Elon Musk’s X faces new privacy action in Europe over ad targeting
Elon Musk’s X, previously known as Twitter, is facing a new privacy complaint in Europe in relation to its ad targeting tools. The complaint, which is being filed with the Dutch data protection authority by privacy rights not-for-profit noyb, accuses X of not enforcing its own advertising guidelines. Despite X’s terms and conditions prohibiting the use of people’s political affiliations and religious beliefs for ad targeting, an advertiser on the platform, the European Commission, was able to use this type of personal data to target users with ads.

The European Commission used X’s tools to promote a controversial legislative proposal to scan people’s messages for child sexual abuse material (CSAM). noyb has already filed a complaint against the Commission for breaching pan-EU rules. It has now filed a complaint against X too. Felix Mikolasch, a data protection lawyer at noyb, stated that they need enforcement against X as it is a platform used by many others.

The European Union’s General Data Protection Regulation (GDPR) sets strict limits on how sensitive personal data such as political affiliation and religious beliefs may be processed. The recently enacted Digital Services Act (DSA) stipulates that the use of personal data for ad targeting requires consent. X used specially protected data to determine whether people should or should not see an ad campaign by the European Commission’s Directorate General for Migration and Home Affairs. noyb wrote that by enabling this practice, X violated both the GDPR and the DSA.

The European Commission is in charge of overseeing DSA compliance on very large online platforms like X. However, the Commission has not asked X to demonstrate that its ad targeting business is complying with the regulation. noyb confirmed that it has not filed a DSA complaint against X with the Commission. The reason for picking a Netherlands-based privacy authority for the complaint is that the ads were targeted at X users in the country.

X is regionally headquartered in Ireland, so the Netherlands authority would engage with the Irish Data Protection Commission on any GDPR investigation. noyb’s GDPR complaint against X is likely to end up with the Irish privacy watchdog, the DPC. Despite Musk’s controversial decisions, the Irish regulator has not taken stronger actions against the company. X remains established in Ireland, under the DPC’s oversight, allowing the company to benefit from the streamlined oversight afforded by the GDPR’s one-stop-shop. It remains to be seen what the Irish regulator might make of a complaint about X breaching ad targeting rules. The regulator has previously addressed concerns about Twitter’s legal basis for ads when Musk was rumored to be planning to force users to choose between accepting personalized ads or paying a subscription. If noyb’s complaint boils down to X failing to uphold its own advertiser terms and conditions, it would be a cut-and-dried case.