A High Court judge has allowed the Irish Council for Civil Liberties (ICCL) to initiate a class action-style case against Microsoft over alleged data breaches impacting a significant number of Irish consumers.
The ICCL claims Microsoft Ireland Operations Ltd is infringing GDPR rules and the related Data Protection Act 2018 by processing personal data within its real-time bidding system for online advertising.
On Monday, James Doherty SC, for the ICCL and appearing with Sean O’Sullivan BL, moved an application seeking the court’s approval in deeming the proceedings a representative action.
A representative action can be brought on behalf of a group of consumers by an organisation that has been recognised as a qualified entity, under the Protection of the Collective Interests of Consumers Act 2023. The ICCL is one of two recognised qualified entities.
In court documents, ICCL said it sought to bring the proceedings on behalf of all consumers in the State whose personal data rights are being allegedly infringed by Microsoft’s processing.
Noting that the ICCL’s application appeared to be the first of its kind to come before the Irish courts, Mr Justice Barry O’Donnell said he was satisfied to deem the ICCL’s intended proceedings as a representative action.
He stressed the order was being granted with only the ICCL side represented, and said Microsoft would have an opportunity to seek to set aside the order if it wishes.
The judge also granted permission to the ICCL to serve plenary summons on Microsoft.
The ICCL is seeking injunctive reliefs from the court, including orders restraining Microsoft from processing certain identified categories of personal data.
The ICCL’s primary concerns, according to court documents, arise from Microsoft’s alleged collection and processing of personal data for “the purpose of provision of targeted advertising”.
The ICCL raises concern about Microsoft’s alleged “broadcast” of “profiles” of individual data subjects to “large numbers” of prospective advertisers who use Microsoft’s real-time bidding advertising system.
The ICCL claims this raises questions as to whether individual data subjects are consenting to a “wide and unsecured broadcast of their personal data”, or if they are aware of “the breadth of the processing of their personal data undertaken by Microsoft”.
The ICCL claims that users of various Microsoft products and services, including Windows, Xbox, web-based Office, Edge web browser, and websites and apps that use Microsoft’s Xandr advertising technology, are affected by the alleged data breaches.