Microsoft’s adtech business Xandr is facing accusations of privacy breaches in the European Union. The complaint, supported by the European privacy advocacy group noyb, alleges that Xandr, owned by Microsoft, has violated transparency requirements and data access rights of individuals in the EU. The complaint claims that Xandr is using inaccurate information about people and breaching several articles of the GDPR.
The complaint asks the data protection authority to investigate and potentially impose fines of up to 4% of Microsoft’s global annual turnover. Xandr, acquired by Microsoft in 2021, has been accused of failing to respond to data access requests from individuals wanting their personal information deleted or corrected. The company claims that it cannot verify the identity of requestors due to the pseudonymous nature of the data it collects.
However, the complaint argues that Xandr’s business model relies on profiling individuals for targeted advertising, making it necessary for the company to comply with GDPR data access rights. The GDPR requires companies to provide access to personal data even if it has been pseudonymized. The complaint also highlights the inaccurate information held by Xandr on individuals, raising concerns about the quality of its ad targeting services.
Furthermore, the complaint reveals that Xandr may be collecting highly sensitive information about individuals for ad profiling purposes, such as data about their sex life, sexual orientation, religion beliefs, and political opinions. The GDPR requires explicit consent for processing such sensitive data, but it is unclear how Xandr obtained these consents from individuals.
The complaint also points out that Xandr’s corporate structure, established in the US, may complicate the referral of the complaint to Irish data protection authorities under the GDPR’s one-stop-shop process. This could potentially lead to further complaints in other EU Member States where Xandr operates, increasing its regulatory risk.
In response to the complaint, Microsoft has been contacted for a statement. The complaint underscores the importance of companies like Xandr respecting individuals’ data access rights and ensuring the accuracy of the information they use for ad targeting. The outcome of the investigation and any potential fines imposed on Xandr could have significant implications for the adtech industry and data protection in the EU.