Microsoft could be forced to pay huge fine for breaches by its subsidiary

A modest complaint could turn into a huge fine for Microsoft if the regulators decide that the tech giant’s subsidiary ad broker, Xandr, is guilty of privacy breaches.

A nonprofit European privacy advocacy group called noyb, which often writes up complaints against tech giants, has hit the headlines again.

In support of an unnamed individual in Italy, noyb said it has filed a complaint under the EU’s General Data Protection Regulation (GDPR) against Xandr, an adtech business owned by Microsoft since 2021 though still structurally autonomous.

Xandr is accused of transparency failings and of breaching the data access rights of people in the EU whose information is processed to create profiles used for microtargeted advertising. These ads are sold through programmatic ad auctions. According to noyb, Xandr is also using inaccurate information about people.

“Xandr collects and shares the personal data of millions of Europeans for detailed targeted advertising. This allows Xandr to auction off advertising space to thousands of advertisers. But: although only one ad is ultimately shown to users, all advertisers receive their data. This may include personal details concerning their health, sexuality, or political opinions,” says noyb in a press release.

Previous research has shown that Xandr collects hundreds of sensitive profiles of Europeans containing information about their health, sex life or sexual orientation, political or philosophical opinions, religious beliefs, or financial status. Specific segments include things like ‘french_disability,’ ‘pregnant,’ ‘lgbt,’ ‘gender_equality,’ and ‘jewishfrench.’

“Also, despite selling its service as ‘targeted,’ the company holds rather random information: the complainant apparently is both a man and a woman, employed and unemployed. This could allow Xandr to sell ad space to multiple companies who think that they are targeting a specific group,” says noyb.

Finally, noyb points out that the ad broker does not comply with a single access request. In fact, despite collecting vast amounts of detailed information about people, Xandr reported an astonishing 0% response rate to access and erasure requests in 2022.

“Xandr’s business is obviously based on keeping data on millions of Europeans and targeting them. Still, the company admits that it has a 0% response rate to access and erasure requests. It is astonishing that Xandr even publicly illustrates how it breaches the GDPR,” said Massimiliano Gelmi, data protection lawyer at noyb.

The organization is asking the data protection authority to investigate and, if breaches are confirmed, to order Xandr to come into compliance.

According to the nonprofit, authorities should impose a fine of up to 4% of Xandr’s parent company's annual revenue. That’s Microsoft, and its full-year revenue for 2023 was around $212 billion – 4% would be a staggering $8.5 billion.