UK’s ICO faces legal action after closing adtech complaint with nothing to show for it

The UK’s data watchdog is facing a legal challenge after it took the decision to quietly close a complaint against the adtech industry’s high velocity background trading of personal data.

The legal challenge was reported earlier by Politico.

The original complaint — challenging the adtech industry’s compliance with Europe’s General Data Protection Regulation (GDPR) — was filed to the ICO in September 2018 by Jim Killock, executive director of the Open Rights Group, and Michael Veale, a lecturer in digital rights at the University College London.

A series of RTB complaints have been filed with regulators across Europe over the past two+ years.

The crux of the complaints is that real-time-bidding (RTB) auction systems cannot comply with the GDPR’s requirements to provide adequate security for people’s data.

In a report last year the ICO voices its own “systemic concerns” about the adtech industry’s use of personal data in the RTB component of programmatic advertising.

Last December one of its deputy commissioners, Simon McDougall, further warned the industry of the need to reform, writing: “We have significant concerns about the lawfulness of the processing of special category data which we’ve seen in the industry, and the lack of explicit consent for that processing.”

So it’s not clear why the UK regulator has chosen to close the complaint when it still hasn’t issued a decision on the substance.

The ICO did not respond to specific questions TechCrunch put to it about this — but sent us this statement: “We are aware of this matter, which will be decided by the Tribunal in due course. Consideration of concerns we have received forms part of our work on real time bidding and the Adtech industry.”

Earlier this year the regulator said it would “pause” its ongoing investigation into RTB on account of the coronavirus pandemic. The probe appears to still be on ice — raising further questions as to why the ICO would choose a moment of self-imposed inaction to close the complaint now.

In a series of letters to the complainants’ legal team, which we’ve reviewed, the ICO writes that it believes it has investigated the matter “to the extent appropriate”, and further claims the probe has “assisted and informed the ICO’s broader regulatory approach to RTB since September 2018”.

“Please therefore consider this to be confirmation of the outcome of your client’s complaint in line with s.165(4)(b) of the Data Protection Act 2018,” it adds, reiterating its position that the complaint is now concluded.

Killock and Veale voiced concerns that the move is a tactic by the ICO to close down their ability to challenge any future action it may (or may not) take in the area of RTB.

The follow-on concern is that the regulator does not intend to take robust enforcement action against what RTB complainants have referred to as the biggest data breach of all time — and is instead seeking to clear the road of first-order objectors.

In a letter to the complainants, dated September 23, 2020, the ICO writes that it intends to “recommence our industry wide investigation into RTB in due course” — but gives no detail of when that might happen nor any hint of any ultimate outcome more than two years after the complaint was filed.

“We are taking legal action against the ICO, as we believe that data processing being too complex and illegal is more reason to uphold the law, not less. Individuals can’t currently opt out of online tracking — and the ICO shouldn’t be able to opt out of regulating,” Veale told TechCrunch.

“After the ICO produced a report in response to the complaint of Jim Killlock and myself illustrating just how illegal RTB was, they appear to have concluded the appropriate action was to hold some stakeholder meetings, use none of their powers, and claim that they have discharged their obligations to the complainants to uphold the law. RTB continues to be outrageously illegal.”

“They shut our complaint down without doing anything,” Killlock also told us. “They say they will still take action, yes, but they removed the obligation to do something by closing our complaint.”

“They think the Information Tribunal is a soft touch, and won’t listen to anyone seeking to challenge an ICO decision about a Complaint of this nature,” he added. “The Information Tribunal has in fact stated that it will only look at procedural matters relating to this kind of complaints. They are wrong to do this, and this is something we also address [in the challenge].”

The ICO has already faced months of criticizism from European privacy experts over the lack of regulatory action to enforce regional data protection standards around RTB.

And while the regulator has voiced concerns about the lawfulness of practices underpinning behavioral advertising — and urged industry reform — it’s been a bark that hasn’t been backed up with any bite.

The upshot in the UK is Internet users’ personal data continues to be processed at vast scale by the ad targeting industry with no way for people to know where their information might be ending up nor how exactly it’s being used.

Concerns about the mass surveillance of Internet users to power behavioral advertising have been stepping up for years. Personal data that’s being routinely traded for ad targeting via RTB has been shown to include highly sensitive data such as health information, sexual orientation and political affiliation.

On the flip side, government and public health websites in Europe have also been shown sharing data on users with ad trackers — as have commercial sites that offer help with sensitive issues like mental health.

Earlier this month the European Parliament called for tighter controls on microtargeting — in favor of less intrusive, contextual forms of advertising.

As well as the inherent insecurity of RTB systems broadcasting people’s information over the Internet, another objection in Europe concerns whether or not all the players in the adtech chain are obtaining legally valid consent to process people’s data for ad targeting — as they are supposed to under GDPR.

Last month preliminary findings by the Belgium data protection authority cast doubt on the legality of an industry standard tool for gathering Internet users’ consent to ad targeting — with an investigation finding that the IAB Europe’s Trust and Consent Framework (TCF) fails to comply with GDPR principles of transparency, fairness and accountability, and also the lawfulness of processing.

It also found the TCF does not provide adequate rules for the processing of so-called special category data (e.g. health information, political affiliation, sexual orientation etc) .

Data protection authorities in Ireland, meanwhile, are continue to investigate RTB — opening a probe into how Google’s online ad exchange is processing people’s data in May last year. Though Ireland’s Data Protection Commission is also under fire for regulatory inaction.

The complaint was filed there at the same time as in the UK — meaning it’s also over two years old and still no decision to show for it.