It has been over two years since the UK data protection watchdog warned the behavioral advertising industry that it is wildly out of control.
The ICO has not done anything stop the systematic illegality of the tracking and targeting industry that abuses the personal data of Internet users to try to manipulate their attention, not in terms of enforcing the law against offenders and stopping what rights defenders have described how the biggest data breach in history.
In fact, it is being Defendant for inaction against the misuse of personal data from real-time tenders by the plaintiffs who filed a petition on the matter since September 2018.
But today UK (outgoing) information commissioner Elizabeth Denham published a opinion – in which he warns the industry that his old illegal tricks just won’t work in the future.
New advertising methods must comply with a set of what she describes as “clear data protection standards” to safeguard people’s privacy online, she writes.
Among the privacy and data protection “expectations” that Denham suggests he wants to see in the next wave of online advertising technologies are:
• design data protection requirements by default in the initiative design;
• offer users the option to receive ads without tracking, profiling or targeting based on personal data;
• be transparent about how and why personal data is processed across the ecosystem and who is responsible for that processing;
• articulate the specific purposes for the processing of personal data and demonstrate how it is fair, legal and transparent;
• Address existing privacy risks and mitigate any new privacy risks that your proposal presents.
Denham says the purpose of the opinion is to provide “greater regulatory clarity” as new ad technologies are developed, and further specifies that it appreciates the efforts they propose:
• move away from current online tracking methods and profiling practices;
• improve transparency for individuals and organizations;
• reduce frictions in the online experience;
• provide individuals with meaningful control and choices over the processing of device information and personal data;
• ensure that valid consent is obtained when necessary;
• ensure that there is demonstrable responsibility throughout the supply chain;
The timing of the opinion is interesting, given the looming decision by Belgium’s data protection agency on a flagship consent-gathering tool from the ad industry. (And the UK’s current data protection rules share the same foundation as the rest of the EU, as the country transposed the General Data Protection Regulation into national law before Brexit.)
Earlier this month IAB Europe has warned that it expects to be found in violation of the EU General Data Protection Regulation, and that its so-called ‘transparency and consent’ framework (TCF) has failed to achieve any of the things claimed on the tin.
But this is also just the last ICO ‘reform’ missive to ad tech breaking the rules.
And Denham is simply reiterating the requirements that stem from the standards that already exist in UK law, and would not need to reiterate if his office had enforced the law against adtech infringements. But this is the regulation dance that she has preferred.
This latest salvo from ICO looks more like an attempt by the outgoing commissioner to claim credit for broader industry changes as he prepares to step down, such as Google’s slow-motion shift towards phasing out third-party cookie support (also known as the ‘Privacy Sandbox’ proposal, which is actually a response to evolving web standards, such as competing browsers creating privacy protections; growing consumer concern about online tracking, and data breaches; and a huge increase in lawmakers’ attention on digital matters) – of what moving the needle on illegal tracking is all about.
If Denham had wanted to do that, he could have taken actual enforcement action long ago.
Instead, the ICO has opted, at best, for a biased comment on the problem of systematic compliance with embedded technology. And, essentially, stay on the sidelines while the gap continues; and hope / hope for future fulfillment.
However, changes are possible regardless of regulatory inaction.
And in particular, Google’s ‘Privacy Sandbox’ proposal (which claims that ‘privacy-safe’ ad targeting of user cohorts, rather than microtargeting of individual web users) receives a significant call in comments from the ICO, with Denham’s office writing in a Press release which is: “Currently, one of the most significant proposals in the online advertising space is the Google Privacy Sandbox, which aims to replace the use of third-party cookies with alternative technologies that still allow targeted digital advertising.”
“The ICO has been working with the Competition and Markets Authority (CMA) to review how Google’s plans will protect people’s personal data while supporting the CMA’s mission to ensure competition in digital markets. “continues the ICO, giving a nod to ongoing regulatory oversight, led by the UK’s competition watchdog, which has the power to prevent Google’s privacy sandbox from being implemented – and therefore to prevent Google from phasing out support for tracking cookies in Chrome – if the CMA decides that the tech giant cannot do so in a way that meets competition and privacy criteria.
Therefore, this reference is also a nod to a dilution of the ICO’s own regulatory influence in a core realm related to ad tech, one that has a market reform significance and scale.
The back story here is that the UK government has been working on competition reform that will bring tailored rules for platform giants it is considered to have “strategic market status” (and thus the power to harm digital competition); with a dedicated Digital Markets Unit already established and operating within the CMA to lead the work (but which is yet to be enabled by incoming UK legislation).
So the question of what happens to ‘old school’ regulatory silos (and narrow-focus regulatory specialties) is key to our data-driven digital age.
Greater cooperation between regulators such as the ICO and the CMA may give way to oversight that is even more convergent or even merged, to ensure that powerful digital technologies do not fall between regulatory cracks and thus that the ball does not get caught. drop so dramatically on vital issues. like future ad tracking.
Intersectional digital surveillance FTW?
As for the ICO itself, there is an important additional caveat to the effect that Denham is not only on the verge of disappearing (ergo, his “opinion” naturally has a short shelf life), but UK government is busy consulting on ‘reforms’ to UK data protection rules.
Such reforms could see a significant degradation of national privacy and data protection; and even legitimize abusive ad tracking, if ministers, who seem more interested in empty sound bites (about removing barriers to “innovation”), end up abandoning legal requirements to ask internet users for their consent to do things like track them down and profile them in the first place, according to some of the proposals.
So the next UK information commissioner, John edwards, you may have a very different set of ‘data rules’ to apply.
And, if that’s the case, Denham, in his roundabout way, will have helped produce sliding standards.