ICO faces legal challenge over failure to tackle adtech

gdpr n1The organisations behind the first GDPR complaints about realtime bidding – which triggered a formal investigation into the practice – are threatening to push for a judicial review of the Information Commissioner’s Office after accusing it of failing to act on “the largest data breach ever recorded”.

The threat has been triggered by yet another update from the ICO, in which executive director of technology and innovation Simon McDougall confirms the regulator will not yet be taking any action against the adtech industry.

It follows last year’s damning ICO report on the industry, published in June last year, which slammed online advertisers’ “immature” understanding of data protection and claimed this was triggering the mass unlawful use of consumer data, leaving millions of users at risk of potential harm.

At the time, the ICO gave the industry six months to get its house in order, although many data protection experts claimed the regulator was “pussy-footing” around the tech sector, especially since it only committed to potentially issuing further guidance, rather than enforcement action.

The latest update does little to appease these critics. McDougall does not rule out taking “formal” action at some point, but there is only a vague suggestion of such activity being possible, while he has also praised efforts by the IAB and Google to change their practices.

In a blogpost he writes: “We will continue to investigate RTB. While it is too soon to speculate on the outcome of that investigation, given our understanding of the lack of maturity in some parts of this industry we anticipate it may be necessary to take formal regulatory action and will continue to progress our work on that basis.”

However, perhaps unsurprisingly, this has not gone down well with privacy experts. Official complaints – on behalf of Brave, the Open Rights Group and University College London – were lodged in September last year with the aim of triggering an EU-wide investigation into RTB.

Brave chief policy officer Johnny Ryan said: “As the evidence submitted by the complainants notes, the RTB systems designed by Google and the IAB broadcast what virtually all Internet users read, watch, and listen to online to thousands of companies, without protection of the data once broadcast. It is by far the largest data breach ever recorded. Now, sixteen months after the initial complaint, the ICO has failed to act.

“Regulatory ambivalence cannot continue. The longer this data breach festers, the deeper the rot sets in and the further our data gets exploited. This must end. We are considering all options to put an end to the systemic breach, including direct challenges to the controllers and judicial oversight of the ICO.”

Open Rights Group executive director Jim Killock added: “We are considering our position, including whether to take legal action against the regulator for failing to act, or individual companies for their breach of data protection law.”

Meanwhile, UCL’s Dr Michael Veale said: “When an industry is premised and profiting from clear and entrenched illegality that breach individuals’ fundamental rights, engagement is not a suitable remedy. The ICO cannot continue to look back at its past precedents for enforcement action, because it is exactly that timid approach that has led us to where we are now.”

Ravi Naik, the solicitor acting for the complainants, added that “there is no dispute about the underlying illegality at the heart of RTB that our clients have complained about. The ICO has agreed with those concerns yet the companies have not taken adequate steps to address those concerns”.

Nevertheless, Naik insists that the ICO has failed to take direct enforcement action needed to remedy these breaches. Regulatory ambivalence cannot continue, he maintains.

Naik concluded: “The ICO is not a silo but is subject to judicial oversight. Indeed, the ICO’s failure to act raises a question about the adequacy of the UK Data Protection Act. Is there proper judicial oversight of the ICO? This is a critical question after Brexit, when the UK needs to agree data transfer arrangements with the EU that cover all industries.”

Related stories
Digital ad body acts over ‘mass unlawful use of data’
ICO ‘cosies up’ to industry in bid to tackle adtech issue
ICO urged to act now on adtech or be seen as soft touch
ICO: online ad industry ‘leaving millions at risk of harm’
Germans unleash GDPR blitz on behavioural ad giants
Google Ad Exchange probe threatens online ad mayhem
Adspend nears £24bn with surge in data-driven activity
Irish data regulator launches inquiry into adtech giant
New Govt probe to scrutinise behavioural data market
ICO taps up industry for probe into programmatic ads