Microsoft's Xandr grants GDPR rights at a rate of 0%

Data Subject Rights / 09 July 2024

Advertising broker Xandr (a Microsoft subsidiary) collects and shares the personal data of millions of Europeans for detailed targeted advertising. This allows Xandr to auction off advertising space to thousands of advertisers. However, although only one ad is ultimately shown to users, all advertisers receive their data. This may include personal details concerning their health, sexuality or political opinions. Also, despite selling its service as “targeted”, the company holds rather random information: the complainant is apparently at once a man and a woman, employed and unemployed. This could allow Xandr to sell ad space to multiple companies who think that they are targeting a specific group. As if that were not enough, Xandr does not comply with a single access request. noyb has now filed a GDPR complaint.

A document shredder in front of stacks of paper. A hand holds a document going through the shredder. The document has "ACCESS REQUEST" written on it. The shredder itself has "Microsoft" and "Xandr" written on it.

Background: targeted advertising. If companies want to use targeted advertising to promote their products or services online, they have to go through so-called Real Time Bidding (RTB) platforms. One such platform is run by Microsoft subsidiary Xandr, which allows advertisers to buy ad space on websites or in mobile apps in a fully automated way. When a user visits a website, an algorithmic auction takes place in order to decide which company can display an advertisement. Because a user’s interests and characteristics ultimately determine an advertiser’s willingness to place an ad, Xandr collects and shares a massive amount of personal data in order to profile the users and to allow for targeting. Much of that data is bought by external parties like emetriq, a subsidiary of the German Telecom.

Disability? Pregnant? LGBT? Previous research has shown that Xandr collects hundreds of sensitive profiles of Europeans containing information about their health, sex life or sexual orientation, political or philosophical opinions, religious beliefs or financial status. Specific segments include things like ‘french_disability’, ‘pregnant’, ‘lgbt’, ‘gender_equality’ and ‘jewishfrench’.

0% compliance with GDPR requests. According to the GDPR, everyone has the right to get access to their information. However, despite collecting vast amounts of detailed information about people, Xandr reports an astonishing 0% response rate to access and erasure requests in 2022. Xandr even publishes these internal statistics on a hidden website for everyone to see. The complainant has experienced this approach first hand: When he requested access to his data, Xandr claimed that it couldn’t identify him - and denied his request for access and erasure. In reality, the company has all the necessary information to single out specific data subjects. Identifying and targeting individuals is after all their core business.

Massimiliano Gelmi, data protection lawyer at noyb: “Xandr’s business is obviously based on keeping data on millions of Europeans and targeting them. Still, the company admits that it has a 0% response rate to access and erasure requests. It is astonishing that Xandr even publicly illustrates how it breaches the GDPR.”

Xandr metrics showing that the company, in 2022, replied to 0 access requests.

(Un)targeted advertising. In addition, the GDPR requires data about individuals to be 'accurate'. However, the available information suggests that Xandr’s system uses tonnes of false information about users. Even from a business perspective, Xandr seems to make a mockery of the idea of targeted advertising. Thanks to an access request with the data broker – and Xandr supplier – emetriq, we know that at least part of Xandr’s database consists of wildly inaccurate and contradictory personal data about people: According to emetriq, the complainant is both male and female, has an estimated age between 16-19, 20-29, 30-39, 40-49, 50-59 and 60+. The complainant also has an income between €500 - €1,500, €1,500 - €2,500 and €2,500 - €4,000. Furthermore, the same person is looking for a job, is employed, a student, a pupil and works in a company. That company, in turn, employs 1-10, 1,000+ and 1,100-5,000 people at the same time. It is hard to imagine how these data categories can be used for accurate ad targeting. Although emetriq isn’t the only data broker supplying data to Xandr, it has to be assumed that this information is used for ad targeting. 

Massimiliano Gelmi, data protection lawyer at noyb: “It seems that parts of the advertising industry don’t really care about providing advertisers with accurate information. Instead, the data set contains a chaotic variety of conflicting information. This can potentially benefit companies like Xandr as they can sell the same user as young and old to different business partners.”

Complaint filed in Italy. noyb has now filed a GDPR complaint with the Italian data protection authority (Garante) regarding transparency issues, the right of access and the use of inaccurate information about users. Overall, Xandr appears to be in breach of Article 5(1)(c) and (d), Article 12(2), Article 15 and Article 17 of the GDPR. We therefore ask the authority to investigate Xandr’s processing operations and to order the company to comply with the complainant’s request for access and erasure. With respect to all affected data subjects, we also suggest that the Garante orders Xandr to bring its processing operations in line with the principles of data minimisation and accuracy. Finally, we suggest that the competent authority impose an effective, proportionate and dissuasive administrative fine of up to 4% of Xandr’s annual turnover.