The UK data protection commissioner has been criticized by data protection experts for failing to take enforcement action for systematic violations of the law in connection with behavioral advertisements – despite last summer's warning that the ad tech industry had gotten out of control.
The Information Commissioner's Office (ICO) previously admitted that it suspected the real-time bidding (RTB) system used in some programmatic online advertising of illegally processing people's most sensitive information. But instead of taking action against companies suspected of violating the law, today it has published another mildly worded blog post in which it presents what it admits is a "systemic problem" as something that can (still) be remedied by more "reform" carried out by the industry.
But it is precisely this self-regulation carried out by industry that, in the opinion of data protection experts, has primarily led to the illegal adtech mess. The "data industry complex" has been subjected to a broader examination by lawmakers and civil society in recent years. Serious concerns have been voiced in parliaments around the world that customized ads are a way to discriminate, take advantage of vulnerabilities, accelerate misinformation, and undermine democratic processes as a result of platform asymmetries and lack of transparency in how ads are targeted.
In Europe, which has a comprehensive framework of data protection rights, the main privacy complaint is that these creepy, individually targeted ads are based on a systematic violation of people's privacy, amounting to industry-wide, internet-enabled mass surveillance that also puts the security of personal data at great risk.
It has been almost a year and a half since the ICO received a major complaint about RTB – submitted by Dr. Johnny Ryan of the private browser Brave; Jim Killock, director of the Open Rights Group; and Dr. Michael Veale, a lecturer in data and politics at University College London – setting out what the complainants at the time described as "far-reaching and systematic" violations of the European data protection regime.
The complaint – which was also filed with other EU data protection authorities – argues that the systematic disclosure of personal data to bidders in the adtech chain is inherently unsafe and thus violates the European General Data Protection Regulation (GDPR), which stipulates that personal data is processed in a manner that ensures adequate security of the personal data.
The regulation also stipulates that data processors must have a valid legal basis for the processing of personal data – and RTB does not pass this test, according to data protection experts, whether the basis claimed is consent (given the sheer number of entities and amounts of data being passed around, it is not credible that it meets the GDPR's 'informed, specific and freely defined' threshold for the validity of consent) or 'legitimate interests', for which data processors must carry out a series of balancing tests to demonstrate that it actually applies.
"We checked a number of reasons for using legitimate interests as a legitimate basis for the processing of personal data in RTB. We believe that the justification offered by organizations is insufficient," writes Simon McDougall, Executive Director for Technology and Innovation at the ICO, warning of the industry's rampant abuse of legitimate interests to try to pass off RTB's illegal data processing as legitimate.
The ICO is also not exactly happy with what adtech has done in the area of data protection impact assessment – saying, in so many words, that the industry has failed to actually assess the impact.
"The data protection impact assessments that we have seen have generally been immature, there is a lack of appropriate details and they do not follow the steps recommended by the ICO to assess the risk to the rights and freedoms of individuals," writes McDougall.
"We also have examples of basic data protection controls related to security, data retention and data sharing that are inadequate," he adds.
The supervisory authority is responding to this new knowledge about adtech's legality problem with more tedious inaction.
In the blog post, McDougall does not rule out taking "formal" measures at some point. However, there is only a vague indication that such activity is possible, and no schedule for "develop[ing] an adequate regulatory response", as he puts it. (His favorite "E" word on the blog is "engagement". The word "enforcement" can only be found in the footer link on the ICO website.)
"We will continue to investigate RTB. Although it is too early to speculate on the outcome of this investigation, given the lack of maturity in some parts of this industry, we believe formal regulatory action will need to be taken and will continue to advance our work on that basis," he added.
McDougall also trumpets some incremental fumbling in industry – such as trade organizations that are willing to update their guidelines – as somehow relevant to turning the tanker around in a fundamentally broken system.
(The British branch of trade organization the Internet Advertising Bureau responded to the developments with an optimistic comment from Christie Dennehy-Neil, its Head of Policy and Regulatory Affairs, who praised the ICO's commitment as a "constructive process" and said: "We have made good progress", before going on to push members and the broader industry to "implement the actions outlined in our response to the ICO" and "bring about meaningful change." The statement culminates in: "… continuing to work with the ICO as this process progresses.")
McDougall also points out that Google will be removing content categories from its RTB platform next month (a move it announced in November), and seizes on the technology giant's recent announcement concerning support for third-party cookies within the next ten years as "encouraging".
Data protection experts responded to the UK regulator's latest move by warning that cosmetic changes to adtech won't fix a system that is designed around inadmissible and inherently unsafe high-speed background trading in internet users' personal data.
"When an industry is presumed and engagement is not an appropriate way to benefit from the clear and rooted illegality that violates fundamental rights of the individual," said Veale of the UCL in a statement. "The ICO cannot look back on its previous enforcement precedents because this shy approach has led us to where we are now."
The trio behind the RTB complaints (including Veale) has also released a devastating collective response to more "regulatory ambivalence" – condemning the failure to take "substantial action to end the largest data breach ever recorded in the UK".
"The 'Real-time bidding' data breach in the heart of the RTB market makes everyone in the UK visible to mass profiles and the associated manipulation and discrimination risks," they warn. "The regulatory ambivalence cannot persist. The longer this data breach lasts, the deeper the putrefaction and the more our data is exploited. That must end. We are considering all options to end the system violation, including direct challenges for the inspectors and the judicial supervision of the ICO."
Wolfie Christl, a data protection researcher who focuses on adtech – including contributing to a recent study on how very popular apps exchange user data with advertisers – described the ICO's response as "catastrophic".
"Last summer the ICO said in its report that millions of people were affected by the GDPR violations of thousands of companies. I was skeptical when they announced they would give the industry six months to go without enforcing the law. My impression is that they are trying to find a way to make cosmetic changes and make the data industry happy, instead of responding to their own insights and ending the ubiquitous data misuse in today's digital marketing that should have happened years ago. The ICO seems to give priority to appeasing the industry over the rights of data subjects, and this is catastrophic."
"The way data-driven online marketing currently works is illegal on a large scale and must be prevented," added Christl. "Every day, EU data protection authorities allow these practices to continue to violate human rights and freedoms and maintain a toxic digital economy.
"This undermines GDPR and, in general, trust in technology, creates legal uncertainty for businesses and punishes companies that adhere to and create data protection services and business models.
"Twenty months after the GDPR came into force, it is still not being enforced in important areas. We are still seeing widespread misuse of personal information across the digital world. There is no enforcement of the GDPR against the technology giants and there is no enforcement against thousands of data companies outside of the big platforms. It appears that data protection authorities across the EU are unable or unwilling to stop many types of GDPR violations that are carried out for business purposes. Nothing will change without massive fines and data processing bans. The EU Member States and the EU Commission must act."