Xandr, a Microsoft subsidiary specialising in targeted advertising, has found itself in the crosshairs of the European association led by Max Schrems. The alleged breaches include the indiscriminate sharing of user data, and the failure to process requests from data subjects in accordance with Articles 15-22 of the GDPR (with a 0% processing rate in 2022).
What are Demand Management Platforms (or DSPs) such as those offered by Xandr?
Xandr Inc., which was acquired by Microsoft in 2021, operates a real time bidding (RTB) online advertising platform that enables multiple advertisers to purchase advertising space to be displayed to users profiled in heterogeneous clusters (segments). The moment a user visits a website, the auction between the various advertisers to buy the “targeted” advertising space that the user will see at that moment begins in real time.
In particular, Xandr offers various advertisers a “Demand Side Platform” or “DSP”, which brings together hundreds of advertisers interested in buying advertising space targeted at specific users. As user interests and characteristics provide strategic information for targeted marketing, advertisers have a strong interest in participating in the various RTBs and buying slots for their customised ads. For these reasons, SDRs such as the one operated by Xandr collect and share a huge amount of personal data with advertisers, even if it is acquired from data brokers. Among other things, SDRs process extremely detailed and granular market segments (which each user may be interested in), with the aim of profiling users by facilitating real-time auctions.
In order for the SDRs to be successful and for more advertisers to participate in the auction, the data is sent through the demand management platform to an unspecified number of companies that may be interested in advertising their products to the user cluster. As a result, users personal data, including lifestyle and consumer habits, as well as information on income, employment, health or sexual orientation, is shared with numerous advertisers, although only one of them will win the auction.
In June 2023, US and European investigative journalists published tens of thousands of segments collected by Xandr for the purpose of personalised advertising, denouncing an impressive level of granularity in the data collected and sufficient predictive power to derive detailed information about consumers personal lives, consumption habits and preferences.
The complaint lodged by Noyb
On 9 July, the Vienna-based European non-profit organisation noyb - European Center for Digital Rights filed a complaint against Xandr with the Italian Data Protection Authority (GPDP) on behalf of a user who had been denied the exercise of his rights of access and deletion under Articles 15 and 17 of the GDPR.
In the light of Noyb's allegation, Xandr allegedly purchased the complainant's data from its own data broker, which had been collected by tracking cookies on certain websites visited by the complainant.
The collection of the various segments relating to the user would then have enabled Xandr to communicate this information to advertisers interested in purchasing targeted advertising space in the manner described above.
Contested infringements
In addition to complaining about the lack of handling of the access and deletion requests under Articles 15 and 17 of the GDPR that the user – and thousands of other European data subjects – had made against Xandr, the association led by Max Schrems also questioned the legitimacy of the entire data processing process carried out by the Microsoft company.
In particular, Noyb pointed out that the processing carried out by Xandr contravenes the principles of data minimisation and accuracy, as set out in Article 5 of the GDPR, by collecting information that is excessive in relation to the purposes of the processing and often contradictory - thus thwarting the true personalisation of advertising. “More specifically”, it says, “dozens of segments are in blatant contradiction with each other and, far from facilitating personalisation, only create confusion about the interests and characteristics of the complainant”. This is to the detriment not only of the users to whom the data relates, but also of companies who buy advertising space on the basis of inaccurate, irrelevant or even contradictory information affecting millions of users across Europe.
Finally, the company would not allow data subjects to easily exercise their rights under Articles 15-22 of the GDPR, in breach of Article 12(2) of the GDPR.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.