Adtech scores a pandemic pause from UK privacy oversight

The coronavirus is proving to have an unexpected upside for the adtech industry.

The U.K.’s data protection agency has paused an investigation into the industry’s processing of internet users’ personal data, saying targeted suspension of privacy oversight is merited because of disruption to businesses as a result of the COVID-19 pandemic.

The investigation into adtech industry practices by the Information Commissioner’s Office (ICO) is linked to a 2018 complaint it received about systematic, massive-scale, high-velocity personal data trading associated with the real-time bidding component of programmatic advertising.

A series of complaints have since been filed over the issue across the EU that assert it amounts to “the most massive leakage of personal data recorded so far.”

The first of these complaints was lodged in the U.K. with the ICO, but the complainants are still waiting for any relief.

And now their wait goes on…

One of the complainants, Brave’s Dr Johnny Ryan, described the regulatory inaction over a period of some two years since he sounded the alarm to the watchdog as “astounding.”

“They’ve failed to use any of their statutory powers, including statutory powers of investigation,” Ryan told TechCrunch. “We’re not even talking about enforcement. The lack of action is quite astounding.”

“That’s astounding,” he added. “I claim it’s the biggest data breach the U.K. has ever had — and I’ve never heard anyone contradict that. This enormous breach continues every day. The vast RTB data breach is not a discrete event that is now over. The harm is constantly accumulating.”

We also contacted the ICO with questions about the decision to suspend the adtech investigation — including asking how U.K. citizens can be confident their data rights are being defended against abuse by powerful industry platforms.

The regulator did not engage with what we asked — instead sending this generic statement:

“The ICO recently set out its regulatory approach during the COVID-19 pandemic, where we spoke about reassessing our priorities and resources.

“Taking this into account we have made the decision to pause our investigation into real time bidding and the Adtech industry.

“It is not our intention to put undue pressure on any industry at this time but our concerns about Adtech remain and we aim to restart our work in the coming months, when the time is right.”

This is by no means the first “breather” the regulator has offered the adtech industry vis-à-vis this complaint.

In fact there have been a series of “warnings” — followed by a series of periods of, er, mildly worded blog posts. Enforcement? Not a sniff.

Europe’s General Data Protection Regulation (GDPR), meanwhile, will turn two later this month — meaning it’ll be two years since the updated framework was supposed to start to apply.

Many privacy experts and campaigners are questioning the quality and quantity of enforcement set alongside the flagship update to legal safeguards for citizens’ data — which actually date all the way back to 1995.

Brave’s Ryan said the ICO’s regulatory abdication does not reflect well on the success of the wider EU data protection regime — pointing out that the U.K. watchdog is the best resourced of the bloc’s (post-Brexit) 27 Member States (the U.K. remains in the EU until the end of the Brexit transition period, so is still technically a member right now).

“If the EU’s biggest and best funded regulator in this domain is unable to enforce against the biggest data breach that the country it regulates for has ever experienced, then is the GDPR just a kind of collective hallucination?” he said. “Or is that something that is limited to the U.K.?”

A bigger issue he points to is that the U.K., post-Brexit, will need to request a data protection “adequacy agreement” from the European Commission if it wishes for its businesses to be able to freely exchange data with EU businesses as they can now.

“When the U.K. requests that the European Commission consider the U.K. as a safe and adequate third country where personal data from the EU can freely flow, one of the questions to be considered is: Do you have a regulator that can protect this personal data? The answer today is ‘no’,” said Ryan. “No, the U.K. does not have a regulator that is able to protect personal data of European citizens.”

“The ICO’s inaction will have a post-Brexit implication. It will affect so many sectors of the U.K. economy,” he warned.

Ryan’s employer, Brave — which makes a pro-privacy web browser — recently lodged a complaint with the European Commission against EU Member States, producing a report and accusing governments of under-resourcing their data protection agencies. It has asked the Commission to launch an infringement procedure.

“How is only 3% of the ICO’s staff specialised on digital issues?” Ryan added. “Clearly more than 3% of infringement is digital and more than 3% of life is. The ICO labours under the misapprehension that we are still at the beginning of this digital transition. It is the wrong regulator for this decade, and it is staffed for the last century. There appears to be a huge management problem at the ICO. It seems they are unwilling or unable to regulate digital issues. They need to get fit for purpose.

“They are still living in a print-based world. And we are confronting them urgently with problems that are not print based — but that affect every aspect of our lives. Including, apparently, the last election. And presumably the next one too… So this is shocking on many, many levels.”

As a consequence of Brexit, U.K. citizens should expect the ICO to be their sole data protection rights enforcer, rather than — as can be the case now — other EU regulators being involved in defending their rights, such as in the case of major tech platforms which often locate themselves under a legal jurisdiction elsewhere in the EU.

Google, for example, has said it will relocate U.K. users to a U.S. jurisdiction in response to Brexit.