The coronavirus is proving to have an unexpected upside for the adtech industry.
The UK’s data protection agency has paused an investigation into the industry’s processing of Internet users’ personal data, saying targeted suspension of privacy oversight is merited because of disruption to businesses as a result of the COVID-19 pandemic.
The investigation into adtech industry practices by the Information Commissioner’s Office (ICO) is linked to a 2018 complaint it received about systematic, massive scale, high velocity personal data trading associated with the real-time bidding component of programmatic advertising.
A series of complaints have since been filed over the issue across the EU that assert it amounts to “the most massive leakage of personal data recorded so far”.
The first of these complaints was lodged in the UK with the ICO but the complainants are still waiting for any relief.
And now their wait goes on…
We (I and @jimkillock and @mikarv) have just received this remarkable e-mail. For 2 years the ICO (UK privacy watchdog) @ICOnews still has failed to use its powers to end the enormous (and on-going) RTB data breach which leaks UK citizens' online habits to 1000s of companies. pic.twitter.com/8yLtgTOfYF
One of the complainants, Brave’s Dr Johnny Ryan, described the regulatory inaction over a period of some two years since he sounded the alarm to the watchdog as “astounding”.
“They’ve failed to use any of their powers. Even their powers of investigation,” Ryan told TechCrunch. “We’re not even talking about enforcement. They’ve failed to ask their questions using their strong voice. The lack of action — it’s actually really hard to remember just how little action there is — it’s quite astounding, just how vacuous this vacuum is. How much of a pause this was a pause of.
“That’s astounding,” he added. “I claim it’s the biggest data breach the UK has ever had — but I’ve never had anyone contradict that. It’s almost indisputable because the figures are so big. So we’ve got this enormous breach, and… it’s continuing — so it’s not some discrete thing that’s now over… The harm accumulates. So this is a problem. It’s a breach pandemic!”
We also contacted the ICO with questions about the decision to suspend the adtech investigation — including asking how UK citizens can be confident their data rights are being defended against abuse by powerful industry platforms.
The regulator did not engage with what we asked — instead sending this generic statement:
The ICO recently set out its regulatory approach during the COVID-19 pandemic, where we spoke about reassessing our priorities and resources.
Taking this into account we have made the decision to pause our investigation into real time bidding and the Adtech industry.
It is not our intention to put undue pressure on any industry at this time but our concerns about Adtech remain and we aim to restart our work in the coming months, when the time is right.
This is by no means the first ‘breather’ the regulator has offered the adtech industry vis-a-vis this complaint.
Europe’s General Data Protection Regulation (GDPR), meanwhile, will turn two later this month — meaning it’ll be two years since the updated framework was supposed to start to apply.
Many privacy experts and campaigners are questioning the quality and quantity of enforcement set alongside the flagship update to legal safeguards for citizens’ data — which actually date all the way back to 1995.
Brave’s Ryan said the ICO’s regulatory abdication does not reflect well on the success of the wider EU data protection regime — pointing out that the UK watchdog is the best resourced of the bloc’s (post-Brexit) 27 Member States (the UK remains in the EU until the end of the Brexit transition period, so is still technically a member right now).
“If the EU’s biggest regulator in this domain — which is one of the jewels in the EU’s regulatory crown — its biggest and most well resourced, in terms of cash, regulators is unable to enforce against the biggest data protection infringement that the country it regulates for has ever experienced is the GDPR just a kind of collective hallucination?” he said. “Or is that something that is limited to the UK?”
A bigger issue he points to is that the UK, post-Brexit, will need to request a data protection ‘adequacy agreement’ from the European Commission if it wishes for its businesses to be able to freely exchange data with EU businesses as they can now.
“When the UK requests that the European Commission consider the UK as a safe and adequate third country where personal data from the EU can freely flow, one of the questions to be considered is do you have a regulator that can protect this personal data? And the answer today is no,” said Ryan. “No, you do not have a regulator that is able to protect personal data of European citizens.”
“This [ICO inaction] should have a post-Brexit implication — which will affect so many sectors of the UK economy,” he warned.
Ryan’s employer, Brave — which makes a pro-privacy web browser — recently lodged a complaint with the European Commission against EU Member States, producing a report and accusing governments of under-resourcing their data protection agencies. It has asked the Commission to launch an infringement procedure.
“How is only 3% of the [ICO] staff mainly focused on digital issues?” Ryan added. “Clearly more than 3% of infringement is digital and more than 3% of life is — so unless the ICO is labouring under the misapprehension that we are at the beginning of this digital transition they are the wrong regulator for this decade. This is last century’s regulator. So there’s a huge management problem inside the ICO. It seems they are unwilling or unable to regulate digital issues… They need to get fit for purpose.
“They are still living in a print based world. And we are confronting them urgently with problems that are not print based — but that affect every aspect of our lives. Including, apparently, the last election. And presumably the next one too… So this is shocking on many, many levels.”
As a consequence of Brexit, UK citizens should expect the ICO to be their sole data protection rights enforcer, rather than — as can be the case now — other EU regulators being involved in defending their rights, such as in the case of major tech platforms which often locate themselves under a legal jurisdiction elsewhere in the EU.