Elon Musk’s X, formerly known as Twitter, is in hot water again. This time, the social media platform is facing a privacy complaint in Europe related to its ad targeting tools. The complaint, lodged with the Dutch data protection authority by privacy rights group noyb, accuses X of not enforcing its own advertising guidelines.
“After we filed our first complaint in this matter, the EU Commission has already confirmed to stop advertising on X. However, to put an end to this in general, we need enforcement against X as a platform used by many others,” said Felix Mikolasch, data protection lawyer at noyb, in a statement.
The complaint was filed because X’s Terms & Conditions claim to prohibit targeting users based on their political affiliations or religious beliefs. However, an advertiser on the platform, none other than the European Commission itself, was able to use sensitive personal data, including political and religious beliefs, to target users with ads.
This use of sensitive personal data is not only a violation of X’s own rules, but also goes against the EU’s strict General Data Protection Regulation (GDPR) and the recently enacted Digital Services Act (DSA), which requires explicit consent for the use of personal data for ad targeting.
According to noyb, the Commission used X’s tools to promote a controversial legislative proposal to scan people’s messages for child sexual abuse material (CSAM). This prompted noyb to file a complaint against the Commission last month for apparently breaking pan-EU rules it helped create. Now, noyb is taking it a step further by filing a complaint against X as well.
“[X] used this specially protected data to determine whether people should or should not see an ad campaign by the EU Commission’s Directorate General for Migration and Home Affairs, which tried to rally support for the proposed ‘chat control’ [CSAM scanning] in the Netherlands,” noyb wrote in a press release.
While the DSA allows for even stricter sanctions for violations, the GDPR’s penalties can still reach up to 4% of global annual turnover. If both regulations are enforced, X could face a double whammy of regulatory sanctions.
The irony in this situation is that the Commission is actually responsible for overseeing DSA compliance on large online platforms like X. However, it doesn’t appear to have asked X to prove its ad targeting business is complying with the regulation. This is likely because some of its own staffers were reportedly breaking these rules.
Although noyb has not filed a DSA complaint against X with the Commission, it has lodged a grievance with the Dutch DPA, as the ads were targeted at X users in the Netherlands and the complainant is Dutch. However, X is headquartered in Ireland, so the Dutch DPA may engage with the Irish Data Protection Commission (DPC) for any GDPR investigation.
As for why noyb has not filed a DSA complaint with the European Commission, a spokesman for the group stated that they haven’t taken that step because their two data protection complaints (against the Commission and X) may lead to cooperation between the two supervisors for a similar case.
Meanwhile, the DPC, which is responsible for overseeing X under the GDPR, has not taken any major action against the company despite concerns over data deletion and the privacy and security of direct messages (DMs) under Musk’s ownership.
Although the Irish regulator has expressed some concerns in the past, the only public penalty it has issued against X was for failing to report a data breach promptly. So it remains to be seen how the DPC will handle noyb’s complaint if it is referred by the Dutch DPA under the GDPR’s one-stop-shop (OSS) rule.