Privacy Complaint Filed Against Elon Musk’s X

Elon Musk’s X (formerly Twitter) faces more legal trouble, after a digital rights group filed a complaint against it with the Dutch data protection authority.

The digital rights group NOYB (None Of Your Business), co-founded by privacy activist Max Schrems, said it had filed the complaint “against X (Twitter) for unlawfully using the political views and religious beliefs of its users for targeted advertising.”

Last month NOYB had also filed a complaint about a paid ad-free subscription being offered by Mark Zuckerburg’s Meta Platforms – a move as Meta seeks to comply with new European privacy legislation.

X complaint

Now NOYB is alleging in its new complaint that X is mining people’s political and religious data in order to deliver them targetted adverts.

The complaint alleges that X showed Max Schrems an ad from the European Commission that promoted online content regulation to tackle child sexual abuse and the grooming of children online.

Schrems alleged the ad explicitly targets users from the Netherlands and excludes 44 “targeting segments,” such as political parties such as Alternative for Germany, Vox, Sinn Fein, and the English Defense League, as well as far-right politicians Viktor Orban and Marine Le Pen.

NOYB alleged that X used this specially protected data to determine whether people should or should not see an ad campaign by the EU Commission’s Directorate General for Migration and Home Affairs, which tried to rally support for the proposed “chat control” in the Netherlands.

NOYB said this “unlawful use of micro-targeting” in November had prompted it to also file a complaint against the EU Commission itself.

Now it had followed this up with a complaint against X.

Complaint allegations

NOYB alleges that by enabling this practice in the first place, X violated both the GDPR (General Data Protection Regulation) and the DSA (Digital Service Act).

The group said that people’s political opinions and religious beliefs are specifically protected under the GDPR. “Although this means that these data categories can only be legally processed under certain circumstances, they were used to target X users in the Commission’s ad campaign. This does not only violate the GDPR, but also the Digital Services Act (DSA).”

NOYB alleged that “X abuses sensitive data for targeted ads. X (Twitter) harvests sensitive data such as political view and religious beliefs by monitoring user behaviour such as clicks, likes and replies to postings on the platform. In September 2023, the EU Commission used this exact information to promote the highly controversial proposed chat control regulation on X.”

“On paper, X prohibits the use of sensitive data for political ads, but in reality they still profit from techniques that we know are harmful every since the Cambridge Analytica scandal in 2018,” said Maartje de Graaf, data protection lawyer at NOYB.

“After we filed our first complaint in this matter, the EU Commission has already confirmed to stop advertising on X,” added Felix Mikolasch, data protection lawyer at NOYB. “However, to put an end to this in general, we need enforcement against X as a platform used by many others.”

EC response

Elon Musk’s X did not respond when contacted by by the news website CNBC.

But the European Commission reportedly replied to a CNBC email, in which it said that it was aware of reports of the campaign and was conducting a “thorough review.”

“Internally, we provide regularly updated guidance to ensure our social media managers are familiar with the rules and that external contractors also apply them in full,” the Commission said.

“Also, in view of an alarming increase in disinformation and hate speech on social media platforms in recent weeks, we advised Commission services already back in October to refrain from advertising at this stage on X.”

The Commission added that, under its Digital Services Act, platforms including X “must not display targeted advertisements based on the sensitive data of a user.”

The complaint could ultimately lead to a full-blown investigation under the European Union’s General Data Protection, a strict EU privacy regulation passed by the bloc in 2016 – that came into force in 2018.

Under GDPR, firms can be fined up to 4 percent of their global annual revenues for breaches.