Elon Musk’s social media platform X (formerly known as Twitter) has come under fresh scrutiny in Europe after nine prominent civil society organisations filed formal complaints with the European Commission and France’s media regulator, Arcom, over alleged breaches of strict EU data protection laws.
The organisations claim that X has been using sensitive user data—such as political views, religious beliefs, sexual orientation, and health status—for targeted advertising, a practice that may violate the EU’s Digital Services Act (DSA) and General Data Protection Regulation (GDPR).
Who Filed the Complaints?
The joint complaint was submitted by a coalition of digital rights and transparency advocacy groups. These include:
-
AI Forensics
-
Centre for Democracy and Technology Europe
-
Entropy
-
European Digital Rights (EDRi)
-
Gesellschaft für Freiheitsrechte e.V. (GFF)
-
Global Witness
-
Panoptykon Foundation
-
Stichting Bits of Freedom
-
VoxPublic
These organisations announced on Monday that they had filed their complaints simultaneously with the European Commission and Arcom, urging both institutions to investigate X’s advertising practices and enforce the DSA provisions that restrict the use of sensitive personal data in ad targeting.
Core Concerns: Sensitive Data and Targeted Ads
In a joint statement, the organisations voiced serious concerns about how X may be violating user privacy and circumventing EU data protection standards.
“We express our deep concern regarding the use by X of users’ sensitive personal data for targeted advertisements,” the statement read.
The group’s concerns stem from an analysis of X’s Ad Repository, a transparency tool that companies operating in the EU are required to maintain under the Digital Services Act. This repository is meant to disclose how and why users see certain ads on the platform.
However, after scrutinising the content of the repository, the complainants say they found evidence suggesting that advertisers—including major corporations, public institutions, and financial services providers—were using sensitive data categories to target users.
These data categories—protected under Article 9 of the GDPR—include:
-
Political opinions
-
Sexual orientation
-
Religious beliefs
-
Health conditions
Such categories are considered especially sensitive under European law and cannot legally be used for ad targeting without explicit, informed user consent—something the groups argue is not being adequately obtained by X.
Legal Context: DSA and GDPR
The complaints are grounded in two major EU legislative frameworks:
-
The Digital Services Act (DSA) – A comprehensive regulation that came into force in early 2024, aimed at making online platforms more accountable for user safety, content moderation, and advertising transparency. Among other provisions, the DSA prohibits targeted advertising based on special categories of personal data without user consent.
-
The General Data Protection Regulation (GDPR) – Enforced since 2018, the GDPR sets strict rules on the collection, processing, and storage of personal data. It classifies certain types of information—like political beliefs or health conditions—as special categories that require a higher standard of protection.
The groups are calling for a thorough investigation by both the European Commission and Arcom to determine whether X has breached these regulations, and to impose sanctions if violations are confirmed.
No Immediate Response from X or Regulators
As of Tuesday, X has not responded to requests for comment regarding the complaints. Similarly, the European Commission and Arcom have not issued public statements addressing the allegations.
Elon Musk’s platform has previously faced criticism over its approach to moderation, transparency, and user data protection—particularly since Musk acquired the company and implemented sweeping changes to its operational structure and verification systems.
Implications for X and the Broader Tech Industry
If the complaints result in a formal investigation and regulatory action, X could face heavy financial penalties and be forced to change its data practices. Under GDPR alone, fines can reach up to €20 million or 4% of global annual revenue, whichever is higher. The DSA also carries stiff penalties, including up to 6% of a company’s global turnover.
This case could also set a precedent for how regulators enforce the DSA’s advertising restrictions on major digital platforms. As civil society groups continue to monitor tech companies’ compliance, more complaints could emerge across Europe in the coming months.
Broader Concerns About Transparency
The complainants also voiced frustration over the lack of effective oversight tools for users to understand and control how their data is used.
“The fact that this was discovered by independent researchers rather than regulators themselves points to weaknesses in the enforcement infrastructure,” said a spokesperson for European Digital Rights (EDRi).
They argue that more robust audits and stronger enforcement mechanisms are needed to ensure that platforms like X do not circumvent user consent rules or hide behind vague privacy policies.
A Pattern of Noncompliance?
Since Musk’s acquisition of the platform, X has been accused of backtracking on several transparency and moderation commitments. The company previously withdrew from a voluntary EU code on disinformation, leading some observers to question its commitment to complying with European standards.
Critics say this latest controversy further underscores the platform’s risk-prone approach to user privacy, and highlights the need for consistent regulatory oversight—especially when companies operate across multiple jurisdictions with varying data laws.
What Happens Next?
The European Commission now has the authority under the DSA to launch formal investigations and impose penalties on systemic noncompliance. If Arcom in France finds merit in the complaint, it may also initiate proceedings at the national level.
For now, the civil society organisations are urging swift and decisive action to ensure that X and other platforms do not exploit sensitive personal data for profit—especially without clear and informed consent from users.
Final Thoughts
This case is likely to draw international attention as governments and regulators around the world step up efforts to protect digital rights in an age of increasing surveillance and algorithmic influence.
As more civil society watchdogs focus on the hidden dynamics of digital advertising, platforms like X may be forced to rethink how they balance personalization with privacy, and whether profit should ever come at the cost of fundamental rights.
If the complaints succeed, this could mark a major turning point in how targeted advertising is regulated in Europe, and may signal a wave of similar actions against other tech giants accused of overstepping ethical and legal boundaries in the digital space.