Microsoft’s Xandr Faces GDPR Complaint Over Targeted Advertising Data Practices

Xandr, an advertising platform owned by Microsoft, is under scrutiny due to a GDPR complaint lodged by privacy group NOYB. The organization argues that Xandr’s data collection practices for creating advertising profiles are not in line with GDPR regulations on data access and removal. Detailed Accusations The core of NOYB’s complaint is Xandr’s real-time bidding (RTB) system, which collects extensive user data to facilitate targeted advertising. NOYB’s investigation claims the platform processes sensitive personal information, including health details, sexual orientation, political affiliations, religious beliefs, and financial data. Identified user segments comprised labels such as ‘french_disability,’ ‘pregnant,’ ‘lgbt,’ ‘gender_equality,’ and ‘jewishfrench.’ NOYB’s findings also indicate potential inaccuracies in Xandr’s data practices. Emetriq, a data supplier for Xandr, allegedly categorized users with contradictory attributes. Reports mentioned misclassifications such as labeling a single user as both male and female, aged between 16 and 60+, and having various employment statuses. Regulatory Demands The complaint has been presented to the Italian data protection authority, Garante. NOYB is calling for a comprehensive investigation into Xandr’s operations and insists on compliance with GDPR provisions. The group also recommends a fine amounting to 4% of Xandr’s annual revenue to enforce adherence to data protection laws. Microsoft purchased Xandr from AT&T in 2021 and transitioned Microsoft Advertising into Xandr’s SSP in 2023.  Internal data from Xandr, displayed on a confidential website, shows that the company did not respond to any GDPR access and erasure requests in 2022. In one instance, when an individual requested access to his data, Xandr reportedly asserted that the user could not be identified, even though they had enough information to do so. Legal Perspective Massimiliano Gelmi, a NOYB data protection lawyer, noted his astonishment at Xandr’s transparency regarding its non-compliance with GDPR. He emphasized that Xandr’s business model is heavily dependent on maintaining comprehensive profiles of millions of users for targeted ads. NOYB’s grievance mentions potential violations of several GDPR articles, such as Article 5(1)(c) and (d), Article 12(2), Article 15, and Article 17. The group is petitioning Garante to ensure that Xandr adheres to GDPR mandates on data minimization and accuracy. Recent NYOB Complaints Last month, Austrian advocacy group NOYB also filed official grievances with Austria’s data protection agency, contending that Microsoft neglects its obligations under EU regulations and misuses tracking cookies within its Microsoft 365 Education package. A lawyer from the privacy rights organization, Maartje de Graaf, took aim at Microsoft’s approach to student data protection in educational institutions. De Graaf argues that Microsoft unfairly places the responsibility for compliance on schools, an unrealistic expectation for these institutions. In May, NOYB also accused OpenAI of violating GDPR laws. The complaint highlights a potential conflict between the General Data Protection Regulation (GDPR) and the capabilities of large language models (LLMs) like ChatGPT. The core of the issue lies in the inability of the LLM to correct demonstrably inaccurate personal data.