EDPS - 2023-1205
EDPS - 2023-1205 | |
---|---|
Authority: | EDPS |
Jurisdiction: | European Union |
Relevant Law: | Article 10 Article 26 Article 4 Article 5 |
Type: | Complaint |
Outcome: | Upheld |
Started: | 16.11.2023 |
Decided: | 13.12.2024 |
Published: | |
Fine: | n/a |
Parties: | European Commission |
National Case Number/Name: | 2023-1205 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | English |
Original Source: | GDPRhub (in EN) |
Initial Contributor: | ao |
The EDPS issued a reprimand to the European Commission for unlawfully targeting X users based on their political views in order to promote a legislative proposal.
English Summary
Facts
The campaign
From the 15 to the 28 September 2023, the Commission ran a targeted advertising campaign on X focussing on users in eight Member States. The campaign aimed at communicating the proposal for a Regulation laying down rules to fight and prevent child sexual abuse, the so-called “Chat Control Regulation”.
The Commission, here the controller, carried out the campaign through an external contractor. For its targeting strategy, the Commission defined certain inclusion and exclusion keywords and accounts affiliated with political interests. The exclusion words selected by the Commission showed to exclude terms that correlate with a "Eurosceptic" political opinion such as “Viktor Orban”. The inclusion words then correlated to “pro-EU” sentiments and included particular parties and politicians.
This input was then used through X’s keyword targeting and look-alike strategy allowing the targeting of people with interests similar to the keywords and accounts (proxy data). Specifically, the campaign targeted X users speaking Dutch, who were from the Netherlands and were older than 18.
The complaint
On the 16 November 2023, noyb on behalf of a data subject filed a complaint with the European Data Protection Supervisor against the Commission alleging unlawful data processing for targeted advertising. The data subject based its complaint on the provisions of Regulation 2018/1725 (EU-GDPR) which is data protection legislation applicable to data processing operations conducted by EU-institution.
The data subject alleged that under Regulation 2018/1725 the Commission had processed special categories of his data under Article 10(2) in breach of the principle of lawfulness under Article 4(1)(a). The data subject laid out that this practice encompasses profiling based on special category data; here the political views of the users. Therefore, the data subject alleged that the Commission had breached Article 10(1) prohibiting the processing of special category data as none of the exceptions under Article 10(2) applied. Moreover, even if the Commission had not intended to process special categories of data, Article 10(1) and Article 4(1)(a) do not require intent on the part of the controller to be established.
The Commission’s arguments
The Commission argued that the selection of the inclusion and exclusion keywords did not draw on personal data of specific X users. The Commission explained that it targeted groups based on their age, location and spoken language but stated that it never intended to process special categories of data. The Commission explained that X’s algorithm determines people with similar interests based on what they post and re-post. The Commission concluded that it merely used X’s services for the publication of the campaign.
Further, the Commission justified the data processing as it was necessary for the performance of a task in the public interest under Article 5(1)(a), referring to the communication of legislative proposals. As a legal basis for this, the Commission referred to Article 17(2) of the Treaty of the European Union which grants the Commission a general right of initiative for legislative proposals.
Holding
Controllership
The EDPS held that the Commission determines the means and purposes of the targeted advertising for political purposes. The EDPS highlighted that pursuing an interest through a processing operation is an indication of determining the purposes of processing. The Commission chose the services provided by X and selected the keywords that in turn determined the target audience.
Therefore, the EDPS stated that the European Commission acted as a controller.
Performance of a task in the public interest
The EDPS puts forward that Article 17(2) TEU is very general in nature, not referring to promotional activities of the Commission and therefore does not meet the requirement of a clear and precise legal basis under Article 5(2). The EDPS therefore rejected the Commission’s argument that the data processing was necessary for the performance of a task in the public interest. Other legal basis such as consent were found not to be applicable, as they were not disputed.
The EDPS found that the Commission had infringed Articles 4(1)(a), 4(2), 5 and 26 of the Regulation as promoting legislation is not in the public interest.
Special category data
The EDPS set out that if a social media provider categorises users into having certain religious, philosophical or political beliefs, this must be seen a processing special categories of data. The EDPS clarified that X had targeted users with interests similar to the key accounts and words which were directly linked to a political affiliation. The EDPS stated that X acted under the instructions of the Commission and therefore was liable. It further reiterated that the intent of the Commission to process special category data is irrelevant as has been shown in CJEU case law (e.g. C-131/12).
Exceptions to processing special category data
The EDPS considered the exceptions to processing special categories of data under Article 10(2) of the Regulation but found that they did not apply. In particular, the EDPS considered:
- Article 10(2)(e) – Data manifestly made public
The EDPS reiterated that in C-252/21, the CJEU showed that sharing or liking certain posts cannot be considered as manifestly making data public. The EDPS declared that even if the data had manifestly been made public, this does not in itself allow for the further processing of this data for political advertising. In particular the EDPS highlighted, with reference to the fact that the data subject had set their account to private, that this was crucial when the data subject could not reasonably have foreseen this kind of processing.
