UK resumes privacy oversight of adtech, warns platform audits are coming

The U.K.’s data watchdog has restarted an investigation of adtech practices that, since 2018, have been subject to scores of complaints across Europe under the bloc’s General Data Protection Regulation (GDPR).

The high velocity trading of internet users’ personal data can’t possibly be compliant with GDPR’s requirement that such information is adequately secured, the complaints contend.

Other concerns attached to real-time bidding (RTB) focus on consent, questioning how this can meet the required legal standard with people’s data being broadcast to so many companies — including sensitive information, such as health data, religious and political affiliation and sexual orientation.

Since the first complaints were filed, the U.K.’s Information Commissioner’s Office (ICO) has raised its own concerns over what it said are systemic problems with lawfulness in the adtech sector. But last year it announced it was pausing its investigation on account of disruption to businesses from the (ongoing) COVID-19 pandemic.

Today it said it’s unpausing its multi-year probe to keep on prodding.

In an update on its website, ICO deputy commissioner Simon McDougall, who takes care of “Regulatory Innovation and Technology” at the agency, writes that the eight-month freeze is over. And the audits are coming.

“We have now resumed our investigation,” he says. “Enabling transparency and protecting vulnerable citizens are priorities for the ICO. The complex system of RTB can use people’s sensitive personal data to serve adverts and requires people’s explicit consent, which is not happening right now.”

“Sharing people’s data with potentially hundreds of companies, without properly assessing and addressing the risk of these counterparties, also raises questions around the security and retention of this data,” he goes on. “Our work will continue with a series of audits focusing on digital market platforms and we will be issuing assessment notices to specific companies in the coming months. The outcome of these audits will give us a clearer picture of the state of the industry.”

It’s not clear what data the ICO still lacks to come to a decision on complaints that are approaching 2.5 years old at this point. But the ICO has committed to resume looking at adtech — including at data brokers, per McDougall, who writes that “we will be reviewing the role of data brokers in this adtech eco-system”.

“The investigation is vast and complex and, because of the sensitivity of the work, there will be times where it won’t be possible to provide regular updates. However, we are committed to publishing our final findings, once the investigation is concluded”, he goes on, managing expectations of any swift resolution to this vintage GDPR complaint.

Commenting on the ICO’s continued reluctance to take enforcement action against adtech despite mounds of evidence of rampant breaches of the law, Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties who was involved in filing the first batch of RTB GDPR complaints — and continues to be a vocal critic of EU regulatory inaction against adtech — told TechCrunch: “It seems to me that the facts are clearly set out in the ICO’s mid 2019 adtech report.

“Indeed, that report merely confirms the evidence that accompanied our complaints in September 2018 in Ireland and the UK. It is therefore unclear why the ICO requires several months further. Nor is it clear why the ICO accepted empty gestures from the IAB and Google a year ago.”

“I have since published evidence of the impact that failure to enforce has had: Including documented use of RTB data to influence an election,” he added. “As that evidence shows, the scale of the vast data breach caused by the RTB system has increased significantly in the three years since I blew the whistle to the ICO in early 2018.”

Despite plentiful data on the scale of the personal data leakage involved in RTB, and widespread concern that all sorts of tangible harms are flowing from adtech’s mass surveillance of internet users (from discrimination and societal division to voter manipulation), the ICO is in no rush to enforce.

In fact, it quietly closed the 2018 complaint last year — telling the complainants it believed it had investigated the matter “to the extent appropriate”. It’s in the process of being sued by the complainants as a result — for, essentially, doing nothing about their complaint. (The Open Rights Group (ORG), which is involved in that legal action, is running this crowdfunder to raise money to take the ICO to court.)

Commenting on the ICO’s resumption of its investigation following the closing of the original complaint, Jim Killock, executive director of ORG, said: “It makes no sense to close complaints, as if they are resolved, and then to carry on investigating the industry. By closing our complaint, the ICO is in effect avoiding their accountability duties to update complainants and resolve their complaints. If the ICO can act in this way, it makes the complaints process hollow.

“By wrongfully closing our complaints, the ICO may believe that it has no timescale or need to bring these complaints to a close. We therefore will be continuing to press for resolution through the Tribunal. The case has already been fast-tracked to the Upper-Tribunal, given the importance of the issues involved.”

“The ICO has had two and a half years since our complaint,” he added. “The ICO has resumed its policy of issuing threats to the industry, but has yet to make any meaningful enforcement action.”

So what does the ICO’s great adtech investigation unpausing mean exactly for the sector?

Not much more than gentle notification you might be the recipient of an “assessment notice” at some future point, per the latest mildly worded ICO blog post (and judging by its past performance).

Per McDougall, all organizations should be “assessing how they use personal data as a matter of urgency”.

He has also committed the ICO to publishing “final findings” at some future point. So — to follow, post-pause — yet another report. And more audits.

“We already have existing, comprehensive guidance in this area, which applies to RTB and adtech in the same way it does to other types of processing — particularly in respect of consentlegitimate interestsdata protection by design and data protection impact assessments (DPIAs),” he goes on, eschewing talk of any firmer consequences following should all that guidance continue being roundly ignored by the adtech sector.

He ends the post with a nod to the Competition and Markets Authority’s recent investigation of Google’s Privacy Sandbox proposals (to phase out support for third party cookies on Chrome) — saying the ICO is “continuing” to work the CMA on that active antitrust complaint.

You’ll have to fill in the blanks as to exactly what work the regulator might be referring to there — because, again, McDougall isn’t saying.

If it’s a veiled threat to the adtech industry — to finally “get with the ICO’s privacy program”, or risk not having it fighting adtech’s corner in a crux antitrust versus privacy complaint — it really is gossamer thin.

This report was updated with comment from the Open Rights Group