The UK’s data watchdog has re-launched an investigation into adtech practices which, since 2018, have been the subject of numerous complaints across Europe under the General Data Protection Regulation (GDPR) of The union.
High-speed trading of internet users’ personal data cannot comply with the GDPR’s requirement that such information be properly secured, the complaints say.
Other real-time auction (RTB) concerns focus on consent, wondering how it can meet the legal standard required with data being released to so many businesses – including sensitive information, such as data. on health or religious and political affiliation and sexual orientation.
Since the first complaints were lodged, the UK’s Information Commissioner’s Office (ICO) has expressed its own concerns about what it called systemic legality issues in the tech industry. information and communication. But last year announced that it was suspending its investigation due to business disruption due to the COVID-19 pandemic.
Today he said he was suspending his multi-year investigation to continue pushing.
In an update to his website, ICO Deputy Commissioner Simon McDougall, ICO, who deals with “regulatory innovation and technology” at the agency, writes that the eight-month freeze is finished. And the audits are coming.
“We have now resumed our investigation,” he said. “Enabling transparency and protecting vulnerable citizens are priorities for the ICO. RTB’s complex system can use people’s sensitive personal data to serve advertisements and requires people’s explicit consent, which is not currently happening. “
“Sharing people’s data with potentially hundreds of companies, without properly assessing and addressing the risk of these counterparties, also raises questions around the security and retention of this data,” he continues. “Our work will continue with a series of audits focused on digital market platforms and we will be issuing assessment notices to specific companies in the coming months. The result of these audits will give us a clearer picture of the state of the industry. “
It is unclear what data the ICO is still lacking to comment on complaints that are approaching 2.5 years at this point. But the ICO is committed to resuming its research on adtech – including data brokers, according to McDougall, who writes that “we are going to review the role of data brokers in this adtech ecosystem.”
“The investigation is large and complex and, due to the sensitivity of the work, there will be times when it will not be possible to provide regular updates. However, we are committed to publishing our final findings, once the investigation is complete, ”he continues, managing expectations of any early resolution of this old GDPR complaint.
Commenting on the ICO’s continued reluctance to take coercive action against adtech despite heaps of evidence of rampant violations of the law, Johnny Ryan, senior researcher at the Irish Civil Liberties Council who was involved in the filing of the first batch of RTB GDPR complaints – and continues to be a vocal criticism of EU regulatory inaction against adtech – told TechCrunch: “It seems to me that the facts are clearly laid out in the ICO’s adtech report mi -2019.
“Indeed, this report only confirms the evidence that accompanied our complaints in September 2018 in Ireland and the UK. It is therefore not clear why the ICO needs several additional months. It’s also unclear why the ICO accepted empty gestures from the IAB and Google a year ago. “
“I have since published evidence of the impact of rule non-enforcement: including the documented use of RTB data to influence an election,” he added. “As this evidence shows, the scale of the vast data breach caused by the RTB system has increased dramatically in the three years since I denounced the ICO in early 2018.”
Despite the abundance of data on the extent of personal data leaks involved in RTB and the widespread concern that all kinds of tangible harm stem from adtech’s massive surveillance of Internet users (from discrimination and division societal manipulation of voters), the ICO is in no hurry to strengthen.
In fact, he quietly closed the 2018 complaint last year – telling complainants he believed he had investigated the case “to the appropriate extent”. He is being sued by the complainants as a result – for, in essence, not doing anything about their complaint. (The Open Rights Group, which is involved in this lawsuit, is running this crowdfunder to raise funds to take the ICO to court.)
So what exactly does the ICO’s big adtech survey mean for the industry?
Not much more than a soft review, you might be the recipient of a “review review” at some point, according to the latest lightly-written ICO blog post (and judging by its past performance).
According to McDougall, all organizations should “urgently assess how they are using personal data.”
He also urged the ICO to release the “final findings” at some point. So – to be continued, after the break – yet another report. And more audits.
“We already have comprehensive guidelines in this area, which apply to RTB and adtech in the same way as to other types of processing – in particular with regard to consent, legitimate interests, data protection by design and data protection impact assessments (DPIAs), ”he continues, avoiding talking about any stronger consequences if all these indications continue to be completely ignored.
He ends the post with a nod to the recent Autorité de la concurrence et des marchés investigation into the Google Privacy Sandbox proposals (to phase out support for third-party cookies on Chrome) – claiming that the ICO “continues” to work the CMA on this active antitrust complaint.
You’ll have to fill in the blanks to find out exactly what work he could do there – because, again, McDougall doesn’t say so. If it’s a veiled threat to the adtech industry to finally “ get it on with the ICO privacy program ”, or if you might not have it around the adtech in this crucial antitrust vs privacy complaint is really slimmer.