The UK Information Commissioner has today announced that it will be taking no substantive action to end the largest data breach ever recorded in the UK. The “Real-Time Bidding” data breach at the heart of the RTB market exposes every person in the UK to mass profiling, and the attendant risks of manipulation and discrimination. Regulatory ambivalence cannot continue. The longer this data breach festers, the deeper the rot sets in and the further our data gets exploited. This must end. We are considering all options to put an end to the systemic breach, including direct challenges to the controllers and judicial oversight of the ICO.
In September 2018, Dr Johnny Ryan of Brave submitted the same complaint to the Irish Data Protection Commission. On the same day, Jim Killock of the Open Rights Group and Dr Michael Veale of University College London submitted a formal GDPR complaint to the UK Information Commissioner. These complaints included evidence of a vast and systematic data breach at the heart of the online “real-time bidding” advertising industry. In June 2019 the ICO published its interim adtech report, which vindicates our evidence and submissions.
As the evidence submitted by the complainants notes, the real-time bidding systems designed by Google and the IAB broadcast what virtually all Internet users read, watch, and listen to online to thousands of companies, without protection of the data once broadcast. It is by far the largest data breach ever recorded. Now, sixteen months after the initial complaint, the ICO has failed to act.
Jim Killock, Executive Director of Open Rights Group, said “We are considering our position, including whether to take legal action against the regulator for failing to act, or individual companies for their breach of data protection law.”
“Brave will support ORG to ensure that the ICO discharges its responsibilities,” said Dr Johnny Ryan, Chief Policy & Industry Relations Officer of Brave.
Emails obtained by Sam Clark of Global Data Review show that the UK ICO told the industry by email in August 2019 that further fixes to its consent system were “unlikely to be able to tackle issues around information security, processing of SCD [special category data] and re-identification”. Despite this, the IAB proposals, which the ICO believe ‘align with their concerns’ and will ‘result in real improvements to the handling of personal data’, do nothing of substance to address the core issues of systemic insecurity that are inherent to the real-time bidding system they co-ordinate. They are yet another attempt to obtain regulatory blessing for the industry’s decade-long, wilful misinterpretation of the fundamental rights to privacy and data protection — and the ICO is coming dangerously close to accepting the IAB’s version of the rulebook.
Dr Michael Veale said: “When an industry is premised and profiting from clear and entrenched illegality that breach individuals’ fundamental rights, engagement is not a suitable remedy. The ICO cannot continue to look back at its past precedents for enforcement action, because it is exactly that timid approach that has led us to where we are now”.
Ravi Naik, solicitor acting for the complainants, said “There is no dispute about the underlying illegality at the heart of RTB that our clients have complained about. The ICO have agreed with those concerns yet the companies have not taken adequate steps to address those concerns. Nevertheless, the ICO has failed to take direct enforcement action needed to remedy these breaches. Regulatory ambivalence cannot continue. The ICO is not a silo but is subject to judicial oversight. Indeed, the ICO’s failure to act raises a question about the adequacy of the UK Data Protection Act. Is there proper judicial oversight of the ICO? This is a critical question after Brexit, when the UK needs to agree data transfer arrangements with the EU that cover all industries”.