Conclusion
In conclusion, the EDPS found that the Commission had infringed Articles 4(1)(a), 4(2), 5, 10(1) and 26 of the Regulation by unlawfully processing personal data, including special category data without consent. The EDPS issued a reprimand against the Commission and explained that a fine was not necessary as the practice had already ended.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
EDPS Decision concerning investigation in complaint case submitted by NOYB – European Center for Digital Rights on behalf of against the European Commission (Case 2023-1205) The European Data Protection Supervisor, Having regard to the Treaty on the functioning of the European Union, Having regard to Article 57(1)(e) and 58(2)(b) of Regulation (EU) 2018/1725 (‘the Regulation’) , Having regard to the EDPS Rules of Procedure, as amended on 18 July 2024, and in 2 particular Articles 16 to 18 thereof, Has adopted the following decision: 1. Proceedings 1.1. On 16 November 2023, the European Data Protection Supervisor (‘the EDPS’) received a complaint against the European Commission (‘the Commission’) submitted by NOYB - European Center for Digital Rights on behalf of (‘the complainant’) under Articles 63(1) and 67 of the Regulation, alleging unlawful processing of the complainant’s personal data in the scope of a targeted advertising campaign by the Commission’s Directorate-General for Migration and Home Affairs (‘DG HOME’). The complaint was registered under case number 2023-1205. 1.2. The EDPSinvestigated the complaint pursuant toArticle 57(1)(e) of the Regulation and invited the Commission’s observations on the allegations brought forward by the complainant by email dated 8 December 2023. On 22 December 2023, the Commission 1Regulation(EU)2018/1725 oftheEuropeanParliamentandof theCouncil of23 October2018 ontheprotection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC; OJ L 295, 21.11.2018, p. 39–98. References to Articles in this document refer to the Regulation. 2Decision of the European Data Protection Supervisor of 15 May 2020 adopting the Rules of Procedure of the EDPS; OJ L 204, 26.6.2020, p. 49, as amended. requested an extension of the deadline. The extension was granted and the Commission replied on 26 January 2024. 1.3. The EDPS requested the complainant’s comments on the Commission’s reply by email of 2 February 2024. The complainant provided his comments on 22 February 2024. 1.4. On 10 October 2024, the EDPS issued a preliminary assessment following his investigation of the complaint and shared it with the Commission, based on Article 57(1)(e) of the Regulation and in accordance with Article 18(1) of the EDPS Rules of Procedure, as amended on 18 July 2024. The EDPS invited the Commission to submit its observations on the preliminary assessment by 31 October 2024. The purpose of the preliminary assessment was to present the Commission with the EDPS’ preliminary findings of fact, an initial legal assessment of those facts, including any alleged infringements of the Regulation, and the corrective measures the EDPS envisaged taking. This allowed the Commission to exercise its right to be heard and aimed to ensure that the EDPS’ findings of fact are correct and complete. 1.5. On24October 2024, the Commission requestedan extension of thedeadlineto provide its observations on the preliminary assessment. The extension was granted, and the Commission provided its observations on 22 November 2024. 2. Factual background 2.1. The Commission ran a targeted advertisement campaign on the social media platform X from 15 to 28 September 2023 (‘the campaign’). The aim of the campaign was to communicate on the proposal for a Regulation laying 3own the rules to fight and prevent child sexual abuse submitted in May 2022. The advertisements focused on users in eight Member States. 4 2.2. The Commission conducted the campaign through an external contractor, European Service Network, by means of a specific contract 5 under a framework contract for communication activities. The Commission statesthat the design of the campaign was set up following technical criteria arising from communications and social media practices, on the basis also of the expertise of the contractor. 2.3. The Commission explains that the campaign had the objective to maximise the impact of the limited budget available and ensure an efficient use of financial resources though a ‘targeting strategy’. The Commission explains that targeting involves ‘determining certain segments of the audience to which the advertisement is and is not pushed’, and that ‘keywords targeting’ is the main tool available in X for selecting users to whom the advertisements are displayed. 2.4. The Commission therefore defined certain targeting segments, among others, a list of ‘inclusion’ and ‘exclusion’ keywords and key accounts. According to the Commission, ‘inclusion’ keywords were used with the intention ‘to draw the attention of a certain subject-related audience to the campaign and protection of children, in line with the content of the proposed legislation and the related Eurobarometer, while exclusion 3COM/2022/209 final. 4Belgium, Czech Republic, Finland, France, the Netherlands, Portugal, Slovenia and Sweden. 5Specific contract HOME-2022-ISF-TF1-FW-COMM-0055 implementing framework contract COMM/2019/OP/2009. 2 keywords were designed to avoid mixing with debates that are not related to the scope of the campaign’. 2.5. The Commission shared the list of these keywords and key accounts with its contractor, who inserted the criteria in the dashboard of X. X applied this information based on its ‘keyword targeting’ and ‘look-alike strategy’ , allowing it to target people with interests similar to the keywords and the key accounts shared by the Commission. 2.6. On , during a visit to the online platform X, the complainant was shown an advertisement of the Commission (DG HOME) promoted by the @EUHomeAffairs to his private X account. 2.7. The advertisement contained the following text about the proposed EU Child Sexual Abuse Prevention Regulation (COM/2022/209 final): “Misbruikers verbergen zich achter hunbeeldschermen terwijl kinderen in stilte lijden Het is hoog tijd om een einde te maken te maken aan seksueel kindermisbruik #online De meerderheid van de burgers ondersteunen het voorstel #EUvsChildSexuelAbuse En jij? Lees hier ↓” [Translation provided by the complainant: Abusers hide behind their screens while children suffer in silence It is high time to end child sexual abuse #online The majority of citizens support proposal #EUvsChildSexuelAbuse And you? Learn more here ↓]; as well as a video of 47 seconds displaying further text stressing the alleged public support for the proposed legislation. 2.8. The complainant downloaded an archive of his personal data through X’s platform, using the ‘Download an archive of your data’ functionality, which shows that the complainant saw the advertisement described above. 2.9. Furthermore, the general ads report downloaded from X’s ‘Ads repository’ (Annex 5 to the complaint) shows that with the advertisement campaign in question, between 18 and 27 September 2023, the Commission targeted X users that were speaking Dutch, 8 that were from the Netherlands, and were over 18 years old. 2.10. Moreover, the general ads report shows that 44 ‘Targeting Segments’ were explicitly excluded from the ads campaign by the Commission. 9Of the 44 excluded targeting 6Keyword targeting reaches people on X based on keywords in their search queries, recent posts, and posts they recently engaged with. Keyword targeting can either include or exclude users. Including means that if someone has either posted or interacted with a post containing the keyword, and they meet the defined geographic, language, device, and gendertargeting, they'reeligible tobe targetedby the campaign. If excluded, someone who has either posted or interacted with a post containing the excluded keyword willnot be targeted by the campaign, even if they meet the defined geographic, language, device, and gender. Additionally, the campaign will not appear in the Search results for any excluded keywords. See https://business.x.com/en/help/campaign-setup/campaign-targeting/keyword- targeting#:%7E:text=Keyword%20targeting%20allows%20you%20to,drive%20engagements%2C%20and%20incr 7ase%20conversions, accessed 27.09.2024. ‘Follower look-alikes targeting’ targets people with interests similar to an account's followers. See https://business.x.com/en/help/campaign-setup/campaign-targeting/interest-and-follower-targeting, accessed 27.09.2024. 