Microsoft-owned adtech Xandr accused of EU privacy breaches
An adtech business owned by Microsoft is the target of a complaint backed by European privacy advocacy group, noyb — a nonprofit that punches far above its weight when it comes to chalking up strikes against data protection-infringing tech giants.
For its latest action, noyb is supporting an unnamed individual in Italy to lodge a complaint against Xandr with the country’s data protection authority. The complaint has been filed under the European Union’s General Data Protection Regulation (GDPR) — meaning, if it prevails, it could lead to fines of up to 4% of Xandr’s parent entity’s Microsoft’s global annual turnover.
Xandr stands accused of transparency failings and breaches of the data access rights to people in the bloc whose information is processed to create profiles that are used for microtargeted advertising sold through programmatic ad auctions. The complaint also contends the adtech company is using inaccurate information about people.
Specifically, noyb alleges Xandr is breaching Articles 5(1)(c) and (d); 12(2); 15 and 17 of the GDPR.
The complaint asks the data protection authority to investigate and, if breaches are confirmed, to order Xandr to come into compliance. noyb is also suggesting it should impose a fine of up to 4% of annual revenue on Xandr’s parent (NB: Microsoft’s full year revenue for 2023 was close to $212BN).
Acquiring regulatory risk?
Microsoft picked up at the “data-enabled technology platform”, as it called Xandr, at the back end of 2021, to expand its digital advertising business, though Xandr retained its structural autonomy and operates as a separate entity. Microsoft’s press release at the time talked of the acquisition enhancing its “retail media solutions”, as well as touting “strengthened monetization for publishers through larger first-party data access and a full funnel marketing offering”. It did not mention the prospect of amped up regulatory risk flowing from the acquisition.
The problem, according to the noyb-backed complaint, is that Xandr is failing to respond to any data access requests from individuals wanting their personal information deleted or corrected. The complaint links to a “hidden” webpage where it says Xandr publishes data access metrics. Per this page, between January 1, 2022 and December 31, 2022, the company received 1,294 access requests and 600 deletion requests — but denied every single one.
A explanatory note on the webpage states: “Access and deletion requests are denied when we are unable to verify the identity and jurisdiction of the requestor. Due to the pseudonymous nature of the data Xandr collects on its Platform, we are unable to verify the identity of the consumers who made access and deletion requests when such requests are not tied to any other identifiers, and therefore we denied such requests.”
So Xandr appears to be claiming it doesn’t have to comply with GDPR data access rights because the information it holds on individuals is pseudonymous.
However the complaint argues it is not credible for a company whose entire business hinges on profiling individuals for targeted advertising profit to claim it cannot identify the people whose information it holds.
Commenting in a statement, Massimiliano Gelmi, data protection lawyer at noyb, said: “Xandr’s business is obviously based on keeping data on millions of Europeans and targeting them. Still, the company admits that it has a 0% response rate to access and erasure requests. It is astonishing that Xandr even publicly illustrates how it breaches the GDPR.”
It’s worth noting that the GDPR takes an expansive view on what constitutes personal data and data that has undergone pseudonymization remains personal data — meaning those holding such info must abide by pan-EU legal requirements such as providing data access rights.
Guidelines on data subject access rights adopted by the European Data Protection Board (EDPB) last year include an illustrative example from the realm of microtargeted advertising in which the Board points out an adtech company should be able to “precisely identify” an individual who is requesting access to their personal data from the same terminal equipment as is linked to their advertising profile (i.e. through cookies dropped on it) since “a link between the data processed and the data subject can be found”.
If an individual requests their data in another way, say by email, the EDPB guidance suggests the adtech company should request additional info from them in order to identify the relevant advertising profile and fulfil their data access request. Specifically the guidance says an individual would need to provide the cookie identifier stored in their terminal equipment.
It’s not clear what steps Xandr took to identify the ad profiles of the people requesting access to or deletion of their data.
Returning to the complaint, noyb’s research also unearthed what appears to be high levels of inaccuracy within the info Xandr holds on individuals — which may raise separate questions for its customers about the quality of its ad targeting services. But it also has legal significance given the GDPR furnishes individuals with the right to rectification of incorrect data held about them.
EU people can rely on the GDPR for other rights, too, including the ability to ask for a copy of their data. Again, noyb alleges this is another area where Xandr isn’t compliant. It wasn’t able to get a copy of the complainant’s data from Xandr itself but rather used a subject access request to one of its data broker suppliers.
“Thanks to an access request with the data broker — and Xandr supplier — emetriq, we know that at least part of Xandr’s database consists of wildly inaccurate and contradictory personal data about people,” it writes in a press release. “According to emetriq, the complainant is both male and female, has an estimated age between 16-19, 20-29, 30-39, 40-49, 50-59 and 60+. The complainant also has an income between €500-€1,500, €1,500-€2,500 and €2,500-€4,000. Furthermore, the same person is looking for a job, is employed, a student, a pupil and works in a company. That company, in turn, employs 1-10, 1,000+ and 1,100-5,000 people at the same time. “
“It is hard to imagine how these data categories can be used for accurate ad targeting,” noyb adds. “Although emetriq isn’t the only data broker supplying data to Xandr, it has to be assumed that this information is used for ad targeting.”
Commenting further, Gelmi also wrote: “It seems that parts of the advertising industry don’t really care about providing advertisers with accurate information. Instead, the data set contains a chaotic variety of conflicting information. This can potentially benefit companies like Xandr as they can sell the same user as young and old to different business partners.”
Microsoft has been contacted for a response to the complaint.
A spokesperson for noyb told us it does not expect the complaint to be referred from Italy to Irish data protection authorities, under the GDPR’s one-stop-shop process, because Xandr is established in the US. This corporate structure suggests the adtech firm could be targeted with further complaints in other EU Member States where it has processed locals’ data — further dialling up regulatory risk.
The noyb-backed complaint highlights previous research it said has shown Xandr collects highly sensitive information about individuals for ad profiling purposes, such as data about their sex life or sexual orientation, religion beliefs and political opinions. The GDPR sets a particularly high bar — of explicit consent — for legally processing sensitive categories of data.
It’s not clear how such consents would have been obtained from individuals whose data Xandr holds. But visitors to websites may be one source of information as tracking for ads can be triggered by people accessing publishers’ content. In the EU such sites should ask visitors for their permission to tracking however industry standard mechanisms for obtaining people’s consent are themselves accused of breaching the GDPR.