Many Europeans are fearful of the creation of a super-state which could harness the power of networks to continuously monitor all citizens. This fuels resistance to European Union proposals for the mandatory scanning of all e-mails and direct messages, including those which are encrypted end-to-end. Opponents refer to these proposals as ‘Chat Control’ because they would limit online chat. Whilst the nominal goal of the scanning would be the identification of content that sexually exploits children, many critics observe that the same surveillance infrastructure could be used for other purposes after it has been implemented. But now European Commissioner Ylva Johansson (pictured) has stirred up the ire of privacy advocates by running a social media advertising campaign that broke existing privacy laws. These adverts were designed to pressure national governments into supporting her proposed Child Sexual Abuse Regulation (CSAR), which would mandate the automated scanning of all e-mails and direct messages.
There will be many reasonable people amongst both the supporters and opponents of the CSAR proposals. However, what is not defensible is for the EU to abuse its own laws in order to promote one side of the argument. It is a further abuse to target adverts at the populations of countries where the democratically-elected governments had criticized the proposals. A comprehensive investigation by technology expert Danny Mekić has conclusively shown that the European Commission used microtargeted adverts to encourage support for its proposals in countries which had voiced doubts about them during a European Council meeting. Mekić further argues the choice of the audience segments selected for adverts shown on X, formerly known as Twitter, is a violation of EU laws that limit how sensitive data can be used. Such laws prohibit the frivolous use of personal data regarding a person’s political or religious beliefs, and thus create an obstacle to microtargeting adverts according to those beliefs. Per Mekić:
After excluding critical political and religious groups, X’s algorithm was set to find people in the remaining population who were indeed interested in the ad message, resulting in an uncritical echo chamber. This microtargeting on political and religious beliefs violates X’s advertising policy, the Digital Services Act — which the Commission itself has to oversee — and the General Data Protection Regulation.
The adverts on X were produced in multiple languages and used emotionally-charged images of children juxtaposed with adults who may be construed to be predators. They also used a tactic often exploited by scammers too: an insistence that ‘time is running out’ and the sound of a clock ticking, thus requiring the viewer to act immediately. The implied action would be lobbying the national governments that had sought reforms of the proposals during a September 14 meeting of the European Council. The adverts are still visible on Twitter; one example can be found here.
Mekić found that targeted ads had been run in Belgium, the Czech Republic, Finland, the Netherlands, Portugal, Slovenia and Sweden, all countries which had questioned the current proposals per leaked notes (in German) of the September 14 European Council meeting. The EU Home Affairs team headed by European Commissioner Ylva Johansson responded to the criticism of their proposal by instigating the adverts on X just one day later.
Microtargeting involves choosing user characteristics that are deliberately included or excluded when algorithms select who will see online adverts. Mekić reviewed the transparency reports of X to identify which characteristics had been selected by the campaign run by the EU Home Affairs team. The following are related to political and religious beliefs, and thus represent sensitive data per GDPR. Users were excluded from seeing the adverts if they were interested in the following:
- Christianity
- Julian Assange
- Brexit and its Dutch and Spanish equivalents, Nexit and Spanexit
- Victor Orbán
- Nigel Farage
- Alternative für Deutschland (AfD), a German right-wing political party
German MEP Patrick Breyer, a critic of Chat Control, agreed that the European Commission’s adverts had broken the law.
#ChatControlGate: Nach erstem Fehlschlag der #Chatkontrolle im Rat manipuliert die EU-Kommission nach Lobbyisten-Art die öffentliche Meinung in kritischen Ländern mithilfe verbotenem Microtargeting und unter Überschreitung ihrer Kompetenzen. https://t.co/phMHsPXWiZ 🧵
— Patrick Breyer #JoinMastodon (@echo_pbreyer) October 13, 2023
Commissioner Johansson insisted no law had been broken by her team, but provided no explanation of how she interpreted those laws to permit what had been done in practice.
