Campaigners are threatening to take the Information Commissioner’s Office (ICO) to court for failing to enforce data protection laws in tackling what they see as widespread illegality in the adtech industry.
The Open Rights Group (ORG) responded to an update from the ICO last Friday detailing what action has been taken since the latter’s June 2019 report raised serious concerns about real-time bidding (RTB).
RTB is the process where website publishers auction space on their pages to advertisers in near real-time. However, that process often involves the advertiser seeing detailed information about the individual web user they want to reach, including their browsing history and perceived interests.
The ICO duly raised multiple concerns in its report claiming: the methods of obtaining informed consent from data subjects are often insufficient; privacy notices lack clarity; and that the scale of data profiling and sharing is “disproportionate, intrusive and unfair.”
It also argued that the widespread use of contractual agreements to protect how bid request data is shared, secured and deleted is inappropriate given the scale of the supply chain and type of data shared.
However, in an update last week, the ICO seemed to hold back from enforcing GDPR and other relevant laws, choosing instead to focus on positive steps taken by Google and the Internet Advertising Bureau (IAB) to act on its concerns.
That’s not good enough for the ORG’s executive director, Jim Killock, who filed an initial complaint with the ICO regarding RTB practices 16 months ago.
"The ICO is a regulator, so needs to enforce the law. It appears to be accepting that unlawful and dangerous sharing of personal data can continue, so long as 'improvements' are gradually made, with no actual date for compliance,” he argued.
"Last year the ICO gave a deadline for an industry response to our complaints. Now the ICO is falling into the trap set by industry, of accepting incremental but minimal changes that fail to deliver individuals the control of their personal data that they are legally entitled to.”
Killock and co-complainant Michael Veale, a lecturer in digital rights and regulation at UCL, are now considering whether to take legal action against the regulator for failing to act, or individual companies for breaking the law.
“When an industry is premised and profiting from clear and entrenched illegality that breach individuals' fundamental rights, engagement is not a suitable remedy,” argued Veale. “The ICO cannot continue to look back at its past precedents for enforcement action, because it is exactly that timid approach that has led us to where we are now.”
However, the ICO’s primary impulse has always been to educate rather than punish the industry, so it’s likely that harsher enforcement measures will eventually come for those in the adtech ecosystem that fail to change their ways.
“The most effective way for organisations to avoid the need for further regulatory scrutiny or action is to engage with the industry reform and transformation, and to encourage their supply chain to do the same,” argued ICO executive director for technology and innovation, Simon McDougall.
“I am both heartened at how much progress we have made, and disappointed that there are some who are still ignoring our message. Those who have ignored the window of opportunity to engage and transform must now prepare for the ICO to utilize its wider powers.”