Noyb, a European non-profit that has won a number of corporate battles in recent years, has targeted a Microsoft subsidiary in its latest privacy complaint, and this one is pretty shocking.
The problem is with Xandr, a Microsoft-owned advertising technology company that provides a real-time bidding platform for online ad placements, which means it’s processing huge amounts of personal data to infer what people will click on. (Note: In Europe, “personal data” means any data that can be linked to an identifiable individual.) Much of Xandr’s data is highly sensitive, including religious beliefs, sexual preferences, health, and financial circumstances.
Noyb, which is filing a complaint in Italy on behalf of an anonymous Italian citizen, claims that Xandr is violating the EU’s General Data Protection Regulation by not allowing access to the data it holds and by not erasing it, and that Xandr’s practices are so egregious that they violate the law.
Noyb said much of the data Xandr uses for targeting is inaccurate and contradictory. The complainant did not get the data from Xandr, but rather from Xandr’s supplier, Emetriq, a data broker that tracks people online and sells the resulting information. Emetriq’s data shows that the complainant was both male and female, fell into all age groups from 16 to 60+, was both a frequent and an infrequent TV viewer, both employed and a job-seeker…
“Parts of the advertising industry seem less interested in providing accurate information to advertisers,” Noyb lawyer Massimiliano Gelmi said, adding that “this could benefit companies like Xandr, as they can sell the same users, young and old, to different business partners.”
As of publication time, neither Microsoft nor Emetriq had responded to requests for comment.
Noyb said Italy’s data protection authority wants Xandr to comply with GDPR provisions that prohibit excessive retention of personal information and require that any data it holds be accurate. It also wants Xandr to face “effective, proportionate and dissuasive” GDPR fines of up to 4% of its global revenue, and wants users to be able to access and delete the data the company holds.
According to the lawsuit, Xandr explains that its advertising platform “contains only anonymous personal data of consumers and no personally identifiable information,” which could be problematic because it would make it impossible to find and hand over information about specific people.
Noyb argues that Xandr can do this because its cookies assign a unique identifier to individuals. The complaint calls into question Xandr’s assertion that it only holds pseudonymized data. Pseudonymized data can be linked to an individual if it is correlated with other information, but anonymized data cannot be relinked. The complaint also states that even with pseudonymized data, subjects of that data still have the right to access it or request its deletion.
Not only is this incident a poor reflection on how well Microsoft’s real-time bidding platform serves advertisers, but it also feels like another Jenga block sliding out from under Europe’s online advertising industry.
The EU’s top court is still struggling to adapt to a ruling last year that overturned the legal basis of Meta’s ad targeting business (the company may soon have to actually ask for consent before tracking users), and earlier this year, in a case about consent popups, the court ruled that pseudonymized strings of letters and numbers containing information about user preferences can still be considered personal data if they can be linked to a user’s device, meaning users can still request access and deletion even if the companies say they have no way to do so.
For more news, please see below.
David Meyer
If you have any comments or suggestions regarding the datasheet, please write them here.
Newsworthy
Russian Apple. Russians wanting to get around Russia’s constant online censorship will no longer get help from Apple. As Bleeping Computer reports, the company has removed 25 virtual private networks (VPNs that allow users to hide their activity) from the Russian App Store, complying with the authorities’ demands. Red Shield, one of the affected VPN providers, said: “Over the past six years, Russian authorities have blocked thousands of Red Shield VPN nodes, but failed to prevent Russian users from gaining access. However, Apple has done this job for them much more effectively.”
Beijing’s robot taxi rules. After recent tests, Beijing has established rules for robotaxis to aid in their wider rollout. According to Bloomberg, self-driving cars in Beijing will be required to have a human driver or safety officer on board, or at least someone who can control them remotely. The magazine notes that robotaxi tests in other parts of China have faced complaints from the human-powered taxi industry and residents who claim they will cause traffic congestion.
The spread of AI in China. In a survey of 1,600 business decision makers around the world by analytics software company SAS, 83% of respondents in China said they were using generative AI, compared with 65% in the United States and just 54% globally, Reuters reported.
Key figures
251 million
—Number of X’s daily active users. This was revealed on Elon Musk’s social network. The Financial Times noted that prior to 2022, when Musk bought Twitter, the company had seen double-digit growth every year, but this year it has only grown 1.6% year-over-year.
In case you missed it
AI is effectively “useless” and could create “fake it ’til you make it” bubbles that could end in disaster, warns veteran market watcher, by Will Daniel
Instacart’s AI-powered smart carts, which offer real-time recommendations and “gamified” shopping, are being rolled out to US grocery stores, by Sasha Rogelberg
Two Self-Driving Car Developers Take on OpenAI’s Sora, Kling, and Runway in a bid to become Hollywood’s favorite AI, by Jeremy Kahn
NASCAR unveils $1.5 million electric car with twice the horsepower of its gas-guzzlers, by Chris Morris
House cryptocurrency bill could be the answer to US regulatory overhaul: the ball is now in the Senate’s court, by John Mitchell (Commentary)
Before you leave
Meta on misinformation. Some experts argue that real journalism is a good antidote to misinformation and disinformation on social media, but Meta doesn’t acknowledge the connection. The company, which has resisted demands for payment from Australian news organizations, just told an Australian parliamentary inquiry that it has “never considered news as a means to minimise misinformation and disinformation on our service,” the Guardian reports. Meta’s recent decision to remove news from its Canadian platform (due to similar disagreements) has seen the articles largely replaced with memes.