ICO Faces Legal Action Over Adtech Complaint Closure
The United Kingdom’s data protection authority is currently facing a legal challenge following its decision to discontinue a complaint concerning the adtech sector’s rapid exchange of personal data.
This legal challenge was initially reported by Politico.
The initial complaint – which questioned the adtech industry’s adherence to the European Union’s General Data Protection Regulation (GDPR) – was submitted to the ICO in September 2018 by Jim Killock, the executive director of the Open Rights Group, and Michael Veale, a lecturer in digital rights at University College London.
Over the past two years, multiple complaints regarding real-time bidding (RTB) have been lodged with regulatory bodies throughout Europe.
The central argument of these complaints is that the real-time bidding (RTB) auction mechanisms are unable to meet the GDPR’s stipulations for ensuring sufficient security for individuals’ data.
In a report released last year, the ICO expressed its own “systemic concerns” regarding the adtech industry’s utilization of personal data within the RTB aspect of programmatic advertising.
In December of last year, one of its deputy commissioners, Simon McDougall, further cautioned the industry about the necessity of reform, stating: “We harbor significant reservations about the legality of the processing of special category data that we have observed within the industry, and the absence of explicit consent for such processing.”
Therefore, the rationale behind the UK regulator’s decision to close the complaint remains unclear, especially considering it has not yet issued a ruling on the core issues.
The ICO did not provide responses to specific inquiries from TechCrunch regarding this matter – instead, it provided the following statement: “We are aware of this issue, which will be resolved by the Tribunal in due course. Our consideration of the concerns we have received is part of our work on real time bidding and the Adtech industry.”
Earlier this year, the regulator announced it would “pause” its ongoing investigation into RTB due to the coronavirus pandemic. The investigation remains suspended, prompting further questions as to why the ICO would choose a period of self-imposed inactivity to close the complaint at this time.
In a series of letters to the complainants’ legal representatives, which have been reviewed, the ICO states that it believes it has investigated the matter “to the extent appropriate,” and further asserts that the investigation has “assisted and informed the ICO’s broader regulatory approach to RTB since September 2018.”
“Please therefore regard this as confirmation of the outcome of your client’s complaint in accordance with s.165(4)(b) of the Data Protection Act 2018,” it adds, reinforcing its position that the complaint is now finalized.
Killock and Veale have expressed apprehension that this action is a tactic by the ICO to prevent them from challenging any future actions it may (or may not) take in the area of RTB.
A related concern is that the regulator does not intend to implement strong enforcement measures against what RTB complainants have described as a massive data breach – and is instead attempting to remove initial objectors.
In a letter to the complainants, dated September 23, 2020, the ICO states that it plans to “restart” its industry-wide investigation into RTB in the future – but provides no details regarding when this might occur, nor any indication of a potential outcome more than two years after the complaint was initially filed.
“We are pursuing legal action against the ICO, as we believe that the complexity and illegality of data processing are reasons to uphold the law, not to disregard it. Individuals are currently unable to opt out of online tracking – and the ICO should not be able to opt out of regulation,” Veale explained to TechCrunch.
“Following the ICO’s publication of a report in response to the complaint submitted by Jim Killock and myself, which demonstrated the unlawful nature of RTB, they appear to have determined that the appropriate course of action was to hold stakeholder meetings, refrain from utilizing their powers, and claim they have fulfilled their obligations to the complainants to enforce the law. RTB continues to be demonstrably illegal.”
“They dismissed our complaint without taking any action,” Killock also stated. “They claim they will still take action, but they eliminated the obligation to do so by closing our complaint.”
“They anticipate that the Information Tribunal will be lenient and will not entertain challenges to an ICO decision regarding a complaint of this nature,” he added. “The Information Tribunal has, in fact, stated that it will only consider procedural matters related to this type of complaint. They are mistaken in this approach, and this is an issue we also address [in the challenge].”
The ICO has already been subject to months of criticism from European privacy specialists regarding the lack of regulatory action to enforce regional data protection standards concerning RTB.
While the regulator has voiced concerns about the legality of practices supporting behavioral advertising – and has urged industry reform – these concerns have not been accompanied by concrete enforcement measures.
Consequently, in the UK, Internet users’ personal data continues to be processed on a large scale by the ad targeting industry, with individuals having no knowledge of where their information is being sent or how it is being utilized.
Concerns regarding the widespread surveillance of Internet users to facilitate behavioral advertising have been growing for years. Personal data routinely exchanged for ad targeting through RTB has been found to include sensitive information such as health details, sexual orientation, and political views.
Conversely, government and public health websites in Europe have also been shown to share user data with ad trackers – as have commercial websites offering assistance with sensitive issues like mental health.
Earlier this month, the European Parliament called for stricter controls on microtargeting – in favor of less intrusive, contextual forms of advertising.
In addition to the inherent insecurity of RTB systems broadcasting individuals’ information over the Internet, another concern in Europe revolves around whether all parties involved in the adtech chain are obtaining legally valid consent to process people’s data for ad targeting – as required by GDPR.
Last month, preliminary findings by the Belgium data protection authority questioned the legality of an industry-standard tool for gathering Internet users’ consent to ad targeting – with an investigation revealing that the IAB Europe’s Trust and Consent Framework (TCF) fails to comply with GDPR principles of transparency, fairness, and accountability, as well as the lawfulness of processing.
It also determined that the TCF does not provide sufficient regulations for the processing of so-called special category data (e.g., health information, political affiliation, sexual orientation, etc.).
Data protection authorities in Ireland, meanwhile, are continuing to investigate RTB – initiating a probe into how Google’s online ad exchange is processing people’s data in May of last year. However, Ireland’s Data Protection Commission is also facing criticism for its lack of regulatory action.
The complaint was filed there concurrently with the UK – meaning it is also over two years old, with no decision yet available.
