Blatant abuse of people's private data has become firmly entrenched in the economic model of the free internet ever since Google recognised the value of analysing what people are searching for.
Now vast swathes of the internet are handsomely
funded by the exploitation of people's personal data. But that deep entrenchment clearly makes the issue a bit difficult to put right without bankrupting half of the internet that has come to rely on the process.
The EU hasn't helped with its
ludicrous idea of focusing its laws on companies having to obtain people's consent to have their data exploited. A more practical lawmaker would have simply banned the abuse of personal data without bothering with the silly consent games. But the EU
seems prone to being lobbied and does not often come up with the most obvious solution.
Anyway enforcement of the EU's law is certainly causing issues for the internet censors at the UK's ICO.
The ICO warned the adtech industry 6 months ago
that its approach is illegal and has now announced that it would not be taking any action against the data abuse yet, as the industry has made a few noises about improving a bit over the coming months.
Simon McDougall, ICO Executive Director of
Technology and Innovation has written:
The adtech real time bidding (RTB) industry is complex, involving thousands of companies in the UK alone. Many different actors and service providers sit between the advertisers
buying online advertising space, and the publishers selling it.
There is a significant lack of transparency due to the nature of the supply chain and the role different actors play. Our June 2019 report identified a range of
issues. We are confident that any organisation that has not properly addressed these issues risks operating in breach of data protection law.
This is a systemic problem that requires organisations to take ownership for their own
data processing, and for industry to collectively reform RTB. We gave industry six months to work on the points we raised, and offered to continue to engage with stakeholders. Two key organisations in the industry are starting to make the changes needed.
The Internet Advertising Bureau (IAB) UK has agreed a range of principles that align with our concerns, and is developing its own guidance for organisations on security, data minimisation, and data retention, as well as UK-focused
guidance on the content taxonomy. It will also educate the industry on special category data and cookie requirements, and continue work on some specific areas of detail. We will continue to engage with IAB UK to ensure these proposals are executed in a
Separately, Google will remove content categories, and improve its process for auditing counterparties. It has also recently proposed improvements to its Chrome browser, including phasing out support for third party
cookies within the next two years. We are encouraged by this, and will continue to look at the changes Google has proposed.
Finally, we have also received commitments from other UK advertising trade bodies to produce guidance for
If these measures are fully implemented they will result in real improvements to the handling of personal data within the adtech industry. We will continue to engage with industry where we think engagement will
deliver the most effective outcome for data subjects.
Comment: Data regulator ICO fails to enforce the law
Responding to ICO's announcement today that the regulator is taking minimal steps to enforce the law against massive data breaches taking place in the online ad industry through Real-Time Bidding, complainants Jim Killock and Michael Veale have
called on the regulator to enforce the law.
The complainants are considering taking legal action against the regulator. Legal action could be taken against the ICO for failure to enforce, or against the companies themselves for
their breaches of Data Protection law.
The Real-Time Bidding data breach at the heart of RTB market exposes every person in the UK to mass profiling, and the attendant risks of manipulation and discrimination.
As the evidence submitted by the complainants notes, the real-time bidding systems designed by Google and the IAB broadcast what virtually all Internet users read, watch, and listen to online to thousands of companies, without
protection of the data once broadcast. Now, sixteen months after the initial complaint, the ICO has failed to act.
Jim Killock, Executive Director of the Open Rights Group said:
The ICO is a
regulator, so needs to enforce the law. It appears to be accepting that unlawful and dangerous sharing of personal data can continue, so long as 'improvements' are gradually made, with no actual date for compliance.
Last year the
ICO gave a deadline for an industry response to our complaints. Now the ICO is falling into the trap set by industry, of accepting incremental but minimal changes that fail to deliver individuals the control of their personal data that they are legally
The ICO must take enforcement action against IAB members.
We are considering our position, including whether to take legal action against the regulator for failing to act, or individual
companies for their breach of data protection law.
Dr Michael Veale said:
When an industry is premised and profiting from clear and entrenched illegality that breach individuals'
fundamental rights, engagement is not a suitable remedy. The ICO cannot continue to look back at its past precedents for enforcement action, because it is exactly that timid approach that has led us to where we are now.
Ravi Naik, solicitor acting for the complainants, said:
There is no dispute about the underlying illiegality at the heart of RTB that our clients have complained about. The ICO have agreed with
those concerns yet the companies have not taken adequate steps to address those conerns. Nevertheless, the ICO has failed to take direct enforcement action needed to remedy these breaches.
Regulatory ambivalence cannot continue.
The ICO is not a silo but is subject to judicial oversight. Indeed, the ICO's failure to act raises a question about the adequacy of the UK Data Protection Act. Is there proper judicial oversight of the ICO? This is a critical question after Brexit, when
the UK needs to agree data transfer arrangements with the EU that cover all industries.
Dr. Johnny Ryan of Brave said:
The RTB system broadcasts what everyone is reading and
watching online, hundreds of billions of times a day, to thousands of companies. It is by far the largest data breach ever recorded. The risks are profound. Brave will support ORG to ensure that the ICO discharges its responsibilities.
Jim Killock and Michael Veale complained about the Adtech industry and Real Time Bidding to the UK's ICO in September 2018. Johnny Ryan of Brave submitted a parallel complaint against Google about their Adtech system to the Irish Data
Update: Advertising industry will introduce a 'gold standard 2.0' for privacy towards the end of 2020
The Internet Advertising Bureau UK has launched a new version of what it calls its Gold Standard certification process that will be independently audited by a third party.
In a move to address ongoing privacy concerns with the digital supply chain,
the IAB's Gold Standard 2.0 will incorporate the Transparency and Consent Framework, a widely promoted industry standard for online advertising.
The new process will be introduced in the fourth quarter after an industry consultation to agree on the
compliance criteria for incorporating the TCF.