ICO faces legal action over ‘failure to regulate’ adtech industry

Campaigners may sue the data regulator for declining to take action against “massive data breaches”

hands typing on laptop

The Open Rights Group (ORG) has threatened the Information Commissioner’s Office (ICO) with legal action after accusing the data regulator of failing to enforce the law against adtech firms.

Following an examination into the practices of online advertising companies, the ICO published a report in June 2019 identifying a range of issues that amounted to critical data protection violations.

Advertisement - Article continues below

Six months on, the ICO has been "encouraged" by steps the companies involved are taking, and has agreed on a range of new principles with the Interactive Advertising Bureau (IAB), a trade association for adtech businesses. 

These steps, as well as fresh guidance, have been outlined by the ICO in a blog post released on Friday morning, and include measures on security, data minimisation, and data retention.

The ORG, however, in response to that blog post, has now accused the regulator of taking “minimal steps” to enforce the law against the “massive data breaches” taking place in the online ad industry.

As a result, the organisation has suggested that legal action could be taken against the ICO for failure to enforce the law, or against the offending companies directly for violating the Data Protection Act 2018.

"The ICO is a regulator, so needs to enforce the law,” said the ORG’s executive director Jim Killock. “It appears to be accepting that unlawful and dangerous sharing of personal data can continue, so long as 'improvements' are gradually made, with no actual date for compliance.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"Last year the ICO gave a deadline for an industry response to our complaints. Now the ICO is falling into the trap set by industry, of accepting incremental but minimal changes that fail to deliver individuals the control of their personal data that they are legally entitled to.

"The ICO must take enforcement action against IAB members. We are considering our position, including whether to take legal action against the regulator for failing to act, or individual companies for their breach of data protection law," added Killock.

In its 2019 report, the ICO identified a range of issues associated with the data practices of companies within the multi-billion pound adtech industry, which is primarily dominated by Google and Facebook. 

The process of real-time bidding (RTB) was highlighted as the central tool through which personal data was being misused. This technology allows advertisers to compete for available digital space by placing billions of ads on webpages and apps. 

Advertisement - Article continues below

Ads are curated to users based on their personal data, including highly sensitive information such as sexuality, political leaning, and race, which firms are processing without gaining adequate consent.

"There is no dispute about the underlying illiegality [sic] at the heart of RTB that our clients have complained about,” said the solicitor acting for the prospective legal complaint, Ravi Naik.

“The ICO have agreed with those concerns yet the companies have not taken adequate steps to address those concerns. Nevertheless, the ICO has failed to take direct enforcement action needed to remedy these breaches. 

"Regulatory ambivalence cannot continue. The ICO is not a silo but is subject to judicial oversight.”

Although the ICO has refrained from taking enforcement action against online advertising companies as part of its investigation, its executive director for technology and innovation Simon McDougall has not ruled this out entirely.

“We are using the intelligence gathered throughout last year to develop an appropriate regulatory response,” he said in Friday's blog post.

Advertisement - Article continues below

“We will continue to investigate RTB. While it is too soon to speculate on the outcome of that investigation, given our understanding of the lack of maturity in some parts of this industry we anticipate it may be necessary to take formal regulatory action and will continue to progress our work on that basis.”

The most effective way for organisations to avoid regulatory scrutiny, he added, is to engage with the ongoing industry reform and to encourage their supply chains to do the same.

While the amount of progress being made was “heartening”, McDougall remains disappointed that some are still ignoring the demands, suggesting the ICO will indeed utilise its wider powers against these companies who fail to reform within the window provided.

The ICO has yet to respond to the ORG's threat of legal action.

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now
Advertisement
Advertisement

Recommended

Visit/policy-legislation/general-data-protection-regulation-gdpr/355337/ico-will-reduce-gdpr-fines-due-to
General Data Protection Regulation (GDPR)

ICO to relax GDPR enforcement during coronavirus economic downturn

16 Apr 2020
Visit/security/privacy/355304/nhs-working-with-apple-google-coronavirus-tracking-app
privacy

The NHS teams up with Apple and Google on coronavirus tracking app

14 Apr 2020
Visit/policy-legislation/data-protection/355250/health-sites-sharing-users-medical-data-with-major-tech
data protection

Health sites are 'unlawfully' sharing medical data with Facebook and Google

7 Apr 2020
Visit/policy-legislation/data-protection/355184/supreme-court-finds-morrisons-was-not-liable-for-2014
data protection

Supreme Court rules Morrisons was not liable for 2014 data breach

1 Apr 2020

Most Popular

Visit/operating-systems/microsoft-windows/355812/microsoft-warns-against-installing-windows-10-may-2020
Microsoft Windows

Microsoft warns users not to install Windows 10's May update

28 May 2020
Visit/security/data-breaches/355777/easyjet-faces-class-action-lawsuit-over-data-breach
data breaches

EasyJet faces class-action lawsuit over data breach

26 May 2020
Visit/security/cyber-security/355797/microsoft-bans-trend-micros-rootkit-buster-from-windows-10
cyber security

Microsoft bans Trend Micro driver from Windows 10 for "cheating" hardware tests

27 May 2020