A complaint has been filed against an adtech company owned by Microsoft. The case was backed by the European privacy advocacy group noyb, a non-profit that does a lot to take down tech giants that break data protection laws.
As its most recent move, noyb is helping an unnamed person in Italy file a complaint against Xandr with that country’s data protection authority. The complaint was made under the General Data Protection Regulation (GDPR) of the European Union. If it is upheld, the company could be fined up to 4% of Microsoft’s global annual turnover.
People in the bloc say that Xandr isn’t being transparent and is violating their right to access their data. This is because their information is used to make profiles that are then used for microtargeted ads that are sold through programmatic ad exchanges. According to the complaint, the adtech business is also using wrong information about people.
Noyb says that Xandr is breaking Articles 5(1)(c) and (d); 12(2); 15 and 17 of the GDPR.
The complaint asks the data protection authority to investigate and, if it finds breaches, to tell Xandr to fix them. Noyb also says that Xandr’s parent company should be fined up to 4% of its annual revenue. By the way, Microsoft made close to $212 billion in revenue last year.
Taking On Governmental Risk?
At the end of 2021, Microsoft bought Xandr, which it called a “data-enabled technology platform,” to grow its digital advertising business. However, Xandr kept its own structure and still runs as a separate business. In a press release at the time, Microsoft said that the purchase would improve its “retail media solutions” and give publishers “stronger monetization through larger first-party data access and a full funnel marketing offering.” It didn’t say anything about the rise in regulatory risk that could come from the purchase.
The problem, according to the complaint backed by noyb, is that Xandr is not responding to any requests from people who want to access, delete or change their personal information. The complaint has a link to a “hidden” page on which Xandr posts data access measurements. This page says that the company got 1,294 requests to access information and 600 requests to delete information between January 1, 2022, and December 31, 2022. It turned down all of them.
On the page, there is a note that says, “Access and deletion requests are denied when we can’t verify the identity and jurisdiction of the requestor. Because the data Xandr gathers on its Platform is pseudonymous, we can’t be sure of the identity of the customers who made requests to access or delete data when those requests aren’t linked to any other identifiers, so we turned down those requests.”
It looks like Xandr is saying it doesn’t have to follow GDPR data access rights because the information it has on people is pseudonymous.
But the complaint says it is not believable for a company whose whole business is identifying people to make money from targeted ads to say it can’t find the people whose information it has.
A lawyer at noyb who specializes in data protection said in a statement, “Xandr’s business is obviously based on keeping data on millions of Europeans and targeting them.” Still, the business says it doesn’t answer any requests for entry or deletion. It’s amazing that Xandr even shows the public how it breaks the GDPR.
It’s important to remember that the GDPR has a broad definition of what personal data is, and data that has been pseudonymized is still personal data. This means that those who hold this information must follow EU-wide laws, such as giving people the right to access their data.
The European Data Protection Board (EDPB) released guidelines on data subject access rights last year. The guidelines include an example from microtargeted advertising to show how an adtech company should be able to “precisely identify” a person who is asking to see their personal data from the same terminal equipment that is linked to their advertising profile (i.e. through cookies dropped on it) because “a link between the data processed and the data subject can be found.”
If a person asks for their data in a different way, like by email, the EDPB says the adtech company should ask for more information from them so they can find the right advertising profile and grant the person’s request to access their data. In particular, the instructions say that a person would have to give the cookie identifier that is saved on their terminal equipment.
It’s not clear what steps Xandr took to find the advertising profiles of the people who asked to see or delete their data.
Going back to the complaint, noyb’s research also found what seems to be a lot of wrong information that Xandr has on people. This may make its customers question the quality of its ad targeting services in other ways. However, it is also legally important because the GDPR gives people the right to have wrong information about them corrected.
The GDPR gives people in the EU other rights as well, such as the right to ask for a record of their data. Again, noyb says this is another place where Xandr doesn’t follow the rules. As Xandr wouldn’t provide it, a subject access request was used to get a copy of the complainant’s data from one of Xandr’s data broker suppliers.
In a news release, noyb says, “Thanks to an access request with the data broker and Xandr supplier emetriq, we know that at least part of Xandr’s database is made up of severely wrong and contradictory personal data about people.” “Emetriq says the complainant is both male and female and is between the ages of 16 and 19, 20 to 29, 30 to 39, 40 to 49, 50 to 59, and 60 and up. This person also makes between €500 and €1,500, €1,500 and €2,500, and €2,500 and €4,000 a month. Also, the same person is looking for work, has a job, is a student, is a pupil, and works for a company. One to ten, one thousand or more, and one thousand to five thousand people work for that company at the same time.”
“It’s hard to see how these types of data could be used for accurate ad targeting,” says Noyb. “Emetriq isn’t the only data broker that Xandr gets data from, but it’s safe to assume that this data is used to target ads.”
On top of that, Gelmi wrote, “It looks like some people in the advertising business don’t care about giving advertisers correct information.” Instead, the data set is a mess of different pieces of information that don’t agree with each other. This could be good for businesses like Xandr because they can sell the same person as both young and old to different partners.
Microsoft Has Been Contacted For Its Take On The Complaint
Because Xandr is based in the US, a representative for noyb told us that the group does not think the complaint will be sent from Italy to the Irish data protection authorities through the GDPR’s one-stop-shop process. Because of how its business is set up, the adtech company could face more complaints in EU Member States where it has handled personal data of people there, which would increase the legal risk even more.
According to the complaint backed by noyb, past research has shown that Xandr gathers very private details about people for the purpose of advertising, like their sexual orientation, religion, political views, and sex life. The GDPR makes it very hard to legally handle certain types of sensitive data. The person concerned has to give clear permission first.
It’s not clear how Xandr could have gotten such permissions from the people whose data it has. But people who visit websites may be a source of information, since people who view authors’ content can set off tracking for ads. In the EU, these kinds of websites should ask visitors for permission before tracking them. However, normal ways of getting people’s permission are being accused of breaking the GDPR.