Brave accuses the ICO of ‘falling asleep at the wheel’

The Information Commissioner’s Office (ICO) is being accused of failing to regulate against violations and of understaffing critical divisions, after it demanded that businesses pay their annual data protection fees.

The web browser developer Brave has written to the data regulator to highlight the “disquieting” juxtaposition between demands to pay data protection fees, required under law, and the ICO’s failure to act over real-time bidding (RTB).

Brave first highlighted evidence of potential violations in 2018, as a result of the use of the RTB mechanism in digital advertising. RTB allows online advertisers to compete for available digital space by automatically populating webpages and apps with billions of ads that load depending on the user that accesses the space.

This is in addition to research by Brave, published in April, that showed the ICO had dedicated just 3% of its 680 staff to focus on tech privacy issues, despite being Europe’s largest regulator, and the most expensive to run. The report found the ICO’s budget for 2020 was €61 million (£53.3 million).

“To the best of our knowledge, the ICO has failed to use a single one of its statutory powers to investigate the vast 'real-time bidding' data breach in the thirty months since I blew the whistle to your colleagues,” said chief policy and industry relations officer with Brave Software, Johnny Ryan.

“This is the UK’s largest-ever data breach, and the ICO’s failure to take any concrete statutory action to protect the UK population against it is most alarming.

“This is disquieting, and is hard to reconcile with the ICO’s growing budget, which has doubled in the last two years. Therefore, as you levy the ICO’s annual data protection fee on businesses such as Brave, I urge you to raise these concerns regarding the performance of the ICO with your colleagues.”

The data regulator produced a report in June 2019 confirming suspicions that the AdTech industry, overwhelmingly dominated by Facebook and Google, was violating data protection laws, particularly with regard to RTB.

The privacy-centric campaign organisation Open Rights Group (ORG), which initially co-authored the complaint that spurred the investigation, accused the ICO of proceeding slowly, and not insisting on changes. This is despite “the massive scale of the data breach”.

"The ICO's conclusions are strong and very welcome but we are worried about the slow pace of action and investigation," said the ORG's executive director Jim Killock at the time.

"The ICO has confirmed massive illegality on behalf of the adtech industry. They should be insisting on remedies and fast."

No enforcement action has followed to date with regard to RTB, and in January 2020 the ORG even threatened the ICO with legal action after accusing it of failing to enforce the law.

This was in response to a blog post the ICO published, which said it had been “encouraged” by steps the companies involved had taken, with new principles agreed with the Interactive Advertising Bureau (IAB), a trade association for adtech businesses.

The ICO then published a short statement in May, saying it would pause its investigation into RTB because it did not want to “put undue pressure on any industry at the time”. The statement added that its concerns were still alive and it would restart its work “in the coming months, when the time is right”.

This statement was in keeping with the ICO’s intentions, as laid out the previous month, to adopt a lighter touch to data protection enforcement while organisations weathered the economic effects of COVID-19. This would, in practical terms, translate to a redirection of ICO resources, fewer investigations, and reduced fines where wrongdoing was found.

Brave’s Johnny Ryan highlighted his anxiety at the idea of the ICO demanding fees at a time when it would be suspending at least some of its important investigation and enforcement activities.

“During the coronavirus pandemic our focus continues to be protecting privacy and information rights,” an ICO spokesperson told IT Pro. “We continue to look into every complaint and data breach report, focusing on the information rights issues that are likely to cause the most harm or distress to people and organisations.

“Since 23 March 2020 we have received more than 54,000 calls to our helplines from individuals, businesses and organisations seeking our expert advice and guidance. Our casework teams have continued to assess concerns brought to us by individuals leading to us completing over 6,000 data protection and nearly 700 access to information cases.

“More than 90% of our cases and investigations are ongoing, with the remaining small minority on pause. These are specific cases where progressing regulatory activity may not be possible or appropriate during a global public health emergency.

Keumars Afifi-Sabet
Features Editor
