You remember the browser extension Who Targets Me from the privacy activists at Noyb? The group yesterday filed serious complaints based on logs from the expansion that six German political parties violated European data law when they targeted voters on Facebook's adtech platform.
The group claims the GDPR breach took place during the country's 2021 federal election and filed six complaints yesterday with the Berlin and Bavarian data protection authorities against a number of parties spanning the entire German political spectrum. The parties SPD (centre-left), AfD (right, Eurosceptic), CDU (Christian, centre-right), Bündnis 90/Die Grünen (ecological green party, centre-left), die Linke (democratic socialist) and ÖDP (the eco-democrat party) are reportedly accused and all have seats in the Bundestag, the German parliament.
Targeted advertising based on certain characteristics is not illegal "in and of itself", the campaigners conceded. However, Noyb's team claims that the users were selected because Facebook had "assessed their political opinions in the background".
Political opinions are protected under Article 9 of the European General Data Protection Regulation, reports the Noyb group, which claims that all the parties we mentioned above and the social network violated the GDPR by running political ads. Noyb confirmed that it had not filed a complaint against Facebook parent Meta in this case.
At the core of these complaints appear to be allegations that the political parties were trying to steal voters from each other by targeting people who were known to be interested in another political party.
The complaint against the left-wing Die Linke org [PDF], for example, claims to have targeted a voter known to be interested in Bündnis 90/Die Grünen (Greens).
The complaint alleges:
According to this recorded information, the ad targeted female voters who were known to be living in Germany, aged up to 53 and interested in “Bündnis 90 /Die Grünen”.
Noyb (None of Your Business) was founded by Max Schrems, the lawyer who filed the complaint that ultimately led to the downfall of the EU-US Safe Harbor data transfer system, and has been working on a number of focused data protection campaigns over the years.
Schrems is a big figure in Europe's digital rights scene. Facebook was part of two landmark complaints (Schrems I, Safe Harbor in the upcoming years, while Schrems II Privacy Shield), which forced many changes in how US and European companies must protect sensitive data in public clouds, but also how they manage personal data in general.