Business

ICCL brings High Court action against Microsoft over alleged data breaches

Civil liberties group claims Microsoft Ireland Operations Ltd is infringing GDPR rules

The ICCL’s primary concerns, according to court documents, arise from Microsoft’s alleged collection and processing of personal data for “the purpose of provision of targeted advertising”. Photograph: PA
The ICCL’s primary concerns, according to court documents, arise from Microsoft’s alleged collection and processing of personal data for “the purpose of provision of targeted advertising”. Photograph: PA
Fiachra Gallagher
Mon May 26 2025 - 18:32

A High Court judge has allowed the Irish Council for Civil Liberties (ICCL) to initiate a class action-style case against Microsoft over alleged data breaches impacting a significant number of Irish consumers.

The ICCL claims Microsoft Ireland Operations Ltd is infringing GDPR rules and the related Data Protection Act 2018 by processing personal data within its real-time bidding system for online advertising.

On Monday, James Doherty SC, for the ICCL and appearing with Sean O’Sullivan BL, moved an application seeking the court’s approval in deeming the proceedings a representative action.

A representative action can be brought on behalf of a group of consumers by an organisation that has been recognised as a qualified entity, under the Protection of the Collective Interests of Consumers Act 2023. The ICCL is one of two recognised qualified entities.

READ MORE

In court documents, ICCL said it sought to bring the proceedings on behalf of all consumers in the State whose personal data rights are being allegedly infringed by Microsoft’s processing.

Noting that the ICCL’s application appeared to be the first of its kind to come before the Irish courts, Mr Justice Barry O’Donnell said he was satisfied to deem the ICCL’s intended proceedings as a representative action.

He stressed the order was being granted with only the ICCL side represented, and said Microsoft would have an opportunity to seek to set aside the order if it wishes.

The judge also granted permission to the ICCL to serve plenary summons on Microsoft.

The ICCL is seeking injunctive reliefs from the court, including orders restraining Microsoft from processing certain identified categories of personal data.

The ICCL’s primary concerns, according to court documents, arise from Microsoft’s alleged collection and processing of personal data for “the purpose of provision of targeted advertising”.

The ICCL raises concern about Microsoft’s alleged “broadcast” of “profiles” of individual data subjects to “large numbers” of prospective advertisers who use Microsoft’s real-time bidding advertising system.

The ICCL claims this raises questions as to whether individual data subjects are consenting to a “wide and unsecured broadcast of their personal data”, or if they are aware of “the breadth of the processing of their personal data undertaken by Microsoft”.

The ICCL claims that users of various Microsoft products and services, including Windows, Xbox, web-based Office, Edge web browser, and websites and apps that use Microsoft’s Xandr advertising technology, are affected by the alleged data breaches.

  • Join The Irish Times on WhatsApp and stay up to date

  • Sign up to the Business Today newsletter for the latest new and commentary in your inbox

  • Listen to Inside Business podcast for a look at business and economics from an Irish perspective

Fiachra Gallagher

Fiachra Gallagher

Fiachra Gallagher is an Irish Times journalist

Business Today

Business Today

Get the latest business news and commentary from our expert business team in your inbox every weekday morning