That scourge of big tech, Noyb, is supporting a complaint against Microsoft advertising subsidiary Xandr, claiming it's not only breaching data access rules but that its data is also highly inaccurate.
Xandr—acquired by Microsoft in late 2021—is a real-time bidding platform that allows advertisers to buy ad space on websites or in mobile apps through an algorithmic auction, based on users’ individual interests and characteristics.
Under the GDPR, everyone has the right to get access to the data that's held on them. However, the complaint, from an unknown Italian, says that when he requested access to his personal data from Xandr, the company claimed that it couldn’t identify him—and denied his request for access and erasure.
And, says Noyb, this is far from an exceptional case, with the company admitting on its website that its response rate to the 1,900-odd access and erasure requests it received in 2022 was precisely zero.
"We are unable to verify the identity of the consumers who made access and deletion requests when such requests are not tied to any other identifiers, and therefore we denied such requests," it explains.
This isn't good enough for Noyb.
"Xandr’s business is obviously based on keeping data on millions of Europeans and targeting them," says Massimiliano Gelmi, data protection lawyer at Noyb.
"Still, the company admits that it has a 0% response rate to access and erasure requests. It is astonishing that Xandr even publicly illustrates how it breaches the GDPR."
And, says Noyb, this is of particular concern given the sensitivity of the personal data involved, which includes information about individuals' health, sex life or sexual orientation, political or philosophical opinions, religious beliefs and financial status.
Meanwhile, says Noyb, this information is rather less than accurate. An access request with the data broker and Xandr supplier emetriq reveals, it says, that the complainant is simultaneously male and female, with an estimated age listed as between 16 and 19, 20 and 29, 30 and 39, 40 and 49, 50 and 59 and 60+.
The complainant apparently also has an income between €500 and €1,500, €1,500 and €2,500 and €2,500 and €4,000, and is looking for a job, employed, a student, a pupil and working in a company.
"It seems that parts of the advertising industry don’t really care about providing advertisers with accurate information," says Massimiliano Gelmi, data protection lawyer at Noyb.
"Instead, the data set contains a chaotic variety of conflicting information. This can potentially benefit companies like Xandr as they can sell the same user as young and old to different business partners."
Noyb has now filed a GDPR complaint with the Italian data protection authority Garante, covering transparency issues, the right of access and the use of inaccurate information about users. It's calling on the Garante to order Xandr to bring its processing operations in line with the principles of data minimization and accuracy—and to impose a fine of up to 4% of Xandr’s annual turnover.
Microsoft's response is short but sweet, with a spokesperson commenting only: "We stand ready to answer any questions from the regulatory authority."