Microsoft’s adtech subsidiary, Xandr, is at the center of a major privacy controversy. European privacy advocacy group noyb, known for its formidable strikes against data protection violators, is supporting an Italian individual’s complaint against Xandr. The complaint has been lodged with Italy’s data protection authority under the European Union’s General Data Protection Regulation (GDPR). If successful, Xandr could face fines of up to 4% of Microsoft’s global annual turnover, which was nearly $212 billion in 2023.
Transparency and Data Access Rights Under Fire
Xandr is accused of failing to meet transparency requirements and breaching the data access rights of EU citizens. These citizens’ data is used to create profiles for microtargeted advertising sold through programmatic ad auctions. The complaint also alleges that Xandr uses inaccurate information about individuals.
Noyb claims Xandr is violating several GDPR articles:
- Article 5(1)(c) and (d): Data minimization and accuracy
- Article 12(2): Transparent communication
- Articles 15 and 17: Data access and erasure rights
The complaint calls for an investigation and compliance enforcement, suggesting fines of up to 4% of the annual revenue of Xandr’s parent, Microsoft.
Acquisition and Regulatory Risk
Microsoft acquired Xandr in late 2021 to enhance its digital advertising capabilities, including “retail media solutions” and improved “first-party data access.” However, the regulatory risks now emerging were not foreseen at the time of the acquisition.
Noyb’s complaint points to Xandr’s failure to respond to data access requests from individuals seeking to delete or correct their personal information. A “hidden” webpage shows Xandr received 1,294 access requests and 600 deletion requests in 2022, denying every single one. Xandr claims it can’t verify the identity of individuals due to the pseudonymous nature of the data.
However, noyb argues that a company profiting from profiling individuals for targeted ads should be able to identify those individuals. GDPR guidelines also support this view, suggesting adtech firms should use cookie identifiers to match data with individuals.
Inaccurate Data and Legal Implications
Noyb’s research uncovered high levels of inaccurate data within Xandr’s profiles, raising questions about the quality of its ad targeting. The GDPR grants individuals the right to correct inaccurate data, adding another layer of potential non-compliance for Xandr.
Noyb’s investigation found that data brokers supplying Xandr hold contradictory information about individuals. For instance, one data broker, emetriq, held data that described a single individual with multiple, conflicting demographics and statuses. This chaotic data set calls into question the reliability of Xandr’s ad targeting.
Implications for Xandr and Microsoft
The complaint’s allegations are serious, emphasizing that Xandr collects sensitive information such as sexual orientation, religious beliefs, and political opinions. GDPR requires explicit consent for processing such data, but it’s unclear how Xandr obtains this consent.
Noyb’s complaint may not be referred to Irish data protection authorities under the GDPR’s one-stop-shop process since Xandr is based in the US. This means Xandr could face similar complaints across multiple EU Member States, increasing its regulatory risks.
The Road Ahead
Microsoft has been contacted for a response, but the implications for Xandr are already significant. The noyb-backed complaint underscores the importance of data protection compliance and the potential fallout from regulatory breaches in the adtech industry.
As regulatory scrutiny intensifies, the case against Xandr could serve as a critical example for other adtech companies navigating the complex landscape of data privacy laws in the EU.
Stay tuned for updates on this unfolding story and its broader implications for digital advertising and data privacy.