8Column F “Targeted Segments” of Annex 5 to the complaint. 9Column G “Excluded Targeting Segments” of Annex 5 to the complaint. 3 segments of the campaign, 36 segments refer to political parties (such as AfD, Vox, Sinn Féin, and English Defence League), politicians (such as Viktor Orbán, Marine Le Pen, and Giorgia Meloni), or terms regarding eurosceptic and/or nationalistic political opinions (such as brexit, nexit and #EUCorruption), and six segments refer to religious beliefs (such as Christianity, Islam and anti-Christian) . 2.11. The general ads reportshows thatthe advertisements were shownover 600.000times. 11 3. Allegations of the complainant and comments of the parties Allegations of the complainant 3.1. The complainant alleges that the Commission infringed Article 10 of the Regulation by processing special categories of personal data of the complainant without a legal basis under Article 10 of the Regulation. In support of this allegation, the complainant puts forward the arguments below: (a) the use of the 36 segments that refer to political parties, politicians or political terms, and the six segments that refer to religious beliefs, for the purpose of showing a targeted advertisement based on the complainant's political opinions and religious beliefs, amounted in his view to a processing of special categories of his personal data; (b) since the data processed related in particular to the complainant and the data were processed in the context of a microtargeting campaign on his X account, the complainant considers that personal data of an identified natural person were processed; (c) the complainant puts forward that the Commission, as the entity commissioning atailoredadvertising campaign onXrelying on the use of personal datafor this campaign, is to be considered acontroller. The complainant considers that in the present case, the Commission determined the purposes of the data processing (displaying online advertisements according to certain parameters), and it also determined the means of the data processing (the choice of the corresponding advertising tool and the ‘keyword targeting’ on the X platform). In addition, the complainant puts forward that the contested processing on X took place in particular because the controller commissioned it; (d) the complainant underlines that Article 10(1) of the Regulation prohibits the processing of special categories of personal data unless any of the exemptions laid down in paragraph 2 of the same article applies. In this regard, the complainant alleges that none of the relevant exemptions under Article 10(2) of the Regulation is applicable, and that the Commission has consequently infringed Article 10(1) of the Regulation. 3.2. The complainant further considers that, since the Commission processed special categories of his personal data without a legal justification under Article 10(2) of the Regulation, it is in breach of the principle of lawfulness under Article 4(1)(a) of the Regulation. 10 11The complainant has created an overview of the excluded targeting segments in Annex 6 to the complaint. Column H “Impressions” of Annex 5 to the complaint. 43.3. Moreover, the complainant considers that the Commission as the controller bears the burden of proof regarding the lawfulness of the processing, in accordance with the accountability principle set out in Article 4(2) of the Regulation. Comments of the parties On the processing of special categories of personal data 3.4. The Commission states that its selection of the ‘inclusion’ and ‘exclusion’ keywords was ‘not done using personal data of specific users in X’. The Commission explains that ‘the selection of keywords aimed at creating the basis for X to choose the specific users to whom the information would be pushed’. It further explains that a ‘look-alike strategy’ serves to target people that have similar interest to another account’s followers and that ‘X’s algorithm determines such users based on what they repost, click on and post’. 3.5. The Commission explains that ‘the complainant may have been targeted on the basis of one or a combination of the following criteria: - Demographics: The Commission decided to target on the base of age (+18), location (one of the chosen countries was the Netherlands) and language (one of the chosen languages was Dutch); - Keywords: The Commission agreed on the use of a list of keywords to maximise the impact of the ads; - His interactions with specific X content on the following topics: education, technology and computing’. 3.6. The Commission claims that it did not request the processing of special categories of personaldata,norwas thedesignof the campaign based onsuchprocessing.It submits that it ‘has not received any information on whether the implementation of the campaign resulted in the unlawful processing of personal data of the complainant, including sensitive categories of personal data, contrary to the [Regulation]’. 3.7. The Commission further claims that it ‘did not intend to trigger the processing of special categories of data’, and, that, ‘if such special categories were processed in the implementation of the campaign, this should not have happened’. 3.8. The complainant considers that the selection of the ‘exclusion’ keywords by the Commission intended to exclude X-users with “Eurosceptic” political opinions, since 36 of the 44 excluded keywords refer to Eurosceptic and/or nationalistic political opinions, as illustrated by the complainant in Annex 6 of the complaint. 3.9. The complainant considers that Annex 1 to the Commission’s reply shows that ‘the “inclusion” of specific key accounts intends to target X-users with “pro EU” political opinions’. The complainant illustrates that these key accounts include, inter alia, a Dutch political party (@VVD) and several politicians. The complainant further considers that 15 of the 28 key accounts selected by the Commission could refer to ‘pro EU’ political opinions, which the complainant illustrates with a table compiled of these accounts.12 12 See Annex 1 to the complainant’s comments. 53.10. Based on the arguments presented above, the complainant considers that the Commission ‘clearly intended to target X-users with specific political opinions, since the design of the campaign was based “to target people who have similar interests to another account’s followers”’, and since these accounts include accounts of politicians and political parties. 3.11. The complainant further considers that the Commission ‘must have clearly been aware’ that targeting users with certain political ideas includes profiling and categorisation of the user’s political interests, and that it would not even be possible to run such a campaign for a specific political audience otherwise. 3.12. The complainant argues that the categorisation by X, revealing a political opinion based on what users ‘repost, click on and post’, ‘must obviously be seen as processing of special category of personal data’. The complainant states that ‘such sensitive personal data, which is derived from other information, is also covered by the [Regulation] and the term ‘political opinions’ in Article 10(1) [of the Regulation]’. 3.13. The complainant argues that the comments presented by the Commission confirm that the Commission ‘aimed to target specific X-users and that, therefore, it was [the Commission] who determined the purposes and means of the processing by determining to run its campaign on X and by choosing the keywords to include or exclude X-users with specific political opinions and religious beliefs’. The complainant argues that the Commission is therefore the (joint) controller for this processing. The complainant thus considers that also the Commission is to be held responsible for the processing, not only X. 3.14. The complainant further submits that even if the Commission did not have the intention to process special categories of personal data, this does not change the fact that the Commission violated Article 10(1) and therefore also Article 4(1)(a), since intent is not required to qualify for processing of special categories of data.14 On the lawfulness of the processing 3.15. The Commission states that the campaign was conducted within the framework of a specific contract between the Commission (DG HOME) and the contractor with the aim to ‘sustain trust, address disinformation, improve understanding and increase awareness of DG HOME's policy and funding instruments on Home Affairs’. The Commission explains that the contract envisaged a campaign including targeted advertising and that ‘the campaign was arranged with X via the contractor, and it was X which accepted it, and could be expected to implement it in accordance with the platform’s terms and conditions and the applicable legal rules, in particular [the General Data Protection Regulation (GDPR) 1]’. 