UK Privacy Watchdog Pauses Adtech Probe Amid Covid-19

By Ben Kochman
Law360 is providing free access to its coronavirus coverage to make sure all members of the legal community have accurate information in this time of uncertainty and change. Use the form below to sign up for any of our weekly newsletters. Signing up for any of our section newsletters will opt you in to the weekly Coronavirus briefing.

Sign up for our Technology newsletter

You must correct or enter the following before you can sign up:

Select more newsletters to receive for free [+] Show less [-]

Thank You!

Law360 (May 7, 2020, 9:07 PM EDT) -- The U.K.'s data protection agency has paused a closely watched probe into whether online advertisers' broadcasting of web users' personal data tied to targeted ads breaches EU privacy laws, citing pressure businesses are facing during the COVID-19 pandemic.

The Information Commissioner's Office said Thursday that it will take a break from its investigation into complaints lodged over the digital ad industry's practice of sending consumers' personal information to dozens of other companies in order to solicit ad bids, in a process known as real-time bidding. Privacy advocates have argued that the bid requests from Google and other digital advertisers violate data security rules in Europe's General Data Protection Regulation, which boosted EU privacy regulators' enforcement powers when it took effect in May 2018.

European privacy regulators have the right under the GDPR to fine companies up to €20 million or 4 percent of the company's annual revenue for alleged infringements of the privacy regime. But the ICO's office and its commissioner, Elizabeth Denham, say the agency is temporarily shifting its priorities away from the online advertising, or adtech, industry, due to both increased pressure on businesses during the coronavirus pandemic and privacy concerns that have arisen in recent months.

"It is not our intention to put undue pressure on any industry at this time, but our concerns about adtech remain, and we aim to restart our work in the coming months, when the time is right," Denham's office said in the statement.

Denham went into more detail on the ICO's "reshaped" enforcement strategy during the pandemic in a blog post published Tuesday.

"My office's role is to be both an enabler and a protector," Denham wrote in the post, adding that the agency "must reflect the requirements and reality of those we regulate" during COVID-19.

The ICO's top priority right now is "responding to the immediate privacy and information rights risks, issues and opportunities presented by COVID-19 in order to support frontline workers and protect the public," including by "identifying and taking action against those seeking to use or obtain personal data unlawfully or inappropriately" during the pandemic, Denham wrote.

The regulator's investigation into the adtech industry was spawned by complaints lodged starting in September 2018 from privacy advocates including the privacy-focused web browser Brave Software, which competes with Google's Chrome browser.

The complaints allege that real-time bidding violates Article 5 of the GDPR, which requires that personal data belonging to EU data subjects be "processed in a manner that ensures appropriate security of the personal data." Google and other ad-tech companies have failed to meet this standard because they can't ensure the security of individuals' personal data when it's openly broadcast to third parties outside of their control, the complaints allege.

Johnny Ryan, Brave's chief policy officer, said in an email Thursday that the ICO, by putting off the probe, is "refusing to use its powers to end the biggest data breach that UK citizens have ever experienced."

"Even though illegality is not in dispute, the ICO is unable, or unwilling, to act against egregious GDPR online infringements," Ryan said.

Brave also filed a complaint with the European Commission last month claiming that the GDPR is at risk of becoming toothless because regulators lack adequate resources to police tech giants. The complaint criticizes the U.K. privacy regulator, which, at €61 million in 2020, has by far the largest budget of any EU privacy enforcer, for devoting only 3 percent of its staff to "tech specialists." Privacy enforcers in Spain and France each have larger tech specialist teams than the ICO does despite having smaller budgets overall, Brave's report claims. 

Representatives for Google did not immediately respond Thursday to a request for comment.

-- Additional reporting by Allison Grande. Editing by Peter Rozovsky.

For a reprint of this article, please contact

Hello! I'm Law360's automated support bot.

How can I help you today?

For example, you can type:
  • I forgot my password
  • I took a free trial but didn't get a verification email
  • How do I sign up for a newsletter?
Ask a question!