The European Commission has lost a case before the European Data Protection Supervisor (EDPS), which ruled that the EC had “illegally targeted advertisements at citizens using sensitive personal data related to their political views”.
For this, the EC received a reprimand.
The supervisor said in its December 13 ruling that it found that “the Commission has … unlawfully [processed] the complainant’s personal data, including special categories of personal data, without a valid legal basis in the context of the targeted advertising campaign that the Commission ran on the social media platform X from 15 to 28 September 2023.”
The main goal of the EDPS’ reprimand is to make the European Union institution aware of its violation of the Regulation and to have a dissuasive effect.
Because the EC no longer processes personal data, the EDPS found other corrective powers, such as compliance orders or processing limits, unsuitable.
The donation-funded privacy NGO noyb, based in Vienna, had filed a complaint against the EC in 2023 over what it said were targeted chat control advertisements.
A spokesperson for noyb told Brussels Signal: “We believe the decision of the EDPS sends a strong message to other data protection authorities and beyond. The decision confirms that targeting users based on their political views is clearly illegal.
“Unfortunately, such targeting is a common practice in many elections and needs to be tackled by national authorities, too. The EDPS decision is a good precedent.
“After this decision the Commission should definitely refrain from such micro-targeting. At the same time, the EDPS could have gone beyond a reprimand and could have imposed a ban. However, a fine was unlikely because of the legal framework for EU institutions.”
A spokesperson of the European Commission said: “We take note of the European Data Protection Supervisor (EDPS) decision on the Commission’s campaign to raise awareness about the Commission’s legislative proposal to prevent and combat child sexual abuse material online.”
“We will now assess the EDPS decision.”
In its complaint, noyb accused the Commission’s Directorate General for Migration and Home Affairs of using unlawful micro-targeting on X to promote its heavily criticised chat control regulation: the EC’s proposal to scan all private communications, purportedly to halt the spread of child sexual abuse material (CSAM).
When heated debate raged the EC was said to have wanted to influence political views in the Netherlands.
To get the Dutch population onside, the body used illegal means, noyb said, and the European Data Protection Supervisor agreed.
According to the NGO, the EC was not only “desperate to garner public support, which could be used to pressure national governments into accepting the controversial legislative proposal”, the move also “undermined the established democratic procedures between EU institutions and violated the EU GDPR”.
Reports of the adverts showed that the EC targeted users based on their political views and religious beliefs.
“Specifically, the ads were only shown to people who weren’t interested in keywords like #Qatargate, Brexit, Marine Le Pen, Alternative für Deutschland, Vox, Christian, Christian-phobia or Giorgia Meloni,” noyb said.
All this, it added, came while the EC “previously raised concerns over the use of personal data for micro-targeting and described the practice as ‘a serious threat to a fair, democratic electoral process’”.
Adding to the infringement, the EC used what it said were misleading opinion polls.
When the NGO lodged its complaint, Maartje de Graaf, data protection lawyer at noyb said: “It is mind-boggling that the EU Commission doesn’t follow the law it helped to institutionalise just a few years ago. Moreover, X claims to prohibit the use of sensitive data for ad targeting, but doesn’t do anything to actually enforce this ban.”
The EC’s reprimand comes shortly after the presidential elections in Romania were suspended for similar actions allegedly perpetrated by pro-Russian activists.
The European Union has invoked some of its powers under the Digital Services Act amid increasing scrutiny related to the activities of TikTok during the recent elections in Romania. https://t.co/5N8kg80fsD
— Brussels Signal (@brusselssignal) December 5, 2024
