UK Resumes Adtech Privacy Oversight - Platform Audits Imminent

The United Kingdom’s data protection authority has reactivated its inquiry into advertising technology (adtech) practices. These practices have been the subject of numerous complaints throughout Europe since 2018, all filed under the General Data Protection Regulation (GDPR).

The complaints allege that the rapid exchange of individuals’ personal data is incompatible with GDPR’s stipulation that this information must be adequately protected.

Further concerns regarding real-time bidding (RTB) center on the issue of consent, questioning whether the legal requirements for consent can be fulfilled when people’s data is disseminated to a vast number of companies—potentially including sensitive details like health information, religious beliefs, political views, and sexual orientation.

Since the initial complaints were submitted, the U.K.’s Information Commissioner’s Office (ICO) has expressed its own reservations about what it describes as systemic legal issues within the adtech industry. However, last year, the ICO announced a temporary suspension of its investigation due to disruptions caused by the (ongoing) COVID-19 pandemic.

The ICO stated today that it is resuming its multi-year investigation and continuing its scrutiny of the sector.

In a statement published on its website, Simon McDougall, Deputy Commissioner at the ICO responsible for “Regulatory Innovation and Technology,” announced the end of the eight-month pause. He indicated that audits are now scheduled to commence.

“We have now restarted our investigation,” he stated. “Prioritizing transparency and safeguarding vulnerable individuals are key objectives for the ICO. The intricate RTB system utilizes individuals’ sensitive personal data for targeted advertising and necessitates explicit consent, which is currently not being obtained.”

“Distributing individuals’ data to potentially hundreds of companies without thoroughly evaluating and mitigating the associated risks to data security and retention also raises significant questions,” he continued. “Our efforts will proceed with a series of audits focused on digital market platforms, and we will be issuing assessment notices to specific companies in the coming months. The results of these audits will provide a more comprehensive understanding of the industry’s current state.”

It remains unclear what additional information the ICO requires to reach a conclusion on complaints that are nearing their 2.5-year mark. Nevertheless, the ICO has pledged to resume its examination of adtech, including data brokers, as noted by McDougall, who stated that “we will be reviewing the role of data brokers within this adtech ecosystem.”

“The investigation is extensive and complex, and due to the sensitive nature of the work, providing frequent updates may not always be feasible. However, we are dedicated to publishing our final conclusions upon the investigation’s completion,” he added, tempering expectations for a quick resolution to this long-standing GDPR complaint.

Commenting on the ICO’s continued hesitation to enforce regulations against adtech despite substantial evidence of widespread legal violations, Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties—who participated in filing the initial RTB GDPR complaints and remains a prominent critic of the lack of EU regulatory action against adtech—told TechCrunch: “It appears to me that the facts are clearly outlined in the ICO’s mid-2019 adtech report.

“Indeed, that report simply corroborates the evidence that accompanied our complaints in September 2018 in both Ireland and the U.K. Therefore, it is unclear why the ICO requires further months of review. Nor is it clear why the ICO accepted superficial concessions from the IAB and Google a year ago.”

“I have since presented evidence of the consequences of this lack of enforcement, including documented instances of RTB data being used to influence an election,” he added. “As this evidence demonstrates, the scale of the extensive data breach caused by the RTB system has significantly increased in the three years since I initially alerted the ICO in early 2018.”

Despite the abundance of data regarding the extent of personal data leakage within RTB, and widespread concerns that various detrimental effects are stemming from adtech’s pervasive surveillance of internet users—ranging from discrimination and societal fragmentation to voter manipulation—the ICO is not expediting enforcement actions.

In fact, it quietly dismissed the 2018 complaint last year—informing the complainants that it believed it had investigated the matter “to the extent appropriate.” As a result, the complainants are currently pursuing legal action against the ICO—essentially, for failing to address their complaint. (The Open Rights Group (ORG), involved in this legal action, is currently fundraising to cover the costs of taking the ICO to court.)

Commenting on the ICO’s resumption of its investigation following the closure of the original complaint, Jim Killock, Executive Director of ORG, stated: “It is illogical to close complaints as if they are resolved and then continue investigating the industry. By closing our complaint, the ICO is effectively avoiding its accountability obligations to update complainants and resolve their concerns. If the ICO can operate in this manner, it renders the complaints process meaningless.”

“By improperly closing our complaints, the ICO may believe it is not bound by any specific timelines or need to bring these complaints to a conclusion. We will therefore continue to pursue resolution through the Tribunal. The case has already been expedited to the Upper-Tribunal, given the significance of the issues involved,” he added.

“The ICO has had two and a half years since our complaint was filed,” he continued. “The ICO has resumed issuing warnings to the industry, but has yet to take any substantial enforcement measures.”

Therefore, what does the ICO’s resumption of its adtech investigation actually signify for the sector?

Not much beyond a mild notification that you might receive an “assessment notice” at some point in the future, according to the latest cautiously worded ICO blog post (and based on its past performance).

McDougall advises that all organizations should be “assessing how they use personal data as a matter of urgency.”

He has also committed the ICO to publishing “final findings” at some unspecified time. Thus, following the pause, another report—and more audits—are anticipated.

“We already have established, comprehensive guidance in this area, which applies to RTB and adtech in the same way it does to other types of processing—particularly regarding consent, legitimate interests, data protection by design, and data protection impact assessments (DPIAs),” he stated, avoiding any discussion of stricter consequences should the adtech sector continue to disregard this guidance.

He concludes the post with a reference to the Competition and Markets Authority’s recent investigation of Google’s Privacy Sandbox proposals (to phase out support for third-party cookies on Chrome)—stating that the ICO is “continuing” to collaborate with the CMA on this active antitrust complaint.

The specifics of this collaboration remain unspecified—because, once again, McDougall is not providing details.

If it is intended as a subtle warning to the adtech industry—to align with the ICO’s privacy standards or risk jeopardizing its position in a critical antitrust versus privacy dispute—it is remarkably understated.

This report was updated with comment from the Open Rights Group