On Friday the Information Commissioner's Office’s lead investigator on real-time bidding, executive director for technology and innovation Simon McDougall, signalled that the body would not bring enforcement action against Google and the Interactive Advertising Bureau.
The ICO warned it would use its regulatory powers against those in the adtech industry that "ignored the window of opportunity to engage and transform", but McDougall accepted moves by the IAB to educate the industry on special category data (which contains sensitive information about internet users), and accepted that Google will remove content categories and improve its auditing process.
This is despite the ICO confirming last November that special category data, which includes information about users such as their sexual orientation or political affiliation, was being directly processed without explicit consent.
Google and the IAB are responsible for the standards that underpin RTB, the programmatic ad tech market in which ad impressions are sold within nanoseconds based on the data held about web users. Sensitive category data, such as political beliefs and reproductive health, are tracked and broadcast via RTB, but Google and the IAB say these categories are not tracked against individual people.
The ICO is the UK’s watchdog for Europe’s General Data Protection Regulation and has the power to fine companies up to 4% of their global turnover for serious data breaches. However, such sanctions are normally imposed on individual companies. Taking action against the entire system of open-market bidding for ad impressions is a much larger and more complicated undertaking.
McDougall’s article last week prompted outcry from the privacy experts who lodged complaints about RTB well over a year ago, such as the Brave browser’s chief policy and industry relations officer Johnny Ryan and UCL lecturer Michael Veale, who said: "When an industry is premised and profiting from clear and entrenched illegality that breaches individuals’ fundamental rights, engagement is not a suitable remedy. The ICO cannot continue to look back at its past precedents for enforcement action, because it is exactly that timid approach that has led us to where we are now."
Privately, industry sources have suggested that the ICO has opted for the "middle of the road" option. This is despite industry warnings last May that the regulator would start to show its teeth as the GDPR had then been in force for one year.
Ryan tells Campaign that the industry has been aware of these issues for years and that there is no excuse for the ICO to continue dragging its feet on enforcement, given that it received formal evidence of "incontrovertible wrongdoing" 16 months ago.
"The [ICO] blog post says ‘we're seeing genuine engagement from the industry, the IAB and Google'. That’s patently a misinterpretation of what we’re seeing… this is the biggest data breach the UK has ever had.
"We expected when they announced what they were doing [in their report findings update in November] - that step would be banning processing and maybe fines (although fines are less important than the processing themselves). We thought they would go into ad exchanges and data management platforms and demand the deletion of data. They have the power to do that."
Ryan warns that Brave and its fellow complainants are now considering legal action, as well as other options that would "compel the regulator to enforce the law".
"This industry has known about this for so long. I used to be a member of IAB Tech Lab and was saying this from the inside," he adds.
He also rejects the idea that the ICO is compromising, arguing that the harm associated with such a widespread data breach is massive and that the ad tech players involved are operating without proper checks and balances.
"We’re at this moment that is similar to other industries: it’s like the medical industry was in the Middle Ages – there was nothing, people in barber shops with rusty blades. Then the enlightenment happens and in the 1800s there are standards and guilds, you have sanitation and electricity. Now if you want to operate on someone, you have to do it in a hospital – if you haven’t got a hospital you can go away – tough. It’s called professionalisation."
The ICO’s response to these criticisms, meanwhile, is framed as a reminder that this is a complex issue.
McDougall tells Campaign: "There are thousands of companies involved in the adtech eco-system and at this stage the issues raised involve the entire industry. We stand ready to deal with the problems but it is a hugely complex area. As a pragmatic regulator, we have a duty to build a thorough and robust case for any regulatory action we may decide to take, and all of this takes time.
"We are using the intelligence gathered throughout last year to develop an appropriate regulatory response and we continue to investigate real-time bidding. It may be necessary to take formal regulatory action and we will continue to progress our work on that basis."
Meanwhile, the IAB UK says it is "pleased" that the ICO is recognising the work that the industry has done to date and the further work to which it has committed.
Christie Dennehy-Neil, head of policy and regulatory affairs at the IAB UK, says: "We have made good progress, but what matters now is the outcome. Implementing the actions outlined in our response to the ICO needs our members and the wider industry to work with us and be willing to take action where necessary to deliver meaningful change. We look forward to continuing to engage with the ICO as this process develops."
The apparent change in tone from the ICO also surprises Damon Reeve, chief executive of the Ozone Project, the digital publishing joint venture representing major UK news publishers Reach, News UK, The Guardian and Telegraph Media Group.
Reeve tells Campaign: "We expected a slightly firmer position from the ICO… What was missing from Simon’s blog post was anything of real substance. There’s been a lot of discussion and maybe they’re looking to see more action off the back of that.
"It doesn’t really change anything that we’re already on the path to doing. At Ozone we are being fairly proactive in the decisions we’re making to reduce the risks around the processing of data."
Reeve agrees about the need for a balanced approach: "The right thing for them to do is facilitate change through those organisations. If everyone is in good faith doing the right thing, that must be the best way for them to move in the right direction. Unless individual companies are being fraudulent and going against the industry grain, it makes sense to support competition through that process."
However, there may be events going on behind the scenes of the ICO that are having an impact on this investigation.
Last week the law firm Mishcon de Reya spotted that the watchdog had effectively decided to delay imposing £282m worth of fines on Marriott and British Airways. The US hotel chain and UK airline had both been found to have committed significant data breaches in 2018 under the GDPR and had been fined £99m and £183m respectively.
Mishcon's data protection adviser, Jon Baines, told The Register that he suspected both companies had deployed similar legal arguments to Facebook when it fought back against a Cambridge Analytica-linked fine and ended up being fined £500,000.
The suspicion is that the ICO’s internal procedures are being challenged and it could be that the watchdog is not feeling as confident as it was last June, or is simply too stretched in terms of its resources to fight so many battles at the same time.