
Xandr, owned by Microsoft, Faces Allegations of Violating EU Privacy Regulations

by admin

A digital advertising technology firm owned by Microsoft is the subject of a complaint backed by the European privacy advocacy group noyb. This non-profit organization has gained a reputation for its effective legal challenges against major technology companies over privacy breaches.

In its recent initiative, noyb is aiding an anonymous party in Italy to file a grievance against Xandr at the national data protection authority. The grievance is lodged pursuant to the European Union’s General Data Protection Regulation (GDPR), which could potentially lead to penalties amounting to as much as 4% of the annual global turnover of Xandr’s parent company, Microsoft.

The accusation against Xandr revolves around its alleged lack of transparency and infringement of data access rights. This includes the processing of individuals’ information to construct profiles for microtargeted advertising via programmatic ad auctions and the utilization of incorrect information about individuals.

Specifically, noyb claims that Xandr is violating several GDPR Articles, including 5(1)(c) and (d); 12(2); 15; and 17.

The complaint demands that the data protection authority undertake an investigation and, following any confirmed violations, mandate Xandr to align with compliance standards. Additionally, noyb suggests the imposition of a fine, potentially reaching up to 4% of the annual revenue of Xandr’s parent company, referencing Microsoft’s reported annual revenue for 2023, which approached $212 billion.

Potential Regulatory Risks Ahead?

Microsoft acquired the “data-enabled technology platform” known as Xandr at the tail end of 2021, aiming to bolster its digital advertising capabilities. Despite this acquisition, Xandr has maintained its operational independence, functioning as a distinct entity. Microsoft’s acquisition announcement emphasized the enhancement of its “retail media solutions” and better monetization for publishers, but it conspicuously omitted any reference to the potential increase in regulatory scrutiny resulting from the deal.

The crux of the issue, as highlighted in the complaint backed by noyb, is Xandr’s apparent failure to address data access and modification requests from individuals. The complaint cites a “hidden” web page which allegedly shows how Xandr responded, or more accurately did not respond, to over a thousand access and deletion requests in a single year.

According to an explanatory statement on this page, requests are denied if the identity and jurisdiction of the requester cannot be verified, which the statement attributes to the pseudonymous nature of the data Xandr collects.

Xandr claims that GDPR data access rights don’t apply due to the pseudonymous nature of the information it collects. However, the complaint argues that a business fundamentally based on profiling individuals for advertising cannot credibly claim an inability to identify those individuals.

Massimiliano Gelmi, a data protection lawyer with noyb, expressed astonishment at Xandr’s public acknowledgment of a 0% response rate to access and deletion requests, interpreting it as an open admission of GDPR non-compliance.

Moreover, the GDPR considers even pseudonymized data as personal, thus obligating holders to comply with specific legal requirements, including data access rights. Guidelines from the European Data Protection Board (EDPB) underscore that adtech companies should be capable of identifying individuals linked to advertising profiles, hence fulfilling their requests for data access.

The complaint further reveals purported inaccuracies in the data Xandr holds, which not only pose potential legal issues but also call into question the quality of Xandr’s ad targeting capabilities.

Empirical evidence suggests that Xandr’s data is, at least in part, highly inaccurate: the information cited about a complainant is riddled with contradictions regarding demographic and employment details.

“It seems that parts of the advertising industry don’t really care about providing advertisers with accurate information. Instead, the data set contains a chaotic variety of conflicting information. This can potentially benefit companies like Xandr as they can sell the same user as young and old to different business partners.”

Microsoft has been approached for comments on the complaint.

A noyb spokesperson indicated that the complaint is unlikely to be transferred from Italy to Ireland’s data protection authorities under GDPR’s one-stop-shop mechanism, due to Xandr’s US establishment. This opens the possibility for further complaints across other EU member states.

Supporting research by noyb suggests that Xandr compiles highly sensitive data for ad profiling, which demands explicit consent under GDPR for legal processing, thereby introducing questions regarding the consent mechanisms used by Xandr and the websites it partners with for ad tracking.

Compiled by Techarena.au.