Connect with us


Microsoft ad-tech subsidiary is breaking EU law—and not doing right by advertisers, privacy activists claim



Microsoft ad-tech subsidiary is breaking EU law—and not doing right by advertisers, privacy activists claim

A Microsoft subsidiary is the target of the latest privacy complaint from the European nonprofit Noyb, which has successfully battled a number of other companies in recent years. And the accusations in this case are quite something.

The issues lie with a Microsoft-owned ad-tech outfit called Xandr, which offers a real-time bidding platform for online ad placements—meaning it processes a ton of personal data to infer what people are likely to click on. (Note: In Europe, “personal data” means any data that can be connected with an identifiable person.) Much of Xandr’s data is highly sensitive, covering things like religious beliefs, sexuality, health, and financial status.

Noyb, complaining in Italy on behalf of an unnamed Italian, says Xandr violates the EU’s General Data Protection Regulation by failing to let people access the data it holds on them or to erase the data. It also claims that Xandr breaks the law by doing what it does quite badly.

The way Noyb tells it, much of the data Xandr uses for targeting is inaccurate and contradictory. The complainant couldn’t get their data from Xandr, but they had better luck with Xandr supplier Emetriq, a data broker that tracks people online and then sells the resulting information. Emetriq’s data suggested the complainant was both a man and a woman, fell into every age segment between 16 and 60+, was both a light and heavy TV viewer, was both employed and a job seeker…you get the picture.

“It seems that parts of the advertising industry don’t really care about providing advertisers with accurate information,” said Noyb lawyer Massimiliano Gelmi, adding that “this can potentially benefit companies like Xandr as they can sell the same user as young and old to different business partners.”

Neither Microsoft nor Emetriq had responded to requests for comment by the time of publication.

Noyb says it wants the Italian data protection authority to make Xandr comply with the parts of the GDPR that ban holding excessive data about individuals, and that any data held must be accurate. It also wants Xandr to get “an effective, proportionate and dissuasive” GDPR fine of up to 4% of global revenue—and it wants the operation to finally let people access and delete the data it keeps on them.

That could be a problem as—according to the complaint—Xandr tells people its ad platform “only contains consumers’ pseudonymous personal data and not personally identifiable information,” making it impossible to find and turn over information about a specific person.

Noyb claims Xandr can do this, as its cookies assign unique identifiers to people. The complaint casts doubt on Xandr’s claims about only holding pseudonymized data—which can still be linked to people when correlated with other information, unlike anonymized data, which can never be re-linked. It also says that, even if the data is pseudonymized, the people it’s about still have the right to access it or demand that it be deleted.

Apart from reflecting badly on how usefully Microsoft’s real-time bidding platform serves advertisers, this case feels like another Jenga block being slid out from underneath the online ad industry in Europe.

Last year, the EU’s highest court blew up the legal foundations of Meta’s targeted ad business in a ruling the company is still struggling to deal with (it may soon have to actually ask for people’s consent before tracking them). And earlier this year, the court ruled in a case about consent popups that a pseudonymized string of letters and numbers, containing information about someone’s preferences, can still be considered personal data if it can be linked with the user’s device—meaning the user still gets to demand access and deletion, even if the company says it has no way of doing this.

More news below.

David Meyer

Want to send thoughts or suggestions to Data Sheet? Drop a line here.


Apple in Russia. Russians who want to bypass their country’s ever-present online censorship will no longer get any help from Apple. As Bleeping Computer reports, the company has removed 25 virtual private networks (VPNs, which allow people to hide their activities) from its Russian App Store, to comply with official demands. Here’s Red Shield, one of the affected VPN providers: “Over the past six years, Russian authorities have blocked thousands of Red Shield VPN nodes but have been unable to prevent Russian users from accessing them. Apple, however, has done this job much more effectively for them.”

Beijing’s robo-taxi rules. Beijing has issued rules for robo-taxis, to support a wider rollout after recent testing. According to Bloomberg, autonomous vehicles in Beijing will need to have human drivers or safety officers in them, or at least have someone ready to take control remotely. The publication notes that robo-taxi tests elsewhere in China have faced complaints from the human-powered taxi sector, and from residents who say they cause traffic jams.

Chinese AI uptake. The analytics software company SAS surveyed 1,600 business decision makers worldwide, and a whopping 83% of Chinese respondents said they used generative AI, Reuters reports. The figure for the U.S. was 65%, and the global average just 54%.


251 million

—The number of X’s daily active users, as disclosed by Elon Musk’s social network. As the Financial Times notes, that’s only up 1.6% year on year, unlike before Musk bought Twitter in 2022 when the platform enjoyed double-digit growth each year.


AI is effectively ‘useless’—and it’s created a ‘fake it till you make it’ bubble that could end in disaster, veteran market watcher warns, by Will Daniel

Instacart’s AI-powered smart carts, which offer real-time recommendations and ‘gamified’ shopping, are coming to more U.S. grocery stores, by Sasha Rogelberg

Two self-driving car guys take on OpenAI’s Sora, Kling, and Runway to be Hollywood’s favorite AI, by Jeremy Kahn

NASCAR just unveiled a $1.5 million electric car—with twice the horsepower of its gas-guzzling cars, by Chris Morris

The House crypto bill could be the answer to America’s regulatory soul-searching. The ball is now in the Senate’s court, by John Mitchell (Commentary)


Meta on misinformation. Some experts maintain that real journalism is a good antidote to misinformation and disinformation on social media, but Meta claims not to see the connection. The company, which is resisting demands by Australian news organizations for payment, just told an Australian parliamentary inquiry that it had “never thought about news as a way to minimize misinformation/disinformation on our services.” According to the Guardian, Meta’s recent decision to cut news from its platform in Canada (due to a similar disagreement) led to articles being largely replaced by memes.

Subscribe to the Fortune Next to Lead newsletter to get weekly strategies on how to make it to the corner office. Sign up for free.
Continue Reading