Attacking EU citizens based on their political opinions is illegal.
This is the final verdict of the European Data Protection Supervisor (EDPS). The bloc’s data protection watchdog found the EU Commission guilty of illegally targeting citizens with ads using sensitive personal data based on their political opinions.
The decision follows a privacy complaint filed by Austria-based digital rights group Noyb in November 2023 over targeted ads related to so-called Chat Control. The controversial proposal seeks to introduce mandatory scanning of all citizens’ private communications to stop the spread of child sexual abuse material (CSAM).
There is no legal basis for political targeting online
Between 15 and 28 September 2023, the EU Commission ran a targeted advertising campaign on X (formerly Twitter) with the intention of raising awareness of the proposed Child Sexual Abuse Regulation (CSAR). The campaign targeted users in eight member states (Belgium, Czech Republic, Finland, France, Netherlands, Portugal, Slovenia and Sweden).
However, the Commission not only published political messages supporting the CSAM scanning proposal, but also targeted users based on their interests. In particular, it targeted those who were not interested in certain keywords, including #Qatargate, Brexit, Marine Le Pen, Alternative für Deutschland, Vox, Christian, Christian-phobia and Giorgia Meloni.
“Advertisers often use so-called “proxy data” (i.e. data closely associated with political thinking) to target political opinions,” explain Noyb experts. “By doing so, the European Commission has clearly activated the processing of personal data of EU citizens to target ads to them.”
The EDPS’s decision aligns with Noyb’s complaint: the EU Commission’s behavior violated GDPR rules on the use of personal data by processing people’s political interests “without a valid legal basis.”
Today: @NOYBeu wins against the @EU_Commission before the @EU_EDPS on political microtargeting… 😊https://t.co/xGKTcTfq2MDecember 13, 2024
“We welcome the EDPS’s decision,” said Felix Mikolasch, data protection lawyer at Noyb. “From Cambridge Analytica, it is clear that targeted ads can influence democracy. Using political preferences for ads is clearly illegal. Yet many political actors rely on them and online platforms take almost no action.”
The mother of all data protection legislation, the GDPR, actually provides special protection for so-called sensitive data, such as political opinions. Experts explain that this treatment is only allowed under very limited conditions, such as explicit consent, which in this case did not occur.
Despite this targeted campaign, EU members still cannot agree on the Chat Control proposal. On December 12, 2024, the bill once again failed to attract the necessary support.
According to the latest version, communication service providers, including encrypted messaging apps and secure email services, must scan all photos, videos, and URLs you share with other users with the users’ permission. However, you must consent to shared material being scanned before being encrypted to continue using the functionality.
During the public vote on December 12, representatives of 10 EU countries (Germany, Austria, Slovenia, the Netherlands, the Czech Republic, Poland, Estonia, Luxembourg, Belgium and Finland) spoke against the proposal. Lawmakers are especially concerned that screening rules could lead to indiscriminate surveillance while opening security backdoors for criminals to exploit.
