In its latest piece of strategic litigation, the precision-punching European privacy rights campaign group noyb has used data donated by users of the ‘Who Targets me‘ browser extension, which analyzes political microtargeting on Facebook, to build a case against every political party in Germany — for what it alleges is unlawful processing of voters’ personal data via Facebook’s adtech platform during the 2021 federal elections.
Today it’s filed six complaints with Berlin’s data protection commission — one apiece for the Christian Democratic Union (CDU), Alternative for Germany (AFD), SPD, Bündnis 90/Die Grünen, DIE LINKE and the Ecological Democratic Party, suggesting the law-breaking behavior cuts across the political spectrum.
The European Union’s General Data Protection Regulation (GDPR) classes information on political opinions as so-called ‘special category data’ — which has a higher bar for processing (either explicit consent; or it was expressively made public by the data subject themselves; or some vital / public health or other not-for-profit interest applies, none of which looks likely here, given this is Facebook political ads we’re talking about).
noyb says neither Facebook, nor the political parties who paid the tech giant to run microtargeted ads, obtained express consent from the users whose information was processed. Nor had their political views been made expressly public. Hence it asserts the GDPR has been breached.
“We were able to determine that Facebook hadn’t obtained user consent for processing sensitive data and that the parties had targeted users on the basis of (prior) political views,” a noyb spokesperson told us. “Neither the parties, nor Facebook had obtained consent from any of the users.”
“Art. 9 GDPR prohibits the processing of special category data. Both Facebook and the political parties had no legal basis and [couldn’t] rely on any exception to process sensitive data such as political views,” it added.
In a statement, Felix Mikolasch, a privacy lawyer at noyb, also said: “Any data on a person’s political views is protected particularly strictly by the GDPR. Such data is not only extremely sensitive but also allows large-scale manipulation of voters, as Cambridge Analytica has shown.”
Infamously, Facebook does not ask users for permission to process their data for ad-targeting — let alone ask their explicit consent for political ad targeting — and this consent vacuum is the reason why the company was toptechtrends.com/2023/01/04/facebook-instagram-gdpr-forced-consent-final-decisions/”>recently slapped with several GDPR fines over so-called ‘forced consent’ issue (following toptechtrends.com/2018/05/25/facebook-google-face-first-gdpr-complaints-over-forced-consent/”>earlier noyb complaints). The tech giant had sought to claim its microtargeting platform was legal in Europe because users are in a contract with it to receive ads but, late last year, toptechtrends.com/2023/01/12/meta-ads-gdpr-decisions-edpb/”>EU regulators finally slapped that line down.
Despite some very long-running complaints over the Facebook’s consentless tracking, profiling and targeting of users, political parties in the region haven’t stopped to think twice about rushing to partake in the abusive data free-for-all.
In addition to black marks against the lawfulness of Facebook ads processing, the wider issue with microtargeting political messaging at potential voters is it erodes democratic accountability — since individually targeted messages aren’t immediately visible to anyone other than the intended recipient, making it harder for the public to hold political parties to account over what they’re claiming they stand for (or will do). It’s also a boon to anti-democratic voter suppression efforts.
Political campaigns can simply pay Facebook to pump out scores of different messages, promising the world to every type of voter under the sun (based on stuff Facebook has learned about them by tracking their browsing) — or just trying to dissuade people from voting for the opposition — without having to stand by any of these claims once/if they do get elected since there’s no clear public record of what’s been said. (Ad archives are a pretty useless check against microtargeting; no one is going to be able to oversee everything.)
Indeed, messaging that’s sliced and diced via Facebook’s data-driven ad targeting tools inherently lacks consistency. It’s about iterating to achieve maximum engagement. To the point where what’s being promised can literally be entirely contradictory — such as, in one example found in the German targeting data (see below), a political party pledging a commitment to climate action in a message delivered to a voter that Facebook has identified has concerns about the environment while simultaneously promising zero limits on individual freedoms in the name of climate action to a different voter Facebook’s tracking and profiling has inferred is more right-leaning (and thus likely to respond to that totally different appeal). Which is why it’s so problematic for democracy.
