Civil society files joint DSA complaint against X for targeting people with ads using their sensitive personal data
Nine civil society organisations, including EDRi, submitted a complaint against X for violating the Digital Services Act (DSA) by using people’s sensitive personal data for targeted ads. Together, we are calling for Digital Services Coordinators and the European Commission to promptly investigate X, and hold it to accountable for undermining users’ fundamental rights.
Joint complaint based on research by AI Forensics on X’s use of sensitive personal information
On July 14, EDRi, AI Forensics, Centre for Democracy and Technology Europe, Entropy, Gesellschaft für Freiheitsrechte e.V. (GFF), Global Witness, Panoptykon Foundation, Bits of Freedom, and VoxPublic lodged a formal complaint about violations of Article 26(3) of the Digital Services Act (DSA) by X (formerly Twitter).
AIF investigated X’s Ad Repository and found that X allowed major brands as well as public and financial institutions to target online advertising based on especially sensitive categories of personal data that are protected by the GDPR, such as political opinions, sexual orientation, religious beliefs and health conditions. This type of data is considered inherently sensitive because it can reveal deeply personal aspects of a person’s identity, and can lead to increased risk of discrimination, harm and violations of users’ fundamental rights.
The use of such sensitive data by online platforms for targeted advertising is prohibited under the DSA.
Examples of harm found illustrate the need for DSA ban
For instance, AIF uncovered that X allowed Shein, the fast fashion company, to run ads targeting users interested in French far-left politics. X allowed Total Energies, the multinational energy and petroleum company, to run ads on its platform excluding users interested in ecologist political figures. X enabled McDonalds, the fast food chain, to run ads excluding X users interested in McDonalds own trade union as well users with interest for antidepressants and suicide.
Additionally, thanks to a tool developed by AIF that empowers the general public to determine if X showed them ads targeted on their sensitive personal data, it was uncovered that the platform allowed Brussels Signal, a media company with close ties to European right-wing parties, to run ads specifically targeting users with interests in far-right parties and political figures, presumably to promote the far-right in Europe.
These examples make is clear why the DSA includes a clear prohibition on advertising based on profiling using sensitive data: allowing advertisers to use such data to target users opens the door for a myriad of abuses, such as interest groups trying to secretly manipulate public opinion in ways that can threaten online civic discourse and undermine the democratic process.
What now?
The civil society organisations have filed the complaint with Digital Services Coordintaotrs in France, Germany and the Netherlands and call on these authorities to protect people and communities from discriminatory or exploitative profiling that undermines their rights by promptly investigating X’s behaviour.
Platforms operating at the scale and influence of X must be held to the highest standards of compliance to EU’s laws. As organisations committed to digital rights, transparency, and democratic integrity, we will continue to monitor developments closely and support the enforcement of the DSA.
The DSA, while imperfect, can be a powerful tool to hold platforms accountable, as we learnt through previous DSA complaints filed against LinkedIn and X, both of which led to wins for our rights online.