Irish court approves first class action against Microsoft RTB data breach
ICCL secures permission for Ireland's first class action targeting Microsoft's real-time bidding data violations under GDPR.
The Irish High Court granted permission on May 26, 2025 for the country's first class action lawsuit, marking a significant milestone in European data protection enforcement six days after the seventh anniversary of GDPR implementation.
Get the PPC Land newsletter ✉️ for more like this
The Irish Council for Civil Liberties (ICCL) secured approval to launch proceedings against Microsoft under the EU Collective Redress Directive. The case targets alleged violations within Microsoft's Real-Time Bidding (RTB) advertising system, which the organization characterizes as constituting a massive data breach affecting millions of users across Europe.
According to ICCL's application, the lawsuit focuses on Microsoft's RTB operations that process data from users across multiple platforms. Users of popular Microsoft products and services, including Windows, Xbox, web-based Office (Word, Excel and Outlook), the Edge web browser that is pre-installed with Windows, and websites and apps that use Microsoft's Xandr advertising technology, are affected, the organization stated.
The case emerges from ICCL's investigation into RTB data practices, which revealed extensive categorization of sensitive personnel. The organization's research identified thousands of RTB data "segments" about Irish people obtained through posing as a data buyer. These segments included information about gambling habits, financial status, and employment in sensitive national security roles.
Dr Johnny Ryan, Director of ICCL's Enforce unit, leads the case. "People's intimate secrets such as their relationship, work and financial status are broadcast by Microsoft into the Real-Time Bidding advertising system. That system is a black hole of data open to any malicious actor and represents a huge data breach of millions of people's information", Ryan stated.
Microsoft's controversial Xandr acquisition and sunset
The timing of this legal action coincides with Microsoft's decision to discontinue its demand-side platform (DSP), Microsoft Invest (formerly Xandr, formerly AppNexus). According to Microsoft Advertising Corporate Vice President Kya Sainsbury-Carter, the company announced on May 14, 2025 that it will discontinue Microsoft Invest effective February 28, 2026.
Microsoft acquired Xandr from AT&T in June 2022, completing a deal first announced in December 2021. AT&T had previously acquired AppNexus in 2018 for a reported $1.6 billion. The original AppNexus platform, founded in 2007 by Brian O'Kelley and Mike Nolet, was widely recognized for providing unprecedented transparency into fee structures and money flows throughout the advertising supply chain.
According to Sainsbury-Carter's announcement, Microsoft is "exclusively focusing our buy-side advertising technology investments on the Microsoft Advertising Platform" starting in 2026. The company stated its commitment to "more private and personalized advertising experiences for a more agentic and conversational world is not achievable with the industry's current DSP model."
This strategic shift away from traditional DSP operations removes one of the most transparent options in the programmatic ecosystem. AppNexus had established itself as a champion of transparency, with co-founder Brian O'Kelley positioning the company as providing advertisers with visibility into fee structures long before it became an industry priority.
Announcement from Kya Sainsbury-Carter, Corporate Vice President at Microsoft Advertising - May 14, 2025
At Microsoft Advertising, we believe that the future of digital engagement is conversational, personalized, and agentic. Our strategic vision is rooted in the transformative power of generative AI to create entirely new possibilities in advertising, unlocking better outcomes between people, brands, publishers, and ad platforms.
We are entering a new era—one defined by conversational AI experiences, agentic systems that simplify decision making and bring brands closer to people, and predictive design models that fundamentally reshape what people expect from digital services. This new era will be enabled by purpose-built AI-powered advertising platforms that make personalized advertising simple.
To revolutionize the way businesses connect with audiences means building groundbreaking tools that deliver performance, trust, and business growth. Personalization is no longer a luxury; it is a business imperative. Shaping the future of digital engagement starts with bold innovations powered by generative AI, where advertising is not just smarter but truly transformative. In March, we made several announcements to help businesses thrive in this new era—where websites can talk and ads become highly personalized and naturally integrated into conversational experiences. Today’s product strategies must be built at the speed of AI change, and you will see us continue to innovate with adaptive tools designed for the AI internet.
