UK Privacy Advocates Say GDPR Enforcement Comes Up ShortAppeal Alleges ICO Fails to Enforce Privacy Law for AdTech Industry
Privacy advocates in the U.K. have filed a complaint alleging that the Information Commissioner's Office, a watchdog agency, is not doing enough to make sure the digital advertising technology - or AdTech - industry complies with the European Union's General Data Protection Regulation.
The U.K. intends to continue abiding by GDPR after it officially leaves the EU in December.
Jim Killock, executive director of the Open Rights Group, a U.K. privacy organization, and Dr. Michael Veale of the University College London, announced an appeal regarding the ICO's AdTech enforcement activity was recently submitted to the Information Tribunal (General Regulatory Chamber), the U.K. body responsible for handling appeals against decisions made by government regulatory bodies.
The appeal accuses the ICO of failing to act despite finding unlawful practices in an investigation into alleged widespread violations of GDPR by the AdTech industry, focusing on the role of the Internet Advertising Bureau - a trade industry body - as the rule setter.
The Adtech industry was alleged to be collecting and then sharing individuals' browsing histories without their permission.
The Open Rights Group seeks a ruling that real-time-bidding advertising auction systems are incapable of complying with the GDPR's requirements to provide adequate security for citizens' data and thus should be subject to wholesale reform. Earlier, the ICO had investigated the issue, but it did not take any formal action upon concluding the probe in September.
Killock argues that the ICO "cannot simply close complaints without resolving them. If it could, complaints would be meaningless. The ICO is in effect claiming it does not have to remedy complaints, which is unacceptable."
But Dai Davis, a partner at the legal consultancy Percy Crow Davis & Co, says it's unlikely that the privacy advocates' legal action will prove successful.
"The complainants would have to prove the ICO had not acted reasonably in performing its duties, particularly as the complaint is against an industrywide practice rather than an individual breach of significant magnitude," he says.
In its written response to the claim submitted to the tribunal, the ICO noted that the Internet Advertising Bureau had begun introducing its own guidance on security, data minimization and data retention for AdTech firms.
But Killock says: "We would disagree that the IAB has made any meaningful progress [to reform resale of personal data online]. The ICO has not said that their changes are adequate either, merely that they are helpful steps towards getting there sometime."
The Internet Advertising Bureau did not immediately respond to a request for comment.
Veale of the University College London adds: "The ICO is expected to protect individuals against complex misuses of their sensitive data by entire industries acting outside the law, not just the simple, low-hanging fruit it can easily enforce against. This lawsuit is about stopping the ICO sweeping the most difficult cases under the carpet."
Commenting on the privacy groups' appeal, an ICO spokesperson tells Information Security Media Group: "We are aware of this matter, which will be decided by the tribunal in due course. Consideration of concerns we have received forms part of our work on real-time bidding and the Adtech industry."
In addition to the complaints about ICO's GDPR enforcement in the AdTech sector, some critics have argued that the ICO has imposed inadequate financial penalties overall and failed to consistently follow through on collections (see: Marriott and BA's Reduced Privacy Fines: GDPR Realpolitik).
Research by SMS app provider The SMS Works found that from January 2019 to September, the ICO issued 21 fines totalling 3.2 million pounds ($4.2 million). Of this, just over $1.4 million has been collected, which equates to 32% of all fines imposed, based on analysis of ICO reporting.
The ICO spokesperson tells ISMG that since January 2019, nine GDPR fines have been paid, seven are in the process of being recovered and five are under appeal.
But Henry Cazalet, director at The SMS Works, says only eight of 21 GDPR fines of between 250,000 and 500,000 pounds ($328,000 to $656,000) had been paid since January 2019.
"Organizations have the right to appeal any regulatory action issued by the ICO and this can delay payment of a fine," the ICO spokesperson says. "Many nuisance call companies fined under Privacy and Electronic Communications Regulations go into liquidation. While in some respects, a firm going into liquidation marks a frustrating end to our investigations, it's worth noting that when nuisance call companies go out of business, they stop making calls. And that's a successful outcome."
In addition, the ICO has used debt collectors whose actions can result in personal claims against directors. It also works with the U.K. Insolvency Service, which can disqualify the worst offenders from running companies.
The ICO paused enforcement during the first COVID-19 lockdown earlier this year. But Cazalet points out: "The non-payment of fines has been an issue since at least 2015. Before the pandemic hit, 42% of fines were unpaid."