Brussels must reject the Government’s calls for a post-Brexit “adequacy decision” – which would pave the way for the frictionless transfer of personal data between Britain and EU states – due to the UK’s “dismal record” in tackling the adtech industry’s mass breach of data protection laws.
That is the stark message from privacy body the Irish Council for Civil Liberties (ICCL) in a letter to the European Commission. It lays the blame squarely on the Information Commissioner’s Office, amid claims that, without a deal, tens of billions of pounds’ worth of UK exports a year that rely on data transfers will be lost.
The move is the latest twist in what has become something of a personal crusade against the ICO and the Irish Data Protection Commission by Johnny Ryan, who launched his campaign while chief privacy director at tech start-up Brave and is now continuing the fight as an ICCL fellow.
The original complaint – filed with the ICO and the Irish DPC – on behalf of Brave, the Open Rights Group and University College London, was lodged in September 2018, aimed at triggering an EU-wide GDPR investigation into the practice of realtime bidding.
Since then the complainants have ramped up the fight by claiming Google’s Authorised Buyers system leaks personal data about millions of visitors to thousands of advertisers 24/7 – without consent.
They have also threatened to push for a judicial review of the ICO after accusing it of failing to act and have accused Google of operating an internal data “free-for-all” which it is alleged allows the company to unlawfully share customer data across all of its divisions.
Meanwhile they have slated the ICO for stalling its investigation until next year at least, due to the coronavirus pandemic.
Last month, the ICCL even claimed that both regulators’ failure to act was making abuse even more widespread and consumers’ highly personal data was up for grabs tens of billions of times a day.
Now Ryan is taking the fight to Brussels, alerting the Commission to its legal obligation to limit EU data transfers to the UK after Brexit, because of the ICO’s failure to protect data rights.
The letter states: “Under the terms of Article 45(2)b of the GDPR, an adequacy decision is impossible because the UK’s data protection supervisory authority, the ICO, does not meet the test of an ‘effectively functioning’ supervisory authority.
“The ICO has shown itself to be incapable of discharging the tasks required of a supervisory authority under Article 57 of the GDPR and section 115 of the UK Data Protection Act, with respect to the largest data breach of all time: realtime bidding.
“The RTB data free-for-all infringes Article 5(1)f of the GDPR. Many RTB companies that process the personal data of data subjects in the Union are established in the UK.
“Without an adequacy decision, £85bn of UK exports are in jeopardy because they rely on EU data. This is 13% of the UK’s total, global exports. For perspective, the UK’s fishing industry was worth only £0.75bn last year.
“Even so, despite the fact that the enormity of the data protection infringements were publicly acknowledged by the ICO in its report, it did not take action to end the infringements. Instead, it accepted gestures from the infringers that did not limit or correct the infringements. As a result, infringements of the GDPR by RTB companies established in the UK have increased in the years since the ICO was notified.
“The consequences of this should be of utmost concern to the European Commission…The ICO has failed over the last two years to take any substantive action against the largest data breach that the UK and EU have ever experienced. It would be unreasonable to anticipate that it will perform any better after Brexit is complete.”
The letter goes on the examine the UK Government’s claims about the ICO. In March 2020, ministers published “explanatory framework” documents that they claimed “provide the information necessary for the Commission to plan and conduct its assessment” for an adequacy decision.
In the document, the Government suggested the ICO is “capable of handling complex cases and imposing tough sanctions where necessary”, and points to the issuing of 13 monetary penalties since the application of GDPR on 25 May 2020.
However, as Ryan points out that, by last month, the ICO had actually issued only one fine under the UK Data Protection Act that implements the GDPR, though it had issued fines on matters outstanding under previous legislation. The letter states: “Indeed, the ICO has found itself unable to proceed with the major fines that it had announced under the GDPR [against Marriott International and British Airways].”
The Government also claimed the ICO is among the “three most active data protection authorities in recent years in terms of individual fining decisions”. But Ryan explains that the citation on which this claim relies refers to a conference paper from 2017 that predates the GDPR, and which does not appear to substantiate the claim.
Finally, the Government asserted that the ICO has a staff of approximately 750, a budget of €55.65m, and “world-leading expertise in niche areas such as the impact of new technologies and privacy rights”. It added that “almost all” of the ICO’s budget “supports data protection compliance”.
However, Ryan’s letter dismisses this claim, too, adding: “Documents obtained under Freedom of Information show that the ICO had 680 full time equivalent staff, of which only 21 are specialist tech investigators. Moreover, only 8 people work in the ICO’s Cyber incident response & investigation unit.
“In other words, the ICO may be the biggest and most expensive supervisory authority to operate, but it is not configured to monitor and enforce data protection in the digital age. Indeed, only 1% of its staff is devoted to this purpose.”
The letter concludes: “The UK lacks an effective independent supervisory authority that is capable of enforcing compliance with data protection law and vindicating data subjects’ rights. As a consequence, the personal data of data subjects in the Union do not at present have an adequate level of protection in the UK.
“Therefore, we suggest to you that the inescapable conclusion is that the UK must be unable to benefit from an adequacy decision at the present time.”
Adtech breach widens, two years after first complaints
Group seeks €10bn pay-out over adtech GDPR breach
Privacy groups hit out at fresh delay to adtech probe
ICO strikes back at claims it has shut down all cases
‘Chicken’ ICO kicks adtech investigation into long grass
ICO ‘cosies up’ to industry in bid to tackle adtech issue
ICO urged to act now on adtech or be seen as soft touch
IAB in dock over sector’s ‘systemic’ breaches of GDPR
$273bn behavioural ad industry ‘is in breach of GDPR’