The Information Commissioner’s Office is facing a new threat of legal action following the decision to scrap its investigation into how Google and IAB Europe allow the abuse of personal data through realtime bidding, which has already been branded “the biggest data breach of all time”.
The original complaint – filed with the Irish Data Protection Commissioner and the ICO – on behalf of tech start-up Brave, the Open Rights Group and University College London was lodged in September 2018.
The complainants argued that when users search on Google, personal information on their online behaviour is broadcast to multiple companies interested in targeting them with ads without users’ consent.
Since then the complainants have ramped up the fight by claiming Google’s Authorised Buyers system leaks personal data about millions of visitors to thousands of advertisers 24/7 – without consent; threatened to push for a judicial review of the ICO after accusing it of failing to act; and have accused Google of operating an internal data “free-for-all” which it is alleged allows the firm to unlawfully share customer data across all of its divisions.
Meanwhile, they slated the ICO when it announced it was stalling its own wider adtech investigation until next year due to the coronavirus pandemic and even claimed that both regulators’ failure to act was making abuse even more widespread.
The ICO has now told the complainants that it has concluded its investigation into their complaint, although it insists it will be pursuing its own independent probe into how all companies collect people’s data to serve them ads.
The regulator’s letter stated that the possible data protection issues around the sector were systemic, and that it was not appropriate to single out specific companies, including Goggle and IAB Europe. The ICO said: “Taking action against a small number of actors within a large and complex industry would not necessarily achieve the desired outcome of influencing change across the sector.”
However, Open Rights Group executive director Jim Killock told TechCrunch: “They shut our complaint down without doing anything. They say they will still take action, yes, but they removed the obligation to do something by closing our complaint.
“They think the Information Tribunal is a soft touch, and won’t listen to anyone seeking to challenge an ICO decision about a complaint of this nature. The Information Tribunal has in fact stated that it will only look at procedural matters relating to this kind of complaints. They are wrong to do this, and this is something we also address [in the challenge].”
The ORG is now launching a crowd-funding campaign to support its action. This states: “We’re taking the ICO to court. We want to end the widespread and systemic abuses of our privacy rights.
“Everyday, online advertisers make a mockery of our hard won data rights when they seize the intimate personal data of millions of people to target us with manipulative ads. Worse yet, the UK’s privacy regulator (the ICO) refuses to take action against abuses in the adtech industry – even after their own investigation found serious and extensive breaches of the law!
“Faced with a broken system, we’re taking the ICO to court to demand enforcement of the law. We need your help to win – Will you support our fight to end advertisers’ assault on privacy?”
Last week, Decision Marketing revealed that a new analysis of GDPR penalties showed that only the Isle of Man, Malta, and Croatia have issued fewer fines that the ICO and the Irish DPC.
Spain’s data protection authority (DPA) is way out in front on 143 fines, followed by Romania (43), Hungary (32), Italy (31) and Germany (27) but the ICO with three and Irish DPC with just two are in the same league as Estonia, Lithuania, Latvia and Iceland – countries with data protection authorities that operate on a fraction of the budgets which the UK and Irish regulators command.
Now Salesforce and Oracle face UK privacy class action
Group seeks €10bn pay-out over adtech GDPR breach
ICO and Irish DPC ‘among the worst GDPR enforcers’
Deceptive data processing sparks biggest GDPR fines
EU told to block UK data deal due to ICO’s dismal record
Adtech breach widens, two years after first complaints
Privacy groups hit out at fresh delay to adtech probe
‘Chicken’ ICO kicks adtech investigation into long grass
ICO ‘cosies up’ to industry in bid to tackle adtech issue
$273bn behavioural ad industry ‘is in breach of GDPR’