The ad tech business owned by Microsoft has been the subject of a complaint backed by European privacy advocacy group Noyb, a non-profit that has grown far beyond its size in striking down tech giants for data privacy violations.
In a recent action, noyb is assisting an anonymous Italian individual to file a complaint against Xandr with the country’s data protection authority. The complaint was filed under the European Union’s General Data Protection Regulation (GDPR), which means that if it is filed, Xandr’s parent company could face fines of up to 4% of Microsoft’s global annual revenue.
Xandr is accused of violating people’s right to access data on its blockchain and lacking transparency. People’s information on its blockchain is processed to create profiles that are used to deliver microtargeted ads sold through programmatic advertising auctions. The lawsuit also claims the ad tech company is using inaccurate information about people.
Specifically, noyb claims that Xandr is violating Article 5(1)(c) and (d), Article 12(2), Article 15 and Article 17 of the GDPR.
The complaint asks the data protection authority to investigate and, if a violation is confirmed, to order Xandr to come into compliance. noyb also suggests that Xandr’s parent company be fined up to 4% of its annual revenue (note: Microsoft’s annual revenue in 2023 was closer to $212 billion).
Are you facing regulatory risk?
Microsoft expanded its digital advertising business in late 2021 by acquiring a “data-driven technology platform” called Xandr, but Xandr retained structural autonomy and operated as a separate entity. A Microsoft press release at the time touted the acquisition as enhancing its “retail media solutions” and “strengthening publisher monetization with greater first-party data access and full-funnel marketing offerings.” It made no mention of the potential regulatory risks posed by the acquisition.
According to the complaint backed by noyb, the problem is that Xandr does not respond to data access requests from individuals who want to delete or modify their personal information. The complaint links to a “hidden” webpage where Xandr says it posts data access metrics. According to the page, from January 1, 2022 to December 31, 2022, the company received 1,294 access requests and 600 deletion requests, all of which it denied.
An explanatory note on the webpage states, “Access and deletion requests will be denied if we cannot verify the identity and jurisdiction of the requester. Due to the pseudonymous nature of the data that Xandr collects on its platform, we are unable to verify the identity of the consumer making the access and deletion request unless these requests are linked to another identifier, and therefore these requests have been denied.”
Therefore, it appears that Xandr is arguing that it does not need to comply with GDPR data access rights because the information about the individuals is pseudonymized.
But the complaint argues that it is implausible for a company that relies entirely on profiling individuals for targeted advertising revenue to claim that the information it holds cannot identify people.
“Xandr’s business is clearly based on storing and targeting data on millions of Europeans, yet the company admits that it has a 0% response rate to access and deletion requests. It is astonishing that Xandr is publicly showing how it violates the GDPR,” Massimiliano Gelmi, a data protection lawyer at noyb, said in a statement.
The GDPR takes a broad view of what constitutes personal data, and it is important to note that pseudonymised data remains personal data, meaning anyone holding that information will need to comply with EU-wide legal requirements, including providing access to the data.
The guidance on data subject access adopted by the European Data Protection Board (EDPB) last year includes an illustrative example in the field of micro-targeting advertising, in which the Board notes that ad tech companies must be able to “precisely identify” individuals who request access to their personal data from the same terminal device linked to their advertising profile (i.e. via cookies installed on that terminal device), “so that a link can be established between the data being processed and the data subject.”
If an individual requests data in another way, such as by email, the EDPB guidelines suggest that ad tech companies should ask for additional information to identify the relevant advertising profile and fulfill the data access request. Specifically, the guidelines specify that individuals should provide a cookie identifier stored on their terminal equipment.
It's unclear what steps Xandr took to identify the advertising profiles of people who requested access to or deletion of their data.
Back to the complaint, noyb’s investigation found a high level of inaccuracy in the information Xandr held about individuals, which may raise separate questions about the quality of its ad targeting services to customers. However, it also has legal significance, as GDPR gives individuals the right to correct inaccurate data held about them.
EU citizens may also expect other rights under GDPR, including the right to request a copy of their data. Again, noyb argues that this is another area where Xandr is not compliant. While Xandr itself was unable to obtain a copy of the plaintiff’s data, it did use a subject access request to one of its data broker providers.
“Thanks to a request for access to emetriq, a data broker and Xandr provider, we have become aware that a significant portion of the Xandr database consists of highly inaccurate and contradictory personal data about people,” the press release states. “According to emetriq, the complainants are male and female and are estimated to be aged between 16-19, 20-29, 30-39, 40-49, 50-59 and 60+. The complainants’ incomes also range from €500-€1,500, €1,500-€2,500 and €2,500-€4,000. Furthermore, the same people are looking for work, are employed, are students, are students and work for companies that employ between 1-10, over 1,000 and between 1,100 and 5,000 people at any given time.”
“It’s hard to imagine how this data category could be used for precise ad targeting,” noyb added. “While emetriq is not the only data broker providing data to Xandr, we have to assume that this information is being used for ad targeting.”
Gelmi further commented, writing: “Some parts of the advertising industry don't seem to be interested in providing advertisers with accurate information. Instead, the data sets are littered with a confusing variety of conflicting information. This is potentially beneficial for companies like Xandr, which can sell younger and older users to different business partners.”
I have asked Microsoft to respond to my complaint.
A noyb spokesperson said they do not expect complaints to be referred from Italy to the Irish data protection authority under GDPR’s one-stop-shop process, as Xandr is incorporated in the US. This corporate structure suggests the ad tech company could face additional complaints from other EU member states where it has processed data from locals, which would further increase regulatory risk.
This complaint, supported by noyb, highlights previous research showing that Xandr collects highly sensitive information about individuals (such as their sex life, sexual orientation, religious beliefs, and political opinions) for advertising profiling purposes. The GDPR sets a particularly high bar (explicit consent) for lawfully processing sensitive categories of data.
It’s unclear how Xandr obtained such consent from the individuals whose data it holds. However, website visitors could be one source of information, as ad tracking can be triggered by people accessing a publisher’s content. In the EU, such sites are required to ask visitors for permission to track, but the industry-standard mechanism for obtaining people’s consent has itself been criticized as violating GDPR.
