Bundestag Bungle: Political Microtargeting of Facebook Users Draws Ire
With shades of the Cambridge Analytica scandal, German political parties skirted consumer data privacy regulations during the country's last parliamentary election, a privacy watchdog warns.
March 23, 2023
German politicians and political parties have been using data about Facebook users' political preferences to deliver microtargeted advertisements, a watchdog group is alleging — in direct violation of the European Union's General Data Protection Regulation.
On March 21, the European Center for Digital Rights (or "NOYB," short for "none of your business") filed complaints against six of the eight parties represented in the German parliament — the Bundestag — for various violations of Article 9 of GDPR. Article 9 states that:
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
Put simply: Political advertising is perfectly legal in Europe, but collecting data about, and delivering advertisements based on, users' perceived political opinions is not.
"Any data on a person's political views is protected particularly strictly by the GDPR," wrote Felix Mikolasch, privacy lawyer at NOYB. "Such data is not only extremely sensitive, but also allows large-scale manipulation of voters, as Cambridge Analytica has shown."
Infamously, Cambridge Analytica was a digital marketing firm whose covert data mining app wormed its way through Facebook in the mid-2010s, collecting information relevant to the political preferences of hundreds of millions of Americans and fueling the presidential campaign of Donald Trump.
How We Got Here
It wasn't regulators, security analysts, or activists who discovered the data privacy problem in German politics.
In April 2021, NOYB founder Max Schrems teamed up with the late-night talk show ZDF Magazin Royale, prompting the audience to download Who Targets Me, a browser extension for tracking targeted political advertising. According to ZDF, more than 17,451 German citizens heeded that call during their country's 2021 election cycle, with the extensions collectively counting 2 million targeted ads in all.
In its Sept. 24, 2021 episode, ZDF revealed some of the more shocking results of an analysis of the browser extension's tracking.
For example, Diether Dehm — former Stasi collaborator and current member of the Left Party — ran ads "directed at people who are interested in the Russian propaganda channel 'Russia Today' or the conspiracy theorist Ken Jebsen," ZDF explained (translated via Google Translate), "in which he sows doubts about corona vaccines developed in the West."
The results also showed official government agencies participating in the game. "It is obvious that some authorities are thereby violating a judgment of the Federal Constitutional Court," ZDF explained, which "prohibits state organs 'using state resources' to support or fight political parties, in particular, to influence the voter's decision through advertising."
In one more humorous instance, the Free Democratic Party (FDP) "placed Facebook ads that contradict each other in terms of content. For people with 'green' interests, the FDP showed an advertisement according to which the party is committed to 'more climate protection' with the help of a state CO2 limit. At the same time, the FDP placed a Facebook ad on the target group 'frequent travelers' with a different message: No 'state measures, restrictions on freedom or bans' when it comes to 'major challenges such as climate change.'"
For their clear violations of GDPR and German law, NOYB, on March 21, filed formal complaints with six political parties: the AfD, Bündnis 90/Die Grünen, CDU, Die Linke, ÖDP, and SPD.
Are Global Data Privacy Regulations Clear Enough?
That data privacy compromise is so common across German politics may be due to disregard for the law. But, for many organizations, the same failures occur more often due to misunderstandings.
For as much as regulations like GDPR, the California Consumer Privacy Act, and other regulatory standards in recent years have done for consumers, they've also created a maze for organizations.
"Despite the intent of creating a comprehensive and clear EU-wide standard," says Dena Kozanas, associate general counsel and chief privacy official for MITRE, "there can remain confusion in how it is enforced with each individual Data Protection Authority."
Multinational enterprises have the most to deal with here, as the rules in the EU and around the world are vastly different. Even within the US, small and midsized businesses can struggle with different policies across states.
There are a few ways to address the problem, experts say.
A wealthy enough corporation might simply ignore the rules and eat the fines. Facebook has chosen this option many times before.
Most enterprises and governments will need to act with more tact, potentially investing into legal, operational, and software protections unique to each set of standards.
Alternatively, "what you will see in many enterprises is that they look to the country with the highest standard and aim to meet that," Kozanas says, "even if it is not required in all countries or states. Typically, hitting that high water mark can inoculate an enterprise from various regulatory regimes."
"Regardless of the legal matter being litigated," she concludes, "the fact is that this law was intended to reduce confusion but has not yet fulfilled that promise."
About the Author
You May Also Like
DevSecOps/AWS
Oct 17, 2024Social Engineering: New Tricks, New Threats, New Defenses
Oct 23, 202410 Emerging Vulnerabilities Every Enterprise Should Know
Oct 30, 2024Simplify Data Security with Automation
Oct 31, 2024Unleashing AI to Assess Cyber Security Risk
Nov 12, 2024