GDPR complaint against X (Twitter) over illegal micro-targeting for chat control ads

Today, noyb filed a complaint against X (Twitter) for unlawfully using the political views and religious beliefs of its users for targeted advertising. The company used this specially protected data to determine whether people should or should not see an ad campaign by the EU Commission’s Directorate General for Migration and Home Affairs, which tried to rally support for the proposed “chat control” in the Netherlands. In November, this unlawful use of micro-targeting already prompted noyb to file a complaint against the EU Commission itself. Now, noyb follows up with a complaint against X. By enabling this practice in the first place, the company violated both the GDPR and the DSA.

X abuses sensitive data for targeted ads. X (Twitter) harvests sensitive data such as political views and religious beliefs by monitoring user behavior such as clicks, likes and replies to postings on the platform. In September 2023, the EU Commission used this exact information to promote the highly controversial proposed chat control regulation on X. The platform’s targeting system allowed the Commission to target users based on political views and religious beliefs. To be specific: The ad campaign in question targeted X users who weren’t interested in keywords like brexit, Nigel Farage or Giorgia Meloni.

A meaningless ban. In theory, this violation shouldn’t even be possible: X states in its advertising guidelines that political affiliation and religious beliefs should not be used for the purpose of ad targeting. In reality, it seems that X is not enforcing the ban in any way, making it practically meaningless. The EU Commission’s campaign was shown to at least several hundred thousand Dutch X users. The post in question is still available here.

Maartje de Graaf, data protection lawyer at noyb: “On paper, X prohibits the use of sensitive data for political ads, but in reality they still profit from techniques that we know are harmful ever since the Cambridge Analytica scandal in 2018.”

A violation of both the GDPR and DSA. People’s political opinions and religious beliefs are specifically protected under the GDPR. Although this means that these data categories can only be legally processed under certain circumstances, they were used to target X users in the Commission’s ad campaign. This violates not only the GDPR but also the Digital Services Act (DSA). noyb therefore lodged a complaint with the Dutch DPA. Given the seriousness of the violations and the large number of affected X users, noyb also suggests that the competent authority should impose a fine.

Felix Mikolasch, data protection lawyer at noyb: “After we filed our first complaint in this matter, the EU Commission has already confirmed to stop advertising on X. However, to put an end to this in general, we need enforcement against X as a platform used by many others.”