The dangers of online tracking have been shown once again: French presidential candidate Eric Zemmour has bought tens of thousands of phone numbers of Jewish voters from a data broker to incite division with unsolicited anti-Muslim text messages. The DSA must put an end to the use of this kind of inferred sensitive data for ads.
On Friday evening, April 8, many members of the Jewish community in France received text messages from the far-right “Reconquest!” party of presidential candidate Eric Zemmour. The texts speak of an “expansion of Islam”, “Islamic terrorism”, “anti-Semitism”, and “daily violence of scum”. The text messages specifically targeted people based on inferred sensitive data, namely their religious views, trying to goad one religious community to hate another. This scandal shows once again how the massive collection of inferred personal data for targeting ads can be used to polarise our societies so far as to sow hatred among religious groups.
Inferred data: Where did the phone numbers of French Jewish voters come from?
Victims of Zemmour’s incendiary messages and the underlying data abuse might not have made their religious views public. In order for a data broker to know about it, they did not have to explicitly tell Facebook or Instagram what religious group they identified with. Instead, this sensitive personal information has most likely been inferred from other types of personal information such as ‘likes’ and comments on social media, or geolocation data revealing the regular attendance at a synagogue, in order to assume an individual’s Jewish beliefs.
Many recipients of these intrusive messages complained publicly, and rightly so. Information about someone’s religious views is highly sensitive and—alongside political opinions, health data and sexual preferences—enjoys particular protection under the European data protection law GDPR. That is also why the French National Commission for Information Technology and Civil Liberties (CNIL) has opened an investigation into the data abuse scandal.
What can we do about the misuse of sensitive data for ads?
Surveillance ads drive a whole data industry that needs strong regulation, ideally at the EU level in order to avoid the fragmentation of the EU’s digital single market. More concretely:
- The Digital Services Act (DSA) should prohibit the use of sensitive and inferred data for the purpose of ads. The DSA’s Article 24 is the perfect place to put an end to the kind of data misuse that has damaged the presidential election in France. But its protections go further: it would also help us curb the targeted spread of disinformation and the systematic manipulation of our public debates by foreign powers.
- The DSA should prohibit the use of deceptive interface designs (‘dark patterns’). Data brokers like the one who sold phone numbers of Jewish voters to Eric Zemmour have huge amounts of other types of personal data that is being sold to whoever puts money on the table. Often people’s consent for this kind of data trade is collected by pop-up banners that make it incredibly hard to say No. The DSA’s Article 13a provides a unique opportunity to put an end to those cheating interface designs and give people a real choice of whether or not they agree their data is being sold.
In March, over 35 civil society organisations have called on Emanuel Macron to commit to protecting people against these practices. Also in March, over 70 NGOs wrote to over 20 state representatives involved in the DSA negotiations from 11 Member States. The EU should act now to protect its citizens through the DSA.