EU faces privacy complaint over CSAM microtargeting ads it ran on X

A microtargeted advertising controversy which has implicated European Union lawmakers in privacy-hostile practices banned by laws they had a hand in passing is the subject of a new complaint by privacy rights not-for-profit, noyb.

The complaint against the EU Commission’s Directorate General for Migration and Home Affairs is being filed today, with the European Data Protection Supervisor (EDPS), which oversees EU institutions’ compliance with the bloc’s data protection laws.

noyb is accusing the Commission of “unlawful micro-targeting” on X (Twitter) related to a Commission legislative proposal aimed at combating child sexual abuse.

It says it’s also considering filing a complaint against X for providing tools that enabled EU staffers to target ads using categories related to political opinions and religious beliefs — information that’s known as “special category” data under the bloc’s General Data Protection Regulation (GDPR). These sensitive categories of personal data require people’s explicit consent for processing and it’s not clear that individual permission was obtained from all users whose data was processed in this way (either by X; or by the Commission) ahead of the ads being targeted at users of the microblogging platform.

“We are currently considering to file a complaint against X since the company and the EU Commission are joint controllers for the ad campaign in question,” a spokesperson for noyb told TechCrunch. “The Complaint against X would probably be filed with a national supervisory authority such as the Dutch data protection authority… We will inform the EDPS if this step is taken.”

The use of sensitive personal data for ad targeting purposes is also prohibited under the bloc’s recently rebooted digital rulebook, the Digital Services Act (DSA).

Fines for breaches of the GDPR can scale up to 4% of global annual turnover, while DSA breaches can reach up to 6% of same. (Ironically the Commission is responsible for overseeing X’s DSA compliance so, if noyb forges ahead with a complaint against the tech firm, it could — theoretically — lead to the EU fining X for accepting its own ads… 🙈)

noyb is supporting a Dutch complainant who it says saw a post on X by the Commission’s Home Affairs division (which is still live on the platform at the time of writing) claiming 95% of Dutch people allegedly said the detection of child abuse online is more important or as important as their right to online privacy.

Targeting details associated with the Commission ad campaign are available via public ad transparency tools the DSA requires platforms like X to provide. So, in a way, noyb’s complaint shows EU transparency laws are working.

noyb also argues the stat in the controversial ad is “misleading” — citing media reports suggesting the data is based solely on opinion polls conducted by the Commission which it says failed to mention the negative effects of the proposed messaging scanning.

“While online advertising isn’t illegal per se, the EU Commission targeted users based on their political views and religious beliefs,” wrote noyb in a press release. “Specifically, the ads were only shown to people who weren’t interested in keywords like #Qatargate, brexit, Marine Le Pen, Alternative für Deutschland, Vox, Christian, Christian-phobia or Giorgia Meloni.”

It’s not clear why the Commission staffers selected these particular ad targeting parameters for the campaign. Last month, the commissioner in charge of the Home Affairs division repeatedly claimed not to know.

noyb goes on to note that the Commission has previously raised concerns over the use of personal data for micro-targeting — describing the practice as “a serious threat to a fair, democratic electoral process”.

“It appears that the EU Commission has tried to influence public opinion in countries such as the Netherlands in order to undermine the position of the national government in the EU Council. Such behaviour — especially in combination with illegal micro-targeting — is a serious threat to the EU legislative process and completely contradicts the Commission’s intention to make political advertising more transparent,” it said, referencing another EU legislative proposal aimed at regulating political advertising.

noyb requests the EDPS to fully investigate this matter in accordance with the EU GDPR,” noyb added. “Given the seriousness of the violations and the large number of individuals affected, noyb also suggests that the EDPS imposes a fine.”

Commenting in a statement, Maartje de Graaf, data protection lawyer at noyb, said: “It is mind-boggling that the EU Commission doesn’t follow the law it helped to institutionalize just a few years ago. Moreover, X claims to prohibit the use of sensitive data for ad targeting but doesn’t do anything to actually enforce this ban.”

“The EU Commission has no legal basis to process sensitive data for targeted advertising on X. Nobody is above the law, and the EU Commission is no exception,” added Felix Mikolasch, another data protection lawyer at noyb, in a second supporting statement. 

The privacy group is probably best known for a series of strategic complaints against adtech giants like Meta — where noyb has chalked up a string of successful challenges in recent years. But this time it’s aiming to skewer the European Commission, accusing the bloc’s executive body of leveraging adtech targeting tools in a way that infringes citizens’ rights.

As we reported last month, the microtargeting ad controversy sprung up after web users spotted ads the Commission’s Home Affairs division was running on X in a bid to drum up support for the (also controversial) legislative CSAM-scanning proposal.

The Commission’s draft CSAM proposal contains powers that could lead to messaging platforms being ordered to scan the contents of all users’ missives to detect child sexual abuse material, even in cases where message contents is end-to-end encrypted (E2EE).

It’s a hugely controversial proposal that has been critized by legal experts, privacy and security researchers, civil society groups and the EDPS, among others — with fears it would push platforms to apply mass surveillance to European citizens and undermine the security of E2EE by forcing firms served with detection orders to deploy client side-scanning.

EU lawmakers in the European Parliament have united in opposition to the Commission’s CSAM-scanning proposal — recently suggesting an alternative approach that would remove the contentious scanning. MEPs argue their proposal, which would limit CSAM detection order to individuals or groups who are suspected of child sexual abuse; and only allow for CSAM-scanning on non-E2EE platforms (among a raft of suggested revisions), would be more effective at fighting child sexual abuse while being respectful of the freedoms citizens in democratic nations have a right to expect.

It’s not clear where the CSAM file will end up as EU protocol requires negotiations loop in EU co-legislators in the Council, with the Commission also involved in these so-called trilogue talks which aim to hash out agreement on a final text.

But, in the meanwhile, the EU’s executive faces awkward questions about methods staffers used to promote its proposal. And, last month, it admitted it had opened an investigation to determine whether any rules had been broken as a result of the microtargeted ad campaign on X.

At a hearing in the European Parliament last month, Yla Johansson, the bloc’s home affairs commissioner, who is responsible for the CSAM-scanning proposal, defended the ad campaign she said her office had run — claiming it was normal practice for the bloc to use digital ad tools to promote its draft laws. However she conceded it was right the bloc should investigate whether there had been a breach of the rules.

But with the internal investigation the Commission is essentially proposing to mark its own homework. Which is why noyb’s complaint to the EDPS — which could lead to an external investigation being opened by its data supervisor — looks important.

The EDPS has powers to sanction EU institutions, including the Commission, if it confirms breaches of the rules. These powers include the ability to issue fines. It can also apply investigative and corrective powers, such as issuing orders to bring operations into compliance with the GDPR — or imposing a ban on processing.

The reputational sting if the EU is found in breach of its rules would also likely be a strong deterrent against any future temptation to dip into rights-hostile behavioral targeting tools to drive its legislative agenda.

Asked for an update on the Commission’s internal investigation of the ads, a spokesperson told TechCrunch:

We are aware of reports concerning a campaign run by the Commission services on the platform X.  We are currently conducting a thorough review of this campaign. As regulators, the Commission is responsible to take measures as appropriate to ensure compliance with these rules by all platforms. Internally, we provide regularly updated guidance to ensure our social media managers are familiar with the new rules and that external contractors also apply them in full.

The Commission did not provide any details of the timeframe for concluding its internal investigation.

Published at Thu, 16 Nov 2023 06:00:59 +0000