Microsoft's subsidiary, Xandr, is facing allegations of breaching European Union data protection regulations following a complaint supported by the privacy advocacy group, noyb.
The nonprofit has rallied behind an unnamed individual in Italy who has officially filed a complaint against Xandr with the country's data protection authority under the General Data Protection Regulation (GDPR). If successful, this legal action may result in fines of up to 4% of Microsoft's annual global revenue.
Microsoft's Xandr Faces Allegations of Violating EU Data Protection Rules
The complaint centers on accusations concerning Xandr's practices in collecting and sharing the personal data of millions of Europeans for targeted advertising purposes.
Despite advertising itself as a platform for precise ad targeting, Xandr allegedly distributes user data widely among advertisers, encompassing sensitive information about health, sexuality, and political beliefs.
The complaint contends that this process enables Xandr to sell ad space to multiple advertisers under the guise of targeting specific demographics despite possessing inconsistent and inaccurate data.
Xandr operates within the Real-Time Bidding (RTB) framework, in which advertisers bid on ad placements through automated algorithms that assess user profiles.
This automated auction system relies heavily on detailed user data to determine the value of ad space, which Xandr acquires and shares with external parties like emetriq, a subsidiary of Deutsche Telekom.
The data reportedly includes profiles categorizing individuals based on sensitive attributes such as disabilities, pregnancy status, and LGBTQ+ identification, among others.
Another concern raised in the complaint is Xandr's purported failure to comply with GDPR-mandated access and data erasure requests. Despite accumulating extensive personal data from users, Xandr allegedly maintains a 0% response rate to requests for access and erasure.
User Privacy Concerns
Massimiliano Gelmi, a data protection lawyer affiliated with noyb, criticized Xandr's approach, highlighting the discrepancy between the company's data handling practices and GDPR requirements.
He pointed out that Xandr's operations appear to prioritize data accumulation over accuracy, potentially compromising the integrity of targeted advertising efforts.
The lawyer emphasized that such practices undermine user privacy and raise questions about the effectiveness of regulatory frameworks designed to protect personal data.
The complaint, now under review by the Italian data protection authority (Garante), accuses Xandr of multiple GDPR violations, including failures in transparency, data accuracy, and responsiveness to user requests.
The legal action seeks to compel Xandr to rectify its data processing practices to align with GDPR standards, particularly regarding data minimization and accuracy.
Additionally, noyb has proposed imposing substantial fines on Xandr, amounting to 4% of its annual turnover, as a deterrent against future non-compliance. Xandr has not yet released a public statement about these allegations.