Complainants call on ICO to take action against adtech sector

The ICO has agreed in substance with the complainants’ points about the insecurity of adtech data sharing. In particular, the ICO states that:

“Processing of non-special category data is taking place unlawfully at the point of collection”

“[The ICO has] little confidence that the risks associated with RTB have been fully assessed and mitigated”

“Individuals have no guarantees about the security of their personal data within the ecosystem”

However the ICO is proceeding very cautiously and slowly, and not insisting on immediate changes, despite the massive scale of the data breach.

Jim Killock said:

“The ICO’s conclusions are strong and very welcome but we are worried about the slow pace of action and investigation. The ICO has confirmed massive illegality on behalf of the adtech industry. They should be insisting on remedies and fast.”

Dr Michael Veale said:

“The ICO has clearly indicated that the sector operates outside the law, and that there is no evidence the industry will correct itself voluntarily. As long as it remains doing so, it undermines the operation and the credibility of the GDPR in all other sectors. Action, not words, will make a difference—and the ICO needs to act now.”

Ravi Naik, solicitor for the complaints and for Dr Johnny Ryan’s simultaneous complaint before the Irish DPC, said:

“Between the ICO’s report and the actions of the DPC, there can no longer be any question; AdTech cannot comply with the GDPR. We welcome the ICO’s findings and look forward to the Commissioner taking concrete steps to prevent further violations of individual rights. It is time for action.”

Contact
For more information and interviews, contact pam@openrightsgroup.org, 07749 785 932.

Notes to Editors

The ICO Report is available here:

https://ico.org.uk/media/about-the-ico/documents/2615156/adtech-real-time-bidding-report-201906.pdf

The ICO concludes:

Overall, in the ICO’s view the adtech industry appears immature in its understanding of data protection requirements. Whilst the automated delivery of ad impressions is here to stay, we have general, systemic concerns around the level of compliance of RTB:

  • Processing of non-special category data is taking place unlawfully at the point of collection due to the perception that legitimate interests can be used for placing and/or reading a cookie or other technology (rather than obtaining the consent PECR requires).
  • Any processing of special category data is taking place unlawfully as explicit consent is not being collected (and no other condition applies). In general, processing such data requires more protection as it brings an increased potential for harm to individuals.
  • Even if an argument could be made for reliance on legitimate interests, participants within the ecosystem are unable to demonstrate that they have properly carried out the legitimate interests tests and implemented appropriate safeguards.
  • There appears to be a lack of understanding of, and potentially compliance with, the DPIA requirements of data protection law more broadly (and specifically as regards the ICO’s Article 35(4) list). We therefore have little confidence that the risks associated with RTB have been fully assessed and mitigated.
  • Privacy information provided to individuals lacks clarity whilst also being overly complex. The TCF and Authorized Buyers frameworks are insufficient to ensure transparency and fair processing of the personal data in question and therefore also insufficient to provide for free and informed consent, with attendant implications for PECR compliance.
  • The profiles created about individuals are extremely detailed and are repeatedly shared among hundreds of organisations for any one bid request, all without the individuals’ knowledge.
  • Thousands of organisations are processing billions of bid requests in the UK each week with (at best) inconsistent application of adequate technical and organisational measures to secure the data in transit and at rest, and with little or no consideration as to the requirements of data protection law about international transfers of personal data.
  • There are similar inconsistencies about the application of data minimisation and retention controls.
  • Individuals have no guarantees about the security of their personal data within the ecosystem.

FixAdTech campaign website https://fixad.tech/about/ includes the complaints and details of other complaints made across the EU.

The complaints are being made by Dr Gemma Galdon Clavell (Eticas Foundation) and Diego Fanjul (Finch), David Korteweg (Bits of Freedom), Dr Jef Ausloos (University of Amsterdam), Pierre Dewitte (University of Leuven), Jose Belo (Exigo Luxembourg), Katarzyna Szymielewicz, President of the Panoptykon Foundation, Jim Killock, Executive Director of the Open Rights Group, Dr Michael Veale of University College London, and Dr Johnny Ryan of Brave, the private web browser. The complainants in Ireland and in the UK have instructed Ravi Naik, Partner at ITN Solicitors.
––