The European Commission has found itself in an awkward position after its advertising campaign on X (formerly Twitter) was declared to violate the EU's own data protection regulations.
The European Data Protection Supervisor (EDPS) confirmed on Friday that the Commission's micro-targeted ad campaign from fall 2023 unlawfully processed sensitive data about citizens' political views without obtaining required consent.
The campaign aimed to influence public opinion regarding proposed EU legislation that would require messaging apps to scan communications data for child sexual abuse material (CSAM). The ads specifically targeted users in the Netherlands by filtering out people based on keywords associated with certain political leanings.
According to privacy rights organization noyb, which filed the initial complaint in November 2023, the Commission's campaign excluded users interested in terms like "brexit," "Marine Le Pen," and other keywords linked to right-wing political views. Under EU law, processing such politically-sensitive data requires explicit user consent beforehand.
While the Commission previously claimed the campaign was handled through a contractor with appropriate data protection measures, the EDPS ruling confirms both the unlawful processing of sensitive data and issued a reprimand, though no financial penalty was imposed.
The Commission spokesperson Patricia Poropat responded that they "take note" of the decision and will assess the EDPS ruling. This development may impact similar pending complaints about micro-targeting using sensitive data, with potential GDPR fines of up to 4% of global annual turnover for private companies engaging in comparable practices.
The case highlights growing concerns around political micro-targeting in advertising, with noyb noting multiple ongoing investigations into similar practices by political parties across EU member states. The EDPS decision is expected to guide national authorities examining such cases.