A Microsoft-owned advertising technology company is the target of a complaint backed by the European privacy advocacy group noyb, a nonprofit that outdoes itself when it comes to striking back against tech giants that violate data protection rules.
In its latest move, noyb is supporting an unnamed individual in Italy in filing a complaint against Xandr with the country’s data protection authority. The complaint has been filed under the European Union’s General Data Protection Regulation (GDPR), meaning that, if successful, it could result in fines of up to 4% of the annual global sales of Xandr’s parent company, Microsoft.
Xandr is accused of failing to be transparent and violating the data access rights of people in the European Union whose information is processed to create profiles used in targeted ads sold through programmatic ad auctions. The complaint also alleges that the ad tech company uses inaccurate information about people.
Specifically, noyb alleges that Xandr violates Articles 5(1)(c) and (d); 12(2); 15 and 17 of the GDPR.
The complaint asks the data protection authority to investigate and, if the breaches are confirmed, order Xandr to comply. noyb also proposes a fine of up to 4% of annual revenue for Xandr’s parent company (note: Microsoft’s annual revenue in 2023 was close to $212 billion).
Acquiring regulatory risk?
Microsoft acquired the “data-driven technology platform,” as it calls Xandr, at the end of 2021 to expand its digital advertising business, although Xandr will retain its structural independence and operate as a separate entity. In a press release at the time, the National Enquirer said the acquisition would enhance “media solutions for retail,” as well as promote “improved profitability for publishers through greater access to first-party data and a full-spectrum marketing offering.” It did not mention the potential for increased regulatory risks from the acquisition.
The problem, according to the complaint supported by noyb, is that Xandr fails to respond to any data access requests from individuals who want their personal information deleted or corrected. The complaint relates to a “hidden file” web page where Xandr does publish data access metrics. According to this page, from January 1, 2022 to December 31, 2022, the company received 1,294 access requests and 600 deletion requests but denied every single one of them.
An explanatory note on the webpage states: “Access and deletion requests are denied when we are unable to verify the identity and jurisdiction of the requester. Due to the pseudonymous nature of the data Xandr collects on its platform, we are unable to verify the identity of consumers who have submitted access and deletion requests when such requests are not linked to any other identifiers, and therefore we deny such requests.”
So it appears that Xandr is claiming that it does not have to comply with the data access rights set out in the GDPR because the information it holds about individuals is pseudonymous.
However, the complaint alleges that it is unreasonable for a company whose entire business is based on creating personal profiles of individuals to profit from targeted advertising to claim that it cannot identify the people whose information it holds.
“It is clear that Xandr’s business is based on retaining and targeting the data of millions of Europeans. Yet the company admits that its response rate to access and erasure requests is 0%. It is astonishing that Xandr is publicly demonstrating how it violates the GDPR,” said Massimiliano Gelmi, data protection lawyer at noyb.
It is worth noting that the GDPR takes a broad view of what constitutes personal data, and data that has undergone pseudonymization remains personal data, meaning that those holding such information must comply with EU-wide legal requirements such as providing data access rights.
Data access rights guidelines adopted by the European Data Protection Board (EDPB) last year include an illustrative example from the world of microtargeted advertising, stating that an ad tech company should be able to “identify” an individual requesting access to their personal data from the same terminal equipment associated with their advertising profile (i.e. through cookies dropped on it) since “a link can be established between the processed data and the data subject.”
If an individual requests their data in another way, for example via email, the EU Data Protection Authority’s guidance indicates that the ad tech company must request additional information from them in order to identify the relevant advertising profile and fulfil the data access request. Specifically, the guidance states that the individual will need to provide the cookie ID stored on their terminal equipment.
It’s not yet clear what steps Xandr has taken to identify ad profiles of people requesting access to or deletion of their data.
Returning to the complaint, noyb’s research also revealed high levels of inaccuracy in the information Xandr holds about individuals – which could raise separate questions for its customers about the quality of its ad targeting services. But it also has legal significance because the GDPR gives individuals the right to correct incorrect data held about them.
EU citizens can rely on the GDPR for other rights as well, including the ability to request a copy of their data. Again, noyb claims this is another area where Xandr does not comply. It was unable to obtain a copy of the complainant’s data from Xandr itself, instead using a data access request to one of its data broker suppliers.
“Thanks to a request for access to the data broker – and Xandr supplier – emetriq, we know that at least part of the Xandr database consists of inaccurate and significantly contradictory personal data about people,” noyb wrote in a press release. “According to emetriq, the complainant is male and female, with an estimated age of 16-19, 20-29, 30-39, 40-49, 50-59, and 60+. The complainant’s income is between €500 and €1,500, €1,500 and €2,500, and €2,500 and €4,000. Furthermore, the same person is looking for a job, is employed, is a student, is a pupil and works for a company. This company, in turn, employs 1-10, 1,000+ and 1,100-5,000 people at the same time.”
“It’s hard to imagine how these data categories could be used to accurately target ads,” noyb adds. “While emetriq is not the only data broker providing data to Xandr, it’s likely that this information is being used to target ads.”
In another comment, Gelmi wrote: “It seems that parts of the advertising industry don’t really care about providing advertisers with accurate information. Instead, the dataset contains a messy assortment of conflicting information. This could benefit companies like Xandr as they can sell the same young and old user to different business partners.”
Microsoft has been contacted for a response to the complaint.
A noyb spokesperson told us it does not expect the complaint from Italy to be referred to Irish data protection authorities, under the GDPR’s One Stop Shop process, because Xandr is incorporated in the US. This corporate structure suggests the ad company could be targeted by more complaints in other EU member states where it has processed local data — increasing regulatory risk.
The complaint supported by noyb highlights previous research which it said found that Xandr collects highly sensitive information about individuals for the purposes of profiling them for advertising, such as data about their sex life or sexual orientation, religious beliefs and political views. The General Data Protection Regulation (GDPR) sets a particularly high bar, explicit consent, for legally processing sensitive categories of data.
It’s not clear how such consents were obtained from the individuals whose data Xandr holds. But website visitors may be one source of information where ad tracking can be triggered by people accessing publishers’ content. In the EU, such sites must ask visitors for their permission to be tracked, but industry-standard mechanisms for obtaining people’s consent have been accused of violating the GDPR.