Back in June 2019, the Information Commissioner’s Office (ICO) found that the Adtech industry had committed privacy violations against the General Data Protection Regulation (GDPR). Specifically concerns were raised around its use of real-time-Bidding auction systems.
In a report, the ICO gave the industry six months to make good on it’s violations, before potential regulatory action would be launched. However, in September 2020, the ICO announced that it had decided to close the investigation, failing to implement substantive action.
Now, privacy campaigners, the Open Rights Group (ORG), who first launched a complaint against the Adtech industry back in 2018, have begun legal action against the watchdog. It argues that ICO’s announcement ending the investigation shows a significant failure to perform its duty, and protect the rights and liberties of UK citizens.
Back in September 2018, Jim Killock, executive director of ORG and Michael Veale, a lecturer in digital rights at the University College London, filed a formal complaint to the ICO relating to serious GDPR violations by the Adtech industry.
In the complaint, the ORG outlined that the current frameworks and policies regulating the industry fail to provide “adequate” protections against “unauthorised, and potentially unlimited, disclosure and processing of personal data”.
Moreover, the group argued that current practices by the Adtech industry engage a number of different data protection principles. In particular, it raised an issue with the use of “real-time-bidding (RTB)” requests which broadcast the intimate, behavioural data of site visitors.This includes everything from a user’s location, to what they are reading or watching. This breaches Article 5 (1) (f) of the GDPR which requires that personal data is “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss”.
Speaking at the time, Jim Killock of the ORG, said: “The online ad industry is opaque and needs investigation. People do not – and cannot – fully understand or know how and where their data is used. This seems highly unethical, and does not square with Europe’s data protection laws”.
Following the group’s complaints of a colossal data breach, the ICO commenced its investigation into the Adtech industry.
In June 2019, the ICO published its damning report on the Adtech industry. Overall, the watchdog found that the industry had an “immature” understanding of data protection requirements. Further to this, it revealed systemic concerns relating to the industry’s level of compliance of RTB.
Moreover, the report uncovered that the industry has committed a number of GDPR breaches. Specifically, the watchdog found that instead of obtaining the web users’ consent as required under Privacy and Electronic Communications Regulations (PECR), the industry has been unlawfully dropping trackers.
On top of this, users’ sensitive personal data relating to sexual orientation, and political views etc, was found to have been illegally processed by the industry without users giving their explicit consent. The ICO also stated that even if the industry collected this data through claiming “legitimate interest” as its legal basis, it did not have evidence that it had conducted sufficient legitimate interest tests. The industry was also found to be unable to demonstrate that it had implemented appropriate safeguards.
Moreover, due to the industry having an immature understanding of the data protection laws, and a lack of compliance, the report outlined it had “little confidence” that the Adtech industry had done it’s due diligence in relation to RTB. After all, data protection impact assessments (DPIAs) had not even been conducted.
The watchdog also highlighted the complex nature of the privacy information provided by organisations within the industry. It argued that due to this complexity means users are unable to provide free and informed consent, because often they don’t understand what they are agreeing to.
An even more sinister element to this, is that the detailed user profiles created by the behavioural advertising industry are then shared with hundreds of organisations without the user ever knowing.
Ultimately, the regulator concluded that processing operations involved in RTB and the industry’s failure to comply with GDPR, was likely to result in “a high risk to the rights and freedoms of individuals”.
However, despite these shocking revelations, as the COVID-19 pandemic emerged and lockdown took its hold, the ICO announced that the investigation was to be put on hold. Meanwhile, it said it would “[reassess]” its “processes and resources” and said that it didn’t want to put “undue pressure on any industry”.
Yet, as the months rolled on, the ICO stayed silent, and in September 2020, it announced that it had decided to close the investigation without taking any further action.
Infuriated by the watchdog’s lack of action, the ORG filed legal action against the ICO on 21 October 2020 over the regulator’s failure to stop the unlawful practices of the industry.
Commenting on ORG’s decision to launch a legal challenge, Jim Killock, executive director of the ORG, said: “The AdTech industry has driven a coach and horses through the GDPR and the ICO’s own investigation has highlighted widespread systemic abuses in the AdTech industry practices. But instead of taking action against it, it has decided to close the investigation. We are determined to ensure that the law is enforced even when the regulator can’t be bothered to protect our rights and liberties”.
Dr Michael Veale, the co-complainant who sits on the Advisory Council of the ORG, added: “The ICO is expected to protect individuals against complex misuses of their sensitive data by entire industries acting outside the law, not just the simple, low-hanging fruit it can easily enforce against. This lawsuit is about stopping the ICO sweeping the most difficult cases under the carpet. Adtech isn’t simple — but dealing with illegal adtech is the ICO’s job”.
Ravi Naik, Legal Director of the data rights agency AWO, acting on behalf of the complainants, said: “Our clients simply want [the] ICO to act to prevent widespread and systemic abuses of human rights; abuses that the ICO has acknowledged occur. Rather than take steps to address those problems, the ICO [has] acted against our clients and closed their complaints because our clients asked them to take action. This appalling state of affairs has left our clients with little option than to take the Commissioner to the Tribunal. That the Commissioner is being taken to the Tribunal because of a refusal to act to protect our rights speaks volumes of the Commissioner’s record”.
He added: “Our clients seek no more than the protection of our rights. Why the Commissioner is refusing to act to protect us all is a matter they will have to justify to the Tribunal.”
According to a report by Politico the legal challenge is likely to be resolved some time next year.