Accelerating our trajectory requires providing the best platform for audience buying, best for privacy, and best for personalization. Starting in 2026, we are exclusively focusing our buy-side advertising technology investments on the Microsoft Advertising Platform, enhancing our globally scaled solution that empowers advertisers to achieve their goals—whether it’s identifying the best prospects for a new brand, increasing share of wallet among current customers, or competing more effectively during dynamic times such as these. This platform will harness the full power of AI and our unique audience intelligence to enable personalized and conversational advertising and deliver profitable growth for our clients and partners.
Our commitment to more private and personalized advertising experiences for a more agentic and conversational world is not achievable with the industry’s current DSP model which, therefore, no longer aligns with our investment in this future. As a result, we will no longer support media buying through our DSP, Microsoft Invest, starting on February 28, 2026. We are committed to supporting our clients during this transition, ensuring they have the guidance needed to minimize disruption and continue to achieve their business goals through advertising. Additionally, we will continue to support access to Microsoft and partner inventory through third-party DSPs who share our focus on privacy, quality, and transparency.
As AI disrupts traditional productivity, attention will become the scarcest remaining resource, and we are investing heavily in Microsoft’s family of consumer properties to enable brand safe access to people’s attention when they are open-minded to new ideas. We are building new AI-forward products to help advertisers gain unparalleled access to Microsoft’s high-intent, highly engaged audiences across work, life, and play—including Xbox, Gaming, Bing, Copilot, MSN, Outlook, Edge, Windows, LinkedIn, and high-quality supply from publisher partners. We want to simplify real-time audience targeting complexities and help brands stay ahead of dynamic market conditions by fully leveraging Microsoft’s robust first-party data, privacy-protecting data infrastructure, and advanced AI capabilities. Our commitment to innovation means expanding clean room technologies and comprehensive full-funnel measurement to allow advertisers to measure ROI in the way that works best for them. AI will take center stage in transforming every step of the campaign process from creative generation to optimization and insights, providing precision and impact across full-funnel outcomes. And our teams will partner with brands and agencies so that creativity and brand value remain front and center throughout.
For publishers, we are continuing to enhance our intelligent hub to grow their businesses with Microsoft Monetize. This platform provides access to high-quality demand, valuable audiences in secure environments, analytics and insights, real-time supply management, and optimization tools. Through a streamlined user experience and advanced AI-powered tools like Copilot, in Monetize publishers gain more control over monetization while delivering improved experiences to their users and stronger results for advertisers. We are committed to and continue to prioritize selling quality media enriched with data in a privacy-safe way and are reimagining the ways media and audiences will be discovered and purchased in the agentic world. And through Microsoft Curate, we’re empowering publishers to monetize proprietary data and access unique demand from buyers, while providing tools to build strategic, goal-oriented marketplaces.
We are not just adapting to change; we are leading it. With Copilot at the core of our platforms, we are creating a future where technology empowers businesses to connect meaningfully with people while adhering to the highest standards of privacy and trust. Join us as we build the next generation of advertising—one that is conversational, personalized, and agentic.
Kya Sainsbury-Carter
Technical mechanics of data exposure
The RTB system operates through instantaneous auctions that determine advertising placement. When users access websites or applications, RTB auctions broadcast personal data to numerous companies within milliseconds to solicit advertising bids.
ICCL's technical analysis reveals concerning aspects of Microsoft's data handling. "Microsoft has no way of knowing what happens to the personal data after it broadcasts. This a data breach, pure and simple. Microsoft is exposing us all individually to malicious profiling and discrimination, and in doing so it is also undermining European security", Ryan explained.
The organization's documentation indicates that Microsoft's systems send RTB data to 1,647 entities globally, including companies in jurisdictions where national security laws enable government access to such information.
The class action's potential impact extends beyond Ireland's borders. The outcome of this litigation is anticipated to affect Microsoft's operations across the European Economic Area as the company's European headquarters are based in Ireland, according to ICCL's filing.
