Elon Musk’s X, the social media platform previously referred to as Twitter, is dealing with a privacy that is new in Europe related to its ad targeting tools. The complaint, which is being lodged with the Dutch data protection authority by privacy rights not-for-profit noyb, accuses X of failing to enforce its own its advertising guidelines.

While X’s T&Cs prohibit people’s political affiliations and/or religious beliefs being used to target them with ads, an advertiser on its platform — actually the European Commission itself, no less (awks!) — was able to use exactly this kind of sensitive personal data to target users with ads.

The bloc’s staffers used X’s tools in this way in order to promote a controversial proposal that is legislative scan people’s communications for youngster intimate misuse material (CSAM).

As we reported month that is last noyb already filed a complaint against the Commission for apparently breaching pan-EU rules it helped to draw up. It’s now followed up by filing a complaint against X too. The EU Commission has already confirmed to stop advertising on X“After we filed our first complaint in this matter. But, to place an final end to this in general, we need enforcement against X as a platform used by many others,” said Felix Mikolasch, data protection lawyer at noyb, in a statement.

As well as the EU’s General Data Protection Regulation (GDPR) setting strict limits on how sensitive personal data such as political affiliation and religious beliefs may be processed — requiring those wanting to do this obtain the consent that is explicit of individuals at issue — the bloc’s recently enacted Digital providers Act (DSA) stipulates which use of individual information for advertisement focusing on needs permission. Yet the users of X whoever data ended up being prepared weren’t clearly expected to consent to this utilization of their particular info.

“[X] utilized this particularly shielded information to find out whether individuals should or must not see an ad promotion because of the EU Commission’s Directorate General for Migration and Residence matters, which attempted to rally assistance for the recommended ‘chat control’ [CSAM scanning] into the Netherlands,” noyb had written in a press launch. “In November, this use that is unlawful of already prompted noyb to file a complaint against the EU Commission itself. Now, noyb follows up with a complaint against X. The company violated both the GDPR and the DSA.”

In a particularly ironic twist, the Commission is actually in charge of overseeing DSA compliance on so-called very large online platforms (VLOPs) like, er, X.

Indeed, in recent months, since the DSA came into force on VLOPs, the EU’s executive has been pressing X over compliance — specifically over concerns about the spread of illegal content and disinformation on the platform related to the Israel-Hamas war by enabling this practice in the first place.  But — funnily adequate — the Commission does not may actually have expected X to show its advertising targeting business is complying because of the legislation. (Nevertheless, provided a few of its staffers that are own apparently busy breaking these rules it’s perhaps not too surprising?)

noyb confirmed to us it hasn’t filed a DSA complaint against X with the Commission; it’s limited its action to lodging a grievance with the Dutch DPA. It said the reason it’s picked a privacy that is netherlands-based for giving the grievance is basically because the questionable adverts had been geared towards X people in the united kingdom; plus the complainant noyb is promoting to help make the issue is Dutch. But X is regionally based in Ireland, so that it’s most likely holland authority would engage the Irish Data Protection Commission (DPC) on any GDPR examination of illegal information handling for advertising targeting.

But exactly why is noyb that is n’t a DSA complaint about X with the European Commission? A spokesman for the not-for-profit told us it’s not taken that step as the two data protection complaints it’s now made — i.e., one against the Commission filed to the EDPS (European Data Protection Supervisor, which oversees EU institutions’ compliance with the rules); and one against X sent now to a national DPA — could lead to cooperation between these data supervisors “on an case” that is almost identical

“It stays to be noticed in the event that Commission usually takes activity against X it self underneath the DSA,” noyb further included.

While charges for violations regarding the GDPR can scale-up to 4% of worldwide turnover that is annual the DSA’s regime allows for even larger sanctions — of up to 6%. So if enforcement action is taken under both regimes Musk’s company could face a whammy that is double of sanctions. (GDPR-DSA sandwich any person?)

The Commission ended up being called for an update by itself investigation that is internal the controversial CSAM proposal ads targeting; and to ask whether it will be taking action against X, in its capacity as enforcer of the DSA on VLOPs, for accepting the unlawful ads. But a spokesman for the EU’s executive declined to provide an update “at the moment” — instead they reiterated the Commission’s earlier decision to advise its internal services to stop all types of paid communications on X.

Irish GDPR oversight of X

As noted above, noyb’s GDPR complaint against X, meanwhile, is likely to end up on the desk of the privacy that is irish, the DPC.

Since Musk took over Twitter and go about imposing their unique stamp in the organization (as well as its item), the DPC has actually answered by simply making various community noises within the aftermath of specific questionable choices because of the owner that is new such as Musk’s decision to let outside journalists access Twitter data; or his rolling out of a paid verification feature in the EU without prior notice; or not informing the watchdog when the DPO resigned — but the Irish regulator appears to have held back from harder interventions on the company. This is despite growing privacy concerns in areas like data deletion and the security and privacy of direct communications (DMs) under Musk’s ownership of Twitter/X.

Additionally, Musk’s X stays primary created in Ireland, underneath the DPC’s lead supervision. It keeps this standing inspite of the US-based billionaire’s leadership that is erratic unilateral decision-making — which have thrown up doubts that product decisions affecting EU users are really getting meaningful local input, as should be the case for X to claim main establishment locally. The designation is important as it allows the company continue to shrink its regulatory risk in the EU by benefiting from the oversight that is streamlined because of the GDPR’s one-stop-shop (OSS).

Again, apart from various community expressions of issue during the early months of Musk’s takeover, the regulator that is irish not rocked the company’s boat here.

Looking further back, since the GDPR came into force, the DPC has issued just one penalty that is public Twitter, given that organization ended up being nevertheless known as during the time of the sanction the full three-years ago. The punishment contains a superb of approximately $550k for failing woefully to immediately report a data breach. It remains to be seen what the DPC might make of a complaint about X breaching ad targeting rules — assuming noyb’s latest strategic action ends up being referred to Ireland by the Dutch DPA, as seems likely under the OSS rules so it’s fair to say the platform has had a pretty smooth ride under Irish privacy oversight to-date, even with Musk taking over steering the ship.(*)Still. The regulator has previously paid some mind to concerns about Twitter/X’s basis that is legal adverts whenever Musk ended up being reported is intending to force people to select between accepting customized ads or having to pay him a subscription.(*)A cut-and-dried situation of X failing woefully to support its very own advertiser T&Cs — if, certainly, that is exactly what noyb’s complaint comes down to — appears much more simple than that.(*)

About Author /