The European Union's executive body is embroiled in a privacy scandal after the European Data Protection Supervisor (EDPS) confirmed that a Commission ad campaign on X (formerly Twitter) breached the EU's own data protection rules. The microtargeted ad campaign, which ran in fall 2023, processed the sensitive data of citizens to sway opinion around a controversial EU legislative proposal.

The ad campaign was designed to promote the EU's plan to force messaging apps to scan people's communications for child sexual abuse material (CSAM), a proposal that has sparked widespread criticism for threatening democratic rights and end-to-end encryption. Despite the backlash, the Commission pressed on with the campaign, which has now been found to have breached the EU's data protection rules.

The EDPS' finding follows a November 2023 complaint by regional privacy rights non-profit noyb, which accused the Commission's Directorate General for Migration and Home Affairs of "unlawful micro-targeting." The complaint highlighted how the Commission's ad campaign on X sought to indirectly promote the CSAM regulation by targeting users in the Netherlands who weren't interested in keywords associated with right-wing political views.

Under EU data protection laws, processing sensitive personal data, including political views, requires obtaining people's explicit consent beforehand. The Commission did not obtain such consent, and the EDPS has issued a reprimand, although no fine, as the Commission stopped the practice.

The Commission had previously sought to blame X for any unlawful ad targeting, stating that its contract with the contractor included "data protection safeguards" aimed at ensuring compliance with relevant regulations. However, the EDPS' finding of unlawful processing taking place on X has put the spotlight back on the Commission's actions.

The implications of this finding are far-reaching, with potential consequences for noyb's still open complaint against X and other similar complaints over microtargeting on sensitive data. As Felix Mikolasch, a data protection lawyer for noyb, noted, "We have many more cases on political microtargeting in the Member States. Many political parties engage in the same illegal practice. We hope the EDPS decision will be a guiding light for national authorities that currently investigate such practices."

The EDPS' decision also raises questions about the Commission's commitment to upholding its own data protection rules. While the Commission has taken steps to ensure "existing rules were reminded to all services," the fact that such a breach occurred in the first place has sparked concerns about the EU's ability to regulate itself.

We have reached out to the Commission for a response to the EDPS' decision, but at the time of writing, it had not provided a statement. We have also put questions to the EDPS and to Ireland's Data Protection Commission, the authority that's likely to lead on investigating X's microtargeting, and will update this report if they respond.

In conclusion, the EU Commission's breach of its own data protection rules serves as a stark reminder of the need for vigilance in protecting citizen data. As the EU continues to grapple with the complexities of data protection and regulation, this incident highlights the importance of accountability and transparency in the use of personal data.