Microsoft's AdTech Arm Xandr Accused of Breaching EU Privacy Regulations

July 10, 2024 at 9:20:40 AM

TL;DR Microsoft-owned adtech business Xandr faces a GDPR complaint in Italy, supported by privacy group noyb. Xandr is accused of transparency failings and data access rights breaches, allegedly denying all data access and deletion requests. The complaint could lead to fines of up to 4% of Microsoft's global turnover. Xandr claims that the pseudonymous nature of its data exempts it from GDPR compliance, but noyb argues this is not credible.

Microsoft-owned adtech company Xandr is facing a complaint from the European privacy advocacy group noyb, alleging GDPR violations. The complaint, filed in Italy, accuses Xandr of failing to provide transparency and breaching data access rights for individuals in the EU. If successful, this could result in fines of up to 4% of Microsoft's global annual turnover.

Key Allegations

  • Transparency Failings: Xandr is accused of not responding to data access requests, thus violating GDPR Articles 5(1)(c) and (d); 12(2); 15 and 17.
  • Inaccurate Data: The complaint claims that Xandr holds inaccurate information about individuals, impacting the quality of its ad targeting services.
  • Non-compliance with Data Access Requests: Xandr allegedly denied all access and deletion requests in 2022, citing the pseudonymous nature of the data as a reason for non-compliance.
  • High Levels of Inaccuracy: Research indicates that Xandr's data on individuals is often contradictory and inaccurate, raising questions about its ad targeting efficacy.

Regulatory Risks

  • Acquisition Background: Microsoft acquired Xandr in late 2021 to bolster its digital advertising business. However, this acquisition has introduced regulatory risks.
  • Data Access Metrics: Xandr's own web page reveals it denied all 1,294 access requests and 600 deletion requests in 2022, claiming it couldn't verify the identity of the requestors.
  • Legal Implications: GDPR treats pseudonymous data as personal data, so data access rights must still be honored for it. European Data Protection Board (EDPB) guidelines suggest adtech companies should be able to identify individuals requesting data access.

Inaccuracy and Data Quality

  • Contradictory Data: Data obtained from Xandr's supplier, emetriq, showed wildly inaccurate and contradictory personal data about individuals, calling into question the reliability of Xandr's ad targeting.
  • Potential Misuse: The chaotic variety of conflicting information could allow Xandr to sell the same user profile differently to various business partners.

The noyb-backed complaint against Xandr underscores significant GDPR compliance issues, particularly around data access and accuracy. The outcome could have substantial financial and operational implications for both Xandr and its parent company, Microsoft.
