The Information Commissioner’s Office (ICO) is accused of failing to regulate violations and not staffing critical departments, as demanding companies have to pay their annual data protection fees.
Web browser developer Brave has written to the data regulator to highlight the “unsettling” juxtaposition between the statutory requirements for payment of data protection fees and the ICO’s failure to act via real-time bidding (RTB).
For the first time, Brave highlighted indications of possible violations in 2018 due to the use of the RTB mechanism in digital advertising. RTB allows online advertisers to compete for available digital storage space by automatically filling websites and apps with billions of ads that load depending on the user accessing the storage space.
This is on top of Brave’s research, published in April, which showed the ICO only devoted 3% of its 680 employees to tech privacy issues, despite being Europe’s largest regulator and the most expensive. According to the report, the ICO’s 2020 budget was EUR 61 million (£ 53.3 million).
“To the best of our knowledge, the ICO has not used any of its legal powers to investigate the massive data breach in real time in the thirty months since I blew the whistle to your colleagues,” said Chief Policy and Industry Relations Officer at Brave Software, Johnny Ryan.
“This is the UK’s largest data breach and the ICO’s failure to take concrete legal action to protect the UK population is extremely alarming.
“This is worrying and difficult to reconcile with the growing budget of the ICO, which has doubled over the past two years. So if you are charging the ICO’s annual privacy fee for companies like Brave, I urge you to raise these concerns about the ICO’s performance with your peers. “
The data protection authority prepared a report in June 2019, in which the suspicion was confirmed that the AdTech industry, which is predominantly dominated by Facebook and Google, violates data protection laws, in particular with regard to RTB.
The privacy-driven campaign organization Open Rights Group (ORG), which originally co-authored the complaint that spurred the investigation, accused the ICO of moving slowly and not insisting on changes. This despite “the massive extent of the data breach”.
“The ICO’s conclusions are strong and very welcome, but we are concerned about the slow pace of action and investigation,” said ORG’s then chief executive Jim Killock.
“The ICO has confirmed massive illegality on behalf of the adtech industry. You should insist on remedial action and swift.”
So far, no enforcement action has been taken on RTB, and the ORG even threatened the ICO with legal action in January 2020 after accusing it of failing to enforce the law.
This was in response to a blog post published by the ICO which highlighted that it was “encouraged” by the actions taken by the companies involved. New principles were agreed with the Interactive Advertising Bureau (IAB), a trade association for adtech companies.
The ICO then issued a brief statement in May saying it would suspend its investigation into RTB because it “did not want to put undue pressure on any industry at the time”. The statement added that their concerns remained and that they would resume work “in the coming months when the time is right”.
This statement was in line with the ICO’s stated intentions last month to simplify data protection enforcement while organizations survived the economic impact of COVID-19. In practice, this would result in a diversion of ICO resources, fewer investigations, and lower fines if misconduct is found.
Brave’s Johnny Ryan highlighted his concern over the idea that the ICO would charge fees at a time when at least some of its vital investigative and enforcement activities were suspended.
“During the coronavirus pandemic, our focus remains on protecting data protection and information rights,” an ICO spokesman told IT Pro. “We continue to investigate every complaint and data breach report, focusing on the information rights issues that are likely to cause the most.” Harm or hardship for people and organizations.
“As of March 23, 2020, we have received more than 54,000 calls from individuals, companies and organizations to our helplines seeking our expert advice and guidance. Our casework teams continued to review concerns from individuals that resulted in us having completed more than 6,000 privacy statements and nearly 700 access to information cases.
“More than 90% of our cases and investigations are ongoing, the remaining small minority is on a hiatus. These are special cases where ongoing regulatory action may not be possible or appropriate during a global public health emergency.
The business guide to ransomware
Everything you need to know to keep your business alive
The macroeconomic impact of IBM identity and access management
Cost savings and business benefits from IBM’s professional and managed identity and access management services
The must-have cybersecurity toolkit for SMBs
Practical tips for cybersecurity training
Hybrid cloud trends
Strategies for optimizing the local and public cloud infrastructure