3.16. The Commission explains that the campaign was conducted as part of the communication activities it undertakes on its legislative initiatives. The Commission stresses that it has a general right of initiative regarding legislative proposals, such as 13In support of his allegation, the complainant refers to para. 123 of the EDPB Guidelines 8/2020 on the targeting of social media users. 14In this regard, the complainant refers to the CJEU Judgment of 4 July 2023 in Case C-252/21, Meta vs Bundeskartellamt, paras. 69 and 70. 15Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation); OJ L 119 4.5.2016, p. 1. 6 in the present case, under Article 17(2) of the Treaty on the European Union (TEU). The Commission states that it ‘acted under the premise that it is part of its day-to-day activities to inform the public about those initiatives and its content, advocating for the need for the proposed legislation’ and that this was the aim of the campaign in question. 3.17. The Commission further states that it ‘conducted the campaign based on the understanding that if it resulted in any processing of personal data by third parties, such processing would be justified as necessary for the performance of a task in the publicinterest’. The Commission therefore claimsto have ‘acted under the assumption that, if any processing of personal data resulted from the campaign, it would have fallen within the scope of Article 5(1)(a) [of the Regulation]’. 3.18. The Commission further submits that it ‘acted under the premise that if any processing ofpersonaldatatookplaceas aresultof the campaign, this wouldbelawful, because of the necessity to carry out a task in the public interest where the Commission is vested authority, i.e., to communicate about legislative proposals arising from the prerogative conferred by the [TEU]’. 3.19. The complainant argues that the objectives for the campaign as described by the Commission cannot as such be considered an exemption to the prohibition to process special categories of personal data. The complainant emphasises that processing of special categories of personal data is only permissible if one of the exemptions of Article 10(2) applies. 3.20. Regarding the Commission’s statement that the possible processing of personal data resulting from the campaign would have been justified as necessary for the performance of a task in the public interest, the complainant argues that even if the Commission had avalid legal basisfor the processing underArticle 5of the Regulation, this would not exclude them from the obligation to comply with Article 10 of the Regulation. The complainant considers that the Commission did not meet the conditions laid down in Article 10(2) of the Regulation. 3.21. The complainant argues that in addition, pursuant to Article 5(2) of the Regulation, any processing ‘for the performance of a task carried out in the public interest’ shall be laid down in Union law. The complainant refers to Recital 23 of the Regulation, which states the Union law referred to in the Regulation should be clear and precise and its application should be foreseeable to persons subject to it. 3.22. The complainant considers that the provision of Article 17(2) of the TEU, to which the Commission refers, is ‘neither clear and precise in regard to the possible data processing of (special category) data for targeting on an online platform, nor does it make micro-targeting on such a platform foreseeable to the data subject in any way’. 3.23. Furthermore, the complainant argues that ‘it would be for [the Commission] in particular to assume its outstanding position as a role model and to ensure its actions are in line with applicable law’, noting that the Commission has vast legal knowledge and resources in this regard. Further comments 3.24. The Commission notes that ‘after the campaign was carried out, the Commission has ensured that colleagues are reminded of the existing rules’. 73.25. The Commission further notes that ‘since 25 October 2023, all Commission services were invited to temporarily suspend paid advertising campaigns on X in light of concerns regarding the spread of disinformation associated with the conflict in the Middle East’. 4. Legal analysis Admissibility of the complaint 4.1. The complainant, a Dutch citizen and a user of the online platform X, represented by the not-for-profit organisation NOYB – European Center for Digital Rights, alleges that his personal data were unlawfully processed by the Commission in the scope of a targeted advertising campaign ran by the latter. 4.2. NOYB – European Center for Digital Rights, fulfils the criteria laid down in Article 67 of the Regulation to represent the complainant for the purpose of lodging a complaint with the EDPS, in accordance with Article 63 of the Regulation. NOYB is a not-for- profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, in this case Austria, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data.16 The complainant has mandated NOYB to exercise the rights referred to in Articles 63 and 64 on his behalf.17 4.3. Information related to the complainant that wereprocessed in the targeted advertising campaign, such as his nationality, age, language, political opinions and religious beliefs, are personal data within the meaning of Article 3(1) of the Regulation. 4.4. Targeted advertising to the complainant based on information relating to him and his behaviour on the online platform X constitutes processing of his personal data within the meaning of Article 3(3) of the Regulation. 4.5. The Commission, by defining the objectives of the campaign as well as the targeted (and excluded) audience of the campaign, by defining the ‘inclusion’ and ‘exclusion’ parameters, determined the purposes and means of the processing. The Commission therefore acted as a controller for the processing within the meaning of Article 3(8) of the Regulation. 4.6. The Commission is a Union institution, as defined in Article 3180) of the Regulation, and DG HOME is a directorate-general of the Commission. 4.7. The complaint is therefore admissible under Article 63(1) of the Regulation. Controllership 16https://noyb.eu/sites/default/files/2020-03/NOYB Statute DE EN 0.pdf. 17Assignment of representation submitted by NOYB. 18TheEDPSnotes thatDG HOME is a delegated controllerfor this processing operation. However, directorate- generals do not have a legal personality distinct from that of the Commission as a whole, and, as such, the Commission is the liable legal entity. See Commission decision (EU) 2020/969 of 3 July 2020 laying down implementing rules concerning the Data Protection Officer, restrictions of data subjects’ rights and the application of Regulation (EU) 2018/1725 of the European Parliament and of the Council, and repealing Commission Decision 2008/597/EC. 84.8. According to Article 3(8) of the Regulation, a controller means the Union institution or body or the directorate-general or any other organisational entity which, alone or jointly with others, determines the purposes and means of the processing of personal data.Itfollows that19e controller mustdeterminebothpurposes and(essential) means of the processing. 4.9. The Commission determined the purpose of the processing of personal data of the complainant, which was targeted by an advertising campaign for political purposes. In particular, the processing operation was conducted to inform a targeted audience on X about the Commission’s legislative proposal and to advocate for the need for the proposed legislation. 4.10. The EDPS notes that pursuing an interest through a processing operation is an indication of determining the purposes of the relevant processing operation. 20 4.11. The Commission also determined the means of the processing by choosing to use the services provided by Xfor the advertisement campaign, and by selecting the key words and key accounts for targeting users of X. Through these key words, the Commission determined the ‘inclusion’ and ‘exclusion’ parameters used in the campaign. This is analogous to the circumstances of the case C-210/16, Wirtschaftsakademie, where the creator of a social media fan page, by using Facebook’s filters, defined the parameters of the processing. The Commission, by defining the parameters of processing, determined the means of processing. 