ICO faces legal challenge for failing to deal with personal data complaint

Kingsley Hayes

The Information Commissioner’s Office (ICO) is facing a legal challenge after it decided to close a data protection complaint, allegedly without proper investigation. The dispute relates to a series of RTB (real-time bidding) complaints.

What is RTB?

In simple terms, real-time bidding processes information about users when they are online. It looks at an individual’s data and passes it to an ad exchange, which sells it to the advertiser willing to pay the highest price. The winning company’s advert will then automatically load onto the page the person is viewing. The process happens automatically in less than a second.

However, data subjects (the people the data relates to), often do not know that their data is being used in this way, and that is a real problem.

Who has made the challenge?

A series of complaints have been filed about RTB over the past couple of years. The gist of these complaints is that RTB systems do not comply with the GDPR. And it seemed that the ICO agreed, as it has voiced concerns about the adtech industry’s use of personal data when it comes to RTB.

But despite this, the data protection watchdog has now decided to close an RTB complaint made by Jim Killock, executive director of the Open Rights Group, and Michael Veale, a lecturer in digital rights at the University College London, back in September 2018, without issuing a decision.

Commenting on the matter, the ICO defended its position by saying that it has investigated the matter “to the extent appropriate”. The ICO also said that its investigations have “assisted and informed the ICO’s broader regulatory approach to RTB since September 2018”. 

In response, Killock and Veale have now decided to take legal action against the ICO.

Talking to TechCrunch, Veal said:

“We are taking legal action against the ICO, as we believe that data processing being too complex and illegal is more reason to uphold the law, not less. Individuals can’t currently opt out of online tracking — and the ICO shouldn’t be able to opt out of regulating,”

“After the ICO produced a report in response to the complaint of Jim Killock and myself illustrating just how illegal RTB was, they appear to have concluded the appropriate action was to hold some stakeholder meetings, use none of their powers, and claim that they have discharged their obligations to the complainants to uphold the law. RTB continues to be outrageously illegal.”


Arguing that the complaint had been shut down without any action, Killock and Vale have also expressed concerns that the ICO does not intend to take any future enforcement action against RTB activity, which many complaints have described as the biggest data breach of all time. Earlier this year, Ireland’s data protection watchdog (the DPC) was also criticised for inaction over RTB.

The ICO must take robust action to defend data protection rights

The ICO has shown a willingness to come down hard on companies that breach data protection legislation, with huge fines issued against BA and Marriott, so it is unclear why it is refusing to take decisive action against RTB. 

Indeed, without showing its teeth on this matter, the ICO is effectively giving the adtech industry free rein to carry on with vast add targeting, with people having no idea that their data is being used in this manner. And that is a huge concern as RTB can include sensitive data such as health information, sexual orientation and political affiliation. And, as we all now know, the consequences of using such personal information for ad targeting has become hugely problematic.

The ICO must review this issue to ensure that all personal data processed has the legally valid consent of the data subject as is required under the GDPR.

This article was written by Kingsley Hayes

Contact Keller Postmans UK’s expert data breach lawyers to discuss a data breach.

Share this article: