Enforcement Challenge

ICO enforcement challenge.

April 23, 2022 - By John Foster

ICO faces legal challenge

The Information Commissioner’s Office (ICO) is facing a legal challenge after it closed a data protection complaint without a even conducting an investigation. The dispute relates to a number of complaints about PII (personally identifiable information) being shared in the RTB (real-time bidding) process.

What is RTB?

Basically, real-time bidding bots are harvesting information about users when they are online. It looks to identify and catigorise a user, then passes the data to an ad exchange, which sells it to the highest paying advertiser. A carefully selected advert will then appear as if by chance to the person viewing the page. The process happens automatically in under a second.

The problem is that data subjects (the real owners of the data), often have no idea that their data is being used like this, and it's become a real problem.

Who has made the legal challenge?

A huge number of complaints have been made about RTB over the last year. The crux of these complaints is that RTB systems do not comply with the GDPR. And it seemed that the ICO agreed, as it has voiced concerns about the adtech industry’s use of personal data in the past.

Despite this, the UK data protection watchdog has now closed the RTB complaint made in September 2021 by Jim Killock, executive director of the Open Rights Group, and Michael Veale, a lecturer in digital rights at the University College London, without issuing a decision.

The ICO defended its decision by saying that it has investigated the matter “to the extent appropriate”.

Killock and Veale disagree, and are taking legal action against the ICO.

Veal said:

“We are taking legal action against the ICO, as we believe that data processing being too complex and illegal is more reason to uphold the law, not less. Individuals can’t currently opt out of online tracking — and the ICO shouldn’t be able to opt out of regulating,”

“After the ICO produced a report in response to the complaint of Jim Killock and myself illustrating just how illegal RTB was, they appear to have concluded the appropriate action was to hold some stakeholder meetings, use none of their powers, and claim that they have discharged their obligations to the complainants to uphold the law. RTB continues to be outrageously illegal.”

They argue that their complaint had been dismissed without an investigation, Killock and Vale have also expressed concerns that the ICO has no intention of any enforcement action against RTB related activity in the future, which has been described as the biggest data breach of all time. Earlier this year, Ireland’s data protection watchdog (the DPC) was similliarly criticised for inaction over RTB complaints.

The ICO must take action to defend data protection rights

The ICO has shown an eagerness to crack down on organizations that breach data protection regulation, with enormous fines given to BA and Marriott, so declining to make an unequivocal move against RTB is confusing.

The ICO is really giving the adtech business free rein to continue with illegal data harvesting, with individuals having no clue that their information is being utilised in such a way. Furthermore, the issue can escalate as RTB can include personal information like wellbeing data, sexual direction and political connection. The consequences of using such personal data for ad targeting is hugely problematic.

The ICO must review this issue and ensure that all personal data processed has the legally valid consent of the data subject as is required under the GDPR.