s executive body of using adtech targeting tools in a way that violates the rights of citizens.

As we reported last month, the microtargeting ad controversy arose after web users saw ads run by the Home Affairs division of the X Commission in an attempt to garner support for the (also controversial) legislative CSAM -scanning proposal.

The draft CSAM proposal of the Commission has powers that could lead to messaging platforms being ordered to scan the content of all users’ missives to identify child sexual abuse material, even in cases where the message contents are end-to-end encrypted (E2EE).

It is a controversial proposal that has been criticized by legal experts, privacy and security researchers, civil society groups and the EDPS, among others – with fears that it will push platforms to use mass surveillance on European citizens and undermine E2EE security by forcing companies. serves with detect commands to deploy client-side scanning.

EU lawmakers in the European Parliament unanimously opposed the Commission’s CSAM-scanning proposal – recently proposing an alternative method that would remove the controversial scanning. The MEPs disputed their proposal, which would limit the CSAM detection order to individuals or groups suspected of child sexual abuse; and only allow CSAM-scan on non-E2EE platforms (among a raft of proposed revisions), more effective in combating child sexual abuse while respecting the freedoms that citizens of democratic country has the right to expect.

It is not clear where the CSAM file will end up as the EU protocol requires a negotiation loop with EU co-legislators in the Council, with the Commission also involved in these so-called trilogue talks aimed at hashing out in agreement on a final text.

But, in the meantime, the EU executive is facing unpleasant questions about the methods used by the staff to promote its proposal. And, last month, it admitted it had opened an investigation to determine whether any rules were broken because of X’s microtargeted ad campaign.

At a hearing in the European Parliament last month, Yla Johansson, the bloc’s home affairs commissioner, who is responsible for the CSAM scan proposal, defended the ad campaign she said her office was running – admit it is normal practice for the block to be used. digital ad tools to promote its draft laws. He however admitted that the bloc was right to be investigated if there was a violation of the rules.

But in the internal investigation the Commission essentially proposed to mark its own homework. That’s why Noyb’s complaint to the EDPS — which could lead to an external investigation opened by his data supervisor — seems important.

The EDPS has the power to sanction EU institutions, including the Commission, if it confirms violations of the rules. These powers include the ability to issue fines. It can also exercise powers of investigation and correction, such as issuing orders to comply with GDPR operations – or imposing a processing ban.

Reputational damage if the EU is found to be breaking its rules will also act as a strong deterrent against any future temptation to dip into anti-rights behavior targeting tools to mobilize the legislative agenda.

Asked for an update on the Commission’s internal investigation into the ads, a spokesperson told TechCrunch:

We are aware of reports about a campaign run by Commission services on platform X. We are currently conducting a thorough investigation of this campaign. As regulators, the Commission is responsible for taking measures where appropriate to ensure compliance with these rules on all platforms. Internally, we provide regularly updated guidance to ensure that our social media managers are familiar with the new rules and that external contractors also apply them fully.

The Commission did not provide any details on the timeframe for the conclusion of its internal investigation.

Leave a comment