The European Union, that sanctimonious beacon of regulation and rule of law, just got caught violating its own sacred privacy laws.
This week, the EU’s executive arm, the European Commission, took an embarrassing hit when the European Data Protection Supervisor (EDPS) confirmed what everyone already suspected: their micro-targeted ad campaign on X was a flagrant breach of EU data protection rules.
It was all done to sell a deeply controversial legislative proposal that critics argue would eviscerate digital privacy under the guise of fighting child abuse material (CSAM). Yes, that’s right, the EU violated privacy to push a law that would violate privacy.
We obtained a copy of the decision for you here.
Privacy for Thee, But Not for Me
Let’s rewind to the fall of 2023 when the Commission’s Directorate General for Migration and Home Affairs launched a propaganda blitz to promote its “Chat Control” proposal. The plan? To force messaging platforms to scan every single user’s communication for traces of CSAM. Noble cause? Sure. But the implementation? A privacy nightmare. Think of it as a digital TSA rummaging through your private messages while muttering something about “public safety.”
Critics weren’t buying it. Civil rights groups and privacy advocates warned the proposal would shred end-to-end encryption—turning every private conversation into potential evidence in a perpetual surveillance state. Some even argued the plan was legally dubious, as it brushed up against EU principles that protect free expression and privacy. But instead of engaging in a debate, the Commission went full Orwell, rolling out targeted ads designed to soften public resistance.
And where better to run this charm offensive than X? The Commission’s campaign used micro-targeting to tailor its message, processing citizens’ sensitive political data in the process. For an institution that prides itself on regulating Big Tech, it’s a bit like lecturing your neighbor about noise complaints while blasting heavy metal at 2 a.m.
Noyb and the EDPS Drop the Hammer (Sort Of)
Unsurprisingly, this Orwellian escapade didn’t sit well with privacy advocates. No sooner had the campaign launched than regional nonprofit noyb—short for “none of your business”—filed a complaint. They accused the Commission of engaging in “unlawful micro-targeting” by processing citizens’ political views without consent.
Fast forward to December 2024, and the EDPS has validated noyb’s concerns, declaring the campaign unlawful. But here’s where it gets laughable: the punishment. The Commission gets off with a sternly worded letter—no fine, no tangible consequences, just a bureaucratic slap on the wrist. It’s like catching a bank robber red-handed and sentencing them to write an essay on why stealing is bad.
Irony Doesn’t Even Begin to Cover It
The optics of this scandal are stunning. This is the same European Commission that has spent the last decade crafting some of the strictest privacy laws in the world. Remember GDPR, the regulation that made CEOs lose sleep and showered inboxes with “we’ve updated our privacy policy” emails? That was their baby. And yet, when it came to their own shady ad tactics, the rules somehow didn’t apply.
If anything, this fiasco reveals the widening gap between the EU’s lofty rhetoric on privacy and its real-world behavior. The Commission routinely paints itself as the defender of citizens’ rights against the excesses of Silicon Valley. But when push comes to shove, they seem perfectly willing to dip their hands into the same Big Data cookie jar they claim to regulate.
What Now?
The EDPS ruling may not carry financial penalties, but the reputational damage is already piling up. For one, it undermines the EU’s credibility in regulating tech giants. After all, how can Brussels wag its finger at Meta or Google for privacy violations when it’s guilty of the same?
And let’s not forget the broader implications for the Commission’s “Chat Control” proposal. If the public wasn’t already skeptical, this scandal has poured gasoline on the fire. Opposition groups will undoubtedly use this incident as Exhibit A in their argument that the EU’s surveillance agenda is both dangerous and hypocritical.
