27-05-2025
Microsoft accused of sharing users' secret data with advertisers
The Irish Council of Civil Liberties was given the go-ahead by the High Court yesterday to bring a case aimed at forcing Microsoft to stop the alleged sharing of sensitive data gleaned from people's internet use with advertisers.
The ICCL has taken its action against Microsoft Ireland Operations Ltd, on behalf of all Irish users of Office, Windows, Xbox and other popular products. It is targeting what it describes as a massive data breach 'of millions of people's information' caused by real-time bidding (RTB) within Microsoft's advertising system.
It claims that Microsoft's RTB system operates behind the scenes on websites and apps to match advertising to specific people. Pic: Framalicious/Shutterstock
James Doherty, counsel for the ICCL, told Judge Barry O'Donnell the system compiles data 'segments' about Irish people based on what they have viewed online. He said these are then auctioned to a series of potential third-party advertisers in 'milliseconds'.
He said all of the personal info in those segments, that was processed by Microsoft, was protected by the EU's General Data Protection Regulation (GDPR). This could include information such as whether a person gambles, their finances and debt, their age, sexual interests, whether they have a child or a child with special needs, their medical condition, and even whether they work in a sensitive national security role, the court heard.
Mr Doherty said that, by way of example, the ICCL had used an audience discovery tool that allowed it to discover a sample of the data being processed by Microsoft. Pic: Getty Images
On May 9, 2025, this tool was able to identify that a segment was processed that related to Irish people who had an interest in online gambling with Paddy Power, the court was told. Mr Doherty said the segment contained 3,918 cookies, over 43,000 advertising identifiers and over 45,000 cached email addresses.
He said the tool also detected segments that day containing sensitive data, including government, intelligence and counter-terrorism information.
Mr Doherty added that Microsoft products featured on 70% of laptops and personal computers in Ireland. Users of Microsoft products and services, including Windows, Xbox, web-based Office products such as Word, Excel and Outlook, the Edge web browser, and websites and apps that use Microsoft's Xandr advertising technology, are affected, he told the court. Pic: Niall Carson/PA Wire
'A majority of consumers would be affected,' he said. The ICCL believes the outcome of the case could impact Microsoft's operations across the EU, as the company's European headquarters are based in Ireland.
The organisation hopes to make Microsoft bring its systems into compliance with GDPR. Its application comes on the seven-year anniversary of the GDPR's introduction in May 2018.
Mr Doherty told Judge O'Donnell it was the first time that a class action case had been taken to the Irish courts under the GDPR laws. Dr Johnny Ryan. Pic: Irish Council For Civil Liberties (ICCL)
The judge said he would give leave for the case to proceed, but noted that Microsoft was not represented in court yesterday and will have the opportunity to contest the case at a later date.
Dr Johnny Ryan, director of the ICCL's Enforce unit, is leading the case. Before the High Court hearing took place, he said: 'People's intimate secrets such as their relationship, work and financial status are broadcast by Microsoft into the real-time bidding advertising system.
'That system is a black hole of data open to any malicious actor and represents a huge data breach of millions of people's information… This is a data breach, pure and simple.'