As my services have been directly accused of illegal acts👇 I think it is import I step in:
1. @EUHomeAffairs have followed the guidelines & the law 100%
2. The promotion of our proposal is standard normal practice
3. This proposal is about protecting children from sexual abuse https://t.co/zSSAu3684P— Ylva Johansson (@YlvaJohansson) October 13, 2023
Ylva Johansson is a career politician who was elected to Sweden’s parliament in 1988, when she was 24 years old. She represented the Communists at that time, but later defected to the Social Democrats, a larger party which has dominated the Swedish political landscape since WW2. Johansson has remained on the hard left throughout her time in politics, but was rewarded for her loyalty in 2019 when Prime Minister Stefan Löfven nominated her as Sweden’s candidate for the European Commission. Her proposed CSAR regulation has been subject to prolonged criticism from numerous groups concerned about the implications for privacy. This includes a European Parliament impact assessment which concluded that no technology could satisfy the scanning requirements without having an unacceptably high error rate. They also found that the proposal would undermine end-to-end encryption and the security of messaging. The proposal was also criticized by the Council of the European Union’s Legal Service, who said it conflicted with laws that protect the right to a private life and prohibit mass retention of data.
Johansson’s argument that her adverts were not illegal must hinge on a contentious interpretation of existing privacy law. Put simply, data controllers should only process sensitive personal data, including political and religious beliefs, for one of several narrowly-defined reasons. Improving the targeting of adverts is not one of those reasons. If Johansson believes her adverts were legal then she must be seeking to create a distinction between a user’s interest in topics like Brexit or Julian Assange and their political beliefs. GDPR is too new to be subject to much case law. However, it would make a mockery of the law if a judge ever concluded it was legal to discriminate between people on the basis of which political figures they are interested in, as somehow separate to discrimination according to their political beliefs. Anyhow, the inclusion of Christianity as a reason to exclude social media users from receiving an advert would still be blatant discrimination according to their religious beliefs.
It is unlikely that Johansson will ever suffer any embarrassment as a consequence of her law-breaking. The European Commission has a track record of acting unlawfully with respect to EU data protection law, but it can take a decade for this to be proven in court. National data protection agencies have no stomach for fighting the European Commission and civil societies must carry a heavy burden when fighting the European Commission through the EU’s own legal system. The greater impact will come from the negative reaction of those national governments that were undermined by an EU-funded advertising campaign. The European Commission put itself in the position of actively stirring up dissent against seven democratically-elected governments, including the Swedish coalition government that succeeded Johansson’s party after the 2022 general election.
Fans of the European Union often exhibit double standards when it comes to privacy. They wail about US corporations gobbling up personal data but go silent when there are abuses by politicians who claim to protect them. If a hard-right politician like Viktor Orbán demands greater surveillance powers then a typical Europhile will have a markedly different reaction to when a hard-left member of the European Commission demands the same. Johansson was conscious that voters who worry about EU authoritarianism would be more hostile to her demands for a massive increase to EU-wide surveillance capabilities, so her team sought only to motivate voters who are more sympathetic to the EU.
This incident is further proof that the EU does not have a democratic government, not that further proof should be required. The European Parliament is directly elected, but is the weakest of the three bodies that determine EU policy. It has repeatedly indicated it will oppose Johansson’s proposals. The European Council represents democratically-elected national governments but works by seeking compromise between them. Enough members of the Council expressed reservations about Johansson’s proposals to effectively block them. Johansson is a member of the executive body, the European Commission, which is not elected. She, and the Commission, is appointed through a process that relies on political horse-trading between Europe’s most influential national governments. But Johansson is trusted with the executive responsibility for formulating and driving the adoption of a policy that could open the door for pervasive automated surveillance of every phone and computer. She also has control of resources used to influence public opinion on the matter.
Supporters of the EU should wake up and stop being so naïve about privacy. Many still maintain a hazy rose-tinted conviction that there is no risk when an ex-Communist hardliner is given the remit to roll out a massively upgraded infrastructure for comms surveillance across the whole of the EU. They maintain the conviction that nothing can go wrong because of a childishly simplistic conviction that everybody governing the EU must mean well. I can accept that a democratically-elected government may have a mandate to implement surveillance of this type, even though I would always disagree with it. The undemocratic nature of the European Union means it should never be trusted with powers like these, and the unlawful behavior of Commissioner Johansson demonstrates why.
Danny Mekić’s research into the adverts placed by the EU Home Affairs function, including meticulous cross-references, can be found here.



