Privacy experts slam UKs disastrous failure to tackle unlawful adtech

The UKs data protection regulator has been slammed by privacy experts for once again failing to take enforcement action over systematic breaches of the law linked to behaviorally targeted ads despite warning last summer that the adtech industry is out of control.
The Information Commissioners Office (ICO) has also previously admitted it suspects the real-time bidding (RTB) system involved in some programmatic online advertising to be unlawfully processing peoples sensitive information. But rather than take any enforcement against companies it suspects of law breaches it has today issued another mildly wordedblog post in which it frames what it admits is a systemic problem as fixable via (yet more) industry-led reform.
Yet its exactly such industry-led self-regulation thats created the unlawful adtech mess in the first place, data protection experts warn.
The pervasive profiling of Internet users by the adtech data industrial complex has been coming under wider scrutiny by lawmakers and civic society in recent years with sweeping concerns being raised in parliaments around the world that individually targeted ads provide a conduit for discrimination, exploit the vulnerable, accelerate misinformation and undermine democratic processes as a consequence of platform asymmetries and the lack of transparency around how ads are targeted.
In Europe, which has a comprehensive framework of data protection rights, the core privacy complaint is that these creepy individually targeted ads rely on a systemic violation of peoples privacy from what amounts to industry-wide, Internet-enabled mass surveillance which also risks the security of peoples data at vast scale.
Its now almost a year and a half since the ICO was the recipient of a major complaint into RTB filed by Dr Johnny Ryan ofprivate browser Brave; Jim Killock, director of theOpen Rights Group; and Dr Michael Veale, a data and policy lecturer at University College London laying out what the complainants described then as wide-scale and systemic breaches of Europes data protection regime.
The complaint which has also been filed with other EU data protection agencies agues that the systematic broadcasting of peoples personal data to bidders in the adtech chain is inherently insecure and thereby contravenes Europes General Data Protection Regulation (GDPR), whichstipulates that personal data be processed in a manner that ensures appropriate security of the personal data.
The regulation also requires data processors to have a valid legal basis for processing peoples information in the first place and RTB fails that test, per privacy experts either if consent is claimed (given the sheer number of entities and volumes of data being passed around, which means its not credible to achieve GDPRs informed, specific and freely given threshold for consent to be valid); or legitimate interests which requires data processors carry out a number of balancing assessment tests to demonstrate it does actually apply.
We have reviewed a number of justifications for the use of legitimate interests as the lawful basis for the processing of personal data in RTB. Our current view is that the justification offered by organisations is insufficient, writes Simon McDougall, the ICOs executive director of technology and innovation, developing a warning over the industrys rampant misuse of legitimate interests to try to pass off RTBs unlawful data processing as legit.
The ICO also isnt exactly happy about what its found adtech doing on the Data Protection Impact Assessment front saying, in so many words, that its come across widespread industry failure to actually, er, assess impacts.
The Data Protection Impact Assessments we have seen have been generally immature, lack appropriate detail, and do not follow the ICOs recommended steps to assess the risk to the rights and freedoms of the individual, writes McDougall.
We have also seen examples of basic data protection controls around security, data retention and data sharing being insufficient, he adds.
Yet again despite fresh admissions of adtechs lawfulness problem the regulator is choosing more stale inaction.
In the blog post McDougall does not rule out taking formal action at some point but theres only a vague suggestion of such activity being possible, and zero timeline for develop[ing] an appropriate regulatory response, as he puts it. (His preferred E word in the blog is engagement; youll only find the word enforcement in the footer link on the ICOs website.)
We will continue to investigate RTB. While it is too soon to speculate on the outcome of that investigation, given our understanding of the lack of maturity in some parts of this industry we anticipate it may be necessary to take formal regulatory action and will continue to progress our work on that basis, he adds.
McDougall also trumpets some incremental industry fiddling such as trade bodies agreeing to update their guidance as somehow relevant to turning the tanker in a fundamentally broken system.
(Trade body the Internet Advertising Bureaus UK branch has responded to developments with an upbeat note from its head of policy and regulatory affairs, Christie Dennehy-Neil, who lauds the ICOs engagement as a constructive process, claiming: We have made good progress before going on to urge its members and the wider industry to implement the actions outlined in our response to the ICO and deliver meaningful change. The statement climaxes with: We look forward to continuing to engage with the ICO as this process develops.)
McDougall also points to Google removing content categories from its RTB platform from next month (a move it announced months back, in November) as an important development; and seizes on the tech giants recent announcement of a proposal to phase out support for third party cookies within the next two years as encouraging.
Privacy experts have responded with facepalmed outrage to yet another can-kicking exercise by the UK regulator warning that cosmetic tweaks to adtech wont fix a system thats designed to feast off an unlawful and inherently insecure high velocity background trading of Internet users personal data.
When an industry is premised and profiting from clear and entrenched illegality that breach individuals fundamental rights, engagement is not a suitable remedy, said UCLs Veale in a statement. The ICO cannot continue to look back at its past precedents for enforcement action, because it is exactly that timid approach that has led us to where we are now.

ICO believes that cosmetic fixes can do the job when it comes to #adtech. But no matter how secure data flows are and how beautiful cookie notices are, can people really understand the consequences of their consent? I'm convinced that this consent will *never* be informed. 1/2
Karolina Iwanska (@ka_iwanska) January 17, 2020
See also:
Leave a comment
  • Latest
  • Read
  • Commented
Calendar Content