Press "Enter" to skip to content

Rights Group Sues UK Privacy Regulator in Landmark Case

By Robert Bateman

A digital-rights organization, the Open Rights Group (ORG), is taking the U.K.’s privacy regulator to court over allegations that it has failed to address illegal practices in the digital advertising technology — adtech — industry.

The claim, filed Oct. 21 with the U.K.’s Information Rights Tribunal, follows a complaint first filed with the regulator, the Information Commissioner’s Office (ICO), by ORG Executive Director Jim Killock in September 2018.

The complaint alleged that Google and other tech companies were using people’s personal data illegally, via a process called “real-time bidding” (RTB).

The ICO’s report on the RTB process, published in June 2019, found that the process was “taking place unlawfully,” and that the thousands of U.K. organizations engaged in it were giving “little or no consideration” to the requirements of data-protection law.

However, ORG alleged that the ICO had closed the complaint this past September without taking substantive action to address the issues it uncovered in its investigation.

No hearing date has yet been set in the case.

“Once the industry is told that change is necessary … it will engineer new solutions. But it needs to be told.”

Jim Killock, Open Rights Group.

“The ICO needed to explain that you couldn’t share data in a way that is uncontrolled and invisible to the user, and ends up making their data rights unenforceable,” Killock told Digital Privacy News.

“Once the industry is told that change is necessary … it will engineer new solutions,” he said. “But it needs to be told. Otherwise, it won’t.”

Agency Under Fire

ORG’s case is not the first time the ICO has been accused of failing to enforce privacy law. In August, a coalition of politicians accused the regulator of failing to address multiple privacy-law violations allegedly committed by the U.K. government.

Asked about ORG’s case, an ICO spokesperson told Digital Privacy News: “We are aware of this matter, which will be decided by the tribunal in due course.

“Consideration of concerns we have received forms part of our work on real-time bidding and the adtech industry,” the spokesperson said.

How RTB Works

Lukasz Olejnik, an independent privacy researcher and consultant, explained to Digital Privacy News how the RTB process works.

“RTB involves three parties: the website, the RTB auction operator and the bidders,” Olejnik began.

“RTB is an example of technology not designed with user privacy or transparency in mind.”

Lukasz Olejnik, privacy researcher and consultant.

“When the user is browsing a site (or launching a mobile app, for instance) that subscribes to RTB ads, the operator of the RTB system learns about this visit.

“They then launch an auction, sending information concerning the user to the bidders,” he said.

Asked whether he believed the process was legally compliant, Olejnik said that “RTB is an example of technology not designed with user privacy or transparency in mind.”

“Not only is user data shared in an uncontrolled manner, the winning bidders theoretically have total control over the final information,” he added, “which may mean that users are put at risk of receiving malicious or even harmful content.”

Issues of Authority

Johnny Ryan, senior fellow at the Irish Council of Civil Liberties in Dublin, told Digital Privacy News: “It was inevitable that ICO would be held to account for its failure.

“It was inevitable that ICO would be held to account for its failure.”

Johnny Ryan, Irish Council of Civil Liberties, Dublin. 

“This case also seeks to widen the tribunal’s approach to how it uses its powers,” he said.

To succeed, ORG must show that the tribunal has the authority to consider the outcome of the ICO’s investigation, which could prove to be a controversial point — based on how the court has previously defined its jurisdiction. 

However, Killock believes the law is clear in this regard.

“The decisions of the upper courts have been that people are owed a remedy — and, therefore, (privacy) rights have to be enforceable,” he said.

“So, it’s no good a regulator looking and seeing a problem, and then ignoring it,” Killock continued. “That’s not something that’s open to them.”

David Erdos, senior lecturer in law at the University of Cambridge, agreed.

He explained that the tribunal had, to date, only considered that it could address the procedural aspects of any complaints, such as the timeliness of the ICO’s response.

“My view is that such an understanding is wrong,” Erdos said. 

The case “provides a good opportunity to ask the tribunal to reconceptualize the understanding of its oversight function along these lines.”

David Erdos, University of Cambridge.

Erdos said that, under U.K. law, the tribunal’s duties should also include “ensuring that the ICO takes ‘appropriate steps to respond’ to the complaint itself.

“The appropriateness of response has both procedural and substantive aspects and must be informed by the ICO’s duty — within its resource constraints — to uphold data-protection in line with (European) Court of Justice case law,” Erdos told Digital Privacy News.

“The Open Rights Group’s adtech case provides a good opportunity to ask the tribunal to reconceptualize the understanding of its oversight function along these lines.”

Robert Bateman is a writer in Brighton, U.K.

Sources: