Microsoft’s adtech business, Xandr, is facing a complaint supported by European privacy advocacy group, noyb. The complaint, filed by an individual in Italy with the country’s data protection authority, alleges transparency failures and breaches of data access rights under the EU’s General Data Protection Regulation (GDPR). If upheld, this could result in fines up to 4% of Microsoft’s global annual turnover.
Xandr is accused of not responding to data access requests from individuals seeking to delete or correct their personal information used for targeted advertising. Specifically, noyb claims Xandr is violating Articles 5(1)(c) and (d); 12(2); 15; and 17 of the GDPR. The complaint also highlights that Xandr uses inaccurate information about people.
The complaint requests the data protection authority to investigate and enforce compliance if breaches are confirmed, suggesting a fine up to 4% of annual revenue for Microsoft, Xandr’s parent company. Microsoft acquired Xandr in 2021 to expand its digital advertising business, though Xandr operates as a separate entity.
Xandr claims it cannot verify the identity of individuals making data access requests due to the pseudonymous nature of the data it collects. However, the complaint argues it is not credible for a company that profiles individuals for targeted advertising to claim it cannot identify them. The GDPR considers pseudonymous data as personal data, requiring compliance with data access rights.
🚨 noyb has filed two complaints against @Microsoft for violating children’s data protection rights!
👉 The company shifts responsibility for GDPR compliance to local schools…
👉 …and places tracking cookies without consent
Read all about it here:https://t.co/Y5t5kN6TMa
— noyb (@NOYBeu) June 4, 2024
noyb’s research found that Xandr has a 0% response rate to access and erasure requests. Additionally, it uncovered high levels of inaccuracy in the data Xandr holds, which may affect the quality of its ad targeting services and raises legal issues given individuals’ rights to correct inaccurate data.
noyb alleges Xandr also fails to provide copies of personal data upon request, only obtaining such data through a subject access request to one of its data broker suppliers. This revealed wildly inaccurate personal data about the complainant, suggesting significant issues with Xandr’s data accuracy and ad targeting practices.
The complaint further notes that Xandr collects sensitive information about individuals, such as sexual orientation, religious beliefs, and political opinions, which under GDPR requires explicit consent. The mechanisms for obtaining such consent are unclear and may not comply with GDPR standards.
Microsoft has been contacted for a response to the complaint. noyb expects the complaint to be handled in Italy rather than referred to Irish data protection authorities due to Xandr’s US establishment, implying potential complaints in other EU Member States where Xandr processes data.
