The class action suit is the first time that the recently-enacted EU Representative Actions Directive, which allows for collective action in consumer law, will be used in Ireland
The case, citing the Representative Actions Directive, is being taken by the Irish Council Of Civil Liberties, which claims that Microsoft is flouting European GDPR privacy law through its use of ‘real time bidding’ (RTB) in online advertising, a system that allows advertisers to bid for online ads based on traits and characteristics of the person looking at a web page.
The ICCL claims that RTB constitutes a “data breach” that flouts GDPR rules, because it collects too much personal information about internet users and then loses control of it online.
The organisation has been waging war on Big Tech firms like Google and Meta, as well as the Irish Data Protection Commission (DPC), over the online ad system in recent years.
Last year, the High Court and Court Of Appeal rejected a legal case by the ICCL that had claimed the Irish DPC didn’t adequately investigate Google for using ‘real time bidding’ as an ad system.
The ICCL is hoping that the EU’s new consumer-friendly class action legal rules will give it a better chance of success. It is targeting Microsoft for its use of ‘real-time bidding’ ad technology in Windows, web-based Office (including Outlook, Word and Excel), Microsoft’s Edge web browser, Xbox and other websites that use Microsoft’s ‘Xandr’ advertising technology.
“People’s intimate secrets such as their relationship, work and financial status are broadcast by Microsoft into the real-time bidding advertising system, which is is a black hole of data open to any malicious actor and represents a huge data breach of millions of people’s information,” said Dr Johnny Ryan, director of the ICCL’s Enforce unit.
“Microsoft has no way of knowing what happens to the personal data after it is broadcasted. This a data breach, pure and simple. Microsoft is exposing us all individually to malicious profiling and discrimination, and in doing so it is also undermining European security.”
Today’s News in 90 seconds – 26th May 2025
The ICCL says it conducted its own investigation, posing as an online data buyer, to explore the type of personal information available through the system.
”Posing as a data buyer, ICCL Enforce obtained thousands of RTB data segments about Irish people,” the organisation said.
”These include information such as whether a person gambles, their finances and debt, and even such sensitive information as whether the person works in a sensitive national security role.”
The ICCL is represented by James Doherty SC, Sean O’Sullivan BL and Ahern Rudden Quigley.
A spokesperson for Microsoft said: “we intend to respond to the ICCL filing through the appropriate legal channels”.
In January, the ICCL jointly filed legal action against Google with the US Federal Trade Commission, claiming that the tech giant’s use of ’real time bidding’ compromises national security in the US by exposing sensitive details to China’s security forces.
The filing claimed to cite internal Google discussions to support the complaint, taken under the US’s recently-enacted Protecting Americans’ Data from Foreign Adversaries Act.
source