The privacy organisation NOYB (None Of Your Business) has filed a GDPR complaint against Microsoft"s advertising broker subsidiary, Xandr. NOYB said that Xandr is collecting extraordinary amounts of data to profile users to operate its services, but data on its own website shows that it complied with none of the 1,294 access requests and 660 deletion requests made under GDPR.
Many people are not going to have heard of Microsoft"s Xandr or what it does. NOYB has a nice explainer in its announcement:
"If companies want to use targeted advertising to promote their products or services online, they have to go through so-called Real Time Bidding (RTB) platforms. One such platform is run by Microsoft subsidiary Xandr, which allows advertisers to buy ad space on websites or in mobile apps in a fully automated way. When a user visits a website, an algorithmic auction takes place in order to decide which company can display an advertisement. Because a users’ interests and characteristics ultimately determine an advertiser’s willingness to place an ad, Xandr collects and shares a massive amount of personal data in order to profile the users and to allow for targeting. Much of that data is bought by external parties like emetriq, a subsidiary of [Deutsche Telekom]."
According to NOYB, which cited research, Xandr seems to process a lot of sensitive user data, including health, sex life and sexual orientation, political and philosophical opinions, religious beliefs and financial status, and there seem to be pretty strange segments for classifying users such as "french_disability," "pregnant," "lgbt," "gender_equality," and "jewishfrench."
While it"s definitely concerning seeing the data that Xandr tries to collect, NOYB"s access request to Emetriq, a supplier of Xandr, suggests that the data Xandr holds may not be very specific.
According to emetriq, the complainant, in this case, is both male and female, is aged between 16 and 60+, has an income of €500 to €4,000, and is looking for a job, employed, a student, a pupil and works in a company all at once - not very accurate, right?
NOYB warns that emetriq likely isn"t Xandr"s only data broker, so it probably does its own filtering, too, to get a more accurate picture of each user to better target ads.
NOYB said that the GDPR complaint has been filed with Garante, the Italian data protection authority. The complaint centres on transparency issues, the right of access, and the use of inaccurate information about users. It wants Garante to investigate Xandr"s processing operation and order the company to comply with GDPR requests.
It has also called on Garante to impose a fine on the company of up to 4% of Xandr"s annual turnover to deter future bad behaviour.
Source: NOYB