German political parties accused of microtargeting voters on Facebook

Remember the Who Targets Me browser extension from privacy activists at Noyb? The group yesterday filed explosive complaints based on log records from the extension that claim six of Germany's political parties broke European data law when they targeted voters on Facebook's adtech platform.

The group is claiming the allegedly GDPR-busting activity took place during the country's 2021 federal elections, and filed six complaints yesterday with the Berlin and Bavarian data protection watchdogs against parties spanning the entire German political spectrum. So that's SPD (center left), AfD (right-wing, Eurosceptic), the CDU (Christian, center right), Bündnis 90/Die Grünen (eco green party, center left), die Linke (democratic socialist), and ÖDP (the eco democrat party). Of the parties that have seats in the Bundestag, Germany's parliament, just two didn't see a filing yesterday: the FDP and the CSU.

Targeted advertising based on certain characteristics is not unlawful "per se," the activists admitted. However, Noyb is claiming the users were selected because Facebook had "evaluated their political views in the background."

Political opinions are specifically protected under Article 9 of Europe's General Data Protection Regulation, says Noyb, which claims both the parties and the social network violated the GDPR by running the ads. Noyb confirmed it hadn't filed a complaint against Facebook parent Meta in this particular case – presumably it has enough Meta/Facebook complaints on the boil.

At the core of these complaints appears to be allegations the political parties were trying to nick voters from each other by targeting people known to be interested in another political party.

The complaint against the leftwing Die Linke org [PDF], for example, alleges it targeted a voter it knew to be interested in Bündnis 90/Die Grünen (the Greens).

The filing alleges (translated from the German):

The complaints claim that "a derived interest – i.e. calculated or extrapolated from other information – in a specific political current is to be regarded as a special category of personal data."

Our understanding is you have to be 13 to open a Facebook account, so we've asked Noyb about the wording here. Meta has been accused of targeting the youth, but six sounds very young indeed, and especially young to care about politics. Noyb confirmed it was alleging the ad may be displayed to any female "in this age bracket," but added: "However, this does not necessarily mean that Facebook accepts users that are that young."

Noyb (None of Your Business) was founded by Max Schrems, the lawyer who filed the complaint that ultimately led to the fall of EU-US Safe Harbor data transfer system, and has been working on a number of focused data protection campaigns over the years.

Schrems is a big presence on the Euro digital rights scene, whose raison d'être is to push back against data-slurping by Silicon Valley's tech platforms. Facebook was a big part of two landmark judgments (Schrems I, the Safe Harbor one, and Schrems II, the Privacy Shield one), both of which forced through plenty of changes on how American and European companies must secure sensitive data in public clouds and how they handle personal data more generally.

Microtargeting – as the redacted complaints point out – was reportedly used by Cambridge Analytica during the 2016 US presidential election, and is said to have played its part in the narrow victory of Donald Trump in various US states. Meanwhile, in the UK, after the Brexit referendum, microtargeting was probed by the UK Information Commissioner's Office and sanctioned by several companies and parties.

We asked the political parties for comment. Die Linke said (translated from the German) that it generally does not provide companies such as Facebook and Google with any personal data, use "dark posts", or other questionable means such as Cambridge Analytica has reportedly used. It added that it hadn't been aware of the specific complaint and will now examine it legally.

An SPD spokesman, meanwhile, said the party does not use microtargeting. In a statement, translated from German, they added: "The tailoring of our campaigns is based on socio-demographic characteristics, in particular gender, language and age preferences, as well as occupation and interests. Ads can also target regions. For reasons of transparency and data protection, the SPD does not use tools such as Facebook Pixel or Facebook SDK."

AfD told us it does not use micro-targeting strategies, adding that it hadn't used any micro-targeting strategies during the federal election either.

The CDU, the ÖDP and Bündnis 90/Die Grünen hadn't responded by the time of publication. ®