21 4.12. It follows that the Commission is a controller for the present processing operation. 4.13. The EDPS understands that X may have jointly determined the purposes and means 22 of the processing operation alongside the Commission as a possible joint controller. However, the EDPS is only competent to supervise the processing of personal data done by Union institutions and bodies. 23 As such, this Decision only examines the processing of personal data imputable to the Commission as falling under its sphere of control. Lawfulness of the processing - Infringement of Articles 4(1)(a), 4(2), 5 and 26 of the Regulation 19See EDPS Guidelines of 7 November 2019 on the concepts of controller, processor and joint controllership underRegulation (EU) 2018/1725,p.9 andEDPBGuidelines07/2020 on theconceptsof controller and processor in the GDPR, version 2.1 adopted on 07 July 2021, paras. 36 and 45. 20 See EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, version 2.1 adopted 21 7 July 2021, paras. 60 to 62 and paras. 50 and 51. Case C-210/16, Wirtschaftsakademie, ECLI:EU:C:2018:388, paras. 36 to 39. See also case C-683/21, 22LI:EU:C:2023:949, paras. 32, 33, 35, 36 and 38. See Case C-210/16, Wirtschaftsakademie, where the administrator of a fan page on Facebook was regarded as taking part in the determination of the means and purposes of the processing of personal data alongside the social media platform. 23See Articles 1 and 2 of the Regulation. 94.14. Article 4(1)(a) of the Regulation states that personal data shall be processed ‘lawfully’. 4.15. In accordance with Article 5(1) of the Regulation, processing shall be lawful only if and to the extent that at least one of the grounds listed in the provision applies. Article 5(1)(a) - necessary for the performance of a task carried out in the public interest 4.16. The Commission states that it ‘conducted the campaign based on the understanding that if it resulted in any processing of personal data by third parties, such processing would be justified as necessary for the performance of a task in the public interest’. The Commission therefore relies on Article 5(1)(a) as the lawful ground for the processing. 4.17. Article 5(1)(a) of the Regulation provides that the processing shall be lawful if and to the extent that the processing is ‘necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body’. Article 5(2) provides that this basis shall be laid down in Union law. 4.18. The Commission underlines that it has ‘a general right of initiative regarding legislative proposals, such as in the case of the proposal, under Article 17(2) of the [TEU]’. It considers that it falls within its activities to inform the public about legislative proposals and their content and to advocate for the need for the proposed legislation. 4.19. In its observations on the EDPS’ preliminary assessment of the present case, the Commission notes that ‘certain sentences of the [EDPS’] preliminary findings imply that Article 17(2) TEU cannot serve as a legal basis for the processing of personal data in any type of promotional activities by the Commission in the context of its proposals for legislative acts’, and, that ‘[t]his would be contrary to the case-law of the General Court according to which a Union institution has the power to communicate with the public, even in the absence of an explicit provision to that effect, given that informing the public is an ancillary activity to that authority’s principal administrative activity’. The Commission considers that it ‘may organise communication campaigns, including on social media, to pursue the tasks with which the Commission is entrusted, such as the task to propose Union legislation based on Article 17(2) TEU’. The Commission further notes that Article 17(1) expressly states that ‘[t]he Commission shall promote the general interest of the Union and take appropriate initiatives to that end’. 4.20. Moreover, the Commission considers that ‘[c]ertain campaigns, even on social media, would seem to be inherently associated with such tasks, even when involving certain processing of personal data’, and that, therefore, ‘the Commission would disagree to any finding which addresses the Commissions communication activities beyond the very limited and very specific parameters of the campaign in question which was the object of the current EDPS investigation’. The Commission further emphasises ‘the institutional importance of its role in proposing new legislation and the corresponding duties and obligations towards citizens in the field of transparency, communication and openness’. The Commission notes that ‘[c]onveying accurate, objective and relevant information to citizens on the activities of the Commission is amatter of good administration and accountability’, and that ‘the possibility offered by social media to reach a diverse range of audiences provides a suitable platform for institutions to 10 engage with citizens within its competences and roles, which was the aim of the campaign’. 4.21. In support of its arguments, the Commission references a judgment of the General 24 Court of 12 September 2007, in case T-259/03, Nikolaou v Commission , which states that ‘the argument that a Community institution or body cannot confer on itself the power to issue press releases or otherwise communicate with the public, in the absence of a provision expressly empowering it to do so, is unfounded’. The General Court further states that ‘the fact that an administration informs the public of its activities, in particular by publishing press releases, may be regarded as an activity ancillary to its main administrative activity’. 25 4.22. Article 17(2) TEU states that Union legislative acts may only be adopted on the basis of a Commission proposal, except where the Treaties provide otherwise. The provision does not mention anything regarding the promotional activities of the Commission in relation to informing the publicabout such legislative proposals or advocating for their need. 4.23. Recital 23 of the Regulation specifies that ‘the Union law referred to in this Regulation should be clear and precise and its application should be foreseeable to persons subject to it, in accordance with the requirements set out in the Charter and the European Convention for the Protection of Human Rights and Fundamental Freedoms (‘the Convention’)’. The general standard of lawfulness set by the Convention requires that laws be sufficiently precise to allow the person – if need be, with appropriate advice – to foresee, to adegree that is reasonable in the circumstances, the consequences which a given action may entail 26. 4.24. According to case law, any legislation which entails interference with the individual rights to privacy and personal data protection must be ‘clear and precise rules governing the scope and application of the measure in question’. 27The law must ‘meet quality requirements: it must be accessible to the person concerned and foreseeable as to its effects’ to guarantee that the ‘law’ permitting for an interference with fundamental rights is compatible with the rule of law and that the individuals are protected from arbitrariness of public authorities. 28 A legal base permitting an 24Case T-259/03, Nikolaou v Commission, ECLI:EU:T:2007:254. 25Ibid., para. 218: ‘L’argument selon lequel une institution ou un organe communautaire ne peut s’attribuer le pouvoirde publier descommuniqués depresseou decommuniquer autrement avec le public, enl’absenced’untexte qui l’habilite expressément à le faire, n’est pas fondé. En effet, le fait pour une administration d’informer le public de ses activités, notamment par la publication de communiqués de presse, peut être considéré comme une activité accessoire à son activité administrative principale.’ 26Judgment of the European Court of Human Rights (‘the ECHR’) of 21 October 2013, Del Río Prada v Spain, CE:ECHR:2013:1021JUD004275009, para. 125, as well as ECHR judgment of 26 April 1979, Sunday Times v. the 27, CE:ECHR:1979:0426JUD000653874, para. 49. EDPS Supervisory opinion on the use of social media monitoring for epidemic intelligence purposes by the European Centre for Disease Prevention and Control, 9 October 2023, para. 15 and the case law cited: case C- 439/19, Latvijas Republikas Saeima(Penalty Points), ECLI:EU:C:2021:504, para.105, as well as case C-175/20, SIA, ECLI:EU:C:2022:124, para. 55. 