Microsoft-owned company Xandr accused of privacy breach in the European Union
Microsoft-owned adtech company, Xandr, is facing a complaint supported by European privacy advocacy group, noyb, over alleged privacy breaches in the European Union. An individual in Italy, who remains anonymous, has filed the complaint under the General Data Protection Regulation (GDPR), and if successful, Xandr could face fines of up to 4% of Microsoft's global annual turnover. noyb accuses Xandr of failure to be transparent and breaching data access rights of individuals whose information is used for microtargeted advertising. The complaint also claims that the adtech company is using inaccurate information about individuals. This is reported by SSP.
Under specific GDPR articles, including 5(1)(c) and (d), 12(2), 15, and 17, the complaint asks the data protection authority to investigate and order Xandr to comply. noyb also suggests imposing a fine of up to 4% of Xandr's parent company's annual revenue, Microsoft. Xandr allegedly refuses to respond to data access and deletion requests from individuals concerning their personal information. Xandr claims that it cannot verify the identity and jurisdiction of requestors, as the data held is pseudonymous. noyb argues that it is not plausible for a company built on profiling individuals for targeted advertising to claim it cannot identify the people in question.
According to Massimiliano Gelmi, a data protection lawyer at noyb, it is surprising that Xandr breaches the GDPR while openly admitting to doing so. Xandr's business relies on collecting and targeting data on millions of Europeans. The complaint also emphasizes potential inaccuracies in the data Xandr holds, raising quality concerns regarding its ad targeting services. The GDPR offers individuals further rights, such as the ability to request a copy of their data, which noyb alleges Xandr is not complying with.
The complaint reveals that emetriq, a data broker and supplier to Xandr, has highlighted inaccuracies and contradictions in Xandr's database. The complaint states that the complainant is described as both male and female and has various ages and income levels, among other contradictory information. noyb questions how this data can be used for accurate ad targeting. It is unclear how Xandr obtained explicit consent for processing highly sensitive information, such as data about individuals' sex and political opinions, as required by the GDPR. Consent mechanisms used by publishers for tracking are also disputed for potentially breaching the GDPR.
Microsoft has been approached for comment regarding the complaint. noyb does not expect the complaint to be referred to Irish data protection authorities under the GDPR's one-stop-shop process, as Xandr is based in the US. This structure suggests that further complaints against Xandr may arise in other EU member states where it has processed data, increasing regulatory risk for the adtech firm.