Xandr, an Adtech company backed by Microsoft, is facing a complaint for data breach under the EU GDPR.
Microsoft is one of the leading software solutions companies in the world, with the biggest network of Microsoft Windows computer OSs. The tech giant backs an Adtech startup, Xandr, which recently came into controversy due to allegations of non-compliance with data protection policies. If the allegations are proven right, Xandr may incur Microsoft a hefty penalty by the EU Commission that can go up to 4% of its annual revenue.
Microsoft closed its annual revenue books at $212 Billion last year. The complaint is led by a non-profit European privacy advocacy group, noyb. The organization is supporting an unnamed individual from Italy to lodge a complaint against Xandr with the country’s data protection authorities.
Xandr has been accused of a lack of transparency in its data protection policies and is also allegedly practicing unethical data access rights policies. Noyb has urged the EU GDPR Commission to investigate the case, with documents backing the allegations. Specifically, noyb claims that Xandr breached the EU Commission’s Digital Markets Act under Articles 5(1)(c) and (d); 12(2); 15, and 17 of the GDPR.
If proven right, the EU Commission may impose a fine summing up to 4% of Xandr’s parent company’s annual turnover, which surely will be in billions. Microsoft acquired Xandr to expand its digital advertising business but kept running it as a separate entity. As a result, Microsoft’s top-notch data privacy and security policies were not applied to the startup. According to a press release by Microsoft on the acquisition, it “strengthened monetization for publishers through larger first-party data access and a full-funnel marketing offering.”
Between January 1, 2022, and December 31, 2022, the company received 1,294 access requests and 600 deletion requests but denied every single one. The complaint on Xandr explains the data breach activity in detail, “Access and deletion requests are denied when we are unable to verify the identity and jurisdiction of the requestor. Due to the pseudonymous nature of the data Xandr collects on its Platform, we are unable to verify the identity of the consumers who made access and deletion requests when such requests are not tied to any other identifiers, and therefore, we denied such requests.”
Xandr has responded to the complaint, calling it baseless. The company states that it does not have to comply with the EU’s GDPR data access rules as the information it holds on individuals is pseudonymous. This case raised skepticism among users about the privacy measures taken for their personal information by big tech companies. As a result, data security apps are growing faster to facilitate added layers of protection.
