ICO sued over ‘failure’ to address ad industry practices

The Open Rights Group (ORG) is to take the UK’s Information Commissioner’s Office (ICO) to court over allegations that the regulator has failed to put an end to unlawful practices by the digital advertising technology (adtech) industry, which it says routinely breaches the General Data Protection Regulation (GDPR).

The action stems from the outcome of a previous complaint made by the group’s executive director, Jim Killock, and Michael Veale, a lecturer in digital rights and regulation at University College London (UCL) in September 2018, claiming systemic breaches of the GDPR by adtech operators, focusing on the role of the sector’s trade body, the Internet Advertising Bureau (IAB).

The ICO’s subsequent investigation did indeed identify widespread problems within the adtech industry, identifying unlawful practices such as the collection and sharing of people’s internet browsing histories without any control over who is able to access such data. However, after a pandemic-related delay, the ICO closed the investigation in September 2020 “without taking any substantive action”.

“The adtech industry has driven a coach and horses through the GDPR and the ICO’s own investigation has highlighted widespread systemic abuses in the adtech industry practices,” said Killock. “But instead of taking action against, it has decided to close the investigation.

“We are determined to ensure that the law is enforced, even when the regulator can’t be bothered to protect our rights and liberties.”

Veale, who besides his academic work, sits on the ORG’s advisory council, added: “The ICO is expected to protect individuals against complex misuses of their sensitive data by entire industries acting outside the law, not just the simple, low-hanging fruit it can easily enforce against.

“This lawsuit is about stopping the ICO sweeping the most difficult cases under the carpet. Adtech isn’t simple – but dealing with illegal adtech is the ICO’s job.”

Ravi Naik, legal director of data rights agency AWO, who is acting on behalf of Killock and Veale, said: “Our clients simply want to the ICO to act to prevent widespread and systemic abuses of human rights – abuses that the ICO has acknowledged occur. Rather than take steps to address those problems, the ICO has acted against our clients and closed their complaints because our clients asked them to take action.

“This appalling state of affairs has left our clients with little option than to take the commissioner to the tribunal. That the commissioner is being taken to the tribunal because of a refusal to act to protect our rights speaks volumes about the commissioner’s record.”

An ICO spokesperson said: “We are aware of this matter, which will be decided by the tribunal in due course.

“Consideration of concerns we have received forms part of our work on real-time bidding and the adtech industry.”

Meanwhile, a separate court case implicating the adtech industry in widespread breaches of data protection rules and regulations moved forward this week with the filing of a High Court action in England and Wales against software giants Oracle and Salesforce.

The class action lawsuit, led by privacy campaigner and data protection specialist Rebecca Rumbul, is seeking damages in excess of £10bn for the improper collection and use of internet browser data.