Privacy complaint takes aim at Musk’s X over EU ads targeted on sensitive data

Elon Musk’s X, the social media platform formerly known as Twitter, is facing a new privacy complaint in Europe related to its ad targeting tools. The complaint, which is being lodged with the Dutch data protection authority by privacy rights not-for-profit noyb, accuses X of failing to enforce its own its advertising guidelines.

While X’s T&Cs prohibit people’s political affiliations and/or religious beliefs being used to target them with ads, an advertiser on its platform — actually the European Commission itself, no less (awks!) — was able to use exactly this kind of sensitive personal data to target users with ads.

The bloc’s staffers used X’s tools in this way in order to promote a controversial legislative proposal to scan people’s messages for child sexual abuse material (CSAM).

As we reported last month, noyb already filed a complaint against the Commission for apparently breaching pan-EU rules it helped to draw up. It’s now followed up by filing a complaint against X too. “After we filed our first complaint in this matter, the EU Commission has already confirmed to stop advertising on X. However, to put an end to this in general, we need enforcement against X as a platform used by many others,” said Felix Mikolasch, data protection lawyer at noyb, in a statement.

As well as the EU’s General Data Protection Regulation (GDPR) setting strict limits on how sensitive personal data such as political affiliation and religious beliefs may be processed — requiring those wanting to do this obtain the explicit consent of the people in question — the bloc’s recently enacted Digital Services Act (DSA) stipulates that use of personal data for ad targeting requires consent. Yet the users of X whose data was processed were not explicitly asked to agree to this use of their info.

“[X] used this specially protected data to determine whether people should or should not see an ad campaign by the EU Commission’s Directorate General for Migration and Home Affairs, which tried to rally support for the proposed ‘chat control’ [CSAM scanning] in the Netherlands,” noyb wrote in a press release. “In November, this unlawful use of micro-targeting already prompted noyb to file a complaint against the EU Commission itself. Now, noyb follows up with a complaint against X. By enabling this practice in the first place, the company violated both the GDPR and the DSA.”

In a particularly ironic twist, the Commission is actually in charge of overseeing DSA compliance on so-called very large online platforms (VLOPs) like, er, X.

Indeed, in recent months, since the DSA came into force on VLOPs, the EU’s executive has been pressing X over compliance — specifically over concerns about the spread of illegal content and disinformation on the platform related to the Israel-Hamas war.  But — funnily enough — the Commission doesn’t appear to have asked X to demonstrate its ad targeting business is complying with the regulation. (Still, given some of its own staffers were apparently busy breaking these rules it’s perhaps not too surprising?)

noyb confirmed to us it hasn’t filed a DSA complaint against X with the Commission; it’s limited its action to lodging a grievance with the Dutch DPA. It said the reason it’s picked a Netherlands-based privacy authority for sending the complaint is because the controversial ads were targeted at X users in the country; and the complainant noyb is supporting to make the complaint is Dutch. However X is regionally headquartered in Ireland, so it’s likely the Netherlands authority would engage with the Irish Data Protection Commission (DPC) on any GDPR investigation of unlawful data processing for ad targeting.

But why isn’t noyb filing a DSA complaint about X with the European Commission? A spokesman for the not-for-profit told us it’s not taken that step as the two data protection complaints it’s now made — i.e., one against the Commission filed to the EDPS (European Data Protection Supervisor, which oversees EU institutions’ compliance with the rules); and one against X sent now to a national DPA — could lead to cooperation between these data supervisors “on an almost identical case”.

“It remains to be seen if the Commission may take action against X itself under the DSA,” noyb further added.

While penalties for violations of the GDPR can scale up to 4% of global annual turnover, the DSA’s regime allows for even larger sanctions — of up to 6%. So if enforcement action is taken under both regimes Musk’s company could face a double whammy of regulatory sanctions. (GDPR-DSA sandwich anyone?)

The Commission was contacted for an update on its own internal investigation into the controversial CSAM proposal ads targeting; and to ask whether it will be taking action against X, in its capacity as enforcer of the DSA on VLOPs, for accepting the unlawful ads. But a spokesman for the EU’s executive declined to provide an update “at the moment” — instead they reiterated the Commission’s earlier decision to advise its internal services to stop all types of paid communications on X.

Irish GDPR oversight of X

As noted above, noyb’s GDPR complaint against X, meanwhile, is likely to end up on the desk of the Irish privacy watchdog, the DPC.

Since Musk took over Twitter and set about imposing his distinctive stamp on the company (and its product), the DPC has responded by making a few public noises in the wake of certain controversial decisions by the new owner — such as Musk’s decision to let outside journalists access Twitter data; or his rolling out of a paid verification feature in the EU without prior notice; or not informing the watchdog when the DPO resigned — but the Irish regulator appears to have held back from harder interventions on the company. This is despite growing privacy concerns in areas like data deletion and the privacy and security of direct messages (DMs) under Musk’s ownership of Twitter/X.

Additionally, Musk’s X remains main established in Ireland, under the DPC’s lead oversight. It holds this status despite the US-based billionaire’s erratic leadership and unilateral decision-making — which have thrown up doubts that product decisions affecting EU users are really getting meaningful local input, as should be the case for X to claim main establishment locally. The designation is important as it allows the company continue to shrink its regulatory risk in the EU by benefiting from the streamlined oversight afforded by the GDPR’s one-stop-shop (OSS).

Again, aside from a few public expressions of concern in the early months of Musk’s takeover, the Irish regulator has not rocked the company’s boat here.

Looking further back, since the GDPR came into force, the DPC has issued just one public penalty on Twitter, as the company was still called at the time of the sanction a full three years ago. The penalty consisted of a fine of around $550k for failing to promptly report a data breach. So it’s fair to say the platform has had a pretty smooth ride under Irish privacy oversight to-date, even with Musk taking over steering the ship.

Still, it remains to be seen what the DPC might make of a complaint about X breaching ad targeting rules — assuming noyb’s latest strategic action ends up being referred to Ireland by the Dutch DPA, as seems likely under the OSS rules. The regulator has previously paid some mind to concerns about Twitter/X’s legal basis for ads when Musk was rumored to be planning to force users to choose between accepting personalized ads or paying him a subscription.

A cut-and-dried case of X failing to uphold its own advertiser T&Cs — if, indeed, that’s what noyb’s complaint boils down to — looks more straightforward than that.

Leave a Reply

Your email address will not be published. Required fields are marked *