This jurisdictional positioning means enforcement actions in Ireland can influence Microsoft's broader European compliance strategies. The case coincides with heightened scrutiny of RTB practices across multiple European jurisdictions, where data protection authorities have identified systemic issues with advertising technology consent mechanisms.
ICCL's investigation documented extensive categorization of European defense personnel, intelligence operatives, and political decision-makers through RTB data segments. The organization's analysis of data marketplace listings revealed specific targeting capabilities for military personnel, aerospace employees, and government officials across sixteen European countries.
Data marketplace revelations
ICCL's investigation documented extensive data trading through Microsoft's Xandr platform. A May 2021 analysis of Microsoft's Xandr data marketplace revealed 651,463 segments across 19,956 pages, according to the organization's research documents.
The data segments included RTB targeting capabilities for defense aerospace employees at Airbus, engineers at UK defense contractor BAE Systems, employees of Babcock (a defense vendor maintaining the UK nuclear submarine fleet), and personnel at GKN Aerospace, which services combat aircraft across Europe.
The investigation also identified segments targeting French, German, and UK military personnel, judges, politicians, and workers in sensitive industries including nuclear energy, aerospace defense, and space technology. One segment specifically identified people within six miles of military bases.
Related Stories
- January 16, 2025: EPIC and ICCL file complaint against Google's RTB system with US FTC, alleging exposure of Americans' sensitive data to foreign adversaries under new federal law
- February 15, 2025: Google fully adopts OpenRTB protocol, sunsetting its proprietary Authorized Buyers Real-time Bidding protocol
- March 2024: OpenRTB protocol updated to support Google's Protected Audience API as part of Privacy Sandbox initiatives
- May 1, 2025: Google's Q1 2025 Privacy Sandbox Report reveals industry skepticism about cookie replacement viability
- May 14, 2025: Microsoft announces plans to sunset Xandr DSP - detailing transparency challenges and industry implications
Legal representation and framework
The case operates under recently implemented collective redress mechanisms designed to enable group litigation for consumer protection and data privacy violations. James Doherty SC, Sean O'Sullivan BL, and Ahern Rudden Quigley represent ICCL in the proceedings.
The legal framework allows affected individuals to participate in collective action without individual filing requirements, potentially creating precedent for future technology accountability cases across the European Union.
Significance for marketing industry
This development represents a critical juncture for digital marketing professionals operating RTB infrastructure. The case directly challenges fundamental assumptions about data processing consent and security measures within programmatic advertising ecosystems.
Marketing technology providers face increasing pressure to demonstrate compliance with European data protection requirements. The Microsoft case establishes that RTB operations cannot rely solely on technical specifications developed by industry trade bodies but must meet strict legal standards for data protection and user consent.
Companies utilizing RTB systems for client campaigns should evaluate their data processing agreements and vendor compliance procedures. The case highlights potential liability exposure when advertising technology partners fail to implement adequate data protection safeguards.
The proceedings also underscore growing regulatory focus on surveillance-based advertising models that have dominated digital marketing for over a decade. Industry participants must prepare for enhanced scrutiny of data collection practices and expanded enforcement of existing privacy regulations.
For advertising agencies and their clients, the case signals a shift toward greater accountability for data processing activities conducted by technology vendors. Organizations can no longer assume that third-party compliance statements provide sufficient protection against regulatory action.
The outcome may influence how European authorities approach similar cases involving other major technology companies operating RTB systems, potentially reshaping compliance expectations across the digital advertising industry.
Timeline
- 2007: AppNexus founded by Brian O'Kelley and Mike Nolet
- 2018: AT&T acquires AppNexus for reported $1.6 billion
- December 2021: AT&T announces agreement to sell Xandr to Microsoft
- June 2022: Microsoft completes Xandr acquisition
- May 14, 2025: Microsoft announces plans to sunset Microsoft Invest DSP by February 28, 2026
- May 25, 2018: GDPR implementation (seven years prior to court announcement)
- May 26, 2025: Irish High Court grants ICCL permission for Ireland's first class action against Microsoft RTB practices
- February 28, 2026: Microsoft Invest DSP scheduled to be discontinued