Microsoft ad-tech subsidiary is breaking EU law—and not doing right by advertisers, privacy activists claim

A Microsoft subsidiary is the target of the latest privacy complaint from the European nonprofit Noyb, which has successfully battled a number of other companies in recent years. And the accusations in this case are quite something.

The issues lie with a Microsoft-owned ad-tech outfit called Xandr, which offers a real-time bidding platform for online ad placements—meaning it processes a ton of personal data to infer what people are likely to click on. (Note: In Europe, “personal data” means any data that can be connected with an identifiable person.) Much of Xandr’s data is highly sensitive, covering things like religious beliefs, sexuality, health, and financial status.

Noyb, complaining in Italy on behalf of an unnamed Italian, says Xandr violates the EU's General Data Protection Regulation by failing to let people access the data it holds on them or to erase the data. It also claims that Xandr breaks the law by doing what it does quite badly.

The way Noyb tells it, much of the data Xandr uses for targeting is inaccurate and contradictory. The complainant couldn’t get their data from Xandr, but they had better luck with Xandr supplier Emetriq, a data broker that tracks people online and then sells the resulting information. Emetriq’s data suggested the complainant was both a man and a woman, fell into every age segment between 16 and 60+, was both a light and heavy TV viewer, was both employed and a job seeker…you get the picture.

“It seems that parts of the advertising industry don’t really care about providing advertisers with accurate information,” said Noyb lawyer Massimiliano Gelmi, adding that “this can potentially benefit companies like Xandr as they can sell the same user as young and old to different business partners.”

Neither Microsoft nor Emetriq had responded to requests for comment by the time of publication.

Noyb says it wants the Italian data protection authority to make Xandr comply with the parts of the GDPR that ban holding excessive data about individuals, and that any data held must be accurate. It also wants Xandr to get “an effective, proportionate and dissuasive” GDPR fine of up to 4% of global revenue—and it wants the operation to finally let people access and delete the data it keeps on them.

That could be a problem as—according to the complaint—Xandr tells people its ad platform “only contains consumers’ pseudonymous personal data and not personally identifiable information,” making it impossible to find and turn over information about a specific person.

Noyb claims Xandr can do this, as its cookies assign unique identifiers to people. The complaint casts doubt on Xandr’s claims about only holding pseudonymized data—which can still be linked to people when correlated with other information, unlike anonymized data, which can never be re-linked. It also says that, even if the data is pseudonymized, the people it’s about still have the right to access it or demand that it be deleted.

Apart from reflecting badly on how usefully Microsoft’s real-time bidding platform serves advertisers, this case feels like another Jenga block being slid out from underneath the online ad industry in Europe.

Last year, the EU’s highest court blew up the legal foundations of Meta’s targeted ad business in a ruling the company is still struggling to deal with (it may soon have to actually ask for people’s consent before tracking them). And earlier this year, the court ruled in a case about consent popups that a pseudonymized string of letters and numbers, containing information about someone’s preferences, can still be considered personal data if it can be linked with the user’s device—meaning the user still gets to demand access and deletion, even if the company says it has no way of doing this.

More news below.

David Meyer

Want to send thoughts or suggestions to Data Sheet? Drop a line here.

This story was originally featured on Fortune.com