The murky world of political ad targeting has thrown up plenty of scandals over the years (e.g. toptechtrends.com/2018/03/16/facebook-suspends-cambridge-analytica-the-data-analysis-firm-that-worked-for-the-trump-campaign/”>Trump and Cambridge Analytica). But it’s fair to say there has been reluctance among lawmakers to grapple with the problem and clean up ‘dirty data’ tactics — likely because, regardless of who’s in or out of power, their political paymasters are also at it.
In the EU, the Commission has proposed toptechtrends.com/2021/11/25/eu-political-ads-transparency-proposal/”>some limits and improved transparency around political ads. But MEPs have recently been pushing for the proposal to go further — and are even talking in terms of amending the law so it kills off political microtargeting — although it toptechtrends.com/2023/02/02/eu-political-ads-transparency-rules-parliament-mandate/”>remains to be seen where the draft EU legislation will finally end up.
noyb’s action looks like a back-up if EU lawmakers fail to come through.
Plus their point is really that an existing EU law — the GDPR — is being breached so what’s needed is actual enforcement to stop the misuse of data. (Or, put another way: Fiddling round the edges with greater transparency into law-breaking isn’t an answer; just order political parties to stop breaking the law through microtargeting right now.)
With so many years of inertia on an issue that’s critical for democratic accountability, and which implicates political parties of all stripes, noyb’s strategic approach (a complaint against every main political party) looks sensible. It’s hoping these complaints, lodged on behalf of five individuals in Germany whose data it identified as being consentlessly processed by Facebook for political ad targeting, will be able to force reform — either via regulatory action; or, perhaps, via a referral up to Europe’s top court which could clarify/cement the line, making it harder for lawmakers to ignore. But, in the near term, it will be up to Berlin’s information commissioner to consider the complaints.
“Our main goal behind this project is to ensure that special category data is protected and not used against us to manipulate our choices,” noyb’s spokesperson added.
Political ad targeting in Germany was rocked by an earlier scandal, after the public broadcaster, ZDF Magazin Royal — which worked with noyb to drum up awareness and encourage citizens to download Who Targets Me so they could share their data for the public interest research into political ad targeting — found that the SPD and certain federal agencies had been using public funds to run political ads on Facebook. (A major no-no.) The SDP told the broadcaster this had been “a mistake”. One which ZDF’s subsequent research suggested had occurred well over 600 times… Which is a neat illustration of how ad platforms like Facebook scale harms.
It also found thousands of political ads missing from the library Facebook maintains — to which the tech giant offered it the excuse that “no system is perfect”.
ZDF Magazin Royal’s research into political ad targeting by German political parties also surfaced various examples of deceptive campaigning being enabled by Facebook’s ad tools — such as the FDP running Facebook ads that directly contradicted each other, showing potential voters with ‘green’ interests an ad under which the party said it was committed to “more climate protection”, while simultaneously showing a different target group (frequent travellers) with a totally different message that there should be no “government measures, restrictions on freedom or bans” when it comes to “major challenges such as climate change”.
Another example it highlights involved a member of parliament for a left-wing political group targeting Facebook ads at ‘questionable’ target groups — such as groups that had expressed an interest in the Russian propaganda channel ‘Russia Today’ (which has of course been toptechtrends.com/2022/03/02/eu-rt-sputnik-ban-live/”>banned in the EU since the Ukraine war).
toptechtrends.com/2023/03/20/facebook-political-ads-germany-gdpr-complaints-noyb/”>Facebook political microtargeting at center of GDPR complaints in Germany by toptechtrends.com/author/natasha-lomas/”>Natasha Lomas originally published on toptechtrends.com/”>TechCrunch