The European Union’s govt physique is dealing with an embarrassing privateness scandal after it was confirmed on Friday {that a} Commission advert marketing campaign on X (previously Twitter) breached the EU’s personal information safety guidelines.
The discovering, by the EU’s oversight physique the European Data Protection Supervisor (EDPS), pertains to a microtargeted advert marketing campaign that the Commission ran on X again in fall 2023 that processed the delicate information (political beliefs) of residents to microtarget advertisements.
The advert marketing campaign was supposed to sway opinion round a controversial EU legislative proposal to drive messaging apps to scan folks’s communications for CSAM (baby sexual abuse materials). Critics have warned the EU plan dangers a raft of democratic rights, threatens end-to-end encryption, and is itself legally unsound. But the Commission has ploughed on regardless — garnering some reputational knocks. And now this large privateness slapdown.
The discovering that the EU breached its personal information safety guidelines follows a November 2023 criticism by regional privateness rights non-profit noyb. Its criticism towards the Commission’s Directorate General for Migration and Home Affairs accused the division of “unlawful micro-targeting”. Per noyb, the EU’s information supervisor’s findings verify that the EU acted unlawfully — though the EDPS has solely issued a reprimand (no positive).
In a press launch saying the result of the criticism, Felix Mikolasch, an information safety lawyer for the non-profit, wrote: “Since Cambridge Analytica it is clear that targeted ads can influence democracy. Using political preferences for ads is clearly illegal. Nevertheless many political players rely on it and online platforms take almost no action. Therefore, we welcome the decision of the EDPS.”
noyb’s criticism highlighted how the Commission’s advert marketing campaign on X sought to not directly promote the CSAM regulation in a bid to sway opinion amongst residents within the Netherlands — concentrating on customers within the nation who weren’t serious about key phrases similar to: #Qatargate, brexit, Marine Le Pen, Alternative für Deutschland, Vox, Christian, Christian-phobia or Giorgia Meloni.
Such key phrases could also be related to individuals who maintain sure (right-wing) political beliefs — making the processing a proxy for political beliefs, that are classed as delicate (or particular class) information beneath EU information safety legal guidelines. The bloc’s authorized commonplace for processing delicate private information lawfully requires acquiring folks’s specific consent beforehand — which the Commission didn’t do.
The EU beforehand advised TechCrunch that the advert marketing campaign was “designed and implemented through a framework contract with a contractor”. It additionally mentioned its contract with the contractor included “data protection safeguards” geared toward guaranteeing compliance with the related laws — arguing it was X that accepted the marketing campaign and “could be expected to implement it in accordance with the platform’s terms and conditions and the applicable legal rules, in particular the GDPR [General Data Protection Regulation]”.
So, in different phrases, the Commission has sought in charge X for any illegal advert concentrating on. (NB: noyb has a separate criticism towards X over this political processing which stays beneath investigation by information safety authorities. But in mild of the EDPS’ discovering of illegal processing going down on X we’ve reached out to the social media agency for a response).
The Commission additionally beforehand mentioned it “did not intend to trigger the processing of special categories of personal data” — stressing at that time (May 2024) that such processing “should not have happened”.
It added on the time that it had taken steps to make sure “existing rules were reminded to all services”. And, per noyb, the explanation that the EDPS has solely issued a reprimand — not a positive — is as a result of the Commission stopped the apply. So it seems to be unlikely we’ll see any extra controversial EU…
