The Information Commissioner’s Office (ICO) is being accused of failing to regulate against violations as well as understaffing critical divisions, in the wake of demanding businesses pay their annual data protection fees.
The web browser developer Brave has written to the data regulator to highlight the “disquieting” juxtaposition between demands to pay data protection fees, required under law, and the ICO’s failure to act over real-time bidding (RTB).
Brave first highlighted evidence of potential violations in 2018, as a result of the use of the RTB mechanism in digital advertising. RTB allows online advertisers to compete for available digital space by automatically populating webpages and apps with billions of ads that load depending on the user that accesses the space.
This is in addition to research by Brave, published in April, that showed the ICO had dedicated just 3% of its 680 staff to focus on tech privacy issues, despite being Europe’s largest regulator, and the most expensive to run. The report found the ICO’s budget for 2020 was €61 million (£53.3 million).
“To the best of our knowledge, the ICO has failed to use a single one of its statutory powers to investigate the vast ‘real-time bidding’ data breach in the thirty months since I blew the whistle to your colleagues,” said chief policy and industry relations officer with Brave Software, Johnny Ryan.
“This is the UK’s largest-ever data breach, and the ICO’s failure to take any concrete statutory action to protect the UK population against it is most alarming.
“This is disquieting, and is hard to reconcile with the ICO’s growing budget, which has doubled in the last two years. Therefore, as you levy the ICO’s annual data protection fee on businesses such as Brave, I urge you to raise these concerns regarding the performance of the ICO with your colleagues.”
The data regulator produced a report in June 2019 confirming suspicions that the AdTech industry, overwhelmingly dominated by Facebook and Google, was violating data protection laws, particularly with regards to RTB.
The privacy-centric campaign organisation Open Rights Group (ORG), which initially co-authored the complaint that spurred the investigation, accused the ICO of proceeding slowly, and not insisting on changes. This is despite “the massive scale of the data breach”.
“The ICO’s conclusions are strong and very welcome but we are worried about the slow pace of action and investigation,” said the ORG’s executive director Jim Killock at the time.
“The ICO has confirmed massive illegality on behalf of the adtech industry. They should be insisting on remedies and fast.”
No enforcement action has followed to date with regards to RTB, and the ORG in January 2020 even threatened the ICO with legal action after accusing it of failing to enforce the law.
This was in response to a blog post the ICO published highlighting that it has been “encouraged” by steps companies involved have taken, with new principles agreed with the Interactive Advertising Bureau (IAB), a trade association for adtech businesses.
The ICO then published a short statement in May, saying it would pause its investigation into RTB because it did not want to “put undue pressure on any industry at the time”. The statement added that its concerns were still alive and it would restart its work “in the coming months, when the time is right”.
This statement was in keeping with the ICO’s intentions, as laid out the previous month, to adopt a lighter touch to data protection enforcement while organisations weathered the economic effects of COVID-19. This would, in practical terms, translate to a redirection of ICO resources, fewer investigations, and reduced fines where wrongdoing was found.
Brave’s Johnny Ryan highlighted his anxiety at the idea of the ICO demanding fees at a time it would be suspending at least some of its important investigation and enforcement activities.
IT Pro asked the ICO to provide a statement responding to the issues highlighted by Brave.
Preparing for long-term remote working after COVID-19
Learn how to safely and securely enable your remote workforce
Cloud vs on-premise storage: What’s right for you?
Key considerations driving document storage decisions for businesses
Staying ahead of the game in the world of data
Create successful marketing campaigns by understanding your customers better
Solutions that facilitate work at full speed