28EDPS Supervisory opinion on the use of social media monitoring for epidemic intelligence purposes by the European Centre for Disease Prevention and Control, 9 October 2023, para. 15 and Case C-601/15, PPU, EU:C:2016:84, para. 81. 11 interference with the fundamental right to personal data protection must itself define the scope of the interference with that right. 29 4.25. Given that the content of Article 17(2) TEU is very general in nature, and clearly does not mention anything regarding the promotional activities of the Commission in the context of its proposals for legislative acts, the EDPS does not consider Article 17(2) TEU to be a ‘clear and precise’ legal basis within the meaning of Article 5(2) of the Regulation and as further described in Recital 23, for processing personal data for thepurposes of a targeted advertising campaign to inform the targeted audience about a legislative proposal on a social media platform. 4.26. Furthermore, the EDPS considers that the application of Article 17(2) TEU as a legal basis for processing personal data for the purposes of targeted advertising on a social media platform cannot be considered foreseeable to the data subject within the meaning of Recital 23 of the Regulation. The EDPS considers that data subjects cannot reasonably expect this provision to authorise interferences with their fundamental rights to privacy and data protection. Indeed, while it cannot be objected that the legislation adopted on the basis of proposals made by the Commission under Article 17(2) may provide for interferences with fundamental rights on the conditions laid down in Article 52(1) of the Charter, this cannot imply that the right of initiative of the Commission as such entails the kind of interference consisting in the targeted processing of personal data for the purposes of promoting such initiatives. 4.27. The EDPS also notes that case T-259/03 differs on its facts from the case at hand. Press publications on a Union institution or body’s (‘EUI’) website are not analogous to targetedadvertising onasocial mediaplatform. The presentdecisionbythe EDPSdoes not limit the Commission from issuing press releases, which in judgment T-259/03 is considered by the General Court to be an activity ancillary to the main administrative activity of an EUI. 4.28. Moreover, the EDPS notes that accepting the Commission’s argument would mean interpreting Articles 5(1)(a) and 5(2) of the Regulation as not requiring a ‘provision expressly empowering’ the processing of personal data for the performance of a task carried out in the public interest or in the exercise of official authority vested in the EUI, which is to be laid down in Union law. This interpretation would be contrary to the interpretation of Articles 5(1)(a) and 5(2), and as further laid down in Recital 23, which require the basis for the processing to be laid down in Union law and for this law to be clear and precise and its application foreseeable to persons subject to it. 4.29. Finally, the EDPS notes that paragraph 219 of judgment T-259/03 clarified that the rejection of the argument according to which OLAF did not have the power to adopt a communication policy was without prejudice to the question whether OLAF complied with its obligations, in particular as regards the processing of personal data, by publishing the press release in that case. 30The General Court ultimately found at 29EDPS Supervisory opinion on the use of social media monitoring for epidemic intelligence purposes by the European Centre for Disease Prevention and Control, 9 October 2023, para. 17 and cases C-175/20, SIA, ECLI:EU:C:2022:124, para. 54 and C-623/17, Privacy International, ECLI:EU:C:2020:790, para. 65. 30Case T-259/03, Nikolaou v Commission, ECLI:EU:T:2007:254, para. 219 : ‘Il s’ensuit que l’OLAF n’a pas outrepassé ses attributions en publiant le communiqué de presse et ce volet de l’argumentation de la requérante doit être rejeté, sans qu’il soit besoin d’examiner en l’espèce la question de savoir si les règles d’attribution des pouvoirs ont pour objet de conférer des droits aux particuliers au sens de l’arrêt Bergaderm, point 30 supra (point 42). Ce rejet est toutefois sans préjudice de la question de savoir si l’OLAF a respecté ses obligations, notamment en matière de traitement des données à caractère personnel, en publiant le communiqué de presse en l’espèce.’ 12 paragraph 231 of that judgment that OLAF did not have a valid ground for processing personal data under Article 5 a) or e) of Regulation (EC) 45/2001, thereby engaging in unlawful processing. 4.30. Therefore, and in any event, the EDPS considers that the Commission could not show that the processing of personal data in the context of the targeted advertising campaign was justified as necessary for exercising its right of initiative under Article 17(2) TEU. 4.31. Since the Commission has not demonstrated any valid legal basis to rely on the performance of a task in the public interest or in the exercise of official authority as a ground for lawfulness for the processing, it follows that the Commission cannot rely on Article 5(1)(a) as a ground for lawfulness for the processing of personal data at stake. Article 5(1)(d) - consent 4.32. Given that Article 5(1)(a) is not applicable in the present case, the only ground for lawfulness left for the Commission to rely on would be consent in accordance with Article 5(1)(d) and as defined by Articles 3(15) and 7 of the Regulation. 4.33. The EDPS notes that, since the Commission processed special categories of personal data, as specified below, the type of consent required would be ‘explicit consent’ as laid down in Article 10(2)(a) of the Regulation. 4.34. It is undisputed that the Commission did not obtain the complainant’s explicit consent to process special categories of his personal for the specific purpose at hand. The complainant submits that he has not given his explicit consent for the processing of special categories of his personal data for these specific purposes, and in its response, the Commission did not contest this fact nor submit evidence that would challenge this fact. 4.35. Itfollows thatthe Commission cannot relyon Article 5(1)(d) as aground for lawfulness for the processing of personal data at hand. 4.36. The EDPS therefore concludes that the Commission has not demonstrated any legal basis to lawfully process the complainant’s personal data, including special categories of personal data.It follows thatthe EDPSfinds aninfringement of Articles 5and 4(1)(a) of the Regulation. 4.37. In accordance with the principle of accountability laid down in Article 4(2) and the responsibility of the controller as laid down in Article 26 of the Regulation, it is for the Commission as the controller todemonstrate thatprocessing is in compliance with the principle of lawfulness and is performed in accordance with the Regulation. 4.38. As the Commission could not demonstrate compliance with the Regulation, the EDPS further finds an infringement of Articles 4(2) and 26 of the Regulation. Processing ofspecialcategories of personaldata -Infringement of Article10(1) of the Regulation 4.39. Article 10(1) of theRegulation providesthatprocessing ofspecialcategories ofpersonal data is prohibited. Dataconsidered as special categories of personal dataare, inter alia, 13 data revealing racial or ethnic origin, political opinions or religious or philosophical beliefs. 4.40. In order for a processing of special categories of personal data to be lawful, the controller must have a lawful ground to process personal data under Article 5(1) of the Regulation, but also meet the conditions of a derogation listed in Article 10(2) of the Regulation. 31 Article 10(1) of the Regulation 4.41. The processing in the present case constituted processing of special categories of personal data, within the meaning of Article 10(1) of the Regulation. 4.42. In the context of the advertising campaign, X, acting under the instructions of the Commission, targeted the advertising campaign to some of its specific users by including and excluding users that had interacted with posts containing specific keywords set by the Commission. Some of these keywords referred to certain political parties, politicians, eurosceptic and/or nationalistic political opinions and to religious beliefs.Further,Xappliedthe parametersshared bythe Commission basedon its‘look- alike strategy’, targeting users with interests similar to the key accounts shared by the Commission. X targets advertisements to specific users based on information such as posts, link clicks, likes, replies and searches that demonstrate engagement or 32 interaction with posts containing the specific keywords set by the user of the service. 4.43. The EDPS notes that if a social media provider or an entity using that service for the purposes of targeted advertising uses observed data to categorise individuals as having certain religious, philosophical or political beliefs, this categorisation of the individuals must be seen as processing of special categories of personal data in this context. 33 4.44. Further, if the data provided by the user, when compiled, indicate a certain political opinion or a religious belief, and even when no explicit statement on such an opinion or belief is provided, such data are to be considered as belonging to a special category of personal data. 34 4.45. As the Commission, based on X’s ‘look-alike strategy’, targeted users with interests similar to the key accounts it had selected, and as these key accounts included accounts of political parties and politicians, political opinions of users were likely indicated and could have been derived from these similar interests. Assigning an inferred political opinion to a user constitutes processing of special categories of data, which in this case has been performed by X but following the instructions of the Commission. 35 4.46. Regarding the Commission’s argument that it didnot request the processing of special categories of personaldata,nor did it intend to trigger suchprocessing, the EDPSnotes that, first, as a controller it assumed liability even though it did not or could not 31 32Case C-667/21, Krankenversicherung Nordrhein, ECLI:EU:C:2023:1022, para. 79. See https://business.x.com/en/help/campaign-setup/campaign-targeting/keyword-targeting.html, accessed 27.09.2024. 33EDPB Guidelines 8/2020 on the targeting of social media users, version 2.0, adopted on 13 April 2021, para. 123. 34Ibid. 35Ibid, para. 125. 14 entirely control that processing. Secondly, in line with the case law of the Court of Justice of the European Union (‘CJEU’), the intent of the controller is irrelevant to the determination of whether the processing is to be considered processing of special categories of personal data: in view of the significant risks to the fundamental freedoms and rights of data subject arising from the processing of special categories of personal data falling within Article 10(1) of the Regulation, the objective of the 37 Regulation is to prohibit the processing such data, irrespective of the stated purpose. Exemptions under Article 10(2) of the Regulation 4.47. Article 10(2) of the Regulation providesfor certainexemptions to whichthe prohibition laid down in paragraph 1 do not apply, and where the processing can thus be lawful. In accordance with the accountability principle set out in Article 4(2) of the Regulation, the controller is responsible for ensuring lawfulness of processing, and must be able to demonstrate compliance. 4.48. In the present case, the Commission did not raise that any of the exemptions set out in Article 10(2) of the Regulation would apply to the relevant processing of special categories of personal data. As such, the Commission did not demonstrate that the processing of special categories of personal data would be lawful. 4.49. The EDPS nevertheless deems appropriate to consider potentially applicable exemptions. Given the circumstances in the case at hand, the only exemptions that could apply would in any event be those laid down in Articles 10(2)(a), 10(2)(e) and 10(2)(g) of the Regulation. However, the conditions laid down in these provisions are not met for the reasons specified below. Article 10(2)(a) of the Regulation - explicit consent 4.50. Article 10(2)(a), (‘the data subject has given explicit consent to the processing of those personal data for one or more specified purposes’) is not applicable in the present case, since, as already stated above, it is undisputed that the Commission did not obtain the complainant’s explicit consent to process special categories of his personal for the specific purpose at hand. 4.51. It should be noted that explicit consent carries a heavier burden than normal consent and requires that the data subject must give an express statement of consent. 38 Article 10(2)(e) of the Regulation - data manifestly made public by the data subject 4.52. The EDPSconsiders thatthe conditionsfor the derogation laiddownin Article 10(2)(e), ‘the processing relates to personal data which are manifestly made public by the data subject’, were not met in the present case. 4.53. The EDPS notes that the CJEU has held that that where social media users, on the basis of individual settings selected with full knowledge of the facts, have clearly made the choice to have the data they enter into the platform made accessible to the general public, and where theyhave voluntarilyentered sensitive information onto their public 36Case C‑131/12, Google Spain and Google, EU:C:2014:317, para. 34 and Case C‑231/22, Belgian State (Données traitées par un journal officiel), ECLI:EU:C:2024:7, para. 38. See also Article 28(3) of Regulation (EU) 2018/1725. 37Case C-252/21, Meta vs Bundeskartellamt, ECLI:EU:C:2023:537, paras. 69 and 70. 38See EDPB Guidelines 5/2020 on consent under Regulation 2016/679, version 1.1, adopted on 04 May 2020, para. 93. 15 account, they can be regarded as manifestly making such data public, within the meaning of Article 10(2)(e) of the Regulation. 39 4.54. Since X, in its settings, provides users with the possibility of using a protected (private) account rather than a public account, thereby allowing the user to choose whether to make their data accessible to a limited number of selected people or to anyone with access to X, it could be argued that users of the platform who use a public account and post, like or comment on certain content connected to their political or religious beliefs on that public account, are manifestly making this information public. 4.55. As the CJEU has clarified, for the purposes of the application of the exception laid down in Article 10(2)(e) of the Regulation, it is important to ascertain whether the data subject had intended, explicitly and by a clear affirmative action, to make the personal data in question accessible to the general public. 40To ascertain whether such an affirmative action exists, it must be checked in turn whether it is possible for the users concerned to decide, on the basis of settings selected with full knowledge of the facts, whether to make the information entered into the apps in question and the data from clicking or tapping on buttons integrated into that app accessible to the general public or, rather, to a more or less limited number of selected persons. When the users concerned actuallyhave thatchoice, theycan be regarded, when theyvoluntarilyenter information into a website or app or when they click or tap on buttons integrated into them, as manifestly making public, within the meaning of Article 9(2)(e) of the GDPR, data relating to them only in the circumstance where, on the basis of individual settings selected with full knowledge of the facts, those users have clearly made the choice to have the data made accessible to an unlimited number of persons. If no such individual settings are available, according to the CJEU, users must have explicitly consented, on the basis of express information provided by that website or app prior to any such entering or clicking, to the data being viewed by any person having access to that website or app. 41 4.56. The EDPS notes that the use of the adverb ‘manifestly’ and the fact that that provision constitutes an exemption to the general prohibition on processing special categories of personal data require a particularly stringent application of that exemption. 42The user must, be fu43y aware that, by an explicit act, he is making his personal data accessible to anyone. 4.57. The CJEU has already held that the use of a socialnetwork, such as following accounts or interacting with posts through ‘share’ or ‘like’44uttons, cannot automatically be considered as making data ‘manifestly’ public. Whether data has been manifestly 39 40Case C-252/21, Meta vs Bundeskartellamt, ECLI:EU:C:2023:537, para. 82. 41Ibid., para. 77. 42Ibid. para. 83. AG Opinion, Case C‑446/21, Maximilian Schrems v MetaPlatforms Ireland Limited, ,ECLI:EU:C:2024:366, para. 35. 43Ibid., para. 35 and footnote 32. See also Case C-252/21, Meta vs Bundeskartellamt, ECLI:EU:C:2023:537, para. 77. 44Ibid., para. 37 and Case C-252/21, Meta vs Bundeskartellamt, ECLI:EU:C:2023:537, para. 80. 16 made public or not on a social network depends on the individual settings chosen by that user. 45 4.58. In the case at stake, such settings exist due to the possibility of turning on ‘protected posts’.46It appears to the EDPSthatthis has been turned on, making the complainant’s data only available to those who own an X account and follow him. 47 This gives the complainant control over who can access his data and, if anything, is a48se of X’s individual settings to protect his data rather than make it public. 4.59. Moreover, the complainant couldnot have expected the resultthathis dataon Xwould be used for political advertising, given that targeting based on political affiliation and/or beliefs and based on religious or philosophical affiliation and/or beliefs is prohibited as declared under X’s policy on targeting sensitive categories of data. 49 Therefore, in any event, the complainant could not have knowingly waived the protections afforded to special categories of data as he would not have expected the processing of those to begin with. 4.60. Also, the EDPS notes that even if the complainant’s data would be considered ‘manifestly’ made public within the meaning of Article 10(2)(e) of the Regulation, that does not, in itself, allow the further processing of that data for the purposes of 50 personalised political advertising. If data is made ‘manifestly’ public, then it is no longer considered a special category of personal data. However, as it is still personal data, it must be processed lawfully under the conditions laid down in the Regulation. 51 4.61. The fact that a data subject publishes a post online does not mean that a controller can reuse (i.e. further process) that individual’s public information, without complying with the Regulation, for what must be considered a new processing operation. In accordance with the relevant data protection rules, the controller still needs a lawful ground for the further processing of this data. 52 Article 10(2)(g) of the Regulation- processing is necessary for reasons of substantial public interest 4.62. Article 10(2)(g), ‘the processing is necessary for reasons of substantial public interest, on the basis of Union law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject’, would also 45 46Case C-252/21, Meta vs Bundeskartellamt, ECLI:EU:C:2023:537, para. 80. See https://help.x.com/en/safety-and-security/public-and-protected-posts on protected posts, accessed 27.09.2024. 47Ibid. 48Ibid. 49See https://business.x.com/en/help/ads-policies/campaign-considerations/targeting-of-sensitive- categories.html, accessed 28.06.2024 50 AG Opinion, Case C‑446/21, Maximilian Schrems v Meta Platforms Ireland Limited, ECLI:EU:C:2024:366, para. 45. 52 Ibid., para. 46. Ibid., para. 45 and 46 and Case C-667/21, Krankenversicherung Nordrhein, ECLI:EU:C:2023:1022, para. 77-78. See also EDPS Supervisory Opinion of 09/11/2023 on the use of social media monitoring for epidemic intelligence purposes by the ECDC, para. 65. 17 not be applicable in the present case, as the requirements listed in the provision cannot be considered fulfilled. 4.63. While the Commission has the right to communicate about its activities, including legislative proposals, it has not demonstrated that the processing of special categories of personaldatain the context of atargeted advertising campaign, in order to advocate for the need for the proposed legislation, would be necessary for reasons of substantial public interest and proportionate to the aim pursued by Article 17(2) TEU while respecting the right to data protection. It has also not demonstrated that the processing would provide suitable and specificmeasures to safeguard the fundamental rights and the interests of the data subject. 4.64. The EDPS therefore considers that the conditions laid down in Article 10(2) to lift the prohibition and lawfully process special categories of personal data are not met in the present case. 4.65. The EDPS therefore finds an infringement of Article 10(1) of the Regulation. 5. Conclusions 5.1. In conclusion, the EDPS finds that the Commission has infringed Articles 4(1)(a), 4(2), 5, 10(1) and 26 of the Regulation by unlawfully processing the complainant’s personal data, including special categories of personal data, without a valid legal basis in the context of the targeted advertising campaign that the Commission ran on the social media platform X from 15 to 28 September 2023, as referred in point 2.1. of the present decision. 6. Corrective measures 6.1. On the basis of the facts and findings described above, the EDPS issues a reprimand the Commission for the above infringements, in accordance with Article 58(2)(b) of the Regulation. 6.2. The EDPS has chosen a reprimand as an appropriate and proportional corrective measure, given the seriousness of the infringements and the fact that the processing involved special categories of personal data. A primary purpose of the EDPS’ power to issue a reprimand under Article 58(2)(b) of the Regulation is to achieve a dissuasive effect and to make it clear to the EU institution concerned that it has infringed the Regulation. 6.3. As per now settled case-law, the Regulation leaves the supervisory authority a discretion as to the manner in which it must remedy the shortcomings found, since Article 58(2) thereof confers on that authority the power to adopt various corrective measures. Thus, the Court has already held that the supervisory authority must determine which action is appropriate and necessary, and must do so taking into consideration all the circumstances of the specific case and executing its responsibility for ensuring thatthe Regulation is fullyenforcedwith alldue diligence. Thatdiscretion is, however, limited by the need to ensure a consistent and high level of protection of personal data through strong enforcement of the data protection rules. 53 53 Case C-768/21, TR v Land Hessen, ECLI:EU:C:2024:785, paras. 37 and 38. 186.4. In the consideration on the exercise of corrective powers, the EDPS has taken into account, as a mitigating factor, that the Commission has stopped the campaign in question and, thus, the relevant processing is no longer ongoing. Given that the relevant processing of personal data is no longer ongoing, the EDPS notes that other corrective powers, such as an order to bring the processing operation into compliance as per Article 58(2)(e) of the Regulation, or to impose a temporary or definitive limitation on processing as per Article 58(2)(g) of the Regulation, would not be fit for purpose in the present case. 6.5. The present Decision is without prejudice to any follow-up or other actions the EDPS might undertake in the future with regard to the supervision of the Commission. 6.6. Pursuant to Article 59 of the Regulation, the Commission must inform the EDPS of its views and describe the measures it has taken in response to our remarks within three months of the date of this Decision. 6.7. The EDPS intends to make public the facts of this complaint and the final outcome, including the actions taken in response by the Commission. If any part of this Decision should be regarded as confidential, this should beindicated clearly and reasons should be provided, so that those parts can be dealt with accordingly where appropriate. 6.8. This may be particularly relevant from the perspective of the right of access to the file under Article 41(2)(b) of the Charter. In accordance with that provision, everyone has a right of access to his or her file, while respecting the legitimate interests of confidentiality and of professional and business secrecy. In order for the EDPS to be able to assess, and possibly accept, any claim of confidentiality, the stated reasons should detail, in respect of each part the party considers confidential, how disclosure would likelycause serious harm to the party’s interests or the interests of athird party. 7. Judicial remedy 7.1. Pursuant to Article 64 of the Regulation, the Commission and any party which could be adversely affected by this Decision may bring an action for annulment against this Decision before the Court of Justice of the European Union, within two months from the adoption of the present Decision and according to the conditions laid down in Article 263 TFEU. Done at Brussels 19