ICO faces legal action over alleged failure to address illegal data sharing

The ICO agreed that the AdTech industry had violated the GDPR but says that a tribunal will decide the matter 'in due course'

Privacy advocates at the Open Rights Group (ORG) have filed a legal challenge against the UK's privacy regulator, the Information Commissioner's Office (ICO), over its alleged failure to stop unlawful practices by the AdTech industry.

Jim Killock, executive director of ORG, and Michael Veale, a lecturer in digital rights at University College London, filed the challenge.

According to the ORG, Killock and Veale made a complaint to the ICO in September 2018 about systemic GDPR breaches by the AdTech industry and the Internet Advertising Bureau (IAB).

Multiple complaints on the same issue have also been filed with other regulators across Europe over the past two years.

The bottom line of all the complaints is that the AdTech industry's real-time bidding (RTB) auction system cannot comply with the GDPR's requirements for companies to provide proper security for people's data.

Responding to Killock's and Veale's complaint in 2018, the ICO ordered a probe and found that there were indeed many systemic issues with industry practices, such as the sharing of users' browsing history and personal information without any control over who is allowed to access people's personal data. The regulator said that it was concerned over the industry's use of personal data in the RTB component of programmatic advertising.

Simon McDougall, deputy commissioner at the ICO, also stated last year that the AdTech industry needs to correct its practices, such as the lack of clear consent for the processing of special category data.

However, despite identifying these GDPR breaches, the ICO announced earlier this year that it would 'pause' its ongoing investigation due to the coronavirus pandemic. The ORG now claims that the ICO has completely wrapped up its investigation, without taking any appropriate action against the wrongdoers.

"We are determined to ensure that the law is enforced even when the regulator can't be bothered to protect our rights and liberties," Killock said in a statement.

Veale commented: "The ICO is expected to protect individuals against complex misuses of their sensitive data by entire industries acting outside the law, not just the simple, low-hanging fruit it can easily enforce against. This lawsuit is about stopping the ICO sweeping the most difficult cases under the carpet. AdTech isn't simple — but dealing with illegal AdTech is the ICO's job."

In a statement, the ICO said: "We are aware of this matter, which will be decided by the Tribunal in due course. Consideration of concerns we have received forms part of our work on real time bidding and the AdTech industry."

The legal challenge from the ORG comes more than seven months after privacy-focused web browser Brave filed an official complaint with the Irish Data Protection Commission (DPC), alleging that Google was infringing the "purpose limitation" principle of the EU's GDPR.

In its complaint, Brave said that Google's privacy policy "does not transparently and explicitly specify the purposes for which the data is collected and processed", which violates Article 5(1)b of the GDPR.

In addition to the Irish DPC, a complaint on behalf of Dr Johnny Ryan, Brave's chief policy and industry relations officer, was sent to the European Commission, the UK Competition & Markets Authority, Germany's Bundeskartellamt, and the French Autorité de la concurrence.

Ryan described Google's privacy policies as "vague and unspecific", and added that the company's practice of restricting details about how it uses the collected information is